On 4/28/25 10:00, Dumitru Ceara wrote:
On 4/28/25 3:47 PM, Mark Michelson wrote:
On 4/28/25 05:49, Dumitru Ceara wrote:
On 4/25/25 9:16 PM, Mark Michelson via dev wrote:
REGBIT_CONNTRACK_COMMIT determines if a packet will be committed to
conntrack when it reaches the STATEFUL stage of a logical switch. When
stateful ACLs are present, the goal is to have this bit set for all
traffic. However, if the packet hit only "pass" ACLs, then the packet
was being allowed but not being committed to conntrack.

This patch addresses the error by setting REGBIT_CONNTRACK_COMMIT during
the ACL_HINT stage. Any time we set REGBIT_ACL_HINT_ALLOW_NEW, we also
set REGBIT_CONNTRACK_COMMIT. If the packet gets denied by ACLs, then the
packet will get dropped or rejected before REGBIT_CONNTRACK_COMMIT is
used. If the packet is allowed (statelessly, statefully, or by default),
then the packet will be committed to conntrack.

Reported-at: https://issues.redhat.com/browse/FDP-1321

Signed-off-by: Mark Michelson <mmich...@redhat.com>
---

Hi Mark,

Thanks for the fix but for some reason this patch is a bit corrupted.  I
manually applied it and pushed it for CI in my fork here:

https://github.com/dceara/ovn/tree/refs/heads/review-pws454250-tier-acl-commit

ovn-k CI: https://github.com/dceara/ovn/actions/runs/14704219132
ovn CI: https://github.com/dceara/ovn/actions/runs/14704219144

   northd/northd.c     |  20 +++---
   tests/ovn-northd.at | 172 ++++++++++++++++++++++----------------------
   tests/system-ovn.at | 120 +++++++++++++++++++++++++++++++
   3 files changed, 217 insertions(+), 95 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c
index 74792e38b..9f66c7469 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -6368,10 +6368,16 @@ build_acl_hints(const struct
ls_stateful_record *ls_stateful_rec,
           /* New, not already established connections, may hit either
allow
            * or drop ACLs. For allow ACLs, the connection must also
be committed
            * to conntrack so we set REGBIT_ACL_HINT_ALLOW_NEW.
+         *
+         * All new traffic should be committed to conntrack if there
are
+         * stateful ACLs present, so set REGBIT_CONNTRACK_COMMIT
here to
+         * ensure that the traffic is committed to conntrack in the
STATEFUL
+         * stage.
            */
           ovn_lflow_add(lflows, od, stage, 7, "ct.new && !ct.est",
                         REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
                         REGBIT_ACL_HINT_DROP " = 1; "
+                      REGBIT_CONNTRACK_COMMIT " = 1; "
                         "next;", lflow_ref);
             /* Already established connections in the "request"
direction that
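Review bot: the new `REGBIT_CONNTRACK_COMMIT " = 1; "` in the priority-7 `ct.new && !ct.est` flow is unconditional, while the added comment justifies it with "if there are stateful ACLs present"; please state in the comment (or the commit message) that build_acl_hints() only emits these flows for switches that have stateful ACLs, so a reader does not take the match itself as the guard. It would also help to say here that the bit is only consumed in the STATEFUL stage, which a drop or reject verdict never reaches, since that is what makes setting it before ACL evaluation safe.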
@@ -6379,13 +6385,15 @@ build_acl_hints(const struct
ls_stateful_record *ls_stateful_rec,
            * - allow ACLs for connections that were previously
allowed by a
            *   policy that was deleted and is being readded now. In
this case
            *   the connection should be recommitted so we set
-         *   REGBIT_ACL_HINT_ALLOW_NEW.
+         *   REGBIT_ACL_HINT_ALLOW_NEW. Since we want traffic
recommitted
+         *   in this case, we also set REGBIT_CONNTRACK_COMMIT.
            * - drop ACLs.
            */
           ovn_lflow_add(lflows, od, stage, 6,
                         "!ct.new && ct.est && !ct.rpl &&
ct_mark.blocked == 1",
                         REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
                         REGBIT_ACL_HINT_DROP " = 1; "
+                      REGBIT_CONNTRACK_COMMIT " = 1; "
                         "next;", lflow_ref);

I'm not sure this is correct.  This matches on sessions that were
established at some point (so there was an ACL that allowed them) but
later an ACL change happened and the new set of ACLs doesn't allow the
sessions anymore.

When the ACL change happened ct_mark.blocked was already set to 1 so we
don't need to update these sessions.

However later, in build_stateful(), we assume that if
REGBIT_CONNTRACK_COMMIT == 1 we should recommit (with ct_mark.blocked =
0) which "unblocks" these sessions, breaking ACL behavior.

My change is based on comments in the code. Prior to my patch, the
comment above this section says:

   /* Already established connections in the "request" direction that
    * are already marked as "blocked" may hit either:
    * - allow ACLs for connections that were previously allowed by a
    *   policy that was deleted and is being readded now. In this case
    *   the connection should be recommitted so we set
    *   REGBIT_ACL_HINT_ALLOW_NEW.
    * - drop ACLs.
    */

Then, in consider_acl(), there is this comment:

    * It's also possible that a known connection was marked for
    * deletion after a policy was deleted, but the policy was
    * re-added while that connection is still known.  We catch
    * that case here and un-set ct_mark.blocked (which will be done
    * by ct_commit in the "stateful" stage) to indicate that the
    * connection should be allowed to resume.

So it seems like the whole idea behind REGBIT_ACL_HINT_ALLOW_NEW in this
particular scenario is to re-commit the packet, setting ct_mark.blocked
= 0 in the process. The reasoning is that the session was allowed, then
the policy was removed, resulting in the packet being blocked. Then the
policy was re-added, resulting in the packet needing to be re-committed.


Sure.

So I think this won't break ACL behavior, but will maintain the current
behavior for the obscure case where ACLs are added, removed, and then
re-added.

One aspect about REGBIT_ACL_HINT_ALLOW_NEW is that it requires the
packet to re-match ACLs before being allowed. So in the case where the
packet should be dropped still (because the ACL was removed), then the
packet should still end up being dropped since the packet will not match
the removed ACL.


Thanks for the clarification.  Re-reading the code, you might be right.

However, because we set REGBIT_CONNTRACK_COMMIT = 1 when "!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1", that means we (re)commit
each and every packet that hits this rule.  I think that wasn't the case
before.

We only recommit packets if they are not dropped by ACLs first. Consider the scenario before my patch. Before my patch, if a packet matched "!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1", then REGBIT_ACL_HINT_ALLOW_NEW was set. Then in the ACL_EVAL stage, the ACLs are re-evaluated. If the packet matched an allow or allow-related ACL, or if the packet matched no ACLs and the default policy was not to drop the packet, then we would set REGBIT_CONNTRACK_COMMIT. In other words, the previous code was also committing every packet that hit the rule, so long as the packet then went on to match an allow ACL or got past the ACL_EVAL stage by default. When you commit the new packet, you get a new CT entry with ct_mark.blocked == 0. Then the next packet that arrives will not have REGBIT_ACL_HINT_ALLOW_NEW set on it, since ct_mark.blocked is no longer 1. As a result, subsequent packets will not be recommitted.

So now with my patch, the same behavior should be present. The difference is that we also set REGBIT_CONNTRACK_COMMIT so that no matter what the ACL evaluation result is, the packet will be committed to conntrack if the packet reaches the STATEFUL stage. It doesn't matter if the result is "allow", "allow-related", "pass", default ACL rules, or anything new that may be introduced later. However, if the packet is dropped or rejected during ACL stages, then the packet will not hit the STATEFUL stage at all, so nothing will get recommitted.

I think to prove that my change is causing problems, you need to find a scenario where REGBIT_ACL_HINT_ALLOW_NEW was being set, and then REGBIT_CONNTRACK_COMMIT was *not* being set later. The only scenarios I'm aware of where this would happen are:

* Having "pass" be the final ACL verdict. This is a bug and is fixed by this patch.
* The packet is dropped or rejected before reaching the STATEFUL stage. This should still be the case after my patch.


Packets that end up being dropped shouldn't cause ct_commit{...
ct_mark.blocked = 1,...} if ct_mark.blocked already is "1".  I _think_
this behavior change happens due to your patch.

Is this something you've observed with my patch? If so, then I can try to figure out what is causing it.

But just looking at the code, the only time we ct_commit() with ct_mark.blocked = 1 is when hitting a "drop" or "reject" ACL when REGBIT_ACL_HINT_BLOCK == 1. REGBIT_ACL_HINT_BLOCK is only ever set to 1 if ct_mark.blocked == 0. Therefore, if ct_mark.blocked is already 1, it should not be possible to re-commit with ct_mark.blocked set to 1 again.



I was about to suggest only setting REGBIT_CONNTRACK_COMMIT = 1 in this
case if ct_mark.blocked == 0 but I'm afraid that might cause all packets
in the original direction that match allow ACLs to be committed.

There might still be a way to do this in the hint stage but I'm not so
sure it's that easy.

Maybe we should change the code that handles the "pass" action instead so
that it behaves as if the action were "allow-related" when the ACL's tier is
equal to the max tier for that switch?

I can certainly go with something like that. My thought here was that
the way I went about it makes it so that no matter what changes happen
at the ACL evaluation or action stages, the packets will get committed
to conntrack in the STATEFUL stage.


Maybe a simpler and safer solution is Ales' suggestion here:
https://mail.openvswitch.org/pipermail/ovs-dev/2025-April/423084.html

It's definitely simpler. My main problems with this are:

1) It keeps the poor separation of concerns that the current code has.
2) It leaves us open to the same problem if new ACL actions are introduced.



             /* Not tracked traffic can either be allowed or dropped. */
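Review bot: setting `REGBIT_CONNTRACK_COMMIT " = 1; "` in the priority-6 flow for `!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1` means every original-direction packet of a blocked session now requests a recommit before any ACL has been re-evaluated; as the exchange above shows, correctness then rests entirely on drop and reject verdicts never reaching the STATEFUL stage. That invariant deserves a test rather than reasoning in a mail thread: one case where the allowing ACL is re-added (the entry ends with ct_mark.blocked = 0 and traffic resumes) and one where it stays removed (the entry keeps ct_mark.blocked = 1 and the packet is dropped). The comment change should also say that the hint alone does not unblock anything and that only the recommit in build_stateful() does, so the next reader does not have to rediscover the concern raised here.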
@@ -7041,7 +7049,6 @@ consider_acl(struct lflow_table *lflows, const
struct ovn_datapath *od,
                         acl->match);
             ds_truncate(actions, log_verdict_len);
-        ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
             if (smap_get_bool(&acl->options, "persist-established",
false)) {
               const struct sbrec_acl_id *sb_id;
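Review bot: removing `ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; ");` makes the allow path of consider_acl() silently dependent on build_acl_hints() having set the bit earlier, and nothing left in this function says so. A short comment at this point naming that dependency would stop someone from re-adding the commit here, or from introducing a new action that forgets it (the concern raised in the thread), without realizing the hint stage now owns it.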
@@ -7477,22 +7484,17 @@ build_acls(const struct ls_stateful_record
*ls_stateful_rec,
           ds_put_format(&match, "ip && ct.est && ct_mark.blocked == 1");
           ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1,
                         ds_cstr(&match),
-                      REGBIT_CONNTRACK_COMMIT" = 1; "
                         REGBIT_ACL_VERDICT_ALLOW" = 1; next;",
                         lflow_ref);
           ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1,
                         ds_cstr(&match),
-                      REGBIT_CONNTRACK_COMMIT" = 1; "
                         REGBIT_ACL_VERDICT_ALLOW" = 1; next;",
                         lflow_ref);
   -        const char *next_action = default_acl_drop
-                             ? "next;"
-                             : REGBIT_CONNTRACK_COMMIT" = 1; next;";
           ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1, "ip && !
ct.est",
-                      next_action, lflow_ref);
+                      "next;" , lflow_ref);
           ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1, "ip
&& !ct.est",
-                      next_action, lflow_ref);
+                      "next;", lflow_ref);
             /* Ingress and Egress ACL Table (Priority 65532).
            *
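Review bot: the priority-1 `ip && ct.est && ct_mark.blocked == 1` flows lose `REGBIT_CONNTRACK_COMMIT" = 1; "` here, but their match is wider than the hint-stage priority-6 flow that now carries the bit (`!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1`): reply-direction packets (`ct.rpl`) of a blocked session that match no higher-priority ACL previously got an allow verdict plus a commit request and now get only the allow verdict. Please confirm that is intended and mention it in the commit message; it may be the better behavior, but the description does not cover it. Dropping `next_action` also removes the `default_acl_drop` distinction for `ip && !ct.est`; that is only correct because the hint stage now sets the bit for all new traffic and the default-drop verdict, like the drop and reject cases the commit message argues from, is applied before STATEFUL, so a one-line comment where `"next;"` replaces it would help.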
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 82dfe92fd..82850e099 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -2442,13 +2442,13 @@ ovn-sbctl dump-flows sw1 > sw1flows3
   AT_CAPTURE_FILE([sw1flows3])
     AT_CHECK([grep "ls_out_acl" sw0flows3 sw1flows3 | grep pg0 |
ovn_strip_lflows], [0], [dnl
-sw0flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]]
= 1; reg0[[1]] = 1; next;)
+sw0flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]]
= 1; next;)
   sw0flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]]
= 1; next;)
   sw0flows3:  table=??(ls_out_acl_eval    ), priority=2002 ,
match=(reg0[[10]] == 1 && (outport == @pg0 && ip4 && udp)),
action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1;
ct_label.obs_point_id = 0; }; next;)
   sw0flows3:  table=??(ls_out_acl_eval    ), priority=2002 ,
match=(reg0[[9]] == 1 && (outport == @pg0 && ip4 && udp)),
action=(reg8[[18]] = 1; next;)
   sw0flows3:  table=??(ls_out_acl_eval    ), priority=2003 ,
match=(reg0[[10]] == 1 && (outport == @pg0 && ip6 && udp)),
action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1;
ct_label.obs_point_id = 0; }; next;)
   sw0flows3:  table=??(ls_out_acl_eval    ), priority=2003 ,
match=(reg0[[9]] == 1 && (outport == @pg0 && ip6 && udp)),
action=(reg8[[18]] = 1; next;)
-sw1flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]]
= 1; reg0[[1]] = 1; next;)
+sw1flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]]
= 1; next;)
   sw1flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]]
= 1; next;)
   sw1flows3:  table=??(ls_out_acl_eval    ), priority=2002 ,
match=(reg0[[10]] == 1 && (outport == @pg0 && ip4 && udp)),
action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1;
ct_label.obs_point_id = 0; }; next;)
   sw1flows3:  table=??(ls_out_acl_eval    ), priority=2002 ,
match=(reg0[[9]] == 1 && (outport == @pg0 && ip4 && udp)),
action=(reg8[[18]] = 1; next;)
@@ -2715,8 +2715,8 @@ check ovn-nbctl --wait=sb \
       -- acl-add ls from-lport 2 "udp" allow-related \
       -- acl-add ls to-lport 2 "udp" allow-related
   AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e
ls_out_acl_hint -e ls_in_acl -e ls_out_acl | grep 'ct\.' |
ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
ct.est), action=(reg0[[1]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
ct.est), action=(next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
     table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !
ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] =
1; next;)
     table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] =
1; next;)
@@ -2726,10 +2726,10 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
ls_in_acl_hint -e ls_out_acl_hint -e
     table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
action=(reg0[[9]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
reg0[[10]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
ct.est), action=(reg0[[1]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
ct.est), action=(next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
action=(reg8[[16]] = 1; ct_commit_nat;)
     table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !
ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
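Review bot: the updated expectations show `reg0[[1]] = 1` moving out of the priority-1 ls_in_acl_eval / ls_out_acl_eval flows and into the priority-6 and priority-7 ls_in_acl_hint / ls_out_acl_hint flows, which matches the northd.c hunks; nothing else in the expected output changes. These checks only compare generated lflow text, so they cannot catch the blocked-session re-add behavior debated above; that needs a datapath-level case asserting the ct_mark.blocked value after the ACL is removed and after it is re-added, and the tests/system-ovn.at additions listed in the diffstat are the place for it.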
@@ -2739,8 +2739,8 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
ls_in_acl_hint -e ls_out_acl_hint -e
     table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
action=(reg0[[9]] = 1; next;)
     table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
reg0[[10]] = 1; next;)
     table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
   ])
     AS_BOX([Check match ct_state with load balancer])
@@ -2756,9 +2756,9 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
ls_in_acl_hint -e ls_out_acl_hint -e
     table=??(ls_in_acl_after_lb_eval), priority=65532,
match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=65532,
match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=0    , match=(1),
action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
ct.est), action=(reg0[[1]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
ct.est), action=(next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (ip)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
== 1 && (ip)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
@@ -2772,12 +2772,12 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
ls_in_acl_hint -e ls_out_acl_hint -e
     table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
action=(reg0[[9]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
reg0[[10]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=0    , match=(1),
action=(next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
ct.est), action=(reg0[[1]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
ct.est), action=(next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
1 && (ip)), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]]
== 1 && (ip)), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
action=(reg8[[16]] = 1; ct_commit_nat;)
@@ -2791,8 +2791,8 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
ls_in_acl_hint -e ls_out_acl_hint -e
     table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
action=(reg0[[9]] = 1; next;)
     table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
reg0[[10]] = 1; next;)
     table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
   ])
     check ovn-nbctl --wait=sb clear logical_switch ls acls
@@ -4912,7 +4912,7 @@ ovn-sbctl dump-flows sw0 > sw0flows
   AT_CAPTURE_FILE([sw0flows])
     AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 |
ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
1 && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234;
reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
next;)
     table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]]
== 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] =
1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 0; next;)
   ])
   AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0],
[dnl
@@ -4922,7 +4922,7 @@ AT_CHECK([grep "ls_in_stateful" sw0flows |
ovn_strip_lflows], [0], [dnl
   ])
     AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 |
ovn_strip_lflows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
1 && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234;
reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
next;)
     table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]]
== 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] =
1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 2; next;)
   ])
   AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0],
[dnl
@@ -4939,8 +4939,8 @@ ovn-sbctl dump-flows sw0 > sw0flows
   AT_CAPTURE_FILE([sw0flows])
     AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 |
ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 0; next;)
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
1 && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234;
reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
1 && (udp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]]
== 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] =
1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 0; next;)
     table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]]
== 1 && (udp)), action=(reg8[[16]] = 1; next;)
   ])
@@ -4951,8 +4951,8 @@ AT_CHECK([grep "ls_in_stateful" sw0flows |
ovn_strip_lflows], [0], [dnl
   ])
     AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 |
ovn_strip_lflows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 2; next;)
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
1 && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234;
reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
1 && (udp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]]
== 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] =
1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 2; next;)
     table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]]
== 1 && (udp)), action=(reg8[[16]] = 1; next;)
   ])
@@ -4970,7 +4970,7 @@ ovn-sbctl dump-flows sw0 > sw0flows
   AT_CAPTURE_FILE([sw0flows])
     AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 |
ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
1 && (udp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]]
== 1 && (udp)), action=(reg8[[16]] = 1; next;)
   ])
   AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0],
[dnl
@@ -4980,7 +4980,7 @@ AT_CHECK([grep "ls_in_stateful" sw0flows |
ovn_strip_lflows], [0], [dnl
   ])
     AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 |
ovn_strip_lflows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
1 && (udp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]]
== 1 && (udp)), action=(reg8[[16]] = 1; next;)
   ])
   AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0],
[dnl
@@ -8109,13 +8109,13 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
"ls_in_acl_hint" lsflows | ovn_strip_lflo
     table=??(ls_in_acl_after_lb_eval), priority=65532,
match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=65532,
match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=0    , match=(1),
action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
ct.est), action=(reg0[[1]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
ct.est), action=(next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[10]]
== 1 && (ip4)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked =
1; ct_label.obs_point_id = 0; }; next;)
     table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[9]]
== 1 && (ip4)), action=(reg8[[17]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]]
== 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] ==
1 && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] ==
1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[8]]
== 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[10]]
== 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1;
ct_commit { ct_mark.blocked = 1; ct_label.obs_point_id = 0; }; next;)
     table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[9]]
== 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;)
@@ -8131,8 +8131,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
"ls_in_acl_hint" lsflows | ovn_strip_lflo
     table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
action=(reg0[[9]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
reg0[[10]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
   ])
     AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl
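Review bot: the commit bit `reg0[[1]]` is added only to the priority-6 and priority-7 hint flows, i.e. exactly where `reg0[[7]]` (the allow-new hint) is set; the priority-5 `!ct.trk` flow also grants the allow hint via `reg0[[8]]` but gets no commit bit, and neither does priority 4. If untracked and already-established-unblocked traffic is meant never to be (re)committed here, that is consistent with the old per-ACL behaviour, but a one-line comment in build_acl_hints (or in the commit message) stating that only allow-new hints carry REGBIT_CONNTRACK_COMMIT would make the asymmetry clearly deliberate. Note also that priority 6 matches `ct_mark.blocked == 1` connections, so with this change an allow ACL on such a connection re-commits it and clears the blocked mark; worth a sentence in the commit message since that path now depends on the hint stage rather than on the ACL flow.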
@@ -8166,9 +8166,9 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
"ls_in_acl_hint" lsflows | ovn_strip_lflo
     table=??(ls_in_acl_after_lb_eval), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_after_lb_eval), priority=2001 ,
match=(reg0[[10]] == 1 && (ip4)), action=(reg8[[17]] = 1; ct_commit
{ ct_mark.blocked = 1; ct_label.obs_point_id = 0; }; next;)
     table=??(ls_in_acl_after_lb_eval), priority=2001 ,
match=(reg0[[9]] == 1 && (ip4)), action=(reg8[[17]] = 1; next;)
-  table=??(ls_in_acl_after_lb_eval), priority=2002 ,
match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1;
reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=2002 ,
match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=2002 ,
match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_after_lb_eval), priority=2003 ,
match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1;
reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=2003 ,
match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=2003 ,
match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=2004 ,
match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)),
action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1;
ct_label.obs_point_id = 0; }; next;)
     table=??(ls_in_acl_after_lb_eval), priority=2004 ,
match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)),
action=(reg8[[17]] = 1; next;)
@@ -8176,8 +8176,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
"ls_in_acl_hint" lsflows | ovn_strip_lflo
     table=??(ls_in_acl_after_lb_eval), priority=65532,
match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=65532,
match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=0    , match=(1),
action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
ct.est), action=(reg0[[1]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
ct.est), action=(next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
     table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !
ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] =
1; next;)
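Review bot: with `reg0[[1]] = 1` dropped, the priority-1 `ip && !ct.est` flow in ls_in_acl_eval is left with `action=(next;)`, which is a no-op identical to the priority-0 default flow below it. Unless it is kept on purpose as a placeholder, consider removing that flow from northd.c (and from these expected outputs) rather than carrying an empty entry in the table; the same applies to the corresponding ls_out_acl_eval flow in the egress hunks.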
@@ -8190,8 +8190,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
"ls_in_acl_hint" lsflows | ovn_strip_lflo
     table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
action=(reg0[[9]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
reg0[[10]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
   ])
     AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl
@@ -8231,11 +8231,11 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
"ls_in_acl_hint" lsflows | ovn_strip_lflo
     table=??(ls_in_acl_after_lb_eval), priority=65532,
match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=65532,
match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=0    , match=(1),
action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
ct.est), action=(reg0[[1]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
ct.est), action=(next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]]
== 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] ==
1 && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] ==
1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[8]]
== 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
@@ -8249,8 +8249,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
"ls_in_acl_hint" lsflows | ovn_strip_lflo
     table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
action=(reg0[[9]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
reg0[[10]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
   ])
     AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl
@@ -8779,8 +8779,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
"ls_.*_acl" | ovn_strip_lflows], [0], [
     table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_eval     ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
ct.est), action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
== 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
@@ -8794,8 +8794,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
"ls_.*_acl" | ovn_strip_lflows], [0], [
     table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
action=(reg0[[9]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
reg0[[10]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
     table=??(ls_in_acl_sample   ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_pre_acl      ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_pre_acl      ), priority=100  , match=(ip),
action=(reg0[[0]] = 1; next;)
@@ -8809,7 +8809,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
"ls_.*_acl" | ovn_strip_lflows], [0], [
     table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[18]]
== 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 =
0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit.
*/ outport <-> inport; next(pipeline=ingress,table=??); };)
     table=??(ls_out_acl_eval    ), priority=0    , match=(1),
action=(next;)
     table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
ct.est), action=(next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
action=(reg8[[16]] = 1; ct_commit_nat;)
     table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !
ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
action=(reg8[[16]] = 1; next;)
@@ -8822,8 +8822,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
"ls_.*_acl" | ovn_strip_lflows], [0], [
     table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
action=(reg0[[9]] = 1; next;)
     table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
reg0[[10]] = 1; next;)
     table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
     table=??(ls_out_acl_sample  ), priority=0    , match=(1),
action=(next;)
     table=??(ls_out_pre_acl     ), priority=0    , match=(1),
action=(next;)
     table=??(ls_out_pre_acl     ), priority=100  , match=(ip),
action=(reg0[[0]] = 1; next;)
@@ -8973,7 +8973,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
"ls_.*_acl" | ovn_strip_lflows], [0], [
     table=??(ls_in_acl_after_lb_action), priority=1000 ,
match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0;
reg8[[18]] = 0; /* drop */)
     table=??(ls_in_acl_after_lb_action), priority=1000 ,
match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0;
reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <->
ip.src; is implicit. */ outport <-> inport;
next(pipeline=egress,table=??); };)
     table=??(ls_in_acl_after_lb_eval), priority=0    , match=(1),
action=(next;)
-  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1;
reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd ||
nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=65532,
match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;)
@@ -8981,7 +8981,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
"ls_.*_acl" | ovn_strip_lflows], [0], [
     table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_eval     ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
ct.est), action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
     table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !
ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] =
1; next;)
@@ -8994,8 +8994,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
"ls_.*_acl" | ovn_strip_lflows], [0], [
     table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
action=(reg0[[9]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
reg0[[10]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
     table=??(ls_in_acl_sample   ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_pre_acl      ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_pre_acl      ), priority=100  , match=(ip),
action=(reg0[[0]] = 1; next;)
@@ -9009,7 +9009,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
"ls_.*_acl" | ovn_strip_lflows], [0], [
     table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[18]]
== 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 =
0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit.
*/ outport <-> inport; next(pipeline=ingress,table=??); };)
     table=??(ls_out_acl_eval    ), priority=0    , match=(1),
action=(next;)
     table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
ct.est), action=(next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
action=(reg8[[16]] = 1; ct_commit_nat;)
     table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !
ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
action=(reg8[[16]] = 1; next;)
@@ -9022,8 +9022,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
"ls_.*_acl" | ovn_strip_lflows], [0], [
     table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
action=(reg0[[9]] = 1; next;)
     table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
reg0[[10]] = 1; next;)
     table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
     table=??(ls_out_acl_sample  ), priority=0    , match=(1),
action=(next;)
     table=??(ls_out_pre_acl     ), priority=0    , match=(1),
action=(next;)
     table=??(ls_out_pre_acl     ), priority=100  , match=(ip),
action=(reg0[[0]] = 1; next;)
@@ -9179,7 +9179,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
"ls_.*_acl" | ovn_strip_lflows], [0], [
     table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_eval     ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
ct.est), action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
     table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !
ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] =
1; next;)
@@ -9192,8 +9192,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
"ls_.*_acl" | ovn_strip_lflows], [0], [
     table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
action=(reg0[[9]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
reg0[[10]] = 1; next;)
     table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
     table=??(ls_in_acl_sample   ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_pre_acl      ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_pre_acl      ), priority=100  , match=(ip),
action=(reg0[[0]] = 1; next;)
@@ -9207,8 +9207,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
"ls_.*_acl" | ovn_strip_lflows], [0], [
     table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[18]]
== 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 =
0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit.
*/ outport <-> inport; next(pipeline=ingress,table=??); };)
     table=??(ls_out_acl_eval    ), priority=0    , match=(1),
action=(next;)
     table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
ct.est), action=(next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
&& ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]]
== 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
action=(reg8[[16]] = 1; ct_commit_nat;)
@@ -9222,8 +9222,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
"ls_.*_acl" | ovn_strip_lflows], [0], [
     table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
action=(reg0[[9]] = 1; next;)
     table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
reg0[[10]] = 1; next;)
     table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
     table=??(ls_out_acl_sample  ), priority=0    , match=(1),
action=(next;)
     table=??(ls_out_pre_acl     ), priority=0    , match=(1),
action=(next;)
     table=??(ls_out_pre_acl     ), priority=100  , match=(ip),
action=(reg0[[0]] = 1; next;)
@@ -13197,7 +13197,7 @@ check_uuid ovn-nbctl --wait=sb \
     --id=@sample2 create Sample collector="$collector1 $collector2"
metadata=4302 -- \
     --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport
1 "1" allow-related
   AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
= 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
     table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
== 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 0; next;)
     table=??(ls_in_acl_sample   ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_sample   ), priority=1100 , match=(ip &&
ct.new && reg3 == 4301),
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
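Review bot: in this hunk only the `reg0[[7]]` sampling flow loses `reg0[[1]] = 1`; the `reg0[[8]]` flow immediately below it (unchanged context, `action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; ...`) still sets the commit bit. If that is the deliberate re-commit of established connections so that ct_label.obs_point_id picks up the --sample-est value, a short comment in the test saying so would help, because the `reg0[[8]]` flows in the other expected outputs in this file do not commit and a reader could otherwise take this as a flow the patch missed.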
@@ -13230,7 +13230,7 @@ check_uuid ovn-nbctl --wait=sb \
     --id=@sample1 create Sample collector="$collector1 $collector2"
metadata=4301 -- \
     --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related
   AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
= 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
     table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
== 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301;
reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
next;)
     table=??(ls_in_acl_sample   ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_sample   ), priority=1100 , match=(ip &&
ct.new && reg3 == 4301),
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
@@ -13260,7 +13260,7 @@ check_uuid ovn-nbctl --wait=sb \
     --id=@sample2 create Sample collector="$collector1 $collector2"
metadata=4302 -- \
     --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-
add ls from-lport 1 "1" allow-related
   AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample
-e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1;
reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0;
reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] =
1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1;
reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0;
reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
     table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip &&
ct.new && reg3 == 4301),
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
@@ -13293,7 +13293,7 @@ check_uuid ovn-nbctl --wait=sb \
     --id=@sample1 create Sample collector="$collector1 $collector2"
metadata=4301 -- \
     --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1
"1" allow-related
   AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample
-e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1;
reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0;
reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] =
1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] =
1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 1; next;)
     table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip &&
ct.new && reg3 == 4301),
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
@@ -13325,7 +13325,7 @@ check_uuid ovn-nbctl --wait=sb \
   AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
     table=??(ls_in_acl_sample   ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_sample   ), priority=1200 , match=(ip &&
ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id ==
4302 && ct_label.obs_unused == 0),
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
 next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
= 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
     table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]]
== 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 2; next;)
     table=??(ls_out_acl_sample  ), priority=0    , match=(1),
action=(next;)
     table=??(ls_out_acl_sample  ), priority=1100 , match=(ip &&
(ct.new || !ct.trk) && reg3 == 4301),
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
@@ -13358,7 +13358,7 @@ check_uuid ovn-nbctl --wait=sb \
     --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related
   AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
     table=??(ls_in_acl_sample   ), priority=0    , match=(1),
action=(next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
= 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
     table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]]
== 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301;
reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
next;)
     table=??(ls_out_acl_sample  ), priority=0    , match=(1),
action=(next;)
     table=??(ls_out_acl_sample  ), priority=1100 , match=(ip &&
(ct.new || !ct.trk) && reg3 == 4301),
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
@@ -13418,7 +13418,7 @@ check_uuid ovn-nbctl --
wait=sb                                         \
     --id=@sample2 create Sample collector="$collector1" metadata=4302
-- \
     --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport
1 "1" allow-related
   AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
= 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
     table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
== 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
reg8[[19..20]] = 0; next;)
     table=??(ls_in_acl_sample   ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_sample   ), priority=1100 , match=(ip &&
ct.new && reg3 == 4301),
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
@@ -13456,7 +13456,7 @@ check_uuid ovn-nbctl --
wait=sb                                         \
     --id=@sample2 create Sample collector="$collector1" metadata=4302
-- \
     --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport
1 "1" allow-related
   AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
= 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
     table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
== 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
reg8[[19..20]] = 0; next;)
     table=??(ls_in_acl_sample   ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_sample   ), priority=1000 , match=(ip &&
ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0),
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
 next;)
@@ -13491,7 +13491,7 @@ check_uuid ovn-nbctl --
wait=sb                                         \
     --id=@sample1 create Sample collector="$collector1" metadata=4301
-- \
     --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related
   AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0;
reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
= 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
     table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
== 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301;
reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
next;)
     table=??(ls_in_acl_sample   ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_sample   ), priority=1000 , match=(ip &&
ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0),
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
 next;)
@@ -13524,7 +13524,7 @@ check_uuid ovn-nbctl --
wait=sb                                         \
     --id=@sample2 create Sample collector="$collector1" metadata=4302
-- \
     --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-
add ls from-lport 1 "1" allow-related
   AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample
-e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1;
reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1;
reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] =
1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
reg8[[19..20]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1;
reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1;
reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;)
     table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip &&
ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1),
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
 next;)
@@ -13559,7 +13559,7 @@ check_uuid ovn-nbctl --
wait=sb                                         \
     --id=@sample1 create Sample collector="$collector1" metadata=4301
-- \
     --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1
"1" allow-related
   AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample
-e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1;
reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1;
reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] =
1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0;
reg8[[19..20]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=1001 ,
match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] =
1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0;
reg8[[19..20]] = 1; next;)
     table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip &&
ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1),
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
 next;)
@@ -13594,7 +13594,7 @@ check_uuid ovn-nbctl --
wait=sb                                         \
   AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
     table=??(ls_in_acl_sample   ), priority=0    , match=(1),
action=(next;)
     table=??(ls_in_acl_sample   ), priority=1000 , match=(ip &&
ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
ct_mark.obs_collector_id == 1),
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
 next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
= 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;)
     table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]]
== 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
reg8[[19..20]] = 2; next;)
     table=??(ls_out_acl_sample  ), priority=0    , match=(1),
action=(next;)
     table=??(ls_out_acl_sample  ), priority=1000 , match=(ip &&
(ct.new || !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2),
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
 next;)
@@ -13629,7 +13629,7 @@ check_uuid ovn-nbctl --
wait=sb                                         \
     --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related
   AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
     table=??(ls_in_acl_sample   ), priority=0    , match=(1),
action=(next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0;
reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
= 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
     table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]]
== 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301;
reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
next;)
     table=??(ls_out_acl_sample  ), priority=0    , match=(1),
action=(next;)
     table=??(ls_out_acl_sample  ), priority=1000 , match=(ip &&
(ct.new || !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2),
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
 next;)
@@ -14950,17 +14950,17 @@ check ovn-nbctl acl-add sw to-lport 1002
"ip" allow-related
   check ovn-nbctl --apply-after-lb acl-add sw from-lport 1003 "udp"
allow-related
     AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | grep
priority=2001 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] ==
1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] ==
1 && (tcp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[8]]
== 1 && (tcp)), action=(reg8[[16]] = 1; next;)
   ])
     AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_after_lb_eval
| grep priority=2003 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=2003 ,
match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] =
1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=2003 ,
match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=2003 ,
match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;)
   ])
     AT_CHECK([ovn-sbctl lflow-list sw | grep ls_out_acl_eval | grep
priority=2002 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
1 && (ip)), action=(reg8[[16]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]]
== 1 && (ip)), action=(reg8[[16]] = 1; next;)
   ])
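Review bot: with `reg0[[1]] = 1;` removed, the reg0[[7]] and reg0[[8]] flows at priorities 2001, 2003 and 2002 now carry identical actions (`reg8[[16]] = 1; next;`) whenever neither sampling nor an ACL ID is involved, so they differ only in their match. A follow-up could emit a single flow with a combined hint match to halve these entries; not needed for this fix, but worth noting in the commit message as a possible simplification.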
   @@ -14980,17 +14980,17 @@ after_lb_id=$(ovn-sbctl get ACL_ID
$after_lb_uuid id)
     dnl Now we should see the registers being set to the appropriate
values.
   AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep ls_in_acl_eval |
grep priority=2001 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] ==
1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg2[[16..31]] =
$ingress_id; reg0[[20]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] ==
1 && (tcp)), action=(reg8[[16]] = 1; reg2[[16..31]] = $ingress_id;
reg0[[20]] = 1; next;)
     table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[8]]
== 1 && (tcp)), action=(reg8[[16]] = 1; next;)
   ])
     AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep
ls_in_acl_after_lb_eval | grep priority=2003 | ovn_strip_lflows],
[0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=2003 ,
match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] =
1; reg2[[16..31]] = $after_lb_id; reg0[[20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=2003 ,
match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1;
reg2[[16..31]] = $after_lb_id; reg0[[20]] = 1; next;)
     table=??(ls_in_acl_after_lb_eval), priority=2003 ,
match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;)
   ])
     AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep ls_out_acl_eval
| grep priority=2002 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg2[[16..31]] =
$egress_id; reg0[[20]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
1 && (ip)), action=(reg8[[16]] = 1; reg2[[16..31]] = $egress_id;
reg0[[20]] = 1; next;)
     table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]]
== 1 && (ip)), action=(reg8[[16]] = 1; next;)
   ])
   diff --git a/tests/system-ovn.at b/tests/system-ovn.at
index 5fa740cfb..9faadfb1d 100644
--- a/tests/system-ovn.at
+++ b/tests/system-ovn.at
@@ -17618,3 +17618,123 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to
query port patch-.*/d
   /connection dropped.*/d"])
   AT_CLEANUP
   ])
+
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([conntrack on pass ACLs])
+
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_NAT()
+ovn_start
+OVS_TRAFFIC_VSWITCHD_START()
+ADD_BR([br-int])
+#
+# Set external-ids in br-int needed for ovn-controller
+check ovs-vsctl \
+        -- set Open_vSwitch . external-ids:system-id=hv1 \
+        -- set Open_vSwitch . external-ids:ovn-remote=unix:
$ovs_base/ovn-sb/ovn-sb.sock \
+        -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \
+        -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \
+        -- set bridge br-int fail-mode=secure other-config:disable-
in-band=true
+
+# Start ovn-controller
+start_daemon ovn-controller
+
+# Ensure that when stateful ACLs are present, a "pass"
+# action results in the packet being allowed (since we
+# do not have whatever that thing is called that
+# drops packets by default when using ACLs enabled). If
+# this is the final verdict of all ACL tiers, then the
+# packet should also be committed to conntrack, the same
+# as if an "allow" of "allow-related" verdict were final.
+
+check ovn-nbctl ls-add ls
+check ovn-nbctl lsp-add ls lsp1 \
+-- lsp-set-addresses lsp1 "f0:00:00:00:00:01 192.168.1.1"
+check ovn-nbctl lsp-add ls lsp2 \
+-- lsp-set-addresses lsp2 "f0:00:00:00:00:02 192.168.1.2"
+
+ADD_NAMESPACES(lsp1)
+ADD_VETH(lsp1, lsp1, br-int, "192.168.1.1/24", "f0:00:00:00:00:01", \
+         "192.168.1.100")
+
+ADD_NAMESPACES(lsp2)
+ADD_VETH(lsp2, lsp2, br-int, "192.168.1.2/24", "f0:00:00:00:00:02", \
+         "192.168.1.100")
+
+# First, set up a "pass" ACL by itself.
+check ovn-nbctl acl-add ls from-lport 1000 "ip4.src == 192.168.1.1"
pass
+check ovn-nbctl acl-add ls to-lport 1000 "ip4.src == 192.168.1.2" pass
+
+# Ping should succeed since from-lport "pass" ACL is the only one
matched.
+NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 192.168.1.2 |
FORMAT_PING], \
+[0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+# Ping the other way should also succeed since to-lport "pass" ACL
is matched.
+NS_CHECK_EXEC([lsp2], [ping -q -c 3 -i 0.3 -w 2 192.168.1.1 |
FORMAT_PING], \
+[0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+# There should be no conntrack entries created since there are no
stateful ACLs.
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.2) | \
+sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [1], [dnl
+])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.1) | \
+sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [1], [dnl
+])
+
+# Now add an arbitrary stateful ACL to the mix. We'll never match on
this
+# ACL, but its presence should change things.
+check ovn-nbctl acl-add ls from-lport 200 "ip4.src == 192.168.1.50"
allow-related
+
+# Pings should still succeed.
+NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 192.168.1.2 |
FORMAT_PING], \
+[0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+NS_CHECK_EXEC([lsp2], [ping -q -c 3 -i 0.3 -w 2 192.168.1.1 |
FORMAT_PING], \
+[0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+# Now there should be conntrack entries from the pings
+# We should have an entry for each direction of traffic in
+# each port's zone: a total of four.
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.2) | \
+sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [0], [dnl
+icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
+icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
+icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
+icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
+])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.1) | \
+sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [0], [dnl
+icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
+icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
+icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
+icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
+])
+
+OVN_CLEANUP_CONTROLLER([hv1])
+
+as ovn-sb
+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+as ovn-nb
+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+as northd
+OVS_APP_EXIT_AND_WAIT([ovn-northd])
+
+as
+OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d
+/connection dropped.*/d"])
+
+AT_CLEANUP
+])
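Review bot: the comment block at the top of the new test ("since we do not have whatever that thing is called that drops packets by default when using ACLs enabled") reads as a placeholder and should name the mechanism it means before this is merged; in the same block, `an "allow" of "allow-related" verdict` should be `"allow" or "allow-related"`. Separately, the two AT_CHECKs after the allow-related ACL is added (FORMAT_CT(192.168.1.2) and FORMAT_CT(192.168.1.1)) expect byte-identical output, because every listed entry carries both addresses in its orig/reply tuples; one of them is redundant, and the slot could instead verify the consequence the fix is for, namely that once the entries are committed, reply traffic is handled as established rather than as a new connection.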

Regards,
Dumitru

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev