> > @@ -1429,9 +1432,9 @@ build_acls(struct ovn_datapath *od, struct hmap > *lflows) > * and then its return traffic would not have an associated > * conntrack entry and would return "+invalid". */ > ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, "ip", > - "ct_commit; next;"); > + REGBIT_CONNTRACK_COMMIT" = 1; next;"); > ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, "ip", > - "ct_commit; next;"); > + REGBIT_CONNTRACK_COMMIT" = 1; next;"); > > Just like I commented in patch 3, try to directly resubmit non-stateful stuff to ARP_RSP table, for they will meet just another "next;" in stateful table.
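Review bot: The comment above the two priority-1 "ip" flows still reads as if the conntrack entry is created here, but the new action only sets `REGBIT_CONNTRACK_COMMIT` and leaves the commit to a later flow that is not visible in this hunk. The same applies to the `has_stateful` hunk at -1484, and the quoted part of `build_stateful` shows only the priority-0 `next;` defaults, so the flow that consumes the bit is presumably elsewhere in the patch. I would add a line to the comment, for example `/* The commit is deferred: the flag is acted on in S_SWITCH_{IN,OUT}_STATEFUL. */`, if that is indeed where it happens. The dependency matters because a flagged packet that leaves the pipeline before that stage is never committed, and its return traffic would then match "+invalid". `build_acls` starts and ends outside the hunk.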
/* Ingress and Egress ACL Table (Priority 65535). > * > @@ -1484,7 +1487,9 @@ build_acls(struct ovn_datapath *od, struct hmap > *lflows) > * direction may not have any stateful rules, the server's > * may and then its return traffic would not have an > * associated conntrack entry and would return "+invalid". */ > - const char *actions = has_stateful ? "ct_commit; next;" : > "next;"; > + const char *actions = has_stateful > + ? REGBIT_CONNTRACK_COMMIT" = 1; next;" > + : "next;"; > ditto, try to using resubmit. > static void > +build_stateful(struct ovn_datapath *od, struct hmap *lflows) > +{ > + /* Ingress and Egress stateful Table (Priority 0): Packets are > + * allowed by default. */ > + ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 0, "1", "next;"); > + ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 0, "1", "next;"); > if we allow non-stateful stuff to skip PRE_STATEFUL and STATEFUL table, we will don't need the default next action in the two tables. Thanks, Zong Kai, LI _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev