On 4/28/25 4:33 PM, Mark Michelson wrote:
> On 4/28/25 10:00, Dumitru Ceara wrote:
>> On 4/28/25 3:47 PM, Mark Michelson wrote:
>>> On 4/28/25 05:49, Dumitru Ceara wrote:
>>>> On 4/25/25 9:16 PM, Mark Michelson via dev wrote:
>>>>> REGBIT_CONNTRACK_COMMIT determines if a packet will be committed to
>>>>> conntrack when it reaches the STATEFUL stage of a logical switch. When
>>>>> stateful ACLs are present, the goal is to have this bit set for all
>>>>> traffic. However, if the packet hit only "pass" ACLs, then the packet
>>>>> was being allowed but not being committed to conntrack.
>>>>>
>>>>> This patch addresses the error by setting REGBIT_CONNTRACK_COMMIT during
>>>>> the ACL_HINT stage. Any time we set REGBIT_ACL_HINT_ALLOW_NEW, we also
>>>>> set REGBIT_CONNTRACK_COMMIT. If the packet gets denied by ACLs, then the
>>>>> packet will get dropped or rejected before REGBIT_CONNTRACK_COMMIT is
>>>>> used. If the packet is allowed (statelessly, statefully, or by default),
>>>>> then the packet will be committed to conntrack.
>>>>>
>>>>> Reported-at: https://issues.redhat.com/browse/FDP-1321
>>>>>
>>>>> Signed-off-by: Mark Michelson <mmich...@redhat.com>
>>>>> ---
>>>>
>>>> Hi Mark,
>>>>
>>>> Thanks for the fix but for some reason this patch is a bit corrupted.  I
>>>> manually applied it and pushed it for CI in my fork here:
>>>>
>>>> https://github.com/dceara/ovn/tree/refs/heads/review-pws454250-tier-acl-commit
>>>>
>>>> ovn-k CI: https://github.com/dceara/ovn/actions/runs/14704219132
>>>> ovn CI: https://github.com/dceara/ovn/actions/runs/14704219144
>>>>
>>>>>    northd/northd.c     |  20 +++---
>>>>>    tests/ovn-northd.at | 172 +++++++++++++++++++++
>>>>> +----------------------
>>>>>    tests/system-ovn.at | 120 +++++++++++++++++++++++++++++++
>>>>>    3 files changed, 217 insertions(+), 95 deletions(-)
>>>>>
>>>>> diff --git a/northd/northd.c b/northd/northd.c
>>>>> index 74792e38b..9f66c7469 100644
>>>>> --- a/northd/northd.c
>>>>> +++ b/northd/northd.c
>>>>> @@ -6368,10 +6368,16 @@ build_acl_hints(const struct
>>>>> ls_stateful_record *ls_stateful_rec,
>>>>>            /* New, not already established connections, may hit either
>>>>> allow
>>>>>             * or drop ACLs. For allow ACLs, the connection must also
>>>>> be committed
>>>>>             * to conntrack so we set REGBIT_ACL_HINT_ALLOW_NEW.
>>>>> +         *
>>>>> +         * All new traffic should be committed to conntrack if there
>>>>> are
>>>>> +         * stateful ACLs present, so set REGBIT_CONNTRACK_COMMIT
>>>>> here to
>>>>> +         * ensure that the traffic is committed to conntrack in the
>>>>> STATEFUL
>>>>> +         * stage.
>>>>>             */
>>>>>            ovn_lflow_add(lflows, od, stage, 7, "ct.new && !ct.est",
>>>>>                          REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
>>>>>                          REGBIT_ACL_HINT_DROP " = 1; "
>>>>> +                      REGBIT_CONNTRACK_COMMIT " = 1; "
>>>>>                          "next;", lflow_ref);
>>>>>              /* Already established connections in the "request"
>>>>> direction that
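Review bot: the comment added in this hunk states the goal but not the invariant the change now rests on. Setting REGBIT_CONNTRACK_COMMIT on every `ct.new && !ct.est` packet here also covers packets that a drop or reject ACL will discard, so the bit is harmless only because, as the commit message says, those verdicts end the pipeline before the STATEFUL stage. Suggest saying so next to `REGBIT_CONNTRACK_COMMIT " = 1; "` (e.g. "relies on drop/reject never reaching STATEFUL"), so that a future ACL action which falls through to STATEFUL cannot silently commit traffic that should have been blocked.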
>>>>> @@ -6379,13 +6385,15 @@ build_acl_hints(const struct
>>>>> ls_stateful_record *ls_stateful_rec,
>>>>>             * - allow ACLs for connections that were previously
>>>>> allowed by a
>>>>>             *   policy that was deleted and is being readded now. In
>>>>> this case
>>>>>             *   the connection should be recommitted so we set
>>>>> -         *   REGBIT_ACL_HINT_ALLOW_NEW.
>>>>> +         *   REGBIT_ACL_HINT_ALLOW_NEW. Since we want traffic
>>>>> recommitted
>>>>> +         *   in this case, we also set REGBIT_CONNTRACK_COMMIT.
>>>>>             * - drop ACLs.
>>>>>             */
>>>>>            ovn_lflow_add(lflows, od, stage, 6,
>>>>>                          "!ct.new && ct.est && !ct.rpl &&
>>>>> ct_mark.blocked == 1",
>>>>>                          REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
>>>>>                          REGBIT_ACL_HINT_DROP " = 1; "
>>>>> +                      REGBIT_CONNTRACK_COMMIT " = 1; "
>>>>>                          "next;", lflow_ref);
>>>>
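Review bot: the priority-6 flow now carries the commit bit for packets already marked `ct_mark.blocked == 1`, and the new comment only says "we want traffic recommitted in this case". Worth stating that the recommit is what clears ct_mark.blocked in the STATEFUL stage and that a packet which instead hits a drop ACL never gets there, since that is exactly the property this thread later has to establish by hand with ovn-trace. A test asserting that no ct_commit happens for a blocked flow that hits a drop ACL (the case traced later in this thread) would make it regression-proof.
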
>>>> I'm not sure this is correct.  This matches on sessions that were
>>>> established at some point (so there was an ACL that allowed them) but
>>>> later an ACL change happened and the new set of ACLs doesn't allow the
>>>> sessions anymore.
>>>>
>>>> When the ACL change happened ct_mark.blocked was already set to 1 so we
>>>> don't need to update these sessions.
>>>>
>>>> However later, in build_stateful(), we assume that if
>>>> REGBIT_CONNTRACK_COMMIT == 1 we should recommit (with ct_mark.blocked =
>>>> 0) which "unblocks" these sessions, breaking ACL behavior.
>>>
>>> My change is based on comments in the code. Prior to my patch, the
>>> comment above this section says:
>>>
>>>    /* Already established connections in the "request" direction that
>>>     * are already marked as "blocked" may hit either:
>>>     * - allow ACLs for connections that were previously allowed by a
>>>     *   policy that was deleted and is being readded now. In this case
>>>     *   the connection should be recommitted so we set
>>>     *   REGBIT_ACL_HINT_ALLOW_NEW.
>>>     * - drop ACLs.
>>>     */
>>>
>>> Then, in consider_acl(), there is this comment:
>>>
>>>     * It's also possible that a known connection was marked for
>>>     * deletion after a policy was deleted, but the policy was
>>>     * re-added while that connection is still known.  We catch
>>>     * that case here and un-set ct_mark.blocked (which will be done
>>>     * by ct_commit in the "stateful" stage) to indicate that the
>>>     * connection should be allowed to resume.
>>>
>>> So it seems like the whole idea behind REGBIT_ACL_HINT_ALLOW_NEW in this
>>> particular scenario is to re-commit the packet, setting ct_mark.blocked
>>> = 0 in the process. The reasoning is that the session was allowed, then
>>> the policy was removed, resulting in the packet being blocked. Then the
>>> policy was re-added, resulting in the packet needing to be re-committed.
>>>
>>
>> Sure.
>>
>>> So I think this won't break ACL behavior, but will maintain the current
>>> behavior for the obscure case where ACLs are added, removed, and then
>>> re-added.
>>>
>>> One aspect about REGBIT_ACL_HINT_ALLOW_NEW is that it requires the
>>> packet to re-match ACLs before being allowed. So in the case where the
>>> packet should be dropped still (because the ACL was removed), then the
>>> packet should still end up being dropped since the packet will not match
>>> the removed ACL.
>>>
>>
>> Thanks for the clarification.  Re-reading the code, you might be right.
>>
>> However, because we set REGBIT_CONNTRACK_COMMIT = 1 when
>> "!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1", that means we
>> (re)commit each and every packet that hits this rule.  I think that
>> wasn't the case before.
> 
> We only recommit packets if they are not dropped by ACLs first. Consider
> the scenario before my patch. Before my patch, if a packet matched
> "!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1", then
> REGBIT_ACL_HINT_ALLOW_NEW was set. Then in the ACL_EVAL stage, the ACLs
> are re-evaluated. If the packet matched an allow or allow-related ACL,
> or if the packet matched no ACLs and the default policy was not to drop
> the packet, then we would set REGBIT_CONNTRACK_COMMIT. In other words,
> previous code was also committing every packet that hits the rule, so
> long as the packet then went on to match an allow ACL or get by the
> ACL_EVAL stage by default. When you commit the new packet, then you get
> a new CT entry with ct_mark.blocked == 0. Then, the next packet that
> arrives will not have REGBIT_ACL_HINT_ALLOW_NEW set on it since
> ct_mark.blocked is no longer 1. As a result, subsequent packets will not
> be recommitted.
> 
> So now with my patch, the same behavior should be present. The
> difference is that we also set REGBIT_CONNTRACK_COMMIT so that no matter
> what the ACL evaluation result is, the packet will be committed to
> conntrack if the packet reaches the STATEFUL stage. It doesn't matter if
> the result is "allow", "allow-related", "pass", default ACL rules, or
> anything new that may be introduced later. However, if the packet is
> dropped or rejected during ACL stages, then the packet will not hit the
> STATEFUL stage at all, so nothing will get recommitted.
> 
> I think to prove that my change is causing problems, you need to find a
> scenario where REGBIT_ACL_HINT_ALLOW_NEW was being set, and then
> REGBIT_CONNTRACK_COMMIT was *not* being set later. The only scenarios
> I'm aware of where this would happen are:
> 
> * Having "pass" be the final ACL verdict. This is a bug and is fixed by
> this patch.
> * The packet is dropped or rejected before reaching the STATEFUL stage.
> This should still be the case after my patch.
> 
>>
>> Packets that end up being dropped shouldn't cause ct_commit{...
>> ct_mark.blocked = 1,...} if ct_mark.blocked already is "1".  I _think_
>> this behavior change happens due to your patch.
> 
> Is this something you've observed with my patch? If so, then I can try
> to figure out what is causing it.
> 
> But just looking at the code, the only time we ct_commit() with
> ct_mark.blocked = 1, is when hitting a "drop" or "reject" ACL when
> REGBIT_ACL_HINT_BLOCK == 1. REGBIT_ACL_HINT_BLOCK is only ever set to 1
> if ct_mark.blocked == 0. So therefore, if ct_mark.blocked is already 1,
> it should not be possible to re-commit with ct_mark.blocked set to 1 again.
> 

You're right.  I got all the different flags confused.  While trying to
confirm, I set it up in a sandbox:

> ovn-nbctl ls-add ls \
  -- lsp-add ls lsp1 \
  -- lsp-add ls lsp2 \
  -- acl-add ls from-lport 1 1 allow-related \
  -- acl-add ls from-lport 100 'ip4.src == 1.1.1.1' drop

Then simulated traffic that should be already blocked:

> ovn-trace --ct trk,est 'inport=="lsp1" && ip4.src == 1.1.1.1 && ip4.dst == 1.1.1.2 && ct_mark.blocked == 1'

# ct_mark=0x1,ip,reg14=0x2,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,nw_src=1.1.1.1,nw_dst=1.1.1.2,nw_proto=0,nw_tos=0,nw_ecn=0,nw_ttl=0,nw_frag=no

ingress(dp="ls", inport="lsp1")
-------------------------------
 0. ls_in_check_port_sec (northd.c:9413): 1, priority 50, uuid c2e61c9a
    reg0[15] = check_in_port_sec();
    next;
 4. ls_in_pre_acl (northd.c:6068): ip, priority 100, uuid c85d61f9
    reg0[0] = 1;
    next;
 6. ls_in_pre_stateful (northd.c:6318): reg0[0] == 1, priority 100, uuid 0255733f
    ct_next(dnat);

ct_next(ct_state=est|trk)
-------------------------
 7. ls_in_acl_hint (northd.c:6392): !ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1, priority 6, uuid a450edee
    reg0[7] = 1;
    reg0[9] = 1;
    reg0[1] = 1;
    next;
 8. ls_in_acl_eval (northd.c:7124): reg0[9] == 1 && (ip4.src == 1.1.1.1), priority 1100, uuid 774d7f96
    reg8[17] = 1;
    next;
10. ls_in_acl_action (northd.c:7295): reg8[17] == 1, priority 1000, uuid 9409bdf7
    reg8[16] = 0;
    reg8[17] = 0;
    reg8[18] = 0;

So, like you said, no additional commit.

>>
>>>>
>>>> I was about to suggest only setting REGBIT_CONNTRACK_COMMIT = 1 in this
>>>> case if ct_mark.blocked == 0 but I'm afraid that might cause all
>>>> packets
>>>> in the original direction that match allow ACLs to be committed.
>>>>
>>>> There might still be a way to do this in the hint stage but I'm not so
>>>> sure it's that easy.
>>>>
>>>> Maybe we should change the code that handles "pass" action instead so
>>>> that it behaves as if action was "allow-related" if the ACLs tier is
>>>> equal to the max tier for that switch?
>>> I can certainly go with something like that. My thought here was that
>>> the way I went about it makes it so that no matter what changes happen
>>> at the ACL evaluation or action stages, the packets will get committed
>>> to conntrack in the STATEFUL stage.
>>>
>>
>> Maybe a simpler and safer solution is Ales' suggestion here:
>> https://mail.openvswitch.org/pipermail/ovs-dev/2025-April/423084.html
> 
> It's definitely simpler. My main problems with this are
> 
> 1) It keeps the poor separation of concerns that the current code has.

OK.

> 2) It leaves us open to the same problem if new ACL actions are introduced.
> 

Sure, although, I really hope we don't add new ACL actions. :)

>>
>>>>
>>>>>              /* Not tracked traffic can either be allowed or
>>>>> dropped. */
>>>>> @@ -7041,7 +7049,6 @@ consider_acl(struct lflow_table *lflows, const
>>>>> struct ovn_datapath *od,
>>>>>                          acl->match);
>>>>>              ds_truncate(actions, log_verdict_len);
>>>>> -        ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
>>>>>              if (smap_get_bool(&acl->options, "persist-established",
>>>>> false)) {
>>>>>                const struct sbrec_acl_id *sb_id;
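Review bot: with `ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; ")` removed here, consider_acl() no longer sets the commit bit for any verdict, yet the diffstat lists only northd.c and two test files, so no documentation was touched. If the logical-flow documentation (northd/ovn-northd.8.xml) describes the ACL eval stage as the place that sets REGBIT_CONNTRACK_COMMIT for allow/allow-related ACLs, it needs the same move to the ACL hint stage, and the commit message should state that the bit is now set in exactly one stage.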
>>>>> @@ -7477,22 +7484,17 @@ build_acls(const struct ls_stateful_record
>>>>> *ls_stateful_rec,
>>>>>            ds_put_format(&match, "ip && ct.est && ct_mark.blocked
>>>>> == 1");
>>>>>            ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1,
>>>>>                          ds_cstr(&match),
>>>>> -                      REGBIT_CONNTRACK_COMMIT" = 1; "
>>>>>                          REGBIT_ACL_VERDICT_ALLOW" = 1; next;",
>>>>>                          lflow_ref);
>>>>>            ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1,
>>>>>                          ds_cstr(&match),
>>>>> -                      REGBIT_CONNTRACK_COMMIT" = 1; "
>>>>>                          REGBIT_ACL_VERDICT_ALLOW" = 1; next;",
>>>>>                          lflow_ref);
>>>>>    -        const char *next_action = default_acl_drop
>>>>> -                             ? "next;"
>>>>> -                             : REGBIT_CONNTRACK_COMMIT" = 1; next;";
>>>>>            ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1, "ip && !
>>>>> ct.est",
>>>>> -                      next_action, lflow_ref);
>>>>> +                      "next;" , lflow_ref);
>>>>>            ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1, "ip
>>>>> && !ct.est",
>>>>> -                      next_action, lflow_ref);
>>>>> +                      "next;", lflow_ref);
>>>>>              /* Ingress and Egress ACL Table (Priority 65532).
>>>>>             *
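Review bot: style nit at `"next;" , lflow_ref);` in the S_SWITCH_IN_ACL_EVAL call: stray space before the comma (the S_SWITCH_OUT_ACL_EVAL call right below has `"next;", lflow_ref);`). Two follow-ups: with `next_action` gone, check that `default_acl_drop` is still referenced elsewhere in build_acls(), otherwise it becomes an unused variable; and since both priority-1 `ip && !ct.est` flows now do nothing but `next;`, they are indistinguishable from the priority-0 `match=(1), action=(next;)` flow visible in the ovn-northd.at expectations later in this patch, so they could be removed instead of kept as no-ops.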
>>>>> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
>>>>> index 82dfe92fd..82850e099 100644
>>>>> --- a/tests/ovn-northd.at
>>>>> +++ b/tests/ovn-northd.at
>>>>> @@ -2442,13 +2442,13 @@ ovn-sbctl dump-flows sw1 > sw1flows3
>>>>>    AT_CAPTURE_FILE([sw1flows3])
>>>>>      AT_CHECK([grep "ls_out_acl" sw0flows3 sw1flows3 | grep pg0 |
>>>>> ovn_strip_lflows], [0], [dnl
>>>>> -sw0flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
>>>>> match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]]
>>>>> = 1; reg0[[1]] = 1; next;)
>>>>> +sw0flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
>>>>> match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]]
>>>>> = 1; next;)
>>>>>    sw0flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
>>>>> match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]]
>>>>> = 1; next;)
>>>>>    sw0flows3:  table=??(ls_out_acl_eval    ), priority=2002 ,
>>>>> match=(reg0[[10]] == 1 && (outport == @pg0 && ip4 && udp)),
>>>>> action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1;
>>>>> ct_label.obs_point_id = 0; }; next;)
>>>>>    sw0flows3:  table=??(ls_out_acl_eval    ), priority=2002 ,
>>>>> match=(reg0[[9]] == 1 && (outport == @pg0 && ip4 && udp)),
>>>>> action=(reg8[[18]] = 1; next;)
>>>>>    sw0flows3:  table=??(ls_out_acl_eval    ), priority=2003 ,
>>>>> match=(reg0[[10]] == 1 && (outport == @pg0 && ip6 && udp)),
>>>>> action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1;
>>>>> ct_label.obs_point_id = 0; }; next;)
>>>>>    sw0flows3:  table=??(ls_out_acl_eval    ), priority=2003 ,
>>>>> match=(reg0[[9]] == 1 && (outport == @pg0 && ip6 && udp)),
>>>>> action=(reg8[[18]] = 1; next;)
>>>>> -sw1flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
>>>>> match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]]
>>>>> = 1; reg0[[1]] = 1; next;)
>>>>> +sw1flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
>>>>> match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]]
>>>>> = 1; next;)
>>>>>    sw1flows3:  table=??(ls_out_acl_eval    ), priority=2001 ,
>>>>> match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]]
>>>>> = 1; next;)
>>>>>    sw1flows3:  table=??(ls_out_acl_eval    ), priority=2002 ,
>>>>> match=(reg0[[10]] == 1 && (outport == @pg0 && ip4 && udp)),
>>>>> action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1;
>>>>> ct_label.obs_point_id = 0; }; next;)
>>>>>    sw1flows3:  table=??(ls_out_acl_eval    ), priority=2002 ,
>>>>> match=(reg0[[9]] == 1 && (outport == @pg0 && ip4 && udp)),
>>>>> action=(reg8[[18]] = 1; next;)
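Review bot: this and the following ovn-northd.at hunks only re-baseline expected flow output (reg0[[1]] moves out of the ls_*_acl_eval actions and into the ls_*_acl_hint priority-6/7 actions); none of them exercises the reported bug of a final "pass" verdict leaving the connection uncommitted. The diffstat shows 120 added lines in tests/system-ovn.at, which is presumably where the end-to-end check lives; the commit message could point at that test so reviewers know where the behaviour is asserted.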
>>>>> @@ -2715,8 +2715,8 @@ check ovn-nbctl --wait=sb \
>>>>>        -- acl-add ls from-lport 2 "udp" allow-related \
>>>>>        -- acl-add ls to-lport 2 "udp" allow-related
>>>>>    AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e
>>>>> ls_out_acl_hint -e ls_in_acl -e ls_out_acl | grep 'ct\.' |
>>>>> ovn_strip_lflows], [0], [dnl
>>>>> -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
>>>>> ct.est), action=(reg0[[1]] = 1; next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1;
>>>>> next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
>>>>> ct.est), action=(next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
>>>>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
>>>>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
>>>>>      table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !
>>>>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
>>>>> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] =
>>>>> 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
>>>>> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] =
>>>>> 1; next;)
>>>>> @@ -2726,10 +2726,10 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
>>>>> ls_in_acl_hint -e ls_out_acl_hint -e
>>>>>      table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
>>>>> action=(reg0[[9]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
>>>>> reg0[[10]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
>>>>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
>>>>> ct.est), action=(reg0[[1]] = 1; next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1;
>>>>> next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
>>>>> ct.est), action=(next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
>>>>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
>>>>> action=(reg8[[16]] = 1; ct_commit_nat;)
>>>>>      table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !
>>>>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
>>>>> action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
>>>>> ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
>>>>> @@ -2739,8 +2739,8 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
>>>>> ls_in_acl_hint -e ls_out_acl_hint -e
>>>>>      table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
>>>>> action=(reg0[[9]] = 1; next;)
>>>>>      table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
>>>>> reg0[[10]] = 1; next;)
>>>>>      table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
>>>>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
>>>>> +  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>>    ])
>>>>>      AS_BOX([Check match ct_state with load balancer])
>>>>> @@ -2756,9 +2756,9 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
>>>>> ls_in_acl_hint -e ls_out_acl_hint -e
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=65532,
>>>>> match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=65532,
>>>>> match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
>>>>> ct.est), action=(reg0[[1]] = 1; next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1;
>>>>> next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
>>>>> ct.est), action=(next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (ip)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
>>>>> == 1 && (ip)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
>>>>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
>>>>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
>>>>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
>>>>> @@ -2772,12 +2772,12 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
>>>>> ls_in_acl_hint -e ls_out_acl_hint -e
>>>>>      table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
>>>>> action=(reg0[[9]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
>>>>> reg0[[10]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
>>>>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
>>>>> ct.est), action=(reg0[[1]] = 1; next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1;
>>>>> next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
>>>>> ct.est), action=(next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (ip)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]]
>>>>> == 1 && (ip)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
>>>>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
>>>>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
>>>>> action=(reg8[[16]] = 1; ct_commit_nat;)
>>>>> @@ -2791,8 +2791,8 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
>>>>> ls_in_acl_hint -e ls_out_acl_hint -e
>>>>>      table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
>>>>> action=(reg0[[9]] = 1; next;)
>>>>>      table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
>>>>> reg0[[10]] = 1; next;)
>>>>>      table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
>>>>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
>>>>> +  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>>    ])
>>>>>      check ovn-nbctl --wait=sb clear logical_switch ls acls
>>>>> @@ -4912,7 +4912,7 @@ ovn-sbctl dump-flows sw0 > sw0flows
>>>>>    AT_CAPTURE_FILE([sw0flows])
>>>>>      AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 |
>>>>> ovn_strip_lflows], [0], [dnl
>>>>> -  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 0; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234;
>>>>> reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
>>>>> next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]]
>>>>> == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] =
>>>>> 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 0; next;)
>>>>>    ])
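Review bot: in this hunk the `reg0[[7]] == 1 && (tcp)` flow loses `reg0[[1]] = 1`, but the unchanged `reg0[[8]] == 1 && (tcp)` line right below it still sets `reg0[[1]] = 1` in the ACL eval stage. So a code path other than the two touched in consider_acl()/build_acls() still sets REGBIT_CONNTRACK_COMMIT for the established-allow hint in the sampling case (probably to refresh the ct_label sample fields). If that is intentional, the commit message should say so, since the stated goal is for the hint stage to be the single place that sets the bit.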
>>>>>    AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0],
>>>>> [dnl
>>>>> @@ -4922,7 +4922,7 @@ AT_CHECK([grep "ls_in_stateful" sw0flows |
>>>>> ovn_strip_lflows], [0], [dnl
>>>>>    ])
>>>>>      AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 |
>>>>> ovn_strip_lflows], [0], [dnl
>>>>> -  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 2; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234;
>>>>> reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
>>>>> next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]]
>>>>> == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] =
>>>>> 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 2; next;)
>>>>>    ])
>>>>>    AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0],
>>>>> [dnl
>>>>> @@ -4939,8 +4939,8 @@ ovn-sbctl dump-flows sw0 > sw0flows
>>>>>    AT_CAPTURE_FILE([sw0flows])
>>>>>      AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 |
>>>>> ovn_strip_lflows], [0], [dnl
>>>>> -  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 0; next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234;
>>>>> reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
>>>>> next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (udp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]]
>>>>> == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] =
>>>>> 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 0; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]]
>>>>> == 1 && (udp)), action=(reg8[[16]] = 1; next;)
>>>>>    ])
>>>>> @@ -4951,8 +4951,8 @@ AT_CHECK([grep "ls_in_stateful" sw0flows |
>>>>> ovn_strip_lflows], [0], [dnl
>>>>>    ])
>>>>>      AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 |
>>>>> ovn_strip_lflows], [0], [dnl
>>>>> -  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 2; next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234;
>>>>> reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
>>>>> next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (udp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]]
>>>>> == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] =
>>>>> 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 2; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]]
>>>>> == 1 && (udp)), action=(reg8[[16]] = 1; next;)
>>>>>    ])
>>>>> @@ -4970,7 +4970,7 @@ ovn-sbctl dump-flows sw0 > sw0flows
>>>>>    AT_CAPTURE_FILE([sw0flows])
>>>>>      AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 |
>>>>> ovn_strip_lflows], [0], [dnl
>>>>> -  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (udp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]]
>>>>> == 1 && (udp)), action=(reg8[[16]] = 1; next;)
>>>>>    ])
>>>>>    AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0],
>>>>> [dnl
>>>>> @@ -4980,7 +4980,7 @@ AT_CHECK([grep "ls_in_stateful" sw0flows |
>>>>> ovn_strip_lflows], [0], [dnl
>>>>>    ])
>>>>>      AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 |
>>>>> ovn_strip_lflows], [0], [dnl
>>>>> -  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (udp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]]
>>>>> == 1 && (udp)), action=(reg8[[16]] = 1; next;)
>>>>>    ])
>>>>>    AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0],
>>>>> [dnl
>>>>> @@ -8109,13 +8109,13 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
>>>>> "ls_in_acl_hint" lsflows | ovn_strip_lflo
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=65532,
>>>>> match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=65532,
>>>>> match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
>>>>> ct.est), action=(reg0[[1]] = 1; next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1;
>>>>> next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
>>>>> ct.est), action=(next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[10]]
>>>>> == 1 && (ip4)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked =
>>>>> 1; ct_label.obs_point_id = 0; }; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[9]]
>>>>> == 1 && (ip4)), action=(reg8[[17]] = 1; next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]]
>>>>> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] ==
>>>>> 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] ==
>>>>> 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[8]]
>>>>> == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[10]]
>>>>> == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1;
>>>>> ct_commit { ct_mark.blocked = 1; ct_label.obs_point_id = 0; }; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[9]]
>>>>> == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;)
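Review bot: the priority-1 "ip && !ct.est" flow in this hunk now only does next;, so the default-allow path relies on ls_in_acl_hint having set reg0[[1]] earlier. The hint flows in the following hunk set it only at priorities 6 and 7, but the priority-5 "!ct.trk" hint (which sets reg0[[8]] and reg0[[9]] only) also satisfies !ct.est, so untracked IP packets that used to be committed by this flow no longer are. If that is acceptable because ls_in_pre_acl sends all IP traffic through conntrack (the priority-100 reg0[[0]] = 1 flow visible in the later hunks), a short comment in northd.c stating that assumption would be good; otherwise the priority-5 hint flow needs reg0[[1]] = 1 too.
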
>>>>> @@ -8131,8 +8131,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
>>>>> "ls_in_acl_hint" lsflows | ovn_strip_lflo
>>>>>      table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
>>>>> action=(reg0[[9]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
>>>>> reg0[[10]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
>>>>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>>    ])
>>>>>      AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows],
>>>>> [0], [dnl
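Review bot: the priority-6 hint flow that now carries the commit bit matches "!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1", which is narrower than the priority-1 "ip && ct.est && ct_mark.blocked == 1" ls_in_acl_eval flow in the previous hunk that used to set reg0[[1]]: reply-direction (ct.rpl) packets on a blocked connection no longer get committed, and the 65532 eval flows visible in later hunks only cover ct_mark.blocked == 0. Please confirm that is intended (reply packets of a blocked connection should presumably keep hitting the blocked mark anyway), or add a test that exercises reply traffic on a previously blocked connection after the ACL is changed to allow it.
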
>>>>> @@ -8166,9 +8166,9 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
>>>>> "ls_in_acl_hint" lsflows | ovn_strip_lflo
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=2001 ,
>>>>> match=(reg0[[10]] == 1 && (ip4)), action=(reg8[[17]] = 1; ct_commit
>>>>> { ct_mark.blocked = 1; ct_label.obs_point_id = 0; }; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=2001 ,
>>>>> match=(reg0[[9]] == 1 && (ip4)), action=(reg8[[17]] = 1; next;)
>>>>> -  table=??(ls_in_acl_after_lb_eval), priority=2002 ,
>>>>> match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1;
>>>>> reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_after_lb_eval), priority=2002 ,
>>>>> match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=2002 ,
>>>>> match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>>>>> -  table=??(ls_in_acl_after_lb_eval), priority=2003 ,
>>>>> match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1;
>>>>> reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_after_lb_eval), priority=2003 ,
>>>>> match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1;
>>>>> next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=2003 ,
>>>>> match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1;
>>>>> next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=2004 ,
>>>>> match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)),
>>>>> action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1;
>>>>> ct_label.obs_point_id = 0; }; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=2004 ,
>>>>> match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)),
>>>>> action=(reg8[[17]] = 1; next;)
>>>>> @@ -8176,8 +8176,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
>>>>> "ls_in_acl_hint" lsflows | ovn_strip_lflo
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=65532,
>>>>> match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=65532,
>>>>> match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
>>>>> ct.est), action=(reg0[[1]] = 1; next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1;
>>>>> next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
>>>>> ct.est), action=(next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
>>>>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
>>>>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
>>>>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
>>>>>      table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !
>>>>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
>>>>> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] =
>>>>> 1; next;)
>>>>> @@ -8190,8 +8190,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
>>>>> "ls_in_acl_hint" lsflows | ovn_strip_lflo
>>>>>      table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
>>>>> action=(reg0[[9]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
>>>>> reg0[[10]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
>>>>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>>    ])
>>>>>      AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows],
>>>>> [0], [dnl
>>>>> @@ -8231,11 +8231,11 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
>>>>> "ls_in_acl_hint" lsflows | ovn_strip_lflo
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=65532,
>>>>> match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=65532,
>>>>> match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
>>>>> ct.est), action=(reg0[[1]] = 1; next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1;
>>>>> next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
>>>>> ct.est), action=(next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]]
>>>>> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] ==
>>>>> 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] ==
>>>>> 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[8]]
>>>>> == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
>>>>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
>>>>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
>>>>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
>>>>> @@ -8249,8 +8249,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
>>>>> "ls_in_acl_hint" lsflows | ovn_strip_lflo
>>>>>      table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
>>>>> action=(reg0[[9]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
>>>>> reg0[[10]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
>>>>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>>    ])
>>>>>      AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows],
>>>>> [0], [dnl
>>>>> @@ -8779,8 +8779,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
>>>>> "ls_.*_acl" | ovn_strip_lflows], [0], [
>>>>>      table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
>>>>> ct.est), action=(next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1;
>>>>> next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
>>>>> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
>>>>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
>>>>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
>>>>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
>>>>> @@ -8794,8 +8794,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
>>>>> "ls_.*_acl" | ovn_strip_lflows], [0], [
>>>>>      table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
>>>>> action=(reg0[[9]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
>>>>> reg0[[10]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
>>>>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_pre_acl      ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_pre_acl      ), priority=100  , match=(ip),
>>>>> action=(reg0[[0]] = 1; next;)
>>>>> @@ -8809,7 +8809,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
>>>>> "ls_.*_acl" | ovn_strip_lflows], [0], [
>>>>>      table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[18]]
>>>>> == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 =
>>>>> 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit.
>>>>> */ outport <-> inport; next(pipeline=ingress,table=??); };)
>>>>>      table=??(ls_out_acl_eval    ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
>>>>> ct.est), action=(next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1;
>>>>> next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
>>>>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
>>>>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
>>>>> action=(reg8[[16]] = 1; ct_commit_nat;)
>>>>>      table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !
>>>>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
>>>>> action=(reg8[[16]] = 1; next;)
>>>>> @@ -8822,8 +8822,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
>>>>> "ls_.*_acl" | ovn_strip_lflows], [0], [
>>>>>      table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
>>>>> action=(reg0[[9]] = 1; next;)
>>>>>      table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
>>>>> reg0[[10]] = 1; next;)
>>>>>      table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
>>>>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
>>>>> +  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>>      table=??(ls_out_acl_sample  ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_out_pre_acl     ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_out_pre_acl     ), priority=100  , match=(ip),
>>>>> action=(reg0[[0]] = 1; next;)
>>>>> @@ -8973,7 +8973,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
>>>>> "ls_.*_acl" | ovn_strip_lflows], [0], [
>>>>>      table=??(ls_in_acl_after_lb_action), priority=1000 ,
>>>>> match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0;
>>>>> reg8[[18]] = 0; /* drop */)
>>>>>      table=??(ls_in_acl_after_lb_action), priority=1000 ,
>>>>> match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0;
>>>>> reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <->
>>>>> ip.src; is implicit. */ outport <-> inport;
>>>>> next(pipeline=egress,table=??); };)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=0    , match=(1),
>>>>> action=(next;)
>>>>> -  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1;
>>>>> reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd ||
>>>>> nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=65532,
>>>>> match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;)
>>>>> @@ -8981,7 +8981,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
>>>>> "ls_.*_acl" | ovn_strip_lflows], [0], [
>>>>>      table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
>>>>> ct.est), action=(next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1;
>>>>> next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
>>>>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
>>>>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
>>>>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
>>>>>      table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !
>>>>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
>>>>> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] =
>>>>> 1; next;)
>>>>> @@ -8994,8 +8994,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
>>>>> "ls_.*_acl" | ovn_strip_lflows], [0], [
>>>>>      table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
>>>>> action=(reg0[[9]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
>>>>> reg0[[10]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
>>>>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_pre_acl      ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_pre_acl      ), priority=100  , match=(ip),
>>>>> action=(reg0[[0]] = 1; next;)
>>>>> @@ -9009,7 +9009,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
>>>>> "ls_.*_acl" | ovn_strip_lflows], [0], [
>>>>>      table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[18]]
>>>>> == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 =
>>>>> 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit.
>>>>> */ outport <-> inport; next(pipeline=ingress,table=??); };)
>>>>>      table=??(ls_out_acl_eval    ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
>>>>> ct.est), action=(next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1;
>>>>> next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
>>>>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
>>>>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
>>>>> action=(reg8[[16]] = 1; ct_commit_nat;)
>>>>>      table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !
>>>>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
>>>>> action=(reg8[[16]] = 1; next;)
>>>>> @@ -9022,8 +9022,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
>>>>> "ls_.*_acl" | ovn_strip_lflows], [0], [
>>>>>      table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
>>>>> action=(reg0[[9]] = 1; next;)
>>>>>      table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
>>>>> reg0[[10]] = 1; next;)
>>>>>      table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
>>>>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
>>>>> +  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>>      table=??(ls_out_acl_sample  ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_out_pre_acl     ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_out_pre_acl     ), priority=100  , match=(ip),
>>>>> action=(reg0[[0]] = 1; next;)
>>>>> @@ -9179,7 +9179,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
>>>>> "ls_.*_acl" | ovn_strip_lflows], [0], [
>>>>>      table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !
>>>>> ct.est), action=(next;)
>>>>> -  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1;
>>>>> next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
>>>>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est &&
>>>>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
>>>>> action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
>>>>>      table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !
>>>>> ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
>>>>> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] =
>>>>> 1; next;)
>>>>> @@ -9192,8 +9192,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
>>>>> "ls_.*_acl" | ovn_strip_lflows], [0], [
>>>>>      table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est),
>>>>> action=(reg0[[9]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
>>>>> reg0[[10]] = 1; next;)
>>>>>      table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk),
>>>>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_pre_acl      ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_pre_acl      ), priority=100  , match=(ip),
>>>>> action=(reg0[[0]] = 1; next;)
>>>>> @@ -9207,8 +9207,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
>>>>> "ls_.*_acl" | ovn_strip_lflows], [0], [
>>>>>      table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[18]]
>>>>> == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 =
>>>>> 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit.
>>>>> */ outport <-> inport; next(pipeline=ingress,table=??); };)
>>>>>      table=??(ls_out_acl_eval    ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !
>>>>> ct.est), action=(next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1;
>>>>> next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est
>>>>> && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]]
>>>>> == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
>>>>> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
>>>>> ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0),
>>>>> action=(reg8[[16]] = 1; ct_commit_nat;)
>>>>> @@ -9222,8 +9222,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E
>>>>> "ls_.*_acl" | ovn_strip_lflows], [0], [
>>>>>      table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est),
>>>>> action=(reg0[[9]] = 1; next;)
>>>>>      table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1;
>>>>> reg0[[10]] = 1; next;)
>>>>>      table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk),
>>>>> action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; next;)
>>>>> -  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
>>>>> +  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new &&
>>>>> ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1;
>>>>> reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !
>>>>> ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>>>>>      table=??(ls_out_acl_sample  ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_out_pre_acl     ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_out_pre_acl     ), priority=100  , match=(ip),
>>>>> action=(reg0[[0]] = 1; next;)
>>>>> @@ -13197,7 +13197,7 @@ check_uuid ovn-nbctl --wait=sb \
>>>>>      --id=@sample2 create Sample collector="$collector1 $collector2"
>>>>> metadata=4302 -- \
>>>>>      --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport
>>>>> 1 "1" allow-related
>>>>>    AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
>>>>> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
>>>>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>>>>> -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 0; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
>>>>> = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
>>>>> next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
>>>>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 0; next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=1100 , match=(ip &&
>>>>> ct.new && reg3 == 4301),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
>>>>>  next;)
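Review bot: in the unchanged `reg0[[8]] == 1` flow the action still carries `reg0[[1]] = 1` while the changed `reg0[[7]] == 1` flow drops it; this is correct only because the ACL in this test is created with `--sample-est=@sample2`, so the established side is re-committed to record the sample (compare the hunk at 13230, created with `--sample-new` only, where the `reg0[[8]] == 1` flow has no `reg0[[1]] = 1`). A one-line dnl comment in the test stating that the remaining commit on the established flow comes from `--sample-est`, not from the hint stage, would make the expectation self-explanatory.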
>>>>> @@ -13230,7 +13230,7 @@ check_uuid ovn-nbctl --wait=sb \
>>>>>      --id=@sample1 create Sample collector="$collector1 $collector2"
>>>>> metadata=4301 -- \
>>>>>      --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related
>>>>>    AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
>>>>> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
>>>>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>>>>> -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 0; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
>>>>> = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
>>>>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301;
>>>>> reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
>>>>> next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=1100 , match=(ip &&
>>>>> ct.new && reg3 == 4301),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
>>>>>  next;)
>>>>> @@ -13260,7 +13260,7 @@ check_uuid ovn-nbctl --wait=sb \
>>>>>      --id=@sample2 create Sample collector="$collector1 $collector2"
>>>>> metadata=4302 -- \
>>>>>      --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-
>>>>> add ls from-lport 1 "1" allow-related
>>>>>    AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample
>>>>> -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
>>>>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>>>>> -  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1;
>>>>> reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0;
>>>>> reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
>>>>> +  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] =
>>>>> 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1;
>>>>> reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0;
>>>>> reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip &&
>>>>> ct.new && reg3 == 4301),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
>>>>>  next;)
>>>>> @@ -13293,7 +13293,7 @@ check_uuid ovn-nbctl --wait=sb \
>>>>>      --id=@sample1 create Sample collector="$collector1 $collector2"
>>>>> metadata=4301 -- \
>>>>>      --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1
>>>>> "1" allow-related
>>>>>    AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample
>>>>> -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
>>>>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>>>>> -  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1;
>>>>> reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0;
>>>>> reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
>>>>> +  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] =
>>>>> 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] =
>>>>> 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip &&
>>>>> ct.new && reg3 == 4301),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
>>>>>  next;)
>>>>> @@ -13325,7 +13325,7 @@ check_uuid ovn-nbctl --wait=sb \
>>>>>    AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
>>>>> ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
>>>>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>>>>>      table=??(ls_in_acl_sample   ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=1200 , match=(ip &&
>>>>> ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id ==
>>>>> 4302 && ct_label.obs_unused == 0),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
>>>>>  next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 2; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
>>>>> = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
>>>>> next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]]
>>>>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 2; next;)
>>>>>      table=??(ls_out_acl_sample  ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_out_acl_sample  ), priority=1100 , match=(ip &&
>>>>> (ct.new || !ct.trk) && reg3 == 4301),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
>>>>>  next;)
>>>>> @@ -13358,7 +13358,7 @@ check_uuid ovn-nbctl --wait=sb \
>>>>>      --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related
>>>>>    AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
>>>>> ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
>>>>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>>>>>      table=??(ls_in_acl_sample   ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 2; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
>>>>> = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]]
>>>>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301;
>>>>> reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
>>>>> next;)
>>>>>      table=??(ls_out_acl_sample  ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_out_acl_sample  ), priority=1100 , match=(ip &&
>>>>> (ct.new || !ct.trk) && reg3 == 4301),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
>>>>>  next;)
>>>>> @@ -13418,7 +13418,7 @@ check_uuid ovn-nbctl --
>>>>> wait=sb                                         \
>>>>>      --id=@sample2 create Sample collector="$collector1" metadata=4302
>>>>> -- \
>>>>>      --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport
>>>>> 1 "1" allow-related
>>>>>    AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
>>>>> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
>>>>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>>>>> -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
>>>>> reg8[[19..20]] = 0; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
>>>>> = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0;
>>>>> next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
>>>>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
>>>>> reg8[[19..20]] = 0; next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=1100 , match=(ip &&
>>>>> ct.new && reg3 == 4301),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
>>>>>  next;)
>>>>> @@ -13456,7 +13456,7 @@ check_uuid ovn-nbctl --
>>>>> wait=sb                                         \
>>>>>      --id=@sample2 create Sample collector="$collector1" metadata=4302
>>>>> -- \
>>>>>      --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport
>>>>> 1 "1" allow-related
>>>>>    AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
>>>>> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
>>>>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>>>>> -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
>>>>> reg8[[19..20]] = 0; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
>>>>> = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0;
>>>>> next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
>>>>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
>>>>> reg8[[19..20]] = 0; next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=1000 , match=(ip &&
>>>>> ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
>>>>>  next;)
>>>>> @@ -13491,7 +13491,7 @@ check_uuid ovn-nbctl --
>>>>> wait=sb                                         \
>>>>>      --id=@sample1 create Sample collector="$collector1" metadata=4301
>>>>> -- \
>>>>>      --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related
>>>>>    AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
>>>>> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
>>>>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>>>>> -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 0; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
>>>>> = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]]
>>>>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301;
>>>>> reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0;
>>>>> next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=1000 , match=(ip &&
>>>>> ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
>>>>>  next;)
>>>>> @@ -13524,7 +13524,7 @@ check_uuid ovn-nbctl --
>>>>> wait=sb                                         \
>>>>>      --id=@sample2 create Sample collector="$collector1" metadata=4302
>>>>> -- \
>>>>>      --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-
>>>>> add ls from-lport 1 "1" allow-related
>>>>>    AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample
>>>>> -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
>>>>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>>>>> -  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1;
>>>>> reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1;
>>>>> reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;)
>>>>> +  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] =
>>>>> 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
>>>>> reg8[[19..20]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1;
>>>>> reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1;
>>>>> reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip &&
>>>>> ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
>>>>>  next;)
>>>>> @@ -13559,7 +13559,7 @@ check_uuid ovn-nbctl --
>>>>> wait=sb                                         \
>>>>>      --id=@sample1 create Sample collector="$collector1" metadata=4301
>>>>> -- \
>>>>>      --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1
>>>>> "1" allow-related
>>>>>    AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample
>>>>> -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
>>>>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>>>>> -  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1;
>>>>> reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1;
>>>>> reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
>>>>> +  table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] =
>>>>> 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=1001 ,
>>>>> match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] =
>>>>> 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip &&
>>>>> ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
>>>>>  next;)
>>>>> @@ -13594,7 +13594,7 @@ check_uuid ovn-nbctl --
>>>>> wait=sb                                         \
>>>>>    AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
>>>>> ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
>>>>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>>>>>      table=??(ls_in_acl_sample   ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_in_acl_sample   ), priority=1000 , match=(ip &&
>>>>> ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
>>>>> ct_mark.obs_collector_id == 1),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
>>>>>  next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
>>>>> reg8[[19..20]] = 2; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
>>>>> = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2;
>>>>> next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]]
>>>>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1;
>>>>> reg8[[19..20]] = 2; next;)
>>>>>      table=??(ls_out_acl_sample  ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_out_acl_sample  ), priority=1000 , match=(ip &&
>>>>> (ct.new || !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
>>>>>  next;)
>>>>> @@ -13629,7 +13629,7 @@ check_uuid ovn-nbctl --
>>>>> wait=sb                                         \
>>>>>      --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related
>>>>>    AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
>>>>> ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
>>>>> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>>>>>      table=??(ls_in_acl_sample   ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>> -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1;
>>>>> reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0;
>>>>> reg8[[19..20]] = 2; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] ==
>>>>> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9
>>>>> = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]]
>>>>> == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301;
>>>>> reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2;
>>>>> next;)
>>>>>      table=??(ls_out_acl_sample  ), priority=0    , match=(1),
>>>>> action=(next;)
>>>>>      table=??(ls_out_acl_sample  ), priority=1000 , match=(ip &&
>>>>> (ct.new || !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2),
>>>>> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
>>>>>  next;)
>>>>> @@ -14950,17 +14950,17 @@ check ovn-nbctl acl-add sw to-lport 1002
>>>>> "ip" allow-related
>>>>>    check ovn-nbctl --apply-after-lb acl-add sw from-lport 1003 "udp"
>>>>> allow-related
>>>>>      AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | grep
>>>>> priority=2001 | ovn_strip_lflows], [0], [dnl
>>>>> -  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] ==
>>>>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] ==
>>>>> 1 && (tcp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[8]]
>>>>> == 1 && (tcp)), action=(reg8[[16]] = 1; next;)
>>>>>    ])
>>>>>      AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_after_lb_eval
>>>>> | grep priority=2003 | ovn_strip_lflows], [0], [dnl
>>>>> -  table=??(ls_in_acl_after_lb_eval), priority=2003 ,
>>>>> match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] =
>>>>> 1; next;)
>>>>> +  table=??(ls_in_acl_after_lb_eval), priority=2003 ,
>>>>> match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=2003 ,
>>>>> match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;)
>>>>>    ])
>>>>>      AT_CHECK([ovn-sbctl lflow-list sw | grep ls_out_acl_eval | grep
>>>>> priority=2002 | ovn_strip_lflows], [0], [dnl
>>>>> -  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (ip)), action=(reg8[[16]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]]
>>>>> == 1 && (ip)), action=(reg8[[16]] = 1; next;)
>>>>>    ])
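Review bot: after this change the `reg0[[7]] == 1` and `reg0[[8]] == 1` flows in each of ls_in_acl_eval, ls_in_acl_after_lb_eval and ls_out_acl_eval have identical actions (`reg8[[16]] = 1; next;`) and differ only in the hint bit they match. If northd still emits them as two separate flows, a comment in northd.c explaining why they stay separate (the ACL-id and sampling variants in the 14980 hunk below add different fields to the `reg0[[7]]` flow only) would pre-empt the question of whether they could be merged into a single flow.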
>>>>>    @@ -14980,17 +14980,17 @@ after_lb_id=$(ovn-sbctl get ACL_ID
>>>>> $after_lb_uuid id)
>>>>>      dnl Now we should see the registers being set to the appropriate
>>>>> values.
>>>>>    AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep ls_in_acl_eval |
>>>>> grep priority=2001 | ovn_strip_lflows], [0], [dnl
>>>>> -  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] ==
>>>>> 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg2[[16..31]] =
>>>>> $ingress_id; reg0[[20]] = 1; next;)
>>>>> +  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] ==
>>>>> 1 && (tcp)), action=(reg8[[16]] = 1; reg2[[16..31]] = $ingress_id;
>>>>> reg0[[20]] = 1; next;)
>>>>>      table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[8]]
>>>>> == 1 && (tcp)), action=(reg8[[16]] = 1; next;)
>>>>>    ])
>>>>>      AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep
>>>>> ls_in_acl_after_lb_eval | grep priority=2003 | ovn_strip_lflows],
>>>>> [0], [dnl
>>>>> -  table=??(ls_in_acl_after_lb_eval), priority=2003 ,
>>>>> match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] =
>>>>> 1; reg2[[16..31]] = $after_lb_id; reg0[[20]] = 1; next;)
>>>>> +  table=??(ls_in_acl_after_lb_eval), priority=2003 ,
>>>>> match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1;
>>>>> reg2[[16..31]] = $after_lb_id; reg0[[20]] = 1; next;)
>>>>>      table=??(ls_in_acl_after_lb_eval), priority=2003 ,
>>>>> match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;)
>>>>>    ])
>>>>>      AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep ls_out_acl_eval
>>>>> | grep priority=2002 | ovn_strip_lflows], [0], [dnl
>>>>> -  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg2[[16..31]] =
>>>>> $egress_id; reg0[[20]] = 1; next;)
>>>>> +  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] ==
>>>>> 1 && (ip)), action=(reg8[[16]] = 1; reg2[[16..31]] = $egress_id;
>>>>> reg0[[20]] = 1; next;)
>>>>>      table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]]
>>>>> == 1 && (ip)), action=(reg8[[16]] = 1; next;)
>>>>>    ])
>>>>>    diff --git a/tests/system-ovn.at b/tests/system-ovn.at
>>>>> index 5fa740cfb..9faadfb1d 100644
>>>>> --- a/tests/system-ovn.at
>>>>> +++ b/tests/system-ovn.at
>>>>> @@ -17618,3 +17618,123 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to
>>>>> query port patch-.*/d
>>>>>    /connection dropped.*/d"])
>>>>>    AT_CLEANUP
>>>>>    ])
>>>>> +
>>>>> +
>>>>> +OVN_FOR_EACH_NORTHD([
>>>>> +AT_SETUP([conntrack on pass ACLs])
>>>>> +
>>>>> +CHECK_CONNTRACK()
>>>>> +CHECK_CONNTRACK_NAT()
>>>>> +ovn_start
>>>>> +OVS_TRAFFIC_VSWITCHD_START()
>>>>> +ADD_BR([br-int])
>>>>> +#
>>>>> +# Set external-ids in br-int needed for ovn-controller
>>>>> +check ovs-vsctl \
>>>>> +        -- set Open_vSwitch . external-ids:system-id=hv1 \
>>>>> +        -- set Open_vSwitch . external-ids:ovn-remote=unix:
>>>>> $ovs_base/ovn-sb/ovn-sb.sock \
>>>>> +        -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \
>>>>> +        -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \
>>>>> +        -- set bridge br-int fail-mode=secure other-config:disable-
>>>>> in-band=true
>>>>> +
>>>>> +# Start ovn-controller
>>>>> +start_daemon ovn-controller
>>>>> +
>>>>> +# Ensure that when stateful ACLs are present, a "pass"
>>>>> +# action results in the packet being allowed (since we
>>>>> +# do not have whatever that thing is called that
>>>>> +# drops packets by default when using ACLs enabled). If
>>>>> +# this is the final verdict of all ACL tiers, then the
>>>>> +# packet should also be committed to conntrack, the same
>>>>> +# as if an "allow" of "allow-related" verdict were final.
>>>>> +
>>>>> +check ovn-nbctl ls-add ls
>>>>> +check ovn-nbctl lsp-add ls lsp1 \
>>>>> +-- lsp-set-addresses lsp1 "f0:00:00:00:00:01 192.168.1.1"
>>>>> +check ovn-nbctl lsp-add ls lsp2 \
>>>>> +-- lsp-set-addresses lsp2 "f0:00:00:00:00:02 192.168.1.2"
>>>>> +
>>>>> +ADD_NAMESPACES(lsp1)
>>>>> +ADD_VETH(lsp1, lsp1, br-int, "192.168.1.1/24", "f0:00:00:00:00:01", \
>>>>> +         "192.168.1.100")
>>>>> +
>>>>> +ADD_NAMESPACES(lsp2)
>>>>> +ADD_VETH(lsp2, lsp2, br-int, "192.168.1.2/24", "f0:00:00:00:00:02", \
>>>>> +         "192.168.1.100")
>>>>> +
>>>>> +# First, set up a "pass" ACL by itself.
>>>>> +check ovn-nbctl acl-add ls from-lport 1000 "ip4.src == 192.168.1.1"
>>>>> pass
>>>>> +check ovn-nbctl acl-add ls to-lport 1000 "ip4.src == 192.168.1.2"
>>>>> pass
>>>>> +
>>>>> +# Ping should succeed since from-lport "pass" ACL is the only one
>>>>> matched.
>>>>> +NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 192.168.1.2 |
>>>>> FORMAT_PING], \
>>>>> +[0], [dnl
>>>>> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
>>>>> +])
>>>>> +
>>>>> +# Ping the other way should also succeed since to-lport "pass" ACL
>>>>> is matched.
>>>>> +NS_CHECK_EXEC([lsp2], [ping -q -c 3 -i 0.3 -w 2 192.168.1.1 |
>>>>> FORMAT_PING], \
>>>>> +[0], [dnl
>>>>> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
>>>>> +])
>>>>> +
>>>>> +# There should be no conntrack entries created since there are no
>>>>> stateful ACLs.
>>>>> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.2)
>>>>> | \
>>>>> +sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [1], [dnl
>>>>> +])
>>>>> +
>>>>> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.1)
>>>>> | \
>>>>> +sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [1], [dnl
>>>>> +])
>>>>> +
>>>>> +# Now add an arbitrary stateful ACL to the mix. We'll never match on
>>>>> this
>>>>> +# ACL, but its presence should change things.
>>>>> +check ovn-nbctl acl-add ls from-lport 200 "ip4.src == 192.168.1.50"
>>>>> allow-related
>>>>> +
>>>>> +# Pings should still succeed.
>>>>> +NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 192.168.1.2 |
>>>>> FORMAT_PING], \
>>>>> +[0], [dnl
>>>>> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
>>>>> +])
>>>>> +NS_CHECK_EXEC([lsp2], [ping -q -c 3 -i 0.3 -w 2 192.168.1.1 |
>>>>> FORMAT_PING], \
>>>>> +[0], [dnl
>>>>> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
>>>>> +])
>>>>> +
>>>>> +# Now there should be conntrack entries from the pings
>>>>> +# We should have an entry for each direction of traffic in
>>>>> +# each port's zone: a total of four.
>>>>> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.2)
>>>>> | \
>>>>> +sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [0], [dnl
>>>>> +icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
>>>>> +icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
>>>>> +icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
>>>>> +icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
>>>>> +])
>>>>> +
>>>>> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.1)
>>>>> | \
>>>>> +sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [0], [dnl
>>>>> +icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
>>>>> +icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
>>>>> +icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
>>>>> +icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
>>>>> +])
>>>>> +
>>>>> +OVN_CLEANUP_CONTROLLER([hv1])
>>>>> +
>>>>> +as ovn-sb
>>>>> +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
>>>>> +
>>>>> +as ovn-nb
>>>>> +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
>>>>> +
>>>>> +as northd
>>>>> +OVS_APP_EXIT_AND_WAIT([ovn-northd])
>>>>> +
>>>>> +as
>>>>> +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d
>>>>> +/connection dropped.*/d"])
>>>>> +
>>>>> +AT_CLEANUP
>>>>> +])
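Review bot: the explanatory comment at the top of the new test needs tightening: "since we do not have whatever that thing is called that drops packets by default when using ACLs enabled" should name the mechanism it means (or simply state that OVN has no implicit default-drop when ACLs are present), and "an "allow" of "allow-related" verdict" should read "an "allow" or "allow-related" verdict". Since the test exists to document the pass-then-commit behaviour, the comment is the one place a reader will look for the rationale. One further suggestion: the negative conntrack checks rely on `grep icmp` exiting 1, which also passes if `ovs-appctl dpctl/dump-conntrack` itself failed; a preceding `check ovs-appctl dpctl/dump-conntrack` (or asserting on the full dump) would make that step fail loudly instead.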
>>>>
>>>> Regards,
>>>> Dumitru
>>>>
>>>
>>
>> Regards,
>> Dumitru
>>
> 

Regards,
Dumitru


_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
