Re: [ovs-dev] [PATCH ovn v6 9/9] northd: Allow flow simplification for ACL sampling.

Tue, 06 Aug 2024 11:47:34 -0700 

On 8/6/24 05:44, Dumitru Ceara wrote:

From: Ales Musil <[email protected]>

Currently, OVN would generate up to 2 flows per sample, depending
on the configuration. Add optimization that can reduce the number
of flows added into the ACL pipeline down to 3 per collector. This
optimization can be achieved only when the sample action with
registers is supported in OvS and the sample has only single
collector. The single collector per sample should be the case
in most configurations, usually even the same collector
for all samples which greatly reduces the number of flows per
ACL with sampling.

If there are more collectors per sample or the OvS feature is not
supported, the implementation will fall back to flows per sample.

Reported-at: https://issues.redhat.com/browse/FDP-709
Signed-off-by: Ales Musil <[email protected]>
---
V6:
- Rebased.
- Removed Dumitru's ack.
- Store (newly created) Sample_Collector.id in ct state - instead of the
   actual set-id to avoid ambiguity when multiple probabilities are used
   with the same collector set id.
- Fixed bug with stateful to-lport ACLs on router ports.
- Reduced number of ct mark bits used for storing the collector id to 4.
V5:
- Address Ilya's comments:
   - Explicitly set acl_observation_stage enum values.
- Added Dumitru's ack
---
  include/ovn/logical-fields.h |   2 +
  lib/logical-fields.c         |   8 +
  northd/northd.c              | 273 ++++++++++++++++++------
  tests/ovn-northd.at          | 388 +++++++++++++++++++++++++++++------
  tests/ovn.at                 |   2 +
  tests/system-ovn.at          |  10 +-
  6 files changed, 553 insertions(+), 130 deletions(-)

diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h
index ce79b501cf..d6c4a9b6b3 100644
--- a/include/ovn/logical-fields.h
+++ b/include/ovn/logical-fields.h
@@ -197,6 +197,8 @@ const struct ovn_field *ovn_field_from_name(const char 
*name);
  #define OVN_CT_NATTED_BIT  1
  #define OVN_CT_LB_SKIP_SNAT_BIT 2
  #define OVN_CT_LB_FORCE_SNAT_BIT 3
+#define OVN_CT_OBS_STAGE_1ST_BIT 4
+#define OVN_CT_OBS_STAGE_END_BIT 5
#define OVN_CT_BLOCKED 1 
  #define OVN_CT_NATTED  2
diff --git a/lib/logical-fields.c b/lib/logical-fields.c
index 0c187e1c84..00bbc4a1c4 100644
--- a/lib/logical-fields.c
+++ b/lib/logical-fields.c
@@ -165,6 +165,14 @@ ovn_init_symtab(struct shash *symtab)
                                      OVN_CT_STR(OVN_CT_LB_FORCE_SNAT_BIT)
                                      "]",
                                      WR_CT_COMMIT);
+    expr_symtab_add_subfield_scoped(symtab, "ct_mark.obs_stage", NULL,
+                                    "ct_mark["
+                                    OVN_CT_STR(OVN_CT_OBS_STAGE_1ST_BIT) ".."
+                                    OVN_CT_STR(OVN_CT_OBS_STAGE_END_BIT)
+                                    "]",
+                                    WR_CT_COMMIT);
+    expr_symtab_add_subfield_scoped(symtab, "ct_mark.obs_collector_id", NULL,
+                                    "ct_mark[16..19]", WR_CT_COMMIT);
expr_symtab_add_field_scoped(symtab, "ct_label", MFF_CT_LABEL, NULL, 
                                   false, WR_CT_COMMIT);
diff --git a/northd/northd.c b/northd/northd.c
index 13f9faba31..b1201bcc86 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -144,8 +144,20 @@ static bool vxlan_mode;
  #define REGBIT_ACL_VERDICT_ALLOW "reg8[16]"
  #define REGBIT_ACL_VERDICT_DROP "reg8[17]"
  #define REGBIT_ACL_VERDICT_REJECT "reg8[18]"
+#define REGBIT_ACL_OBS_STAGE "reg8[19..20]"
  #define REG_ACL_TIER "reg8[30..31]"
+enum acl_observation_stage { 
+    ACL_OBS_FROM_LPORT          = 0,
+    ACL_OBS_FROM_LPORT_AFTER_LB = 1,
+    ACL_OBS_TO_LPORT            = 2,
+    ACL_OBS_STAGE_MAX
+};
+
+/* enum acl_observation_stage_t values must fit in the 2 bits of
+ * REGBIT_ACL_OBS_STAGE .*/
+BUILD_ASSERT_DECL(ACL_OBS_STAGE_MAX < (1 << 2));
+
  /* Indicate that this packet has been recirculated using egress
   * loopback.  This allows certain checks to be bypassed, such as a
   * logical router dropping packets with source IP address equals
@@ -189,6 +201,8 @@ static bool vxlan_mode;
   * domain and point ID. */
  #define REG_OBS_POINT_ID_NEW "reg3"
  #define REG_OBS_POINT_ID_EST "reg9"
+#define REG_OBS_COLLECTOR_ID_NEW "reg8[0..3]"
+#define REG_OBS_COLLECTOR_ID_EST "reg8[4..7]"
/* Register used for temporarily store ECMP eth.src to avoid masked ct_label 
   * access. It doesn't really occupy registers because the content of the
@@ -228,12 +242,13 @@ static bool vxlan_mode;
   * +----+----------------------------------------------+ G |                  
                 |
   * | R7 |                   UNUSED                     | 1 |                  
                 |
   * 
+----+----------------------------------------------+---+-----------------------------------+
- * |    |              LB_AFF_MATCH_PORT               |
- * |    |  (>= IN_LB_AFF_CHECK && <= IN_LB_AFF_LEARN)  |
- * +----+----------------------------------------------+
- * | R9 |              OBS_POINT_ID_EST                |
- * |    |       (>= ACL_EVAL* && <= ACL_ACTION*)       |
- * +----+----------------------------------------------+
+ * | R8 |              LB_AFF_MATCH_PORT               | X |      
REG_OBS_COLLECTOR_ID_NEW     |
+ * |    |  (>= IN_LB_AFF_CHECK && <= IN_LB_AFF_LEARN)  | R |      
REG_OBS_COLLECTOR_ID_EST     |
+ * |    |                                              | E |  (>= ACL_EVAL* && 
<= ACL_ACTION*) |
+ * +----+----------------------------------------------+ G 
+-----------------------------------+
+ * | R9 |              OBS_POINT_ID_EST                | 4 |                   
                |
+ * |    |       (>= ACL_EVAL* && <= ACL_ACTION*)       |   |                   
                |
+ * 
+----+----------------------------------------------+---+-----------------------------------+
   *
   * Logical Router pipeline:
   * 
+-----+---------------------------+---+-----------------+---+------------------------------------+
@@ -6532,7 +6547,8 @@ build_acl_sample_action(struct ds *actions, const struct 
nbrec_acl *acl,
  static void
  build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl,
                                const struct nbrec_sample *sample_new,
-                              const struct nbrec_sample *sample_est)
+                              const struct nbrec_sample *sample_est,
+                              enum acl_observation_stage obs_stage)
  {
      if (!acl->label && !sample_new && !sample_est) {
          return;
@@ -6540,6 +6556,8 @@ build_acl_sample_label_action(struct ds *actions, const 
struct nbrec_acl *acl,
uint32_t point_id_new = 0; 
      uint32_t point_id_est = 0;
+    uint8_t collector_id_new = 0;
+    uint8_t collector_id_est = 0;
if (acl->label) { 
          point_id_new = acl->label;
@@ -6547,16 +6565,27 @@ build_acl_sample_label_action(struct ds *actions, const 
struct nbrec_acl *acl,
      } else {
          if (sample_new) {
              point_id_new = sample_new->metadata;
+            if (sample_new->n_collectors == 1) {
+                collector_id_new = sample_new->collectors[0]->id;
+            }
          }
          if (sample_est) {
              point_id_est = sample_est->metadata;
+            if (sample_est->n_collectors == 1) {
+                collector_id_est = sample_est->collectors[0]->id;
+            }
          }
      }
ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " 
                             REG_OBS_POINT_ID_NEW " = %"PRIu32"; "
-                           REG_OBS_POINT_ID_EST " = %"PRIu32"; ",
-                  point_id_new, point_id_est);
+                           REG_OBS_POINT_ID_EST " = %"PRIu32"; "
+                           REG_OBS_COLLECTOR_ID_NEW " = %"PRIu8"; "
+                           REG_OBS_COLLECTOR_ID_EST " = %"PRIu8"; "
+                           REGBIT_ACL_OBS_STAGE " = %"PRIu8"; ",
+                  point_id_new, point_id_est,
+                  collector_id_new, collector_id_est,
+                  (uint8_t) obs_stage);
  }
/* This builds an ACL logical flow specific match that selects traffic 
@@ -6604,46 +6633,16 @@ build_acl_sample_label_match(struct ds *match, const 
struct nbrec_acl *acl,
  }
/* This builds a logical flow that samples and forwards/drops traffic 
- * that hit a stateless ACL ("pass" or "allow-stateless") that has sampling
- * enabled.
+ * that hit a stateless/stateful ACL that has sampling enabled.
   */
  static void
-build_acl_sample_new_stateless_flows(const struct ovn_datapath *od,
-                                     struct lflow_table *lflows,
-                                     enum ovn_stage stage,
-                                     struct ds *match, struct ds *actions,
-                                     const struct nbrec_acl *acl,
-                                     uint8_t sample_domain_id,
-                                     struct lflow_ref *lflow_ref)
-{
-    if (!acl->sample_new) {
-        return;
-    }
-
-    ds_clear(actions);
-    ds_clear(match);
-
-    ds_put_cstr(match, "ip && ");
-    build_acl_sample_register_match(match, acl, acl->sample_new);
-
-    build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id);
-
-    ovn_lflow_add(lflows, od, stage, 1100, ds_cstr(match),
-                  ds_cstr(actions), lflow_ref);
-}
-
-/* This builds a logical flow that samples and forwards/drops traffic
- * that created a new conntrack entry and hit a stateful ACL that has sampling
- * enabled.
- */
-static void
-build_acl_sample_new_stateful_flows(const struct ovn_datapath *od,
-                                    struct lflow_table *lflows,
-                                    enum ovn_stage stage,
-                                    struct ds *match, struct ds *actions,
-                                    const struct nbrec_acl *acl,
-                                    uint8_t sample_domain_id,
-                                    struct lflow_ref *lflow_ref)
+build_acl_sample_new_flows(const struct ovn_datapath *od,
+                           struct lflow_table *lflows,
+                           enum ovn_stage stage,
+                           struct ds *match, struct ds *actions,
+                           const struct nbrec_acl *acl,
+                           uint8_t sample_domain_id, bool stateful,
+                           struct lflow_ref *lflow_ref)
  {
      if (!acl->sample_new) {
          return;
@@ -6652,12 +6651,16 @@ build_acl_sample_new_stateful_flows(const struct 
ovn_datapath *od,
      ds_clear(actions);
      ds_clear(match);
- /* Match on new connections. However, for to-lport ACLs, due to 
+    /* Match on new connections.  However, for stateful to-lport ACLs, due to
       * skip_port_from_conntrack() conntrack state might be cleared, so
       * take that into account too. */
-    ds_put_format(match, "ip && %s && ",
-                  stage != S_SWITCH_OUT_ACL_SAMPLE
-                  ? "ct.new" : "(ct.new || !ct.trk)");
+    if (!stateful) {
+        ds_put_format(match, "ip && ");
+    } else if (stage != S_SWITCH_OUT_ACL_SAMPLE) {
+        ds_put_format(match, "ip && ct.new && ");
+    } else {
+        ds_put_format(match, "ip && (ct.new || !ct.trk) && ");
+    }
      build_acl_sample_register_match(match, acl, acl->sample_new);
build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id); 
@@ -6758,6 +6761,112 @@ build_acl_sample_est_stateful_flows(const struct 
ovn_datapath *od,
static void build_acl_reject_action(struct ds *actions, bool is_ingress); +/* This builds a generic logical flow that samples traffic 
+ * that hit a stateless/stateful ACL that has sampling enabled with
+ * single collector and all chassis supporting the sample with match action.
+ */
+static void
+build_acl_sample_generic_new_flows(const struct ovn_datapath *od,
+                                   struct lflow_table *lflows,
+                                   enum ovn_stage stage,
+                                   enum acl_observation_stage obs_stage,
+                                   struct ds *match, struct ds *actions,
+                                   const struct nbrec_sample_collector *coll,
+                                   uint8_t sample_domain_id, bool stateful,
+                                   struct lflow_ref *lflow_ref)
+{
+    ds_clear(match);
+    ds_clear(actions);
+
+    /* Match on new connections.  However, for stateful to-lport ACLs, due to
+     * skip_port_from_conntrack() conntrack state might be cleared, so
+     * take that into account too. */
+    const char *new_conn_match = "";
+    if (stateful) {
+        if (stage != S_SWITCH_OUT_ACL_SAMPLE) {
+            new_conn_match = "&& ct.new ";
+        } else {
+            new_conn_match = "&& (ct.new || !ct.trk) ";
+        }
+    }
+
+    ds_put_format(match, "ip %s&& "REG_OBS_COLLECTOR_ID_NEW" == %"PRIu8" && "
To me, it seems really strange to include "&& " and the trailing space as part of new_conn_match. I think formatting the match string looks more natural like this: 

ds_put_format(match, "ip && %s && "REG_OBS_COLLECTOR_ID_NEW" == ...



+                         REGBIT_ACL_OBS_STAGE " == %"PRIu8, new_conn_match,
+                         (uint8_t) coll->id,
+                         (uint8_t) obs_stage);
+
+    ds_put_format(actions, "sample(probability=%"PRIu16","
+                           "collector_set=%"PRIu8","
+                           "obs_domain=%"PRIu32","
+                           "obs_point="REG_OBS_POINT_ID_NEW");"
+                           " next;",
+                           (uint16_t) coll->probability,
+                           (uint8_t) coll->set_id,
+                           sample_domain_id);
+
+    ovn_lflow_add(lflows, od, stage, stateful ? 1000 : 900, ds_cstr(match),
+                  ds_cstr(actions), lflow_ref);
+}
+
+/* This builds a generic logical flow that samples established traffic
+ * that hit a stateful ACL that has sampling enabled with
+ * single collector and all chassis supporting the sample with match action.
+ */
+static void
+build_acl_sample_generic_est_flows(const struct ovn_datapath *od,
+                                   struct lflow_table *lflows,
+                                   enum ovn_stage stage,
+                                   enum acl_observation_stage obs_stage,
+                                   struct ds *match, struct ds *actions,
+                                   const struct nbrec_sample_collector *coll,
+                                   uint8_t sample_domain_id,
+                                   struct lflow_ref *lflow_ref)
+{
+    ds_clear(match);
+    ds_clear(actions);
+
+    ds_put_cstr(match, "ip && ct.trk && (ct.est || ct.rel) && "
+                       "ct_label.obs_unused == 0 && ");
+
+    size_t match_len = match->length;
+    ds_put_format(match, "!ct.rpl && ct_mark.obs_collector_id == %"PRIu8" && "
+                         "ct_mark.obs_stage == %"PRIu8,
+                         (uint8_t) coll->id,
+                         (uint8_t) obs_stage);
+
+    ds_put_format(actions, "sample(probability=%"PRIu16","
+                           "collector_set=%"PRIu8","
+                           "obs_domain=%"PRIu32","
+                           "obs_point=ct_label.obs_point_id);"
+                           " next;",
+                           (uint16_t) coll->probability,
+                           (uint8_t) coll->set_id,
+                           sample_domain_id);
+
+    ovn_lflow_add(lflows, od, stage, 1000, ds_cstr(match),
+                  ds_cstr(actions), lflow_ref);
+
+    enum ovn_stage rpl_stage = (stage == S_SWITCH_OUT_ACL_SAMPLE
+                                ? S_SWITCH_IN_ACL_SAMPLE
+                                : S_SWITCH_OUT_ACL_SAMPLE);
+
+    ds_truncate(match, match_len);
+    ds_put_format(match, "ct.rpl && ct_mark.obs_collector_id == %"PRIu8,
+                  (uint8_t) coll->id);
+
+    ovn_lflow_add(lflows, od, rpl_stage, 1000, ds_cstr(match),
+                  ds_cstr(actions), lflow_ref);
+}
+
+/* Check if the smaple has only single collector and the sample action
+ * with registers is supported. */
+static bool
+acl_use_generic_sample_flows(const struct nbrec_sample *sample,
+                             const struct chassis_features *features)
+{
+    return sample && sample->n_collectors == 1 && features->sample_with_reg;
+}
+
  /* This builds all ACL sampling related logical flows:
   * - for packets creating new connections
   * - for packets that are part of an existing connection
@@ -6769,6 +6878,7 @@ build_acl_sample_flows(const struct ls_stateful_record 
*ls_stateful_rec,
                         const struct nbrec_acl *acl,
                         struct ds *match, struct ds *actions,
                         const struct sampling_app_table *sampling_apps,
+                       const struct chassis_features *features,
                         struct lflow_ref *lflow_ref)
  {
      bool should_sample_established =
@@ -6792,13 +6902,17 @@ build_acl_sample_flows(const struct ls_stateful_record 
*ls_stateful_rec,
bool ingress = !strcmp(acl->direction, "from-lport") ? true : false; 
      enum ovn_stage stage;
+    enum acl_observation_stage obs_stage;
if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { 
          stage = S_SWITCH_IN_ACL_AFTER_LB_SAMPLE;
+        obs_stage = ACL_OBS_FROM_LPORT_AFTER_LB;
      } else if (ingress) {
          stage = S_SWITCH_IN_ACL_SAMPLE;
+        obs_stage = ACL_OBS_FROM_LPORT;
      } else {
          stage = S_SWITCH_OUT_ACL_SAMPLE;
+        obs_stage = ACL_OBS_TO_LPORT;
      }
uint8_t sample_new_domain_id = sampling_app_get_id(sampling_apps, 
@@ -6806,14 +6920,28 @@ build_acl_sample_flows(const struct ls_stateful_record 
*ls_stateful_rec,
      uint8_t sample_est_domain_id = sampling_app_get_id(sampling_apps,
                                                         SAMPLING_APP_ACL_EST);
+ if (acl_use_generic_sample_flows(acl->sample_new, features)) { 
+        build_acl_sample_generic_new_flows(od, lflows, stage, obs_stage,
+                                           match, actions,
+                                           acl->sample_new->collectors[0],
+                                           sample_new_domain_id,
+                                           stateful_match, lflow_ref);
+    } else {
+        build_acl_sample_new_flows(od, lflows, stage, match, actions,
+                                   acl, sample_new_domain_id, stateful_match,
+                                   lflow_ref);
+    }
+
      if (!stateful_match) {
-        build_acl_sample_new_stateless_flows(od, lflows, stage, match, actions,
-                                             acl, sample_new_domain_id,
-                                             lflow_ref);
+        return;
+    }
+
+    if (acl_use_generic_sample_flows(acl->sample_est, features)) {
+        build_acl_sample_generic_est_flows(od, lflows, stage, obs_stage,
+                                           match, actions,
+                                           acl->sample_est->collectors[0],
+                                           sample_est_domain_id, lflow_ref);
      } else {
-        build_acl_sample_new_stateful_flows(od, lflows, stage, match, actions,
-                                            acl, sample_new_domain_id,
-                                            lflow_ref);
          build_acl_sample_est_stateful_flows(od, lflows, stage, match, actions,
                                              acl, sample_est_domain_id,
                                              lflow_ref);
@@ -6845,13 +6973,17 @@ consider_acl(struct lflow_table *lflows, const struct 
ovn_datapath *od,
  {
      bool ingress = !strcmp(acl->direction, "from-lport") ? true :false;
      enum ovn_stage stage;
+    enum acl_observation_stage obs_stage;
if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { 
          stage = S_SWITCH_IN_ACL_AFTER_LB_EVAL;
+        obs_stage = ACL_OBS_FROM_LPORT_AFTER_LB;
      } else if (ingress) {
          stage = S_SWITCH_IN_ACL_EVAL;
+        obs_stage = ACL_OBS_FROM_LPORT;
      } else {
          stage = S_SWITCH_OUT_ACL_EVAL;
+        obs_stage = ACL_OBS_TO_LPORT;
      }
const char *verdict; 
@@ -6885,7 +7017,8 @@ consider_acl(struct lflow_table *lflows, const struct 
ovn_datapath *od,
          || !strcmp(acl->action, "allow-stateless")) {
/* For stateless ACLs just sample "new" packets. */ 
-        build_acl_sample_label_action(actions, acl, acl->sample_new, NULL);
+        build_acl_sample_label_action(actions, acl, acl->sample_new, NULL,
+                                      obs_stage);
ds_put_cstr(actions, "next;"); 
          ds_put_format(match, "(%s)", acl->match);
@@ -6924,7 +7057,7 @@ consider_acl(struct lflow_table *lflows, const struct 
ovn_datapath *od,
/* For stateful ACLs sample "new" and "established" packets. */ 
          build_acl_sample_label_action(actions, acl, acl->sample_new,
-                                      acl->sample_est);
+                                      acl->sample_est, obs_stage);
          ds_put_cstr(actions, "next;");
          ovn_lflow_add_with_hint(lflows, od, stage, priority,
                                  ds_cstr(match), ds_cstr(actions),
@@ -6948,7 +7081,7 @@ consider_acl(struct lflow_table *lflows, const struct 
ovn_datapath *od,
/* For stateful ACLs sample "new" and "established" packets. */ 
          build_acl_sample_label_action(actions, acl, acl->sample_new,
-                                      acl->sample_est);
+                                      acl->sample_est, obs_stage);
          ds_put_cstr(actions, "next;");
          ovn_lflow_add_with_hint(lflows, od, stage, priority,
                                  ds_cstr(match), ds_cstr(actions),
@@ -6968,7 +7101,8 @@ consider_acl(struct lflow_table *lflows, const struct 
ovn_datapath *od,
          ds_truncate(actions, log_verdict_len);
/* For drop ACLs just sample all packets as "new" packets. */ 
-        build_acl_sample_label_action(actions, acl, acl->sample_new, NULL);
+        build_acl_sample_label_action(actions, acl, acl->sample_new, NULL,
+                                      obs_stage);
          ds_put_cstr(actions, "next;");
          ovn_lflow_add_with_hint(lflows, od, stage, priority,
                                  ds_cstr(match), ds_cstr(actions),
@@ -6991,7 +7125,8 @@ consider_acl(struct lflow_table *lflows, const struct 
ovn_datapath *od,
          ds_truncate(actions, log_verdict_len);
/* For drop ACLs just sample all packets as "new" packets. */ 
-        build_acl_sample_label_action(actions, acl, acl->sample_new, NULL);
+        build_acl_sample_label_action(actions, acl, acl->sample_new, NULL,
+                                      obs_stage);
          ds_put_cstr(actions, "ct_commit { ct_mark.blocked = 1; }; next;");
          ovn_lflow_add_with_hint(lflows, od, stage, priority,
                                  ds_cstr(match), ds_cstr(actions),
@@ -7237,6 +7372,7 @@ build_acls(const struct ls_stateful_record 
*ls_stateful_rec,
             const struct ls_port_group_table *ls_port_groups,
             const struct shash *meter_groups,
             const struct sampling_app_table *sampling_apps,
+           const struct chassis_features *features,
             struct lflow_ref *lflow_ref)
  {
      const char *default_acl_action = default_acl_drop
@@ -7429,7 +7565,8 @@ build_acls(const struct ls_stateful_record 
*ls_stateful_rec,
                       meter_groups, ls_stateful_rec->max_acl_tier,
                       &match, &actions, lflow_ref);
          build_acl_sample_flows(ls_stateful_rec, od, lflows, acl,
-                               &match, &actions, sampling_apps, lflow_ref);
+                               &match, &actions, sampling_apps,
+                               features, lflow_ref);
      }
const struct ls_port_group *ls_pg = 
@@ -7448,7 +7585,7 @@ build_acls(const struct ls_stateful_record 
*ls_stateful_rec,
                               &match, &actions, lflow_ref);
                  build_acl_sample_flows(ls_stateful_rec, od, lflows, acl,
                                         &match, &actions, sampling_apps,
-                                       lflow_ref);
+                                       features, lflow_ref);
              }
          }
      }
@@ -8111,6 +8248,8 @@ build_stateful(struct ovn_datapath *od, struct 
lflow_table *lflows,
      ds_put_cstr(&actions,
                   "ct_commit { "
                      "ct_mark.blocked = 0; "
+                    "ct_mark.obs_stage = " REGBIT_ACL_OBS_STAGE "; "
+                    "ct_mark.obs_collector_id = " REG_OBS_COLLECTOR_ID_EST "; "
                      "ct_label.obs_point_id = " REG_OBS_POINT_ID_EST "; "
                    "}; next;");
      ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100,
@@ -16161,6 +16300,7 @@ build_ls_stateful_flows(const struct ls_stateful_record 
*ls_stateful_rec,
                          const struct ls_port_group_table *ls_pgs,
                          const struct shash *meter_groups,
                          const struct sampling_app_table *sampling_apps,
+                        const struct chassis_features *features,
                          struct lflow_table *lflows)
  {
      build_ls_stateful_rec_pre_acls(ls_stateful_rec, od, ls_pgs, lflows,
@@ -16170,7 +16310,7 @@ build_ls_stateful_flows(const struct ls_stateful_record 
*ls_stateful_rec,
      build_acl_hints(ls_stateful_rec, od, lflows,
                      ls_stateful_rec->lflow_ref);
      build_acls(ls_stateful_rec, od, lflows, ls_pgs, meter_groups,
-               sampling_apps, ls_stateful_rec->lflow_ref);
+               sampling_apps, features, ls_stateful_rec->lflow_ref);
      build_lb_hairpin(ls_stateful_rec, od, lflows, ls_stateful_rec->lflow_ref);
  }
@@ -16487,6 +16627,7 @@ build_lflows_thread(void *arg) 
                                              lsi->ls_port_groups,
                                              lsi->meter_groups,
                                              lsi->sampling_apps,
+                                            lsi->features,
                                              lsi->lflows);
                  }
              }
@@ -16710,6 +16851,7 @@ build_lswitch_and_lrouter_flows(
              build_ls_stateful_flows(ls_stateful_rec, od, lsi.ls_port_groups,
                                      lsi.meter_groups,
                                      lsi.sampling_apps,
+                                    lsi.features,
                                      lsi.lflows);
          }
          stopwatch_stop(LFLOWS_LS_STATEFUL_STOPWATCH_NAME, time_msec());
@@ -17225,6 +17367,7 @@ lflow_handle_ls_stateful_changes(struct ovsdb_idl_txn 
*ovnsb_txn,
                                  lflow_input->ls_port_groups,
                                  lflow_input->meter_groups,
                                  lflow_input->sampling_apps,
+                                lflow_input->features,
                                  lflows);
/* Sync the new flows to SB. */ 
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 6cc372b8a4..afad71685d 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -4609,7 +4609,7 @@ check_stateful_flows() {
      AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
    table=??(ls_in_stateful     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
-  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = 
reg9; }; next;)
+  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = 
reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; 
}; next;)
  ])
AT_CHECK_UNQUOTED([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl 
@@ -4633,7 +4633,7 @@ check_stateful_flows() {
      AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
    table=??(ls_out_stateful    ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
-  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = 
reg9; }; next;)
+  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = 
reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; 
}; next;)
  ])
  }
@@ -4676,7 +4676,7 @@ AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl 
  AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
    table=??(ls_in_stateful     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
-  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = 
reg9; }; next;)
+  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = 
reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; 
}; next;)
  ])
AT_CHECK([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl 
@@ -4697,7 +4697,7 @@ AT_CHECK([grep "ls_out_pre_stateful" sw0flows | 
ovn_strip_lflows], [0], [dnl
  AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
    table=??(ls_out_stateful    ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
-  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = 
reg9; }; next;)
+  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = 
reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; 
}; next;)
  ])
# LB with event=false and reject=false 
@@ -4726,23 +4726,23 @@ ovn-sbctl dump-flows sw0 > sw0flows
  AT_CAPTURE_FILE([sw0flows])
AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl 
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; next;)
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;)
  ])
  AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
    table=??(ls_in_stateful     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
-  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = 
reg9; }; next;)
+  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = 
reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; 
}; next;)
  ])
AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl 
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; next;)
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;)
  ])
  AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
    table=??(ls_out_stateful    ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
-  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = 
reg9; }; next;)
+  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = 
reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; 
}; next;)
  ])
# Add new ACL without label 
@@ -4753,27 +4753,27 @@ ovn-sbctl dump-flows sw0 > sw0flows
  AT_CAPTURE_FILE([sw0flows])
AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl 
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1 && 
(udp)), action=(reg8[[16]] = 1; next;)
  ])
  AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
    table=??(ls_in_stateful     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
-  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = 
reg9; }; next;)
+  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = 
reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; 
}; next;)
  ])
AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl 
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1 && 
(udp)), action=(reg8[[16]] = 1; next;)
  ])
  AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
    table=??(ls_out_stateful    ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
-  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = 
reg9; }; next;)
+  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = 
reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; 
}; next;)
  ])
# Delete new ACL with label 
@@ -4790,7 +4790,7 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | 
ovn_strip_lflows], [0]
  AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
    table=??(ls_in_stateful     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
-  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = 
reg9; }; next;)
+  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = 
reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; 
}; next;)
  ])
AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl 
@@ -4800,7 +4800,7 @@ AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 
| ovn_strip_lflows], [0
  AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
    table=??(ls_out_stateful    ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
-  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = 
reg9; }; next;)
+  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = 
reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; 
}; next;)
  ])
  AT_CLEANUP
  ])
@@ -4828,7 +4828,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 
acl-add ls from-lport 1
dnl Check that the label is committed to conntrack in the ingress pipeline 
  AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e 
ls_in_stateful -A 2 | grep commit], [0], [dnl
-    ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; };
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
  ])
AS_BOX([from-lport --apply-after-lb allow-related ACL]) 
@@ -4836,7 +4836,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- 
--apply-after-lb --label=1234 acl-add
dnl Check that the label is committed to conntrack in the ingress pipeline 
  AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e 
ls_in_stateful -A 2 | grep commit], [0], [dnl
-    ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; };
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
  ])
AS_BOX([to-lport allow-related ACL]) 
@@ -4844,7 +4844,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 
acl-add ls to-lport 1 ip
dnl Check that the label is committed to conntrack in the ingress pipeline 
  AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e 
ls_out_stateful -A 2 | grep commit], [0], [dnl
-    ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; };
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
  ])
AT_CLEANUP 
@@ -7680,7 +7680,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | 
ovn_strip_lflows], [0], [dnl
  AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl
    table=??(ls_in_stateful     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
-  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = 
reg9; }; next;)
+  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = 
reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; 
}; next;)
  ])
AS_BOX([Remove and add the ACLs back with the apply-after-lb option]) 
@@ -7735,7 +7735,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | 
ovn_strip_lflows], [0], [dnl
  AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl
    table=??(ls_in_stateful     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
-  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = 
reg9; }; next;)
+  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = 
reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; 
}; next;)
  ])
AS_BOX([Remove and add the ACLs back with a few ACLs with apply-after-lb option]) 
@@ -7790,7 +7790,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | 
ovn_strip_lflows], [0], [dnl
  AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl
    table=??(ls_in_stateful     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
-  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = 
reg9; }; next;)
+  table=??(ls_in_stateful     ), priority=100  , match=(reg0[[1]] == 1 && 
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = 
reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; 
}; next;)
  ])
AT_CLEANUP 
@@ -12608,8 +12608,8 @@ ovn-nbctl --wait=sb \
    --id=@sample2 create Sample collector="$collector1 $collector2" 
metadata=4302 -- \
    --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" 
allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval 
-e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e 
reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
next;)
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 
0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new && reg3 
== 4301), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
    table=??(ls_in_acl_sample   ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && 
!ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
 next;)
@@ -12620,7 +12620,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e 
ls_in_acl_sample -e ls_in_acl_eval -e l
  dnl Trace new connections.
  flow="$base_flow"
  AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
-    ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; };
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
      reg9 = 4302;
      sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301);
      sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301);
@@ -12640,8 +12640,8 @@ ovn-nbctl --wait=sb \
    --id=@sample1 create Sample collector="$collector1 $collector2" 
metadata=4301 -- \
    --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval 
-e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e 
reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
next;)
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 0; 
reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new && reg3 
== 4301), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
    table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
@@ -12650,7 +12650,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e 
ls_in_acl_sample -e ls_in_acl_eval -e l
  dnl Trace new connections.
  flow="$base_flow"
  AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
-    ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; };
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
      reg9 = 0;
      sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301);
      sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301);
@@ -12670,8 +12670,8 @@ ovn-nbctl --wait=sb \
    --id=@sample2 create Sample collector="$collector1 $collector2" 
metadata=4302 -- \
    --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 
"1" allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e 
ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | 
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
next;)
-  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 
0; reg8[[4..7]] = 0; reg8[[19..20]] = 1; next;)
    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1), 
action=(next;)
    table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && 
reg3 == 4301), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
    table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) 
&& !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
 next;)
@@ -12682,7 +12682,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e 
ls_in_acl_after_lb_sample -e ls_in_acl_
  dnl Trace new connections.
  flow="$base_flow"
  AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
-    ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; };
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
      reg9 = 4302;
      sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301);
      sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301);
@@ -12702,8 +12702,8 @@ ovn-nbctl --wait=sb \
    --id=@sample1 create Sample collector="$collector1 $collector2" 
metadata=4301 -- \
    --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 "1" 
allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e 
ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | 
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
next;)
-  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 0; 
reg8[[4..7]] = 0; reg8[[19..20]] = 1; next;)
    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1), 
action=(next;)
    table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && 
reg3 == 4301), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
    table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
@@ -12712,7 +12712,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e 
ls_in_acl_after_lb_sample -e ls_in_acl_
  dnl Trace new connections.
  flow="$base_flow"
  AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
-    ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; };
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
      reg9 = 0;
      sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301);
      sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301);
@@ -12734,8 +12734,8 @@ ovn-nbctl --wait=sb \
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval 
-e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 
-e reg9 -e sample], [0], [dnl
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_sample   ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
 next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 
0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_acl_sample  ), priority=1100 , match=(ip && (ct.new || !ct.trk) 
&& reg3 == 4301), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
    table=??(ls_out_acl_sample  ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && 
!ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
 next;)
@@ -12744,7 +12744,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e 
ls_out_acl_sample -e ls_out_acl_eval -e
  dnl Trace new connections.
  flow="$base_flow"
  AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], 
[0], [dnl
-    ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; };
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
      ct_commit { ct_mark.blocked = 0; };
      reg9 = 4302;
      sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301);
@@ -12766,8 +12766,8 @@ ovn-nbctl --wait=sb \
    --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval 
-e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 
-e reg9 -e sample], [0], [dnl
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 0; 
reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_acl_sample  ), priority=1100 , match=(ip && (ct.new || !ct.trk) 
&& reg3 == 4301), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
  ])
@@ -12775,7 +12775,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e 
ls_out_acl_sample -e ls_out_acl_eval -e
  dnl Trace new connections.
  flow="$base_flow"
  AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], 
[0], [dnl
-    ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; };
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
      ct_commit { ct_mark.blocked = 0; };
      reg9 = 0;
      sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301);
@@ -12792,6 +12792,276 @@ AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls 
"$flow" | TRACE_FILTER], [0],
  AT_CLEANUP
  ])
+OVN_FOR_EACH_NORTHD_NO_HV([ 
+AT_SETUP([ACL Sampling - Generic sample])
+AT_KEYWORDS([acl])
+
+ovn_start
+
+collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 
set_id=100)
+check_row_count nb:Sample_Collector 1
+
+ovn-nbctl create Sampling_App type="acl-new" id="42"
+ovn-nbctl create Sampling_App type="acl-est" id="43"
+check_row_count nb:Sampling_App 2
+
+check ovn-nbctl                               \
+  -- ls-add ls                                \
+  -- lsp-add ls lsp1                          \
+  -- lsp-set-addresses lsp1 00:00:00:00:00:01 \
+  -- lsp-add ls lsp2                          \
+  -- lsp-set-addresses lsp2 00:00:00:00:00:02
+check ovn-nbctl --wait=sb sync
+
+base_flow="inport == \"lsp1\" && eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02 
&& ip4.src == 42.42.42.1 && ip4.dst == 42.42.42.2"
+m4_define([TRACE_FILTER], [grep -e sample -e commit -e reg9 -e 
'reg8\[[0..3\]]' -e 'reg8\[[4..7\]]' | grep -v _sample | sort])
+
+AS_BOX([ACL sampling without register support])
+check ovn-sbctl chassis-add gw1 geneve 127.0.0.1 \
+  -- set chassis gw1 other_config:ovn-sample-with-registers="false"
+
+check ovn-nbctl acl-del ls
+ovn-nbctl --wait=sb                                                    \
+  --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \
+  --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \
+  --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" 
allow-related
+AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e 
ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 
-e reg9 -e sample], [0], [dnl
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..3]] = 1; reg8[[4..7]] = 1; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 
1; reg8[[4..7]] = 1; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
+  table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new && reg3 
== 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); 
next;)
+  table=??(ls_in_acl_sample   ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && 
!ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;)
+  table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
+  table=??(ls_out_acl_sample  ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;)
+])
+
+dnl Trace new connections.
+flow="$base_flow"
+AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 1;
+    reg9 = 4302;
+    sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301);
+])
+
+dnl Trace estasblished connections.
+flow="$base_flow && ct_label.obs_point_id == 4302"
+AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 1;
+    reg9 = 4302;
+    sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302);
+])
+
+check ovn-sbctl set chassis gw1 other_config:ovn-sample-with-registers="true"
+
+AS_BOX([from-lport ACL sampling (new, est)])
+check ovn-nbctl acl-del ls
+ovn-nbctl --wait=sb                                                    \
+  --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \
+  --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \
+  --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" 
allow-related
+AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e 
ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 
-e reg9 -e sample], [0], [dnl
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..3]] = 1; reg8[[4..7]] = 1; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 
1; reg8[[4..7]] = 1; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
+  table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.new && reg8[[0..3]] 
== 1 && reg8[[19..20]] == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
+  table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;)
+  table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
+  table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;)
+])
+
+dnl Trace new connections.
+flow="$base_flow"
+AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 1;
+    reg9 = 4302;
+    sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3);
+])
+
+dnl Trace estasblished connections.
+flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 0 && 
ct_mark.obs_collector_id == 1"
+AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 1;
+    reg9 = 4302;
+    
sample(probability=65535,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
+])
+
+AS_BOX([from-lport ACL sampling (new)])
+check ovn-nbctl acl-del ls
+ovn-nbctl --wait=sb                                                    \
+  --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \
+  --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related
+AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e 
ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 
-e reg9 -e sample], [0], [dnl
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
reg8[[0..3]] = 1; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 1; 
reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
+  table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.new && reg8[[0..3]] 
== 1 && reg8[[19..20]] == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
+  table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
+])
+
+dnl Trace new connections.
+flow="$base_flow"
+AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 0;
+    reg9 = 0;
+    sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3);
+])
+
+dnl Trace established connections (no point id was committed in the label in
+dnl the original direction).
+flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 0 && 
ct_mark.obs_collector_id == 0"
+AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 0;
+    reg9 = 0;
+])
+
+AS_BOX([from-lport-after-lb ACL sampling (new, est)])
+check ovn-nbctl acl-del ls
+ovn-nbctl --wait=sb                                                    \
+  --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \
+  --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \
+  --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 
"1" allow-related
+AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e 
ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | 
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..3]] = 1; reg8[[4..7]] = 1; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 
1; reg8[[4..7]] = 1; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1), 
action=(next;)
+  table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && 
reg8[[0..3]] == 1 && reg8[[19..20]] == 1), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
+  table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 1), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;)
+  table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
+  table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;)
+])
+
+dnl Trace new connections.
+flow="$base_flow"
+AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 1;
+    reg9 = 4302;
+    sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3);
+])
+
+dnl Trace estasblished connections.
+flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 1 && 
ct_mark.obs_collector_id == 1"
+AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 1;
+    reg9 = 4302;
+    
sample(probability=65535,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
+])
+
+AS_BOX([from-lport-after-lb ACL sampling (new)])
+check ovn-nbctl acl-del ls
+ovn-nbctl --wait=sb                                                    \
+  --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \
+  --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 "1" 
allow-related
+AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e 
ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | 
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
reg8[[0..3]] = 1; reg8[[4..7]] = 0; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 1; 
reg8[[4..7]] = 0; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1), 
action=(next;)
+  table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && 
reg8[[0..3]] == 1 && reg8[[19..20]] == 1), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
+  table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
+])
+
+dnl Trace new connections.
+flow="$base_flow"
+AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 0;
+    reg9 = 0;
+    sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3);
+])
+
+dnl Trace established connections (no point id was committed in the label in
+dnl the original direction).
+flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 0 && 
ct_mark.obs_collector_id == 0"
+AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 0;
+    reg9 = 0;
+])
+
+AS_BOX([to-lport ACL sampling (new, est)])
+check ovn-nbctl acl-del ls
+ovn-nbctl --wait=sb                                                    \
+  --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \
+  --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \
+  --sample-new=@sample1 --sample-est=@sample2 acl-add ls to-lport 1 "1" 
allow-related
+AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval 
-e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 
-e reg9 -e sample], [0], [dnl
+  table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
+  table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..3]] = 1; reg8[[4..7]] = 1; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 
1; reg8[[4..7]] = 1; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
+  table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && (ct.new || !ct.trk) && 
reg8[[0..3]] == 1 && reg8[[19..20]] == 2), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
+  table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 2), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;)
+])
+
+dnl Trace new connections.
+flow="$base_flow"
+AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], 
[0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
+    ct_commit { ct_mark.blocked = 0; };
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 1;
+    reg9 = 4302;
+    sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3);
+])
+
+dnl Trace estasblished connections.
+flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 2 && 
ct_mark.obs_collector_id == 1"
+AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], 
[0], [dnl
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 1;
+    reg9 = 4302;
+    
sample(probability=65535,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
+])
+
+AS_BOX([to-lport ACL sampling (new)])
+check ovn-nbctl acl-del ls
+ovn-nbctl --wait=sb                                                    \
+  --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \
+  --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related
+AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval 
-e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 
-e reg9 -e sample], [0], [dnl
+  table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
reg8[[0..3]] = 1; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 1; 
reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
+  table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && (ct.new || !ct.trk) && 
reg8[[0..3]] == 1 && reg8[[19..20]] == 2), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
+])
+
+dnl Trace new connections.
+flow="$base_flow"
+AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], 
[0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; 
ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; };
+    ct_commit { ct_mark.blocked = 0; };
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 0;
+    reg9 = 0;
+    sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3);
+])
+
+dnl Trace established connections (no point id was committed in the label in
+dnl the original direction).
+flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 2 && 
ct_mark.obs_collector_id == 0"
+AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], 
[0], [dnl
+    reg8[[0..3]] = 1;
+    reg8[[4..7]] = 0;
+    reg9 = 0;
+])
+
+AT_CLEANUP
+])
+
  OVN_FOR_EACH_NORTHD_NO_HV([
  AT_SETUP([ACL Sampling - same collector set id, multiple probabilities])
  AT_KEYWORDS([acl])
@@ -12831,24 +13101,22 @@ check_row_count nb:Sample 6
  check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep probability | ovn_strip_lflows], [0], [dnl 
-  table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && 
reg3 == 4303), dnl
-action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4303);
 next;)
-  table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) 
&& !ct.rpl && ct_label.obs_point_id == 4304 && ct_label.obs_unused == 0), dnl
-action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4304);
 next;)
-  table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new && reg3 
== 4301), dnl
-action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4301);
 next;)
-  table=??(ls_in_acl_sample   ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && 
!ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), dnl
-action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4302);
 next;)
-  table=??(ls_in_acl_sample   ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct.rpl && ct_label.obs_point_id == 4306 && ct_label.obs_unused == 0), dnl
-action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4306);
 next;)
-  table=??(ls_out_acl_sample  ), priority=1100 , match=(ip && (ct.new || !ct.trk) 
&& reg3 == 4305), dnl
-action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4305);
 next;)
-  table=??(ls_out_acl_sample  ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && 
!ct.rpl && ct_label.obs_point_id == 4306 && ct_label.obs_unused == 0), dnl
-action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4306);
 next;)
-  table=??(ls_out_acl_sample  ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), dnl
-action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4302);
 next;)
-  table=??(ls_out_acl_sample  ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct.rpl && ct_label.obs_point_id == 4304 && ct_label.obs_unused == 0), dnl
-action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4304);
 next;)
+  table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && 
reg8[[0..3]] == 1 && reg8[[19..20]] == 1), dnl
+action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3);
 next;)
+  table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 1), dnl
+action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
 next;)
+  table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.new && reg8[[0..3]] 
== 1 && reg8[[19..20]] == 0), dnl
+action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3);
 next;)
+  table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 0), dnl
+action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
 next;)
+  table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 2), dnl
+action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
 next;)
+  table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && (ct.new || !ct.trk) && 
reg8[[0..3]] == 1 && reg8[[19..20]] == 2), dnl
+action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3);
 next;)
+  table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 2), dnl
+action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
 next;)
+  table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 2), dnl
+action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
 next;)
  ])
AT_CLEANUP 
diff --git a/tests/ovn.at b/tests/ovn.at
index f1fc29503f..602f68161e 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -336,6 +336,8 @@ ct_mark.blocked = ct_mark[0]
  ct_mark.ecmp_reply_port = ct_mark[16..31]
  ct_mark.force_snat = ct_mark[3]
  ct_mark.natted = ct_mark[1]
+ct_mark.obs_collector_id = ct_mark[16..19]
+ct_mark.obs_stage = ct_mark[4..5]
  ct_mark.skip_snat = ct_mark[2]
  ct_state = NXM_NX_CT_STATE
  ]])
diff --git a/tests/system-ovn.at b/tests/system-ovn.at
index ef9652f02a..853004f93a 100644
--- a/tests/system-ovn.at
+++ b/tests/system-ovn.at
@@ -7724,7 +7724,7 @@ NS_CHECK_EXEC([sw0-p3], [ping -q -c 10 -i 0.3 -w 15 
10.0.0.2 | FORMAT_PING], \
  AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.2) | \
  sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | \
  sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/'], 
[0], [dnl
-icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=<cleared>,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=<cleared>,type=0,code=0),zone=<cleared>,labels=0x4d3000000000000000000000000
+icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=<cleared>,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=<cleared>,type=0,code=0),zone=<cleared>,mark=32,labels=0x4d3000000000000000000000000
  
icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=<cleared>,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=<cleared>,type=0,code=0),zone=<cleared>
  ])
@@ -7851,7 +7851,7 @@ NS_CHECK_EXEC([sw0-p1], [ping -q -c 10 -i 0.3 -w 15 10.0.0.4 | FORMAT_PING], \ 
  AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.4) | \
  sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | \
  sed -e 's/labels=0x4d2[[0-9a-f]]*/labels=0x4d2000000000000000000000000/'], 
[0], [dnl
-icmp,orig=(src=10.0.0.2,dst=10.0.0.4,id=<cleared>,type=8,code=0),reply=(src=10.0.0.4,dst=10.0.0.2,id=<cleared>,type=0,code=0),zone=<cleared>,labels=0x4d2000000000000000000000000
+icmp,orig=(src=10.0.0.2,dst=10.0.0.4,id=<cleared>,type=8,code=0),reply=(src=10.0.0.4,dst=10.0.0.2,id=<cleared>,type=0,code=0),zone=<cleared>,mark=16,labels=0x4d2000000000000000000000000
  
icmp,orig=(src=10.0.0.2,dst=10.0.0.4,id=<cleared>,type=8,code=0),reply=(src=10.0.0.4,dst=10.0.0.2,id=<cleared>,type=0,code=0),zone=<cleared>
  ])
@@ -7866,7 +7866,7 @@ NS_CHECK_EXEC([sw0-p3], [ping -q -c 10 -i 0.3 -w 15 10.0.0.2 | FORMAT_PING], \ 
  AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.2) | \
  sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | \
  sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/'], 
[0], [dnl
-icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=<cleared>,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=<cleared>,type=0,code=0),zone=<cleared>,labels=0x4d3000000000000000000000000
+icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=<cleared>,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=<cleared>,type=0,code=0),zone=<cleared>,mark=32,labels=0x4d3000000000000000000000000
  
icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=<cleared>,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=<cleared>,type=0,code=0),zone=<cleared>
  ])
@@ -8081,7 +8081,7 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.3) | \ 
  sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | \
  sed -e 's/labels=0x4d2[[0-9a-f]]*/labels=0x4d2000000000000000000000000/' | 
sort], [0], [dnl
  
icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=<cleared>,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=<cleared>,type=0,code=0),zone=<cleared>
-icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=<cleared>,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=<cleared>,type=0,code=0),zone=<cleared>,labels=0x4d2000000000000000000000000
+icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=<cleared>,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=<cleared>,type=0,code=0),zone=<cleared>,mark=16,labels=0x4d2000000000000000000000000
  ])
# Add a higher priority ACL with different label. 
@@ -8097,7 +8097,7 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | 
FORMAT_CT(10.0.0.3) | \
  sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | \
  sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/' | 
sort], [0], [dnl
  
icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=<cleared>,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=<cleared>,type=0,code=0),zone=<cleared>
-icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=<cleared>,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=<cleared>,type=0,code=0),zone=<cleared>,labels=0x4d3000000000000000000000000
+icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=<cleared>,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=<cleared>,type=0,code=0),zone=<cleared>,mark=16,labels=0x4d3000000000000000000000000
  ])
OVS_APP_EXIT_AND_WAIT([ovn-controller]) 

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to