On 11/7/24 9:03 AM, Ales Musil wrote:
> On Thu, Oct 17, 2024 at 4:09 PM Lorenzo Bianconi <[email protected]> wrote:
>
>> Considering the following configuration:
>>
>> $ovn-nbctl acl-list sw01
>> from-lport 100 (inport == "sw01-port1" && udp.dst == 5201) allow-related [after-lb]
>> from-lport 10 (inport == "sw01-port1" && udp) allow-related [after-lb]
>>
>> $ovn-nbctl list acl
>> _uuid        : e440336a-84d3-4a6d-95a9-edd1db1c3631
>> action       : allow-related
>> direction    : from-lport
>> external_ids : {}
>> label        : 0
>> log          : false
>> match        : "inport == \"sw01-port1\" && udp"
>> meter        : []
>> name         : []
>> options      : {apply-after-lb="true"}
>> priority     : 10
>> sample_est   : ac6a6efc-a2e0-4d68-b5f8-8cd91113e554
>> sample_new   : 5cdad2ab-4390-4772-ac40-74aa2980c06e
>> severity     : []
>> tier         : 0
>>
>> _uuid        : 85ef08d7-aacc-41d7-b808-6ab011edd753
>> action       : allow-related
>> direction    : from-lport
>> external_ids : {}
>> label        : 0
>> log          : false
>> match        : "inport == \"sw01-port1\" && udp.dst == 5201"
>> meter        : []
>> name         : []
>> options      : {apply-after-lb="true"}
>> priority     : 100
>> sample_est   : 143ce7e2-fd13-4d5e-930c-133d5cf87d0d
>> sample_new   : 1d1a0a05-2a8a-4c72-ad35-77d7e2908183
>> severity     : []
>> tier         : 0
>>
>> If the priority-100 acl is removed, the udp traffic with destination port
>> 5201 will hit the second ACL, however ovn-controller will continue
>> sampling the existing connection with the observationPointID associated to
>> the removed ACL.
>> Fix the issue by always committing ct.est sampled traffic in the original
>> direction in order to update the observationPointID stored in the
>> connection tracking table.
>>
>> Fixes: d15b12da6fe6 ("northd: Add ACL Sampling.")
>> Reported-at: https://issues.redhat.com/browse/FDP-848
>> Signed-off-by: Lorenzo Bianconi <[email protected]>
>> ---

Thanks, Lorenzo and Ales! Applied to main and 24.09.

Regards,
Dumitru
