On Mon, Apr 28, 2025 at 11:49 AM Dumitru Ceara <dce...@redhat.com> wrote:

> On 4/25/25 9:16 PM, Mark Michelson via dev wrote:
> > REGBIT_CONNTRACK_COMMIT determines if a packet will be committed to
> > conntrack when it reaches the STATEFUL stage of a logical switch. When
> > stateful ACLs are present, the goal is to have this bit set for all
> > traffic. However, if the packet hit only "pass" ACLs, then the packet
> > was being allowed but not being committed to conntrack.
> >
> > This patch addresses the error by setting REGBIT_CONNTRACK_COMMIT during
> > the ACL_HINT stage. Any time we set REGBIT_ACL_HINT_ALLOW_NEW, we also
> > set REGBIT_CONNTRACK_COMMIT. If the packet gets denied by ACLs, then the
> > packet will get dropped or rejected before REGBIT_CONNTRACK_COMMIT is
> > used. If the packet is allowed (statelessly, statefully, or by default),
> > then the packet will be committed to conntrack.
> >
> > Reported-at: https://issues.redhat.com/browse/FDP-1321
> >
> > Signed-off-by: Mark Michelson <mmich...@redhat.com>
> > ---
>
> Hi Mark,
>
> Thanks for the fix but for some reason this patch is a bit corrupted.  I
> manually applied it and pushed it for CI in my fork here:
>
>
> https://github.com/dceara/ovn/tree/refs/heads/review-pws454250-tier-acl-commit
>
> ovn-k CI: https://github.com/dceara/ovn/actions/runs/14704219132
> ovn CI: https://github.com/dceara/ovn/actions/runs/14704219144


Hello Mark and Dumitru,
I have one additional/parallel suggestion down below.

>
>
> >  northd/northd.c     |  20 +++---
> >  tests/ovn-northd.at | 172 ++++++++++++++++++++++----------------------
> >  tests/system-ovn.at | 120 +++++++++++++++++++++++++++++++
> >  3 files changed, 217 insertions(+), 95 deletions(-)
> >
> > diff --git a/northd/northd.c b/northd/northd.c
> > index 74792e38b..9f66c7469 100644
> > --- a/northd/northd.c
> > +++ b/northd/northd.c
> > @@ -6368,10 +6368,16 @@ build_acl_hints(const struct ls_stateful_record
> *ls_stateful_rec,
> >          /* New, not already established connections, may hit either
> allow
> >           * or drop ACLs. For allow ACLs, the connection must also be
> committed
> >           * to conntrack so we set REGBIT_ACL_HINT_ALLOW_NEW.
> > +         *
> > +         * All new traffic should be committed to conntrack if there are
> > +         * stateful ACLs present, so set REGBIT_CONNTRACK_COMMIT here to
> > +         * ensure that the traffic is committed to conntrack in the
> STATEFUL
> > +         * stage.
> >           */
> >          ovn_lflow_add(lflows, od, stage, 7, "ct.new && !ct.est",
> >                        REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
> >                        REGBIT_ACL_HINT_DROP " = 1; "
> > +                      REGBIT_CONNTRACK_COMMIT " = 1; "
> >                        "next;", lflow_ref);
> >
> >          /* Already established connections in the "request" direction
> that
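Review bot: The new comment in build_acl_hints should spell out the assumption the patch description relies on: REGBIT_CONNTRACK_COMMIT is set here before any ACL verdict exists, and that is only safe because a packet that ends up denied is dropped or rejected before the STATEFUL stage consumes the bit. Suggest adding a sentence along the lines of "Packets that are later denied never reach the STATEFUL stage, so setting the bit unconditionally here is safe." so the dependency on stage ordering is explicit to whoever next touches the ACL pipeline.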
> > @@ -6379,13 +6385,15 @@ build_acl_hints(const struct ls_stateful_record
> *ls_stateful_rec,
> >           * - allow ACLs for connections that were previously allowed by
> a
> >           *   policy that was deleted and is being readded now. In this
> case
> >           *   the connection should be recommitted so we set
> > -         *   REGBIT_ACL_HINT_ALLOW_NEW.
> > +         *   REGBIT_ACL_HINT_ALLOW_NEW. Since we want traffic
> recommitted
> > +         *   in this case, we also set REGBIT_CONNTRACK_COMMIT.
> >           * - drop ACLs.
> >           */
> >          ovn_lflow_add(lflows, od, stage, 6,
> >                        "!ct.new && ct.est && !ct.rpl && ct_mark.blocked
> == 1",
> >                        REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
> >                        REGBIT_ACL_HINT_DROP " = 1; "
> > +                      REGBIT_CONNTRACK_COMMIT " = 1; "
> >                        "next;", lflow_ref);
>
> I'm not sure this is correct.  This matches on sessions that were
> established at some point (so there was an ACL that allowed them) but
> later an ACL change happened and the new set of ACLs doesn't allow the
> sessions anymore.
>
> When the ACL change happened ct_mark.blocked was already set to 1 so we
> don't need to update these sessions.
>
> However later, in build_stateful(), we assume that if
> REGBIT_CONNTRACK_COMMIT == 1 we should recommit (with ct_mark.blocked =
> 0) which "unblocks" these sessions, breaking ACL behavior.
>
> I was about to suggest only setting REGBIT_CONNTRACK_COMMIT = 1 in this
> case if ct_mark.blocked == 0 but I'm afraid that might cause all packets
> in the original direction that match allow ACLs to be committed.
>
> There might still be a way to do this in the hint stage but I'm not so
> sure it's that easy.
>
> Maybe we should change the code that handles "pass" action instead so
> that it behaves as if action was "allow-related" if the ACLs tier is
> equal to the max tier for that switch?
>

I wonder if we actually should do something like the diff below:

diff --git a/northd/northd.c b/northd/northd.c
index 74792e38b..f42957670 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -7008,6 +7008,9 @@ consider_acl(struct lflow_table *lflows, const
struct ovn_datapath *od,
         build_acl_sample_label_action(actions, acl, acl->sample_new, NULL,
                                       obs_stage);

+        if (has_stateful && !strcmp(acl->action, "pass")) {
+            ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
+        }
         ds_put_cstr(actions, "next;");
         ds_put_format(match, "(%s)", acl->match);
         ovn_lflow_add_with_hint(lflows, od, stage, priority,
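Review bot: The condition `has_stateful && !strcmp(acl->action, "pass")` commits on every pass ACL hit regardless of tier, whereas the alternative floated above was to treat pass like allow-related only when the ACL's tier equals the switch's max tier. The patch description argues that a packet denied in a later tier is dropped or rejected before the STATEFUL stage consumes the bit, so the missing tier check is probably harmless, but that reasoning belongs in a comment above the `if`. It is also not visible in the hunk whether has_stateful is in scope in consider_acl at this point; if it is not, it needs to be passed in (build_acls and build_acl_hints both receive the ls_stateful_record, as the hunks in the original patch show).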

This should prevent the issues that Dumitru mentioned and, unless
I have overlooked something, should solve the issue.


> >
> >          /* Not tracked traffic can either be allowed or dropped. */
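Review bot: Setting REGBIT_CONNTRACK_COMMIT in the priority-6 flow (`!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1`) is the problematic part of this hunk, for the reason raised above: the match cannot distinguish a session whose allow ACL is being re-added from one whose allow ACL was removed, both carry ct_mark.blocked == 1, and build_stateful() recommits anything with the bit set using ct_mark.blocked = 0, which would unblock the second kind. Suggest dropping the `REGBIT_CONNTRACK_COMMIT " = 1; "` line from this flow and keeping only the priority-7 `ct.new && !ct.est` change, so recommit of blocked sessions stays tied to an explicit allow verdict (or to the "pass"-at-max-tier handling proposed in this thread); the added comment text "Since we want traffic recommitted in this case, we also set REGBIT_CONNTRACK_COMMIT." should then go as well.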
> > @@ -7041,7 +7049,6 @@ consider_acl(struct lflow_table *lflows, const
> struct ovn_datapath *od,
> >                        acl->match);
> >
> >          ds_truncate(actions, log_verdict_len);
> > -        ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
> >
> >          if (smap_get_bool(&acl->options, "persist-established", false))
> {
> >              const struct sbrec_acl_id *sb_id;
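Review bot: Removing `ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; ");` from the allow-related action in consider_acl leaves no indication at this site of where the commit bit now comes from; a reader of this function sees an allow verdict that no longer commits. Suggest a one-line comment here, e.g. `/* REGBIT_CONNTRACK_COMMIT is already set in the ACL hint stage. */`, pointing at build_acl_hints(), since the correctness of this removal depends entirely on the hint-stage flows staying in sync with the verdict flows.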
> > @@ -7477,22 +7484,17 @@ build_acls(const struct ls_stateful_record
> *ls_stateful_rec,
> >          ds_put_format(&match, "ip && ct.est && ct_mark.blocked == 1");
> >          ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1,
> >                        ds_cstr(&match),
> > -                      REGBIT_CONNTRACK_COMMIT" = 1; "
> >                        REGBIT_ACL_VERDICT_ALLOW" = 1; next;",
> >                        lflow_ref);
> >          ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1,
> >                        ds_cstr(&match),
> > -                      REGBIT_CONNTRACK_COMMIT" = 1; "
> >                        REGBIT_ACL_VERDICT_ALLOW" = 1; next;",
> >                        lflow_ref);
> >
> > -        const char *next_action = default_acl_drop
> > -                             ? "next;"
> > -                             : REGBIT_CONNTRACK_COMMIT" = 1; next;";
> >          ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1, "ip &&
> !ct.est",
> > -                      next_action, lflow_ref);
> > +                      "next;" , lflow_ref);
> >          ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1, "ip &&
> !ct.est",
> > -                      next_action, lflow_ref);
> > +                      "next;", lflow_ref);
> >
> >          /* Ingress and Egress ACL Table (Priority 65532).
> >           *
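Review bot: Style nit on the S_SWITCH_IN_ACL_EVAL call: `"next;" , lflow_ref);` has a stray space before the comma, while the S_SWITCH_OUT_ACL_EVAL call just below uses `"next;", lflow_ref);`. More importantly, dropping `REGBIT_CONNTRACK_COMMIT" = 1; "` from the two priority-1 `ip && ct.est && ct_mark.blocked == 1` flows makes recommit of blocked sessions depend on the priority-6 hint-stage flow added earlier in this patch; if that hint-stage change is reverted as discussed above, these two removals have to be reverted with it, since the allow-related path in consider_acl no longer sets the bit either and blocked sessions would then not be recommitted by any path visible in this patch.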
> > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> > index 82dfe92fd..82850e099 100644
> > --- a/tests/ovn-northd.at
> > +++ b/tests/ovn-northd.at
> > @@ -2442,13 +2442,13 @@ ovn-sbctl dump-flows sw1 > sw1flows3
> >  AT_CAPTURE_FILE([sw1flows3])
> >
> >  AT_CHECK([grep "ls_out_acl" sw0flows3 sw1flows3 | grep pg0 |
> ovn_strip_lflows], [0], [dnl
> > -sw0flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
> match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1;
> reg0[[1]] = 1; next;)
> > +sw0flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
> match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1;
> next;)
> >  sw0flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
> match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1;
> next;)
> >  sw0flows3:  table=??(ls_out_acl_eval    ), priority=2002 ,
> match=(reg0[[10]] == 1 && (outport == @pg0 && ip4 && udp)),
> action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1;
> ct_label.obs_point_id = 0; }; next;)
> >  sw0flows3:  table=??(ls_out_acl_eval    ), priority=2002 ,
> match=(reg0[[9]] == 1 && (outport == @pg0 && ip4 && udp)),
> action=(reg8[[18]] = 1; next;)
> >  sw0flows3:  table=??(ls_out_acl_eval    ), priority=2003 ,
> match=(reg0[[10]] == 1 && (outport == @pg0 && ip6 && udp)),
> action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1;
> ct_label.obs_point_id = 0; }; next;)
> >  sw0flows3:  table=??(ls_out_acl_eval    ), priority=2003 ,
> match=(reg0[[9]] == 1 && (outport == @pg0 && ip6 && udp)),
> action=(reg8[[18]] = 1; next;)
> > -sw1flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
> match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1;
> reg0[[1]] = 1; next;)
> > +sw1flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
> match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1;
> next;)
> >  sw1flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
> match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1;
> next;)
> >  sw1flows3:  table=??(ls_out_acl_eval    ), priority=2002 ,
> match=(reg0[[10]] == 1 && (outport == @pg0 && ip4 && udp)),
> action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1;
> ct_label.obs_point_id = 0; }; next;)
> >  sw1flows3:  table=??(ls_out_acl_eval    ), priority=2002 ,
> match=(reg0[[9]] == 1 && (outport == @pg0 && ip4 && udp)),
> action=(reg8[[18]] = 1; next;)
> > @@ -2715,8 +2715,8 @@ check ovn-nbctl --wait=sb \
> >      -- acl-add ls from-lport 2 "udp" allow-related \
> >      -- acl-add ls to-lport 2 "udp" allow-related
> >  AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e
> ls_out_acl_hint -e ls_in_acl -e ls_out_acl | grep 'ct\.' |
> ovn_strip_lflows], [0], [dnl
> > -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(reg0[[1]] = 1; next;)
> > -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(next;)
> > +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]]
> = 1; reg8[[16]] = 1; ct_commit_nat;)
> >    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
> >    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1;
> next;)
> > @@ -2726,10 +2726,10 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
> ls_in_acl_hint -e ls_out_acl_hint -e
> >    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
> action=(reg0[[9]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
> reg0[[10]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est),
> action=(reg0[[1]] = 1; next;)
> > -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est),
> action=(next;)
> > +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]]
> = 1; ct_commit_nat;)
> >    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
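Review bot: The updated expectation for `ls_in_acl_hint` priority 6 (`!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1`) now includes `reg0[[1]] = 1`, i.e. REGBIT_CONNTRACK_COMMIT set for blocked established sessions; this is the flow questioned in the northd.c review above, so the test currently locks in the disputed behavior rather than guarding against it. If that hint-stage change is dropped, these rows and the identical priority-6 rows in the later hunks of this file need to lose `reg0[[1]] = 1` again, and it would be worth adding a system test asserting that a session with ct_mark.blocked == 1 whose allow ACL has been removed stays blocked after the patch.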
> > @@ -2739,8 +2739,8 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
> ls_in_acl_hint -e ls_out_acl_hint -e
> >    table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
> action=(reg0[[9]] = 1; next;)
> >    table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
> reg0[[10]] = 1; next;)
> >    table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; next;)
> > -  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > +  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
> >  ])
> >
> >  AS_BOX([Check match ct_state with load balancer])
> > @@ -2756,9 +2756,9 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
> ls_in_acl_hint -e ls_out_acl_hint -e
> >    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]]
> == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]]
> == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=0    , match=(1),
> action=(next;)
> > -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(reg0[[1]] = 1; next;)
> > -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
> > -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(next;)
> > +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (ip)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1
> && (ip)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]]
> = 1; reg8[[16]] = 1; ct_commit_nat;)
> > @@ -2772,12 +2772,12 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
> ls_in_acl_hint -e ls_out_acl_hint -e
> >    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
> action=(reg0[[9]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
> reg0[[10]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=0    , match=(1),
> action=(next;)
> > -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est),
> action=(reg0[[1]] = 1; next;)
> > -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
> > -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1
> && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est),
> action=(next;)
> > +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> > +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1
> && (ip)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1
> && (ip)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]]
> = 1; ct_commit_nat;)
> > @@ -2791,8 +2791,8 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
> ls_in_acl_hint -e ls_out_acl_hint -e
> >    table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
> action=(reg0[[9]] = 1; next;)
> >    table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
> reg0[[10]] = 1; next;)
> >    table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; next;)
> > -  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > +  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
> >  ])
> >
> >  check ovn-nbctl --wait=sb clear logical_switch ls acls
> > @@ -4912,7 +4912,7 @@ ovn-sbctl dump-flows sw0 > sw0flows
> >  AT_CAPTURE_FILE([sw0flows])
> >
> >  AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 |
> ovn_strip_lflows], [0], [dnl
> > -  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
> next;)
> > +  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 =
> 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> >    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
> next;)
> >  ])
> >  AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
> > @@ -4922,7 +4922,7 @@ AT_CHECK([grep "ls_in_stateful" sw0flows |
> ovn_strip_lflows], [0], [dnl
> >  ])
> >
> >  AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 |
> ovn_strip_lflows], [0], [dnl
> > -  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
> next;)
> > +  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 =
> 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> >    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
> next;)
> >  ])
> >  AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
> > @@ -4939,8 +4939,8 @@ ovn-sbctl dump-flows sw0 > sw0flows
> >  AT_CAPTURE_FILE([sw0flows])
> >
> >  AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 |
> ovn_strip_lflows], [0], [dnl
> > -  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
> next;)
> > -  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1
> && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 =
> 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> > +  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1
> && (udp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
> next;)
> >    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1
> && (udp)), action=(reg8[[16]] = 1; next;)
> >  ])
> > @@ -4951,8 +4951,8 @@ AT_CHECK([grep "ls_in_stateful" sw0flows |
> ovn_strip_lflows], [0], [dnl
> >  ])
> >
> >  AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 |
> ovn_strip_lflows], [0], [dnl
> > -  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
> next;)
> > -  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1
> && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 =
> 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> > +  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1
> && (udp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
> next;)
> >    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1
> && (udp)), action=(reg8[[16]] = 1; next;)
> >  ])
> > @@ -4970,7 +4970,7 @@ ovn-sbctl dump-flows sw0 > sw0flows
> >  AT_CAPTURE_FILE([sw0flows])
> >
> >  AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 |
> ovn_strip_lflows], [0], [dnl
> > -  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1
> && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1
> && (udp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1
> && (udp)), action=(reg8[[16]] = 1; next;)
> >  ])
> >  AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
> > @@ -4980,7 +4980,7 @@ AT_CHECK([grep "ls_in_stateful" sw0flows |
> ovn_strip_lflows], [0], [dnl
> >  ])
> >
> >  AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 |
> ovn_strip_lflows], [0], [dnl
> > -  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1
> && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1
> && (udp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1
> && (udp)), action=(reg8[[16]] = 1; next;)
> >  ])
> >  AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
> > @@ -8109,13 +8109,13 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
> "ls_in_acl_hint" lsflows | ovn_strip_lflo
> >    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]]
> == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]]
> == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=0    , match=(1),
> action=(next;)
> > -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(reg0[[1]] = 1; next;)
> > -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(next;)
> > +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[10]] == 1
> && (ip4)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1;
> ct_label.obs_point_id = 0; }; next;)
> >    table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[9]] == 1
> && (ip4)), action=(reg8[[17]] = 1; next;)
> > -  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1
> && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1
> && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1
> && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
> > -  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] == 1
> && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] == 1
> && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[8]] == 1
> && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[10]] == 1
> && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit {
> ct_mark.blocked = 1; ct_label.obs_point_id = 0; }; next;)
> >    table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[9]] == 1
> && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;)
> > @@ -8131,8 +8131,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
> "ls_in_acl_hint" lsflows | ovn_strip_lflo
> >    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
> action=(reg0[[9]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
> reg0[[10]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
> >  ])
> >
> >  AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl
> > @@ -8166,9 +8166,9 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
> "ls_in_acl_hint" lsflows | ovn_strip_lflo
> >    table=??(ls_in_acl_after_lb_eval), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=2001 , match=(reg0[[10]]
> == 1 && (ip4)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1;
> ct_label.obs_point_id = 0; }; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=2001 , match=(reg0[[9]]
> == 1 && (ip4)), action=(reg8[[17]] = 1; next;)
> > -  table=??(ls_in_acl_after_lb_eval), priority=2002 , match=(reg0[[7]]
> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_after_lb_eval), priority=2002 , match=(reg0[[7]]
> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=2002 , match=(reg0[[8]]
> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
> > -  table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]]
> == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]]
> == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[8]]
> == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[10]]
> == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit {
> ct_mark.blocked = 1; ct_label.obs_point_id = 0; }; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[9]]
> == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;)
> > @@ -8176,8 +8176,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
> "ls_in_acl_hint" lsflows | ovn_strip_lflo
> >    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]]
> == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]]
> == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=0    , match=(1),
> action=(next;)
> > -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(reg0[[1]] = 1; next;)
> > -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(next;)
> > +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]]
> = 1; reg8[[16]] = 1; ct_commit_nat;)
> >    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
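Review bot: the priority-1 `ip && !ct.est` flow in ls_in_acl_eval is reduced in this hunk to `action=(next;)`, which makes it indistinguishable from the priority-0 `match=(1), action=(next;)` default two lines above it; if nothing else depends on that match, the flow could be dropped from northd.c rather than kept as an empty pass-through, or a comment in northd.c should say why it stays. The same hunk also removes the commit bit from the `ip && ct.est && ct_mark.blocked == 1` flow, so a connection that was blocked and is now allowed relies entirely on the hint stage to set reg0[[1]]; that dependency is worth one sentence in the commit message.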
> > @@ -8190,8 +8190,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
> "ls_in_acl_hint" lsflows | ovn_strip_lflo
> >    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
> action=(reg0[[9]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
> reg0[[10]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
> >  ])
> >
> >  AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl
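Review bot: the two hint-stage flows that now set reg0[[1]] in this hunk (priority 7 `ct.new && !ct.est` and priority 6 `!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1`) both exclude reply-direction traffic, while the eval-stage flow whose commit bit is removed in the preceding hunk (`ip && ct.est && ct_mark.blocked == 1`) matched both directions. Please confirm that reply packets of a blocked established connection are meant to stop being committed, and if so add a system-ovn.at case that exercises the reply direction so the new behaviour is locked in by a test rather than only by these lflow expectations.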
> > @@ -8231,11 +8231,11 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
> "ls_in_acl_hint" lsflows | ovn_strip_lflo
> >    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]]
> == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]]
> == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=0    , match=(1),
> action=(next;)
> > -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(reg0[[1]] = 1; next;)
> > -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
> > -  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1
> && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(next;)
> > +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1
> && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1
> && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
> > -  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] == 1
> && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] == 1
> && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[8]] == 1
> && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]]
> = 1; reg8[[16]] = 1; ct_commit_nat;)
> > @@ -8249,8 +8249,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
> "ls_in_acl_hint" lsflows | ovn_strip_lflo
> >    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
> action=(reg0[[9]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
> reg0[[10]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
> >  ])
> >
> >  AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl
> > @@ -8779,8 +8779,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
> "ls_.*_acl" | ovn_strip_lflows], [0], [
> >    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_eval     ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(next;)
> > -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
> > -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1
> && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]]
> = 1; reg8[[16]] = 1; ct_commit_nat;)
> > @@ -8794,8 +8794,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
> "ls_.*_acl" | ovn_strip_lflows], [0], [
> >    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
> action=(reg0[[9]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
> reg0[[10]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
> >    table=??(ls_in_acl_sample   ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_pre_acl      ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_pre_acl      ), priority=100  , match=(ip),
> action=(reg0[[0]] = 1; next;)
> > @@ -8809,7 +8809,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
> "ls_.*_acl" | ovn_strip_lflows], [0], [
> >    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[18]] ==
> 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0;
> reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport
> <-> inport; next(pipeline=ingress,table=??); };)
> >    table=??(ls_out_acl_eval    ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est),
> action=(next;)
> > -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
> > +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]]
> = 1; ct_commit_nat;)
> >    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg8[[16]] = 1; next;)
> > @@ -8822,8 +8822,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
> "ls_.*_acl" | ovn_strip_lflows], [0], [
> >    table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
> action=(reg0[[9]] = 1; next;)
> >    table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
> reg0[[10]] = 1; next;)
> >    table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; next;)
> > -  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > +  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
> >    table=??(ls_out_acl_sample  ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_out_pre_acl     ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_out_pre_acl     ), priority=100  , match=(ip),
> action=(reg0[[0]] = 1; next;)
> > @@ -8973,7 +8973,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
> "ls_.*_acl" | ovn_strip_lflows], [0], [
> >    table=??(ls_in_acl_after_lb_action), priority=1000 ,
> match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]]
> = 0; /* drop */)
> >    table=??(ls_in_acl_after_lb_action), priority=1000 ,
> match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]]
> = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is
> implicit. */ outport <-> inport; next(pipeline=egress,table=??); };)
> >    table=??(ls_in_acl_after_lb_eval), priority=0    , match=(1),
> action=(next;)
> > -  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]]
> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]]
> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]]
> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra
> || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]]
> == 1), action=(reg8[[16]] = 1; next;)
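Review bot: the two action flows at the top of this hunk are what make the hint-stage commit bit safe for denied traffic, and the commit message should spell that out: the priority-1000 drop action clears only reg8[[16..18]] and leaves reg0[[1]] set, which is harmless because the packet never reaches the stateful stage, while the reject action does `reg0 = 0` before `next(pipeline=egress, ...)`, so the re-injected packet no longer carries the commit bit. "Dropped or rejected before REGBIT_CONNTRACK_COMMIT is used" holds for reject only because of that `reg0 = 0`, so a line saying so would save the next reader from checking it by hand.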
> > @@ -8981,7 +8981,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
> "ls_.*_acl" | ovn_strip_lflows], [0], [
> >    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_eval     ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(next;)
> > -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]]
> = 1; reg8[[16]] = 1; ct_commit_nat;)
> >    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
> > @@ -8994,8 +8994,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
> "ls_.*_acl" | ovn_strip_lflows], [0], [
> >    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
> action=(reg0[[9]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
> reg0[[10]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
> >    table=??(ls_in_acl_sample   ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_pre_acl      ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_pre_acl      ), priority=100  , match=(ip),
> action=(reg0[[0]] = 1; next;)
> > @@ -9009,7 +9009,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
> "ls_.*_acl" | ovn_strip_lflows], [0], [
> >    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[18]] ==
> 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0;
> reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport
> <-> inport; next(pipeline=ingress,table=??); };)
> >    table=??(ls_out_acl_eval    ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est),
> action=(next;)
> > -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
> > +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]]
> = 1; ct_commit_nat;)
> >    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg8[[16]] = 1; next;)
> > @@ -9022,8 +9022,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
> "ls_.*_acl" | ovn_strip_lflows], [0], [
> >    table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
> action=(reg0[[9]] = 1; next;)
> >    table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
> reg0[[10]] = 1; next;)
> >    table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; next;)
> > -  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > +  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
> >    table=??(ls_out_acl_sample  ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_out_pre_acl     ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_out_pre_acl     ), priority=100  , match=(ip),
> action=(reg0[[0]] = 1; next;)
> > @@ -9179,7 +9179,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
> "ls_.*_acl" | ovn_strip_lflows], [0], [
> >    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_eval     ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(next;)
> > -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]]
> = 1; reg8[[16]] = 1; ct_commit_nat;)
> >    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
> > @@ -9192,8 +9192,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
> "ls_.*_acl" | ovn_strip_lflows], [0], [
> >    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
> action=(reg0[[9]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
> reg0[[10]] = 1; next;)
> >    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; next;)
> > -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
> >    table=??(ls_in_acl_sample   ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_pre_acl      ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_pre_acl      ), priority=100  , match=(ip),
> action=(reg0[[0]] = 1; next;)
> > @@ -9207,8 +9207,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
> "ls_.*_acl" | ovn_strip_lflows], [0], [
> >    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[18]] ==
> 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0;
> reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport
> <-> inport; next(pipeline=ingress,table=??); };)
> >    table=??(ls_out_acl_eval    ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est),
> action=(next;)
> > -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
> > -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1
> && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> > +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1
> && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1
> && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]]
> = 1; ct_commit_nat;)
> > @@ -9222,8 +9222,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
> "ls_.*_acl" | ovn_strip_lflows], [0], [
> >    table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
> action=(reg0[[9]] = 1; next;)
> >    table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
> reg0[[10]] = 1; next;)
> >    table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
> > -  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; next;)
> > -  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > +  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
> reg0[[9]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
> >    table=??(ls_out_acl_sample  ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_out_pre_acl     ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_out_pre_acl     ), priority=100  , match=(ip),
> action=(reg0[[0]] = 1; next;)
> > @@ -13197,7 +13197,7 @@ check_uuid ovn-nbctl --wait=sb \
> >    --id=@sample2 create Sample collector="$collector1 $collector2"
> metadata=4302 -- \
> >    --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1
> "1" allow-related
> >  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> > -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
> next;)
> > +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> >    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
> next;)
> >    table=??(ls_in_acl_sample   ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new
> && reg3 == 4301),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> next;)
> > @@ -13230,7 +13230,7 @@ check_uuid ovn-nbctl --wait=sb \
> >    --id=@sample1 create Sample collector="$collector1 $collector2"
> metadata=4301 -- \
> >    --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related
> >  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> > -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
> next;)
> > +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> >    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> >    table=??(ls_in_acl_sample   ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new
> && reg3 == 4301),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> next;)
> > @@ -13260,7 +13260,7 @@ check_uuid ovn-nbctl --wait=sb \
> >    --id=@sample2 create Sample collector="$collector1 $collector2"
> metadata=4302 -- \
> >    --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add
> ls from-lport 1 "1" allow-related
> >  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e
> ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> > -  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]]
> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1;
> next;)
> > +  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]]
> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 =
> 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]]
> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1;
> next;)
> >    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip &&
> ct.new && reg3 == 4301),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> next;)
> > @@ -13293,7 +13293,7 @@ check_uuid ovn-nbctl --wait=sb \
> >    --id=@sample1 create Sample collector="$collector1 $collector2"
> metadata=4301 -- \
> >    --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 "1"
> allow-related
> >  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e
> ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> > -  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]]
> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1;
> next;)
> > +  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]]
> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 =
> 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]]
> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 =
> 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip &&
> ct.new && reg3 == 4301),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> next;)
> > @@ -13325,7 +13325,7 @@ check_uuid ovn-nbctl --wait=sb \
> >  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
> ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> >    table=??(ls_in_acl_sample   ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_sample   ), priority=1200 , match=(ip && ct.trk &&
> (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 &&
> ct_label.obs_unused == 0),
> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> next;)
> > -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
> next;)
> > +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> >    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
> next;)
> >    table=??(ls_out_acl_sample  ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_out_acl_sample  ), priority=1100 , match=(ip && (ct.new
> || !ct.trk) && reg3 == 4301),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> next;)
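Review bot: after this hunk the `reg0[[7]] == 1` flow in ls_out_acl_eval no longer sets reg0[[1]], but the unchanged `reg0[[8]] == 1` flow directly below it still does, and the same asymmetry shows up in every sample-est variant in the file while the sample-new-only variants carry no reg0[[1]] on either flow. That established-direction commit is presumably what keeps ct_label.obs_point_id current for the priority-1200 `ct_label.obs_point_id == 4302` sample match earlier in the hunk; since this patch is specifically about where the commit bit is set, a comment beside these expectations (or a sentence in the commit message) stating that the remaining reg0[[1]] is the sample-est commit and is intentionally untouched would keep it from being read as a leftover.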
> > @@ -13358,7 +13358,7 @@ check_uuid ovn-nbctl --wait=sb \
> >    --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related
> >  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
> ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> >    table=??(ls_in_acl_sample   ), priority=0    , match=(1),
> action=(next;)
> > -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
> next;)
> > +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> >    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> >    table=??(ls_out_acl_sample  ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_out_acl_sample  ), priority=1100 , match=(ip && (ct.new
> || !ct.trk) && reg3 == 4301),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> next;)
> > @@ -13418,7 +13418,7 @@ check_uuid ovn-nbctl --wait=sb
>                        \
> >    --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \
> >    --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1
> "1" allow-related
> >  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> > -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0;
> next;)
> > +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
> >    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0;
> next;)
> >    table=??(ls_in_acl_sample   ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new
> && reg3 == 4301),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> next;)
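Review bot: the expected output in this hunk drops reg0[[1]] = 1 only from the reg0[[7]] == 1 (allow-new hint) flow, while the unchanged reg0[[8]] == 1 flow right below it still carries reg0[[1]] = 1 alongside reg9 = 4302; in the hunks where reg9 = 0 the reg0[[8]] flow has no commit bit at all. That asymmetry is presumably deliberate (an already-established connection has to be re-committed to update its ct label when a sample-est is configured), but nothing in the commit message says so. Please add a sentence to the commit message, or a comment in northd.c next to the sampling action, stating that the commit bit moved to the ACL_HINT stage covers new connections and that the reg0[[1]] = 1 kept here is the sample-est re-commit, not a leftover, so the next reader does not "clean it up".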
> > @@ -13456,7 +13456,7 @@ check_uuid ovn-nbctl --wait=sb
>                        \
> >    --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \
> >    --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1
> "1" allow-related
> >  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> > -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0;
> next;)
> > +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
> >    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0;
> next;)
> >    table=??(ls_in_acl_sample   ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.new
> && reg8[[0..7]] == 1 && reg8[[19..20]] == 0),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> next;)
> > @@ -13491,7 +13491,7 @@ check_uuid ovn-nbctl --wait=sb
>                        \
> >    --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \
> >    --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related
> >  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> > -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
> next;)
> > +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> >    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> >    table=??(ls_in_acl_sample   ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.new
> && reg8[[0..7]] == 1 && reg8[[19..20]] == 0),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> next;)
> > @@ -13524,7 +13524,7 @@ check_uuid ovn-nbctl --wait=sb
>                        \
> >    --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \
> >    --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add
> ls from-lport 1 "1" allow-related
> >  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e
> ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> > -  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]]
> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1;
> next;)
> > +  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]]
> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 =
> 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]]
> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1;
> next;)
> >    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip &&
> ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> next;)
> > @@ -13559,7 +13559,7 @@ check_uuid ovn-nbctl --wait=sb
>                        \
> >    --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \
> >    --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 "1"
> allow-related
> >  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e
> ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> > -  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]]
> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 1;
> next;)
> > +  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]]
> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 =
> 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]]
> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 =
> 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip &&
> ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> next;)
> > @@ -13594,7 +13594,7 @@ check_uuid ovn-nbctl --wait=sb
>                        \
> >  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
> ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> >    table=??(ls_in_acl_sample   ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.trk &&
> (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
> ct_mark.obs_collector_id == 1),
> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> next;)
> > -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2;
> next;)
> > +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;)
> >    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2;
> next;)
> >    table=??(ls_out_acl_sample  ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && (ct.new
> || !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> next;)
> > @@ -13629,7 +13629,7 @@ check_uuid ovn-nbctl --wait=sb
>                        \
> >    --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related
> >  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
> ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> >    table=??(ls_in_acl_sample   ), priority=0    , match=(1),
> action=(next;)
> > -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
> next;)
> > +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> >    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1
> && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> >    table=??(ls_out_acl_sample  ), priority=0    , match=(1),
> action=(next;)
> >    table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && (ct.new
> || !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> next;)
> > @@ -14950,17 +14950,17 @@ check ovn-nbctl acl-add sw to-lport 1002 "ip"
> allow-related
> >  check ovn-nbctl --apply-after-lb acl-add sw from-lport 1003 "udp"
> allow-related
> >
> >  AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | grep
> priority=2001 | ovn_strip_lflows], [0], [dnl
> > -  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] == 1
> && (tcp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[8]] == 1
> && (tcp)), action=(reg8[[16]] = 1; next;)
> >  ])
> >
> >  AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_after_lb_eval | grep
> priority=2003 | ovn_strip_lflows], [0], [dnl
> > -  table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]]
> == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]]
> == 1 && (udp)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[8]]
> == 1 && (udp)), action=(reg8[[16]] = 1; next;)
> >  ])
> >
> >  AT_CHECK([ovn-sbctl lflow-list sw | grep ls_out_acl_eval | grep
> priority=2002 | ovn_strip_lflows], [0], [dnl
> > -  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1
> && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
> > +  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1
> && (ip)), action=(reg8[[16]] = 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1
> && (ip)), action=(reg8[[16]] = 1; next;)
> >  ])
> >
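Review bot: this hunk (like the other ovn-northd.at hunks in the series) only asserts that reg0[[1]] = 1 disappeared from the acl_eval flows; there is no corresponding positive check that the ls_in_acl_hint / ls_out_acl_hint flows now emit reg0[[1]] = 1 together with reg0[[7]] = 1. Consider adding an lflow-list check on the hint stage in one of these tests so that the new location of the commit bit is pinned down, otherwise a later change that drops the bit from build_acl_hints() would still pass this file and only the system test would catch it.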
> > @@ -14980,17 +14980,17 @@ after_lb_id=$(ovn-sbctl get ACL_ID
> $after_lb_uuid id)
> >
> >  dnl Now we should see the registers being set to the appropriate values.
> >  AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | grep
> priority=2001 | ovn_strip_lflows], [0], [dnl
> > -  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg2[[16..31]] =
> $ingress_id; reg0[[20]] = 1; next;)
> > +  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] == 1
> && (tcp)), action=(reg8[[16]] = 1; reg2[[16..31]] = $ingress_id; reg0[[20]]
> = 1; next;)
> >    table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[8]] == 1
> && (tcp)), action=(reg8[[16]] = 1; next;)
> >  ])
> >
> >  AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep
> ls_in_acl_after_lb_eval | grep priority=2003 | ovn_strip_lflows], [0], [dnl
> > -  table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]]
> == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg2[[16..31]] =
> $after_lb_id; reg0[[20]] = 1; next;)
> > +  table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]]
> == 1 && (udp)), action=(reg8[[16]] = 1; reg2[[16..31]] = $after_lb_id;
> reg0[[20]] = 1; next;)
> >    table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[8]]
> == 1 && (udp)), action=(reg8[[16]] = 1; next;)
> >  ])
> >
> >  AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep ls_out_acl_eval |
> grep priority=2002 | ovn_strip_lflows], [0], [dnl
> > -  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1
> && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg2[[16..31]] =
> $egress_id; reg0[[20]] = 1; next;)
> > +  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1
> && (ip)), action=(reg8[[16]] = 1; reg2[[16..31]] = $egress_id; reg0[[20]] =
> 1; next;)
> >    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1
> && (ip)), action=(reg8[[16]] = 1; next;)
> >  ])
> >
> > diff --git a/tests/system-ovn.at b/tests/system-ovn.at
> > index 5fa740cfb..9faadfb1d 100644
> > --- a/tests/system-ovn.at
> > +++ b/tests/system-ovn.at
> > @@ -17618,3 +17618,123 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query
> port patch-.*/d
> >  /connection dropped.*/d"])
> >  AT_CLEANUP
> >  ])
> > +
> > +
> > +OVN_FOR_EACH_NORTHD([
> > +AT_SETUP([conntrack on pass ACLs])
> > +
> > +CHECK_CONNTRACK()
> > +CHECK_CONNTRACK_NAT()
> > +ovn_start
> > +OVS_TRAFFIC_VSWITCHD_START()
> > +ADD_BR([br-int])
> > +#
> > +# Set external-ids in br-int needed for ovn-controller
> > +check ovs-vsctl \
> > +        -- set Open_vSwitch . external-ids:system-id=hv1 \
> > +        -- set Open_vSwitch .
> external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \
> > +        -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \
> > +        -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \
> > +        -- set bridge br-int fail-mode=secure
> other-config:disable-in-band=true
> > +
> > +# Start ovn-controller
> > +start_daemon ovn-controller
> > +
> > +# Ensure that when stateful ACLs are present, a "pass"
> > +# action results in the packet being allowed (since we
> > +# do not have whatever that thing is called that
> > +# drops packets by default when using ACLs enabled). If
> > +# this is the final verdict of all ACL tiers, then the
> > +# packet should also be committed to conntrack, the same
> > +# as if an "allow" of "allow-related" verdict were final.
> > +
> > +check ovn-nbctl ls-add ls
> > +check ovn-nbctl lsp-add ls lsp1 \
> > +-- lsp-set-addresses lsp1 "f0:00:00:00:00:01 192.168.1.1"
> > +check ovn-nbctl lsp-add ls lsp2 \
> > +-- lsp-set-addresses lsp2 "f0:00:00:00:00:02 192.168.1.2"
> > +
> > +ADD_NAMESPACES(lsp1)
> > +ADD_VETH(lsp1, lsp1, br-int, "192.168.1.1/24", "f0:00:00:00:00:01", \
> > +         "192.168.1.100")
> > +
> > +ADD_NAMESPACES(lsp2)
> > +ADD_VETH(lsp2, lsp2, br-int, "192.168.1.2/24", "f0:00:00:00:00:02", \
> > +         "192.168.1.100")
> > +
> > +# First, set up a "pass" ACL by itself.
> > +check ovn-nbctl acl-add ls from-lport 1000 "ip4.src == 192.168.1.1" pass
> > +check ovn-nbctl acl-add ls to-lport 1000 "ip4.src == 192.168.1.2" pass
> > +
> > +# Ping should succeed since from-lport "pass" ACL is the only one
> matched.
> > +NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 192.168.1.2 |
> FORMAT_PING], \
> > +[0], [dnl
> > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > +])
> > +
> > +# Ping the other way should also succeed since to-lport "pass" ACL is
> matched.
> > +NS_CHECK_EXEC([lsp2], [ping -q -c 3 -i 0.3 -w 2 192.168.1.1 |
> FORMAT_PING], \
> > +[0], [dnl
> > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > +])
> > +
> > +# There should be no conntrack entries created since there are no
> stateful ACLs.
> > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.2) | \
> > +sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [1], [dnl
> > +])
> > +
> > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.1) | \
> > +sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [1], [dnl
> > +])
> > +
> > +# Now add an arbitrary stateful ACL to the mix. We'll never match on
> this
> > +# ACL, but its presence should change things.
> > +check ovn-nbctl acl-add ls from-lport 200 "ip4.src == 192.168.1.50"
> allow-related
> > +
> > +# Pings should still succeed.
> > +NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 192.168.1.2 |
> FORMAT_PING], \
> > +[0], [dnl
> > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > +])
> > +NS_CHECK_EXEC([lsp2], [ping -q -c 3 -i 0.3 -w 2 192.168.1.1 |
> FORMAT_PING], \
> > +[0], [dnl
> > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > +])
> > +
> > +# Now there should be conntrack entries from the pings
> > +# We should have an entry for each direction of traffic in
> > +# each port's zone: a total of four.
> > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.2) | \
> > +sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [0], [dnl
> >
> +icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
> >
> +icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
> >
> +icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
> >
> +icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
> > +])
> > +
> > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.1) | \
> > +sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [0], [dnl
> >
> +icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
> >
> +icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
> >
> +icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
> >
> +icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
> > +])
> > +
> > +OVN_CLEANUP_CONTROLLER([hv1])
> > +
> > +as ovn-sb
> > +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
> > +
> > +as ovn-nb
> > +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
> > +
> > +as northd
> > +OVS_APP_EXIT_AND_WAIT([ovn-northd])
> > +
> > +as
> > +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d
> > +/connection dropped.*/d"])
> > +
> > +AT_CLEANUP
> > +])
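Review bot: the new test adds ACLs only in the default tier, so the "If this is the final verdict of all ACL tiers" case that the comment describes (and that the "pass" verdict exists for) is never exercised; a variant with a "pass" ACL in a lower tier followed by a stateful verdict in a higher tier would cover the path the commit message is actually fixing. Smaller points in the same hunk: the comment should say "allow" or "allow-related" rather than "allow" of "allow-related"; "whatever that thing is called that drops packets by default" should name the setting it refers to (the NB_Global default-drop ACL option) instead of leaving a placeholder in a committed test; CHECK_CONNTRACK_NAT() is called although the test configures no NAT, which needlessly narrows where the test can run; and the two blank lines inserted before OVN_FOR_EACH_NORTHD([ differ from the single blank line used between the surrounding tests.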
>
> Regards,
> Dumitru
>
>
Thanks,
Ales
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
