Hi, Ales! We would like to avoid checking for ACL while passing the egress pipeline on the logical switch where the target port (sink) is located for the cloned packet.
On 10 Feb 2025, at 17:04, Ales Musil <[email protected]> wrote:

That makes sense, with that you can probably scratch the suggestion from last paragraph. However, it makes this approach very error prone. If OVN changes the pipeline order, or adds another pipeline after "ls_in_l2_unknown", we might break the mirroring. I think it would make it way clearer and more robust if we would add a new action that would actually do the whole "clone { outport = "..."; resubmit(,OFTABLE_OUTPUT_INIT) }". I'm still a bit confused by the whole CT skip. So the flow matches on the outport being the mirror port mp-*. Is it because the clone will continue within the original switch in the egress so you want to avoid ACLs?

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
