On 4/28/25 3:47 PM, Mark Michelson wrote: > On 4/28/25 05:49, Dumitru Ceara wrote: >> On 4/25/25 9:16 PM, Mark Michelson via dev wrote: >>> REGBIT_CONNTRACK_COMMIT determines if a packet will be committed to >>> conntrack when it reaches the STATEFUL stage of a logical switch. When >>> stateful ACLs are present, the goal is to have this bit set for all >>> traffic. However, if the packet hit only "pass" ACLs, then the packet >>> was being allowed but not being committed to conntrack. >>> >>> This patch addresses the error by setting REGBIT_CONNTRACK_COMMIT during >>> the ACL_HINT stage. Any time we set REGBIT_ACL_HINT_ALLOW_NEW, we also >>> set REGBIT_CONNTRACK_COMMIT. If the packet gets denied by ACLs, then the >>> packet will get dropped or rejected before REGBIT_CONNTRACK_COMMIT is >>> used. If the packet is allowed (statelessly, statefully, or by default), >>> then the packet will be committed to conntrack. >>> >>> Reported-at: https://issues.redhat.com/browse/FDP-1321 >>> >>> Signed-off-by: Mark Michelson <mmich...@redhat.com> >>> --- >> >> Hi Mark, >> >> Thanks for the fix but for some reason this patch is a bit corrupted. I >> manually applied it and pushed it for CI in my fork here: >> >> https://github.com/dceara/ovn/tree/refs/heads/review-pws454250-tier- >> acl-commit >> >> ovn-k CI: https://github.com/dceara/ovn/actions/runs/14704219132 >> ovn CI: https://github.com/dceara/ovn/actions/runs/14704219144 >> >>> northd/northd.c | 20 +++--- >>> tests/ovn-northd.at | 172 ++++++++++++++++++++++---------------------- >>> tests/system-ovn.at | 120 +++++++++++++++++++++++++++++++ >>> 3 files changed, 217 insertions(+), 95 deletions(-) >>> >>> diff --git a/northd/northd.c b/northd/northd.c >>> index 74792e38b..9f66c7469 100644 >>> --- a/northd/northd.c >>> +++ b/northd/northd.c 
>>> @@ -6368,10 +6368,16 @@ build_acl_hints(const struct >>> ls_stateful_record *ls_stateful_rec, >>> /* New, not already established connections, may hit either >>> allow >>> * or drop ACLs. For allow ACLs, the connection must also >>> be committed >>> * to conntrack so we set REGBIT_ACL_HINT_ALLOW_NEW. >>> + * >>> + * All new traffic should be committed to conntrack if there >>> are >>> + * stateful ACLs present, so set REGBIT_CONNTRACK_COMMIT >>> here to >>> + * ensure that the traffic is committed to conntrack in the >>> STATEFUL >>> + * stage. >>> */ >>> ovn_lflow_add(lflows, od, stage, 7, "ct.new && !ct.est", >>> REGBIT_ACL_HINT_ALLOW_NEW " = 1; " >>> REGBIT_ACL_HINT_DROP " = 1; " >>> + REGBIT_CONNTRACK_COMMIT " = 1; " >>> "next;", lflow_ref); >>> /* Already established connections in the "request" >>> direction that 
>>> @@ -6379,13 +6385,15 @@ build_acl_hints(const struct >>> ls_stateful_record *ls_stateful_rec, >>> * - allow ACLs for connections that were previously >>> allowed by a >>> * policy that was deleted and is being readded now. In >>> this case >>> * the connection should be recommitted so we set >>> - * REGBIT_ACL_HINT_ALLOW_NEW. >>> + * REGBIT_ACL_HINT_ALLOW_NEW. Since we want traffic >>> recommitted >>> + * in this case, we also set REGBIT_CONNTRACK_COMMIT. >>> * - drop ACLs. >>> */ >>> ovn_lflow_add(lflows, od, stage, 6, >>> "!ct.new && ct.est && !ct.rpl && >>> ct_mark.blocked == 1", >>> REGBIT_ACL_HINT_ALLOW_NEW " = 1; " >>> REGBIT_ACL_HINT_DROP " = 1; " >>> + REGBIT_CONNTRACK_COMMIT " = 1; " >>> "next;", lflow_ref); >> >> I'm not sure this is correct. This matches on sessions that were >> established at some point (so there was an ACL that allowed them) but >> later an ACL change happened and the new set of ACLs doesn't allow the >> sessions anymore. >> >> When the ACL change happened ct_mark.blocked was already set to 1 so we >> don't need to update these sessions. >> >> However later, in build_stateful(), we assume that if >> REGBIT_CONNTRACK_COMMIT == 1 we should recommit (with ct_mark.blocked = >> 0) which "unblocks" these sessions, breaking ACL behavior. > > My change is based on comments in the code. Prior to my patch, the > comment above this section says: > > /* Already established connections in the "request" direction that > * are already marked as "blocked" may hit either: > * - allow ACLs for connections that were previously allowed by a > * policy that was deleted and is being readded now. In this case > * the connection should be recommitted so we set > * REGBIT_ACL_HINT_ALLOW_NEW. > * - drop ACLs. > */ > > Then, in consider_acl(), there is this comment: > > * It's also possible that a known connection was marked for > * deletion after a policy was deleted, but the policy was > * re-added while that connection is still known. 
We catch > * that case here and un-set ct_mark.blocked (which will be done > * by ct_commit in the "stateful" stage) to indicate that the > * connection should be allowed to resume. > > So it seems like the whole idea behind REGBIT_ACL_HINT_ALLOW_NEW in this > particular scenario is to re-commit the packet, setting ct_mark.blocked > = 0 in the process. The reasoning is that the session was allowed, then > the policy was removed, resulting in the packet being blocked. Then the > policy was re-added, resulting in the packet needing to be re-committed. >
Sure. > So I think this won't break ACL behavior, but will maintain the current > behavior for the obscure case where ACLs are added, removed, and then > re-added. > > One aspect about REGBIT_ACL_HINT_ALLOW_NEW is that it requires the > packet to re-match ACLs before being allowed. So in the case where the > packet should be dropped still (because the ACL was removed), then the > packet should still end up being dropped since the packet will not match > the removed ACL. > Thanks for the clarification. Re-reading the code, you might be right. However, because we set REGBIT_CONNTRACK_COMMIT = 1 when "!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1", that means we (re)commit each and every packet that hits this rule. I think that wasn't the case before. Packets that end up being dropped shouldn't cause ct_commit{... ct_mark.blocked = 1,...} if ct_mark.blocked already is "1". I _think_ this behavior change happens due to your patch. >> >> I was about to suggest only setting REGBIT_CONNTRACK_COMMIT = 1 in this >> case if ct_mark.blocked == 0 but I'm afraid that might cause all packets >> in the original direction that match allow ACLs to be committed. >> >> There might still be a way to do this in the hint stage but I'm not so >> sure it's that easy. >> >> Maybe we should change the code that handles "pass" action instead so >> that it behaves as if action was "allow-related" if the ACLs tier is >> equal to the max tier for that switch? > I can certainly go with something like that. My thought here was that > the way I went about it makes it so that no matter what changes happen > at the ACL evaluation or action stages, the packets will get committed > to conntrack in the STATEFUL stage. > Maybe a simpler and safer solution is Ales' suggestion here: https://mail.openvswitch.org/pipermail/ovs-dev/2025-April/423084.html >> >>> /* Not tracked traffic can either be allowed or dropped. */ 
>>> @@ -7041,7 +7049,6 @@ consider_acl(struct lflow_table *lflows, const >>> struct ovn_datapath *od, >>> acl->match); >>> ds_truncate(actions, log_verdict_len); >>> - ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); >>> if (smap_get_bool(&acl->options, "persist-established", >>> false)) { >>> const struct sbrec_acl_id *sb_id; >>> @@ -7477,22 +7484,17 @@ build_acls(const struct ls_stateful_record >>> *ls_stateful_rec, >>> ds_put_format(&match, "ip && ct.est && ct_mark.blocked == 1"); >>> ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1, >>> ds_cstr(&match), >>> - REGBIT_CONNTRACK_COMMIT" = 1; " >>> REGBIT_ACL_VERDICT_ALLOW" = 1; next;", >>> lflow_ref); >>> ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1, >>> ds_cstr(&match), >>> - REGBIT_CONNTRACK_COMMIT" = 1; " >>> REGBIT_ACL_VERDICT_ALLOW" = 1; next;", >>> lflow_ref); >>> - const char *next_action = default_acl_drop >>> - ? "next;" >>> - : REGBIT_CONNTRACK_COMMIT" = 1; next;"; >>> ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1, "ip && ! >>> ct.est", >>> - next_action, lflow_ref); >>> + "next;" , lflow_ref); >>> ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1, "ip >>> && !ct.est", >>> - next_action, lflow_ref); >>> + "next;", lflow_ref); >>> /* Ingress and Egress ACL Table (Priority 65532). >>> * >>> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at >>> index 82dfe92fd..82850e099 100644 >>> --- a/tests/ovn-northd.at >>> +++ b/tests/ovn-northd.at 
>>> @@ -2442,13 +2442,13 @@ ovn-sbctl dump-flows sw1 > sw1flows3 >>> AT_CAPTURE_FILE([sw1flows3]) >>> AT_CHECK([grep "ls_out_acl" sw0flows3 sw1flows3 | grep pg0 | >>> ovn_strip_lflows], [0], [dnl >>> -sw0flows3: table=??(ls_out_acl_eval ), priority=2001 , >>> match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] >>> = 1; reg0[[1]] = 1; next;) >>> +sw0flows3: table=??(ls_out_acl_eval ), priority=2001 , >>> match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] >>> = 1; next;) >>> sw0flows3: table=??(ls_out_acl_eval ), priority=2001 , >>> match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] >>> = 1; next;) >>> sw0flows3: table=??(ls_out_acl_eval ), priority=2002 , >>> match=(reg0[[10]] == 1 && (outport == @pg0 && ip4 && udp)), >>> action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; >>> ct_label.obs_point_id = 0; }; next;) >>> sw0flows3: table=??(ls_out_acl_eval ), priority=2002 , >>> match=(reg0[[9]] == 1 && (outport == @pg0 && ip4 && udp)), >>> action=(reg8[[18]] = 1; next;) >>> sw0flows3: table=??(ls_out_acl_eval ), priority=2003 , >>> match=(reg0[[10]] == 1 && (outport == @pg0 && ip6 && udp)), >>> action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; >>> ct_label.obs_point_id = 0; }; next;) >>> sw0flows3: table=??(ls_out_acl_eval ), priority=2003 , >>> match=(reg0[[9]] == 1 && (outport == @pg0 && ip6 && udp)), >>> action=(reg8[[18]] = 1; next;) >>> -sw1flows3: table=??(ls_out_acl_eval ), priority=2001 , >>> match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] >>> = 1; reg0[[1]] = 1; next;) >>> +sw1flows3: table=??(ls_out_acl_eval ), priority=2001 , >>> match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] >>> = 1; next;) >>> sw1flows3: table=??(ls_out_acl_eval ), priority=2001 , >>> match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] >>> = 1; next;) >>> sw1flows3: table=??(ls_out_acl_eval ), priority=2002 , >>> match=(reg0[[10]] == 1 && (outport == @pg0 && 
ip4 && udp)), >>> action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; >>> ct_label.obs_point_id = 0; }; next;) >>> sw1flows3: table=??(ls_out_acl_eval ), priority=2002 , >>> match=(reg0[[9]] == 1 && (outport == @pg0 && ip4 && udp)), >>> action=(reg8[[18]] = 1; next;) >>> @@ -2715,8 +2715,8 @@ check ovn-nbctl --wait=sb \ >>> -- acl-add ls from-lport 2 "udp" allow-related \ >>> -- acl-add ls to-lport 2 "udp" allow-related >>> AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e >>> ls_out_acl_hint -e ls_in_acl -e ls_out_acl | grep 'ct\.' | >>> ovn_strip_lflows], [0], [dnl >>> - table=??(ls_in_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(reg0[[1]] = 1; next;) >>> - table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(next;) >>> + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && >>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), >>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) >>> table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ! >>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), >>> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = >>> 1; next;) >>> table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && >>> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = >>> 1; next;) 
>>> @@ -2726,10 +2726,10 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e >>> ls_in_acl_hint -e ls_out_acl_hint -e >>> table=??(ls_in_acl_hint ), priority=3 , match=(!ct.est), >>> action=(reg0[[9]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=4 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; >>> reg0[[10]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), >>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_out_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(reg0[[1]] = 1; next;) >>> - table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(next;) >>> + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && >>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), >>> action=(reg8[[16]] = 1; ct_commit_nat;) >>> table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ! 
>>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), >>> action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && >>> ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;) >>> @@ -2739,8 +2739,8 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e >>> ls_in_acl_hint -e ls_out_acl_hint -e >>> table=??(ls_out_acl_hint ), priority=3 , match=(!ct.est), >>> action=(reg0[[9]] = 1; next;) >>> table=??(ls_out_acl_hint ), priority=4 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; >>> reg0[[10]] = 1; next;) >>> table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), >>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; next;) >>> - table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) >>> + table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> ]) >>> AS_BOX([Check match ct_state with load balancer]) 
>>> @@ -2756,9 +2756,9 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e >>> ls_in_acl_hint -e ls_out_acl_hint -e >>> table=??(ls_in_acl_after_lb_eval), priority=65532, >>> match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=65532, >>> match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=0 , match=(1), >>> action=(next;) >>> - table=??(ls_in_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(reg0[[1]] = 1; next;) >>> - table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) >>> - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(next;) >>> + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (ip)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] >>> == 1 && (ip)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == >>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && >>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), >>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) 
>>> @@ -2772,12 +2772,12 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e >>> ls_in_acl_hint -e ls_out_acl_hint -e >>> table=??(ls_in_acl_hint ), priority=3 , match=(!ct.est), >>> action=(reg0[[9]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=4 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; >>> reg0[[10]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), >>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=0 , match=(1), >>> action=(next;) >>> - table=??(ls_out_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(reg0[[1]] = 1; next;) >>> - table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) >>> - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ! 
>>> ct.est), action=(next;) >>> + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;) >>> + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (ip)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] >>> == 1 && (ip)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == >>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && >>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), >>> action=(reg8[[16]] = 1; ct_commit_nat;) >>> @@ -2791,8 +2791,8 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e >>> ls_in_acl_hint -e ls_out_acl_hint -e >>> table=??(ls_out_acl_hint ), priority=3 , match=(!ct.est), >>> action=(reg0[[9]] = 1; next;) >>> table=??(ls_out_acl_hint ), priority=4 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; >>> reg0[[10]] = 1; next;) >>> table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), >>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; next;) >>> - table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) >>> + table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> ]) >>> check ovn-nbctl --wait=sb clear logical_switch ls acls 
>>> @@ -4912,7 +4912,7 @@ ovn-sbctl dump-flows sw0 > sw0flows >>> AT_CAPTURE_FILE([sw0flows]) >>> AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | >>> ovn_strip_lflows], [0], [dnl >>> - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 0; next;) >>> + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234; >>> reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; >>> next;) >>> table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] >>> == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = >>> 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 0; next;) >>> ]) >>> AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], >>> [dnl >>> @@ -4922,7 +4922,7 @@ AT_CHECK([grep "ls_in_stateful" sw0flows | >>> ovn_strip_lflows], [0], [dnl >>> ]) >>> AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | >>> ovn_strip_lflows], [0], [dnl >>> - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 2; next;) >>> + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234; >>> reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; >>> next;) >>> table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] >>> == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = >>> 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 2; next;) >>> ]) >>> AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], >>> [dnl 
>>> @@ -4939,8 +4939,8 @@ ovn-sbctl dump-flows sw0 > sw0flows >>> AT_CAPTURE_FILE([sw0flows]) >>> AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | >>> ovn_strip_lflows], [0], [dnl >>> - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 0; next;) >>> - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234; >>> reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; >>> next;) >>> + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (udp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] >>> == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = >>> 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 0; next;) >>> table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] >>> == 1 && (udp)), action=(reg8[[16]] = 1; next;) >>> ]) 
>>> @@ -4951,8 +4951,8 @@ AT_CHECK([grep "ls_in_stateful" sw0flows | >>> ovn_strip_lflows], [0], [dnl >>> ]) >>> AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | >>> ovn_strip_lflows], [0], [dnl >>> - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 2; next;) >>> - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234; >>> reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; >>> next;) >>> + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (udp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] >>> == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = >>> 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 2; next;) >>> table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] >>> == 1 && (udp)), action=(reg8[[16]] = 1; next;) >>> ]) >>> @@ -4970,7 +4970,7 @@ ovn-sbctl dump-flows sw0 > sw0flows >>> AT_CAPTURE_FILE([sw0flows]) >>> AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | >>> ovn_strip_lflows], [0], [dnl >>> - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (udp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] >>> == 1 && (udp)), action=(reg8[[16]] = 1; next;) >>> ]) >>> AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], >>> [dnl 
>>> @@ -4980,7 +4980,7 @@ AT_CHECK([grep "ls_in_stateful" sw0flows | >>> ovn_strip_lflows], [0], [dnl >>> ]) >>> AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | >>> ovn_strip_lflows], [0], [dnl >>> - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (udp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] >>> == 1 && (udp)), action=(reg8[[16]] = 1; next;) >>> ]) >>> AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], >>> [dnl 
>>> @@ -8109,13 +8109,13 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e >>> "ls_in_acl_hint" lsflows | ovn_strip_lflo >>> table=??(ls_in_acl_after_lb_eval), priority=65532, >>> match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=65532, >>> match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=0 , match=(1), >>> action=(next;) >>> - table=??(ls_in_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(reg0[[1]] = 1; next;) >>> - table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(next;) >>> + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[10]] >>> == 1 && (ip4)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = >>> 1; ct_label.obs_point_id = 0; }; next;) >>> table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[9]] >>> == 1 && (ip4)), action=(reg8[[17]] = 1; next;) >>> - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] >>> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) >>> - table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[7]] == >>> 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[7]] == >>> 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[8]] >>> == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=2004 , 
match=(reg0[[10]] >>> == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; >>> ct_commit { ct_mark.blocked = 1; ct_label.obs_point_id = 0; }; next;) >>> table=??(ls_in_acl_eval ), priority=2004 , match=(reg0[[9]] >>> == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;) >>> @@ -8131,8 +8131,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e >>> "ls_in_acl_hint" lsflows | ovn_strip_lflo >>> table=??(ls_in_acl_hint ), priority=3 , match=(!ct.est), >>> action=(reg0[[9]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=4 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; >>> reg0[[10]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), >>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> ]) >>> AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl 
>>> @@ -8166,9 +8166,9 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e >>> "ls_in_acl_hint" lsflows | ovn_strip_lflo >>> table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_after_lb_eval), priority=2001 , >>> match=(reg0[[10]] == 1 && (ip4)), action=(reg8[[17]] = 1; ct_commit >>> { ct_mark.blocked = 1; ct_label.obs_point_id = 0; }; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=2001 , >>> match=(reg0[[9]] == 1 && (ip4)), action=(reg8[[17]] = 1; next;) >>> - table=??(ls_in_acl_after_lb_eval), priority=2002 , >>> match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; >>> reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_after_lb_eval), priority=2002 , >>> match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=2002 , >>> match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) >>> - table=??(ls_in_acl_after_lb_eval), priority=2003 , >>> match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; >>> reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_after_lb_eval), priority=2003 , >>> match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=2003 , >>> match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=2004 , >>> match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), >>> action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; >>> ct_label.obs_point_id = 0; }; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=2004 , >>> match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), >>> action=(reg8[[17]] = 1; next;) 
>>> @@ -8176,8 +8176,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e >>> "ls_in_acl_hint" lsflows | ovn_strip_lflo >>> table=??(ls_in_acl_after_lb_eval), priority=65532, >>> match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=65532, >>> match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=0 , match=(1), >>> action=(next;) >>> - table=??(ls_in_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(reg0[[1]] = 1; next;) >>> - table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(next;) >>> + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == >>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && >>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), >>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) >>> table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ! >>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), >>> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = >>> 1; next;) 
>>> @@ -8190,8 +8190,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e >>> "ls_in_acl_hint" lsflows | ovn_strip_lflo >>> table=??(ls_in_acl_hint ), priority=3 , match=(!ct.est), >>> action=(reg0[[9]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=4 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; >>> reg0[[10]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), >>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> ]) >>> AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl 
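Review bot: the new priority-6 ls_in_acl_hint flow sets reg0[[1]] only for `!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1`, whereas the priority-1 ls_in_acl_eval flow removed in the previous hunk set it for any `ip && ct.est && ct_mark.blocked == 1`, reply direction included. If reply packets of a blocked connection are always dropped before the STATEFUL stage this narrowing is harmless, but that reasoning is not in the commit message; one sentence there would save the next reader of this expectation change from re-deriving it.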
>>> @@ -8231,11 +8231,11 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e >>> "ls_in_acl_hint" lsflows | ovn_strip_lflo >>> table=??(ls_in_acl_after_lb_eval), priority=65532, >>> match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=65532, >>> match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=0 , match=(1), >>> action=(next;) >>> - table=??(ls_in_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(reg0[[1]] = 1; next;) >>> - table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) >>> - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(next;) >>> + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] >>> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) >>> - table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[7]] == >>> 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[7]] == >>> 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[8]] >>> == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == >>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && >>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), >>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) 
>>> @@ -8249,8 +8249,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e >>> "ls_in_acl_hint" lsflows | ovn_strip_lflo >>> table=??(ls_in_acl_hint ), priority=3 , match=(!ct.est), >>> action=(reg0[[9]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=4 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; >>> reg0[[10]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), >>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> ]) >>> AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl 
>>> @@ -8779,8 +8779,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E >>> "ls_.*_acl" | ovn_strip_lflows], [0], [ >>> table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_eval ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(next;) >>> - table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) >>> - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] >>> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == >>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && >>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), >>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) 
>>> @@ -8794,8 +8794,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E >>> "ls_.*_acl" | ovn_strip_lflows], [0], [ >>> table=??(ls_in_acl_hint ), priority=3 , match=(!ct.est), >>> action=(reg0[[9]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=4 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; >>> reg0[[10]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), >>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> table=??(ls_in_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_pre_acl ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_pre_acl ), priority=100 , match=(ip), >>> action=(reg0[[0]] = 1; next;) 
>>> @@ -8809,7 +8809,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E >>> "ls_.*_acl" | ovn_strip_lflows], [0], [ >>> table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] >>> == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = >>> 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. >>> */ outport <-> inport; next(pipeline=ingress,table=??); };) >>> table=??(ls_out_acl_eval ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_out_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(next;) >>> - table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) >>> + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == >>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && >>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), >>> action=(reg8[[16]] = 1; ct_commit_nat;) >>> table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ! >>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), >>> action=(reg8[[16]] = 1; next;) 
>>> @@ -8822,8 +8822,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E >>> "ls_.*_acl" | ovn_strip_lflows], [0], [ >>> table=??(ls_out_acl_hint ), priority=3 , match=(!ct.est), >>> action=(reg0[[9]] = 1; next;) >>> table=??(ls_out_acl_hint ), priority=4 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; >>> reg0[[10]] = 1; next;) >>> table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), >>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; next;) >>> - table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) >>> + table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> table=??(ls_out_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_out_pre_acl ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_out_pre_acl ), priority=100 , match=(ip), >>> action=(reg0[[0]] = 1; next;) 
>>> @@ -8973,7 +8973,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E >>> "ls_.*_acl" | ovn_strip_lflows], [0], [ >>> table=??(ls_in_acl_after_lb_action), priority=1000 , >>> match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; >>> reg8[[18]] = 0; /* drop */) >>> table=??(ls_in_acl_after_lb_action), priority=1000 , >>> match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; >>> reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> >>> ip.src; is implicit. */ outport <-> inport; >>> next(pipeline=egress,table=??); };) >>> table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), >>> action=(next;) >>> - table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; >>> reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || >>> nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=65532, >>> match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) 
>>> @@ -8981,7 +8981,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E >>> "ls_.*_acl" | ovn_strip_lflows], [0], [ >>> table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_eval ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(next;) >>> - table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == >>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && >>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), >>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) >>> table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ! >>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), >>> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = >>> 1; next;) 
>>> @@ -8994,8 +8994,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E >>> "ls_.*_acl" | ovn_strip_lflows], [0], [ >>> table=??(ls_in_acl_hint ), priority=3 , match=(!ct.est), >>> action=(reg0[[9]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=4 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; >>> reg0[[10]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), >>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> table=??(ls_in_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_pre_acl ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_pre_acl ), priority=100 , match=(ip), >>> action=(reg0[[0]] = 1; next;) 
>>> @@ -9009,7 +9009,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E >>> "ls_.*_acl" | ovn_strip_lflows], [0], [ >>> table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] >>> == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = >>> 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. >>> */ outport <-> inport; next(pipeline=ingress,table=??); };) >>> table=??(ls_out_acl_eval ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_out_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(next;) >>> - table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) >>> + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == >>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && >>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), >>> action=(reg8[[16]] = 1; ct_commit_nat;) >>> table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ! >>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), >>> action=(reg8[[16]] = 1; next;) 
>>> @@ -9022,8 +9022,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E >>> "ls_.*_acl" | ovn_strip_lflows], [0], [ >>> table=??(ls_out_acl_hint ), priority=3 , match=(!ct.est), >>> action=(reg0[[9]] = 1; next;) >>> table=??(ls_out_acl_hint ), priority=4 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; >>> reg0[[10]] = 1; next;) >>> table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), >>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; next;) >>> - table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) >>> + table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> table=??(ls_out_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_out_pre_acl ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_out_pre_acl ), priority=100 , match=(ip), >>> action=(reg0[[0]] = 1; next;) 
>>> @@ -9179,7 +9179,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E >>> "ls_.*_acl" | ovn_strip_lflows], [0], [ >>> table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_eval ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(next;) >>> - table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == >>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && >>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), >>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) >>> table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ! >>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), >>> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = >>> 1; next;) 
>>> @@ -9192,8 +9192,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E >>> "ls_.*_acl" | ovn_strip_lflows], [0], [ >>> table=??(ls_in_acl_hint ), priority=3 , match=(!ct.est), >>> action=(reg0[[9]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=4 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; >>> reg0[[10]] = 1; next;) >>> table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), >>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; next;) >>> - table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> table=??(ls_in_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_pre_acl ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_pre_acl ), priority=100 , match=(ip), >>> action=(reg0[[0]] = 1; next;) 
>>> @@ -9207,8 +9207,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E >>> "ls_.*_acl" | ovn_strip_lflows], [0], [ >>> table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] >>> == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = >>> 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. >>> */ outport <-> inport; next(pipeline=ingress,table=??); };) >>> table=??(ls_out_acl_eval ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_out_acl_eval ), priority=1 , match=(ip && ! >>> ct.est), action=(next;) >>> - table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) >>> - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est >>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;) >>> + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] >>> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == >>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && >>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), >>> action=(reg8[[16]] = 1; ct_commit_nat;) 
>>> @@ -9222,8 +9222,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E >>> "ls_.*_acl" | ovn_strip_lflows], [0], [ >>> table=??(ls_out_acl_hint ), priority=3 , match=(!ct.est), >>> action=(reg0[[9]] = 1; next;) >>> table=??(ls_out_acl_hint ), priority=4 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; >>> reg0[[10]] = 1; next;) >>> table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), >>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) >>> - table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; next;) >>> - table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) >>> + table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && >>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; >>> reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && ! >>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;) >>> table=??(ls_out_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_out_pre_acl ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_out_pre_acl ), priority=100 , match=(ip), >>> action=(reg0[[0]] = 1; next;) 
>>> @@ -13197,7 +13197,7 @@ check_uuid ovn-nbctl --wait=sb \ >>> --id=@sample2 create Sample collector="$collector1 $collector2" >>> metadata=4302 -- \ >>> --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport >>> 1 "1" allow-related >>> AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e >>> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | >>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl >>> - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 0; next;) >>> + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 >>> = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) >>> table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] >>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 0; next;) >>> table=??(ls_in_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_sample ), priority=1100 , match=(ip && >>> ct.new && reg3 == 4301), >>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); >>> next;) 
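Review bot: the reg0[[7]] == 1 flow loses `reg0[[1]] = 1` here, but the unchanged reg0[[8]] == 1 line directly below still carries it, as do the reg0[[8]] lines in the other `--sample-est` hunks, while the `--sample-new`-only hunks do not. That re-commit on established traffic presumably exists to refresh `ct_label.obs_point_id` and is independent of this fix; a note in the commit message saying the est-sample commit is intentionally left in the eval stage would stop a reviewer from reading it as a missed removal.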
>>> @@ -13230,7 +13230,7 @@ check_uuid ovn-nbctl --wait=sb \ >>> --id=@sample1 create Sample collector="$collector1 $collector2" >>> metadata=4301 -- \ >>> --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related >>> AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e >>> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | >>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl >>> - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 0; next;) >>> + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 >>> = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) >>> table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] >>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; >>> reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; >>> next;) >>> table=??(ls_in_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_sample ), priority=1100 , match=(ip && >>> ct.new && reg3 == 4301), >>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); >>> next;) 
>>> @@ -13260,7 +13260,7 @@ check_uuid ovn-nbctl --wait=sb \ >>> --id=@sample2 create Sample collector="$collector1 $collector2" >>> metadata=4302 -- \ >>> --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl- >>> add ls from-lport 1 "1" allow-related >>> AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample >>> -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | >>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl >>> - table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; >>> reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; >>> reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) >>> + table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = >>> 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; >>> reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; >>> reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) >>> table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && >>> ct.new && reg3 == 4301), >>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); >>> next;) 
>>> @@ -13293,7 +13293,7 @@ check_uuid ovn-nbctl --wait=sb \ >>> --id=@sample1 create Sample collector="$collector1 $collector2" >>> metadata=4301 -- \ >>> --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 >>> "1" allow-related >>> AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample >>> -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | >>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl >>> - table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; >>> reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; >>> reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) >>> + table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = >>> 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = >>> 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 1; next;) >>> table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && >>> ct.new && reg3 == 4301), >>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); >>> next;) 
>>> @@ -13325,7 +13325,7 @@ check_uuid ovn-nbctl --wait=sb \ >>> AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e >>> ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | >>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl >>> table=??(ls_in_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_sample ), priority=1200 , match=(ip && >>> ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == >>> 4302 && ct_label.obs_unused == 0), >>> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); >>> next;) >>> - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 2; next;) >>> + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 >>> = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) >>> table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] >>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 2; next;) >>> table=??(ls_out_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_out_acl_sample ), priority=1100 , match=(ip && >>> (ct.new || !ct.trk) && reg3 == 4301), >>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); >>> next;) 
>>> @@ -13358,7 +13358,7 @@ check_uuid ovn-nbctl --wait=sb \ >>> --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related >>> AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e >>> ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | >>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl >>> table=??(ls_in_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 2; next;) >>> + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 >>> = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) >>> table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] >>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; >>> reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; >>> next;) >>> table=??(ls_out_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_out_acl_sample ), priority=1100 , match=(ip && >>> (ct.new || !ct.trk) && reg3 == 4301), >>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); >>> next;) 
>>> @@ -13418,7 +13418,7 @@ check_uuid ovn-nbctl -- >>> wait=sb \ >>> --id=@sample2 create Sample collector="$collector1" metadata=4302 >>> -- \ >>> --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport >>> 1 "1" allow-related >>> AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e >>> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | >>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl >>> - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; >>> reg8[[19..20]] = 0; next;) >>> + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 >>> = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) >>> table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] >>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; >>> reg8[[19..20]] = 0; next;) >>> table=??(ls_in_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_sample ), priority=1100 , match=(ip && >>> ct.new && reg3 == 4301), >>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); >>> next;) 
>>> @@ -13456,7 +13456,7 @@ check_uuid ovn-nbctl -- >>> wait=sb \ >>> --id=@sample2 create Sample collector="$collector1" metadata=4302 >>> -- \ >>> --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport >>> 1 "1" allow-related >>> AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e >>> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | >>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl >>> - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; >>> reg8[[19..20]] = 0; next;) >>> + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 >>> = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) >>> table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] >>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; >>> reg8[[19..20]] = 0; next;) >>> table=??(ls_in_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_sample ), priority=1000 , match=(ip && >>> ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0), >>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); >>> next;) 
>>> @@ -13491,7 +13491,7 @@ check_uuid ovn-nbctl -- >>> wait=sb \ >>> --id=@sample1 create Sample collector="$collector1" metadata=4301 >>> -- \ >>> --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related >>> AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e >>> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | >>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl >>> - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 0; next;) >>> + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 >>> = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) >>> table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] >>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; >>> reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0; >>> next;) >>> table=??(ls_in_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_sample ), priority=1000 , match=(ip && >>> ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0), >>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); >>> next;) 
>>> @@ -13524,7 +13524,7 @@ check_uuid ovn-nbctl -- >>> wait=sb \ >>> --id=@sample2 create Sample collector="$collector1" metadata=4302 >>> -- \ >>> --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl- >>> add ls from-lport 1 "1" allow-related >>> AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample >>> -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | >>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl >>> - table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; >>> reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; >>> reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;) >>> + table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = >>> 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; >>> reg8[[19..20]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; >>> reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; >>> reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;) >>> table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && >>> ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), >>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); >>> next;) 
>>> @@ -13559,7 +13559,7 @@ check_uuid ovn-nbctl -- >>> wait=sb \ >>> --id=@sample1 create Sample collector="$collector1" metadata=4301 >>> -- \ >>> --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 >>> "1" allow-related >>> AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample >>> -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | >>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl >>> - table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; >>> reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; >>> reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) >>> + table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = >>> 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=1001 , >>> match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = >>> 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 1; next;) >>> table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && >>> ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), >>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); >>> next;) 
>>> @@ -13594,7 +13594,7 @@ check_uuid ovn-nbctl -- >>> wait=sb \ >>> AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e >>> ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | >>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl >>> table=??(ls_in_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_in_acl_sample ), priority=1000 , match=(ip && >>> ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && >>> ct_mark.obs_collector_id == 1), >>> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); >>> next;) >>> - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; >>> reg8[[19..20]] = 2; next;) >>> + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 >>> = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;) >>> table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] >>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; >>> reg8[[19..20]] = 2; next;) >>> table=??(ls_out_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_out_acl_sample ), priority=1000 , match=(ip && >>> (ct.new || !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), >>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); >>> next;) 
>>> @@ -13629,7 +13629,7 @@ check_uuid ovn-nbctl -- >>> wait=sb \ >>> --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related >>> AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e >>> ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | >>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl >>> table=??(ls_in_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; >>> reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; >>> reg8[[19..20]] = 2; next;) >>> + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == >>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 >>> = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) >>> table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] >>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; >>> reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2; >>> next;) >>> table=??(ls_out_acl_sample ), priority=0 , match=(1), >>> action=(next;) >>> table=??(ls_out_acl_sample ), priority=1000 , match=(ip && >>> (ct.new || !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), >>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); >>> next;) 
>>> @@ -14950,17 +14950,17 @@ check ovn-nbctl acl-add sw to-lport 1002 >>> "ip" allow-related >>> check ovn-nbctl --apply-after-lb acl-add sw from-lport 1003 "udp" >>> allow-related >>> AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | grep >>> priority=2001 | ovn_strip_lflows], [0], [dnl >>> - table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[7]] == >>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[7]] == >>> 1 && (tcp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[8]] >>> == 1 && (tcp)), action=(reg8[[16]] = 1; next;) >>> ]) >>> AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_after_lb_eval >>> | grep priority=2003 | ovn_strip_lflows], [0], [dnl >>> - table=??(ls_in_acl_after_lb_eval), priority=2003 , >>> match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = >>> 1; next;) >>> + table=??(ls_in_acl_after_lb_eval), priority=2003 , >>> match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=2003 , >>> match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) >>> ]) >>> AT_CHECK([ovn-sbctl lflow-list sw | grep ls_out_acl_eval | grep >>> priority=2002 | ovn_strip_lflows], [0], [dnl >>> - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) >>> + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (ip)), action=(reg8[[16]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] >>> == 1 && (ip)), action=(reg8[[16]] = 1; next;) >>> ]) 
>>> @@ -14980,17 +14980,17 @@ after_lb_id=$(ovn-sbctl get ACL_ID >>> $after_lb_uuid id) >>> dnl Now we should see the registers being set to the appropriate >>> values. >>> AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | >>> grep priority=2001 | ovn_strip_lflows], [0], [dnl >>> - table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[7]] == >>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg2[[16..31]] = >>> $ingress_id; reg0[[20]] = 1; next;) >>> + table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[7]] == >>> 1 && (tcp)), action=(reg8[[16]] = 1; reg2[[16..31]] = $ingress_id; >>> reg0[[20]] = 1; next;) >>> table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[8]] >>> == 1 && (tcp)), action=(reg8[[16]] = 1; next;) >>> ]) >>> AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep >>> ls_in_acl_after_lb_eval | grep priority=2003 | ovn_strip_lflows], >>> [0], [dnl >>> - table=??(ls_in_acl_after_lb_eval), priority=2003 , >>> match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = >>> 1; reg2[[16..31]] = $after_lb_id; reg0[[20]] = 1; next;) >>> + table=??(ls_in_acl_after_lb_eval), priority=2003 , >>> match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; >>> reg2[[16..31]] = $after_lb_id; reg0[[20]] = 1; next;) >>> table=??(ls_in_acl_after_lb_eval), priority=2003 , >>> match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) >>> ]) >>> AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep ls_out_acl_eval >>> | grep priority=2002 | ovn_strip_lflows], [0], [dnl >>> - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg2[[16..31]] = >>> $egress_id; reg0[[20]] = 1; next;) >>> + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == >>> 1 && (ip)), action=(reg8[[16]] = 1; reg2[[16..31]] = $egress_id; >>> reg0[[20]] = 1; next;) >>> table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] >>> == 1 && (ip)), action=(reg8[[16]] = 1; next;) >>> ]) 
>>> diff --git a/tests/system-ovn.at b/tests/system-ovn.at >>> index 5fa740cfb..9faadfb1d 100644 >>> --- a/tests/system-ovn.at >>> +++ b/tests/system-ovn.at 
>>> @@ -17618,3 +17618,123 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to >>> query port patch-.*/d >>> /connection dropped.*/d"]) >>> AT_CLEANUP >>> ]) >>> + >>> + >>> +OVN_FOR_EACH_NORTHD([ >>> +AT_SETUP([conntrack on pass ACLs]) >>> + >>> +CHECK_CONNTRACK() >>> +CHECK_CONNTRACK_NAT() >>> +ovn_start >>> +OVS_TRAFFIC_VSWITCHD_START() >>> +ADD_BR([br-int]) >>> +# >>> +# Set external-ids in br-int needed for ovn-controller >>> +check ovs-vsctl \ >>> + -- set Open_vSwitch . external-ids:system-id=hv1 \ >>> + -- set Open_vSwitch . external-ids:ovn-remote=unix: >>> $ovs_base/ovn-sb/ovn-sb.sock \ >>> + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ >>> + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \ >>> + -- set bridge br-int fail-mode=secure other-config:disable- >>> in-band=true >>> + >>> +# Start ovn-controller >>> +start_daemon ovn-controller >>> + >>> +# Ensure that when stateful ACLs are present, a "pass" >>> +# action results in the packet being allowed (since we >>> +# do not have whatever that thing is called that >>> +# drops packets by default when using ACLs enabled). If >>> +# this is the final verdict of all ACL tiers, then the >>> +# packet should also be committed to conntrack, the same >>> +# as if an "allow" of "allow-related" verdict were final. >>> + >>> +check ovn-nbctl ls-add ls >>> +check ovn-nbctl lsp-add ls lsp1 \ >>> +-- lsp-set-addresses lsp1 "f0:00:00:00:00:01 192.168.1.1" >>> +check ovn-nbctl lsp-add ls lsp2 \ >>> +-- lsp-set-addresses lsp2 "f0:00:00:00:00:02 192.168.1.2" >>> + >>> +ADD_NAMESPACES(lsp1) >>> +ADD_VETH(lsp1, lsp1, br-int, "192.168.1.1/24", "f0:00:00:00:00:01", \ >>> + "192.168.1.100") >>> + >>> +ADD_NAMESPACES(lsp2) >>> +ADD_VETH(lsp2, lsp2, br-int, "192.168.1.2/24", "f0:00:00:00:00:02", \ >>> + "192.168.1.100") >>> + >>> +# First, set up a "pass" ACL by itself. 
>>> +check ovn-nbctl acl-add ls from-lport 1000 "ip4.src == 192.168.1.1" >>> pass >>> +check ovn-nbctl acl-add ls to-lport 1000 "ip4.src == 192.168.1.2" pass >>> + >>> +# Ping should succeed since from-lport "pass" ACL is the only one >>> matched. >>> +NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 192.168.1.2 | >>> FORMAT_PING], \ >>> +[0], [dnl >>> +3 packets transmitted, 3 received, 0% packet loss, time 0ms >>> +]) >>> + >>> +# Ping the other way should also succeed since to-lport "pass" ACL >>> is matched. >>> +NS_CHECK_EXEC([lsp2], [ping -q -c 3 -i 0.3 -w 2 192.168.1.1 | >>> FORMAT_PING], \ >>> +[0], [dnl >>> +3 packets transmitted, 3 received, 0% packet loss, time 0ms >>> +]) >>> + >>> +# There should be no conntrack entries created since there are no >>> stateful ACLs. >>> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.2) | \ >>> +sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [1], [dnl >>> +]) >>> + >>> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.1) | \ >>> +sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [1], [dnl >>> +]) >>> + >>> +# Now add an arbitrary stateful ACL to the mix. We'll never match on >>> this >>> +# ACL, but its presence should change things. >>> +check ovn-nbctl acl-add ls from-lport 200 "ip4.src == 192.168.1.50" >>> allow-related >>> + >>> +# Pings should still succeed. >>> +NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 192.168.1.2 | >>> FORMAT_PING], \ >>> +[0], [dnl >>> +3 packets transmitted, 3 received, 0% packet loss, time 0ms >>> +]) >>> +NS_CHECK_EXEC([lsp2], [ping -q -c 3 -i 0.3 -w 2 192.168.1.1 | >>> FORMAT_PING], \ >>> +[0], [dnl >>> +3 packets transmitted, 3 received, 0% packet loss, time 0ms >>> +]) >>> + >>> +# Now there should be conntrack entries from the pings >>> +# We should have an entry for each direction of traffic in >>> +# each port's zone: a total of four. 
>>> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.2) | \ >>> +sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [0], [dnl >>> +icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared> >>> +icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared> >>> +icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared> >>> +icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared> >>> +]) >>> + >>> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.1) | \ >>> +sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [0], [dnl >>> +icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared> >>> +icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared> >>> +icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared> >>> +icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared> >>> +]) >>> + >>> +OVN_CLEANUP_CONTROLLER([hv1]) >>> + >>> +as ovn-sb >>> +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) >>> + >>> +as ovn-nb >>> +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) >>> + >>> +as northd >>> +OVS_APP_EXIT_AND_WAIT([ovn-northd]) >>> + >>> +as >>> +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d >>> +/connection dropped.*/d"]) >>> + >>> +AT_CLEANUP >>> +]) >> >> Regards, >> Dumitru >> > Regards, Dumitru 
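Review bot: the expected-flow updates in the ovn-northd.at sampling hunks (@@ -13418 through @@ -13629, and the ACL ID hunks @@ -14950 and @@ -14980) only verify that `reg0[[1]] = 1` has been dropped from the `reg0[[7]] == 1` (allow-new hint) lines of ls_in_acl_eval, ls_in_acl_after_lb_eval and ls_out_acl_eval; nothing in these hunks asserts that the ACL hint stage now sets that bit, so the northd tests would keep passing if the hint-stage change were lost. Suggest extending one of the greps to the hint table (`grep -e ls_in_acl_hint`) and adding the expected `ct.new && !ct.est` hint flow with `reg0[[1]] = 1` in its action, unless a hunk elsewhere in ovn-northd.at already covers it. Also worth a one-line test comment: the `reg0[[8]] == 1` (allow hint) flows keep `reg0[[1]] = 1` only in the cases configured with --sample-est (@@ -13418, -13456, -13524, -13594) and never had it in the sample-new-only cases, so a reader comparing the two sets should be told that established traffic still re-commits there on purpose.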
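Review bot: the new "conntrack on pass ACLs" test (@@ -17618 in tests/system-ovn.at) exercises only a single, untiered set of ACLs even though its own comment frames the behaviour as "the final verdict of all ACL tiers"; consider adding a case with a "pass" ACL in one tier and a second tier present, so the tier interaction the test comment describes is actually covered. Two smaller points in the same hunk: the comment "since we do not have whatever that thing is called that drops packets by default when using ACLs enabled" should name the feature or be rewritten, and "an "allow" of "allow-related"" should read "or"; and the paired dump-conntrack checks are redundant, since every ICMP entry contains both 192.168.1.1 and 192.168.1.2, so `FORMAT_CT(192.168.1.1)` and `FORMAT_CT(192.168.1.2)` are asserted against identical output, and with `zone=<cleared>` the check cannot confirm the "each port's zone" claim made in the comment above it.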
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev