Hi Aleksandra, Ales, Dumitru

I had a look at the flakes as well (before I saw Ales' mail).
I think that this is an OVN issue and not a test issue.
This is what the test is doing:
1) Generate some TCP traffic through LB using nc -z.
2) Check that it creates a conntrack entry.
3) Flush conntrack entries.
4) Generate traffic not related to LB, and check it does not create
conntrack records.

TCP traffic at step 1 does not go through properly: while SYN and SYN/ACK
are properly DNATted (LB) and SNATted (Hairpin), the following ACK misses
the SNAT. Hence it is not received by the server and gets retransmitted.
This retransmitted ACK causes the creation of a conntrack entry. If it
happens between step 3 (flush) and step 4 (checking no new conntrack), the
test fails.

We can easily make the test reliably fail using e.g. ss -tap and
checking that the 1st TCP connection is gone, or (thanks Dumitru) more
simply using nc w/o -z so that nc fails.
I'll send a patch later today adding/updating some flows.

Thanks
Xavier
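As an added example (not code from this thread or from the OVN test suite), a small Python helper that normalises `ovs-appctl dpctl/dump-conntrack` output the way the test's FORMAT_CT pipeline does and then reports which kind of entry survived the flush, so a flake like the one described above can be attributed to a recreated load-balancer entry rather than to non-LB traffic. The sample dump is constructed, and the equivalence with FORMAT_CT plus the test's zone-clearing sed is an assumption.

```python
"""Normalise and classify `ovs-appctl dpctl/dump-conntrack` output."""
import re

# Constructed sample (not output from the page's test run): the TCP and UDP
# load-balancer entries the test expects after hitting the VIP, an ICMP entry
# from the connectivity ping, and one stray TCP entry towards the non-LB port
# 4043 that the final check of the test must not see.
SAMPLE_DUMP = """\
tcp,orig=(src=192.168.0.101,dst=192.168.0.1,sport=40562,dport=8080),reply=(src=192.168.0.101,dst=192.168.0.101,sport=4041,dport=40562),zone=3,mark=2,protoinfo=(state=TIME_WAIT)
udp,orig=(src=192.168.0.101,dst=192.168.0.1,sport=51423,dport=8081),reply=(src=192.168.0.101,dst=192.168.0.101,sport=4042,dport=51423),zone=3,mark=2
icmp,orig=(src=169.254.0.101,dst=192.168.0.101,id=1234,type=8,code=0),reply=(src=192.168.0.101,dst=169.254.0.101,id=1234,type=0,code=0),zone=3
tcp,orig=(src=169.254.0.101,dst=192.168.0.101,sport=33000,dport=4043),reply=(src=192.168.0.101,dst=169.254.0.101,sport=4043,dport=33000),zone=3,protoinfo=(state=ESTABLISHED)
"""

# Volatile fields blanked out the way the test's FORMAT_CT + sed do
# (assumed equivalent; this is not the macro itself).
_CLEAR = [
    (re.compile(r"port=[0-9]+"), "port=<cleared>"),
    (re.compile(r"id=[0-9]+"), "id=<cleared>"),
    (re.compile(r"state=[0-9_A-Z]+"), "state=<cleared>"),
    (re.compile(r"zone=[0-9]+"), "zone=<cleared>"),
]


def format_ct(dump, ip):
    """Keep entries whose orig or reply tuple has dst=<ip>, blank the volatile
    fields, then sort and dedupe, so the result can be diffed against the
    expected block in the test."""
    kept = set()
    for line in dump.splitlines():
        if f"dst={ip}," not in line:
            continue
        for pat, repl in _CLEAR:
            line = pat.sub(repl, line)
        kept.add(line)
    return sorted(kept)


def _split_top(text):
    """Split on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def parse_entry(line):
    """Parse one dump-conntrack line into a dict; tuples become sub-dicts."""
    fields = _split_top(line.strip())
    entry = {"proto": fields[0]}
    for field in fields[1:]:
        key, _, val = field.partition("=")
        if val.startswith("(") and val.endswith(")"):
            entry[key] = dict(kv.split("=", 1) for kv in _split_top(val[1:-1]))
        else:
            entry[key] = val
    return entry


def classify_leftovers(dump, ip, lb_vips):
    """For every entry that mentions dst=<ip>, say whether its original
    destination is one of the load-balancer VIP (ip, port) pairs ("lb") or
    not ("non-lb").  After the flush the test expects this list to be empty;
    a "non-lb" item means non-LB traffic was committed, an "lb" item means a
    late packet of the earlier VIP connection recreated the entry."""
    result = []
    for line in dump.splitlines():
        if not line.strip() or f"dst={ip}," not in line:
            continue
        entry = parse_entry(line)
        orig = entry["orig"]
        dport = int(orig["dport"]) if "dport" in orig else None  # ICMP has none
        kind = "lb" if (orig["dst"], dport) in lb_vips else "non-lb"
        result.append((kind, entry["proto"], orig["dst"], dport))
    return result


# VIPs from the test's lb-add commands.
LB_VIPS = {("192.168.0.1", 8080), ("192.168.0.1", 8081)}

if __name__ == "__main__":
    for line in format_ct(SAMPLE_DUMP, "192.168.0.1"):
        print(line)
    for item in classify_leftovers(SAMPLE_DUMP, "192.168.0.101", LB_VIPS):
        print(item)
```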

On Thu, Jan 8, 2026 at 11:05 AM Rukomoinikova Aleksandra
<[email protected]> wrote:

> On 08.01.2026 11:30, Ales Musil wrote:
>
>
> On Mon, Nov 10, 2025 at 3:26 PM Rukomoinikova Aleksandra
> <[email protected]> wrote:
> Thanks for the review!
>
>
> On 10.11.2025 17:10, Dumitru Ceara wrote:
> > On 11/7/25 5:27 PM, Lorenzo Bianconi via dev wrote:
> >>> The commit [1] ("northd: Add support for stateless ACLs with load
> balancers")
> >>> incorrectly handled connection tracking when
> enable-stateless-acl-with-lb is enabled,
> >>> causing all stateless traffic in egress to be committed to conntrack.
> >>>
> >>> This fix properly implements the enable-stateless-acl-with-lb behavior
> by:
> >>> When enable-stateless-acl-with-lb is enabled:
> >>>     - Still sending stateless traffic through connection tracker lookup
> >>>       in egress.
> >>>     - Adding new flow in ls_out_stateful to skip committing NEW
> stateless connections.
> >>>     - Only committing established connections for proper return
> traffic handling.
> >>>
> >>> Fixes: abbc272ac771 ("northd: Add support for stateless ACLs with load
> balancers")
> >>> Signed-off-by: Alexandra Rukomoinikova <[email protected]>
> >>> Acked-by: Mark Michelson <[email protected]>
> >> Acked-by: Lorenzo Bianconi <[email protected]>
> >>
> >>> ---
> >>> v1 --> v2: rebased, added ack
> >>> ---
> > Hi Alexandra, Mark, Lorenzo,
> >
> > Thanks for the patch and reviews!
> >
> >>>   northd/northd.c         |  26 +++++++-
> >>>   northd/ovn-northd.8.xml |  10 ++-
> >>>   tests/ovn-northd.at     |  65 +++++++++----------
> >>>   tests/system-ovn.at     | 138 +++++++++++++++++++++++++++++-----------
> >>>   4 files changed, 164 insertions(+), 75 deletions(-)
> >>>
> >>> diff --git a/northd/northd.c b/northd/northd.c
> >>> index 55e31659f..cdf12ec86 100644
> >>> --- a/northd/northd.c
> >>> +++ b/northd/northd.c
> >>> @@ -6098,7 +6098,7 @@ build_stateless_filter(const struct ovn_datapath
> *od,
> >>>                                   action,
> >>>                                   &acl->header_,
> >>>                                   lflow_ref);
> >>> -    } else if (!od->lb_with_stateless_mode) {
> >>> +    } else {
> >>>           ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL,
> >>>                                   acl->priority + OVN_ACL_PRI_OFFSET,
> >>>                                   acl->match,
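Review bot: dropping the `!od->lb_with_stateless_mode` guard means the to-lport stateless pre-ACL flow is now installed whether or not enable-stateless-acl-with-lb is set, and nothing at this spot says why that is safe now; a one-line comment pointing at build_lb_rules_for_stateless_acl, which depends on REGBIT_ACL_STATELESS being set in the egress pipeline, would make the dependency between the two hunks visible to the next reader.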
> >>> @@ -8437,6 +8437,29 @@ build_lrouter_lb_affinity_default_flows(struct
> ovn_datapath *od,
> >>>                     lflow_ref);
> >>>   }
> >>>
> >>> +static void
> >>> +build_lb_rules_for_stateless_acl(struct lflow_table *lflows,
> >>> +                                 struct ovn_lb_datapaths *lb_dps)
> >>> +{
> >>> +    /* When enable-stateless-acl-with-lb is enabled:
> >>> +     * 1. All stateless traffic must first pass through connection
> tracker
> >>> +     * in egress.
> >>> +     * 2. New connections (ct.new<http://ct.new>) will bypass commit
> phase.
> >>> +     */
> >>> +    struct hmapx_node *hmapx_node;
> >>> +    struct ovn_datapath *od;
> >>> +
> >>> +    HMAPX_FOR_EACH (hmapx_node, &lb_dps->ls_lb_with_stateless_mode) {
> >>> +        od = hmapx_node->data;
> >>> +        ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 115,
> >>> +                      REGBIT_ACL_STATELESS" == 1",
> >>> +                      REGBIT_CONNTRACK_NAT" = 1; next;",
> lb_dps->lflow_ref);
> >>> +        ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 110,
> >>> +                      REGBIT_ACL_STATELESS " == 1 && ct.new<
> http://ct.new>",
> >>> +                      "next;", lb_dps->lflow_ref);
> >>> +    }
> >>> +}
> >>> +
> >>>   static void
> >>>   build_lb_rules(struct lflow_table *lflows, struct ovn_lb_datapaths
> *lb_dps,
> >>>                  const struct ovn_datapaths *ls_datapaths,
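Review bot: the priority-115 flow in S_SWITCH_OUT_PRE_LB exists only to override the existing priority-110 `reg0[16] == 1` -> `next;` skip for stateless traffic and re-apply the same `REGBIT_CONNTRACK_NAT = 1` action the priority-100 `ip` flow already gives (both are visible in the ovn-northd.at expectations below); the function comment should say that, otherwise the choice of 115 looks arbitrary. Style: `REGBIT_ACL_STATELESS" == 1"` is missing the space before the string literal that the second ovn_lflow_add in the same loop uses (`REGBIT_ACL_STATELESS " == 1 && ct.new"`); please make the two consistent.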
> >>> @@ -12857,6 +12880,7 @@ build_lswitch_flows_for_lb(struct
> ovn_lb_datapaths *lb_dps,
> >>>       build_lb_rules_pre_stateful(lflows, lb_dps, ls_datapaths, match,
> action);
> >>>       build_lb_rules(lflows, lb_dps, ls_datapaths, match, action,
> >>>                      meter_groups, svc_mons_data);
> >>> +    build_lb_rules_for_stateless_acl(lflows, lb_dps);
> >>>   }
> >>>
> >>>   /* If there are any load balancing rules, we should send the packet
> to
> >>> diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> >>> index b16d2398d..005fd87d1 100644
> >>> --- a/northd/ovn-northd.8.xml
> >>> +++ b/northd/ovn-northd.8.xml
> >>> @@ -2485,8 +2485,6 @@ output;
> >>>       <p>
> >>>         This is similar to ingress table <code>Pre-ACLs</code> except
> for
> >>>        <code>to-lport</code> traffic.
> >>> -     Except when the option enable-stateless-acl-with-lb is enabled:
> >>> -     REGBIT_ACL_STATELESS ignored.
> >>>       </p>
> >>>
> >>>       <p>
> >>> @@ -2555,6 +2553,12 @@ output;
> >>>         logical router datapath from logical switch datapath for
> routing.
> >>>       </p>
> >>>
> >>> +    <p>
> >>> +      When <code>enable-stateless-acl-with-lb</code> is enabled,
> >>> +      additional priority-115 flow is added to match traffic with
> >>> +      <code>REGBIT_ACL_STATELESS</code> set and pass connection
> tracking.
> >>> +    </p>
> >>> +
> >>>       <h3>Egress Table 4: Pre-stateful</h3>
> >>>
> >>>       <p>
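Review bot: "additional priority-115 flow is added to match traffic with REGBIT_ACL_STATELESS set and pass connection tracking" is ambiguous, since "pass" can be read as "skip", while the flow's action (`REGBIT_CONNTRACK_NAT = 1; next;`) sends the packet through the connection tracker. Suggest "an additional priority-115 flow is added that matches traffic with REGBIT_ACL_STATELESS set and sends it through connection tracking", which also supplies the missing article.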
> >>> @@ -2705,6 +2709,8 @@ output;
> >>>       <p>
> >>>         This is similar to ingress table <code>Stateful</code> except
> that
> >>>         there are no rules added for load balancing new connections.
> >>> +      When <code>enable-stateless-acl-with-lb</code> is enabled, new
> >>> +      stateless connections bypass connection tracking.
> >>>       </p>
> >>>
> >>>       <ul>
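Review bot: "new stateless connections bypass connection tracking" contradicts the Pre-LB paragraph added in the previous hunk, which says stateless traffic is sent through connection tracking; what the priority-110 `ct.new` flow in ls_out_stateful skips is the ct_commit, not the lookup. Suggest "new stateless connections are not committed to the connection tracker" so the two paragraphs agree.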
> >>> diff --git a/tests/ovn-northd.at<http://ovn-northd.at> b/tests/
> ovn-northd.at<http://ovn-northd.at>
> >>> index b01cf3e95..452a46b9f 100644
> >>> --- a/tests/ovn-northd.at<http://ovn-northd.at>
> >>> +++ b/tests/ovn-northd.at<http://ovn-northd.at>
> >>> @@ -17423,7 +17423,7 @@ AT_CLEANUP
> >>>   ])
> >>>
> >>>   OVN_FOR_EACH_NORTHD_NO_HV([
> >>> -AT_SETUP([enable-stateless-acl-with-lb usage])
> >>> +AT_SETUP([ovn-northd: enable-stateless-acl-with-lb usage])
> > Nit: "ovn-northd:" is superfluous.
> >
> >>>   ovn_start ovn-northd
> >>>
> >>>   AS_BOX([Create logical switches and ports.])
> >>> @@ -17449,51 +17449,44 @@ check ovn-nbctl --wait=sb ls-lb-add sw0 lb1
> >>>
> >>>   ovn-sbctl dump-flows sw0 > sw0flows
> >>>
> >>> -AT_CHECK(
> >>> -  [grep -E 'ls_(in|out)_pre_acl' sw0flows | grep reg0 |
> ovn_strip_lflows], [0], [dnl
> >>> -  table=??(ls_in_pre_acl      ), priority=100  , match=(ip),
> action=(reg0[[0]] = 1; next;)
> >>> -  table=??(ls_in_pre_acl      ), priority=2001 , match=(ip),
> action=(reg0[[16]] = 1; next;)
> >>> -  table=??(ls_out_pre_acl     ), priority=100  , match=(ip),
> action=(reg0[[0]] = 1; next;)
> >>> -  table=??(ls_out_pre_acl     ), priority=2001 , match=(ip),
> action=(reg0[[16]] = 1; next;)
> >>> +AT_CHECK([grep -E 'ls_out_pre_lb' sw0flows | ovn_strip_lflows], [0],
> [dnl
> >>> +  table=??(ls_out_pre_lb      ), priority=0    , match=(1),
> action=(next;)
> >>> +  table=??(ls_out_pre_lb      ), priority=100  , match=(ip),
> action=(reg0[[2]] = 1; next;)
> >>> +  table=??(ls_out_pre_lb      ), priority=110  , match=(eth.mcast),
> action=(next;)
> >>> +  table=??(ls_out_pre_lb      ), priority=110  , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
> >>> +  table=??(ls_out_pre_lb      ), priority=110  , match=(nd || nd_rs
> || nd_ra || mldv1 || mldv2), action=(next;)
> >>> +  table=??(ls_out_pre_lb      ), priority=110  , match=(reg0[[16]] ==
> 1), action=(next;)
> >>>   ])
> >>>
> >>> -AT_CHECK(
> >>> -  [grep -E 'ls_out_acl_eval' sw0flows | grep 65532 |
> ovn_strip_lflows], [0], [dnl
> >>> -  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new<http://ct.new> && ct_mark.blocked == 0),
> action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)
> >>> -  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] =
> ct_label.nf_group; reg8[[16]] = 1; next;)
> >>> -  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf_group;
> reg8[[16]] = 1; next;)
> >>> -  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv ||
> (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
> >>> -  table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra
> || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> >>> +AT_CHECK([grep -E 'ls_out_stateful' sw0flows | ovn_strip_lflows],
> [0], [dnl
> >>> +  table=??(ls_out_stateful    ), priority=0    , match=(1),
> action=(next;)
> >>> +  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] ==
> 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0;
> ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]];
> ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)
> >>> +  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] ==
> 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0;
> ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]];
> ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9;
> ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0;
> ct_label.nf_group_id = 0; }; next;)
> >>> +  table=??(ls_out_stateful    ), priority=110  , match=(reg0[[1]] ==
> 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit {
> ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]];
> ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1;
> ct_label.nf_group_id = reg0[[22..29]]; }; next;)
> >>> +  table=??(ls_out_stateful    ), priority=110  , match=(reg0[[1]] ==
> 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit {
> ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]];
> ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id =
> reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id =
> reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id =
> reg0[[22..29]]; }; next;)
> >>>   ])
> >>>
> >>>   AS_BOX([Enable enable-stateless-acl-with-lb option.])
> >>>   check ovn-nbctl --wait=sb set logical_switch sw0
> other_config:enable-stateless-acl-with-lb=true
> >>>   ovn-sbctl dump-flows sw0 > sw0flows
> >>> -AT_CHECK(
> >>> -  [grep -E 'ls_(in|out)_pre_acl' sw0flows | grep reg0 |
> ovn_strip_lflows], [0], [dnl
> >>> -  table=??(ls_in_pre_acl      ), priority=100  , match=(ip),
> action=(reg0[[0]] = 1; next;)
> >>> -  table=??(ls_in_pre_acl      ), priority=2001 , match=(ip),
> action=(reg0[[16]] = 1; next;)
> >>> -  table=??(ls_out_pre_acl     ), priority=100  , match=(ip),
> action=(reg0[[0]] = 1; next;)
> >>> -])
> >>>
> >>> -# We do not match conntrack invalid packets in case of load balancers
> with stateless ACLs.
> >>> -AT_CHECK(
> >>> -  [grep -E 'ls_out_acl_eval' sw0flows | grep 65532 |
> ovn_strip_lflows], [0], [dnl
> >>> -  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est &&
> ct.rel && !ct.new<http://ct.new> && ct_mark.blocked == 0),
> action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)
> >>> -  table=??(ls_out_acl_eval    ), priority=65532, match=((ct.est &&
> ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
> >>> -  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] =
> ct_label.nf_group; reg8[[16]] = 1; next;)
> >>> -  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf_group;
> reg8[[16]] = 1; next;)
> >>> -  table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra
> || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> >>> +AT_CHECK([grep -E 'ls_out_stateful' sw0flows | ovn_strip_lflows],
> [0], [dnl
> >>> +  table=??(ls_out_stateful    ), priority=0    , match=(1),
> action=(next;)
> >>> +  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] ==
> 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0;
> ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]];
> ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)
> >>> +  table=??(ls_out_stateful    ), priority=100  , match=(reg0[[1]] ==
> 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0;
> ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]];
> ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9;
> ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0;
> ct_label.nf_group_id = 0; }; next;)
> >>> +  table=??(ls_out_stateful    ), priority=110  , match=(reg0[[16]] ==
> 1 && ct.new<http://ct.new>), action=(next;)
> >>> +  table=??(ls_out_stateful    ), priority=110  , match=(reg0[[1]] ==
> 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit {
> ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]];
> ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1;
> ct_label.nf_group_id = reg0[[22..29]]; }; next;)
> >>> +  table=??(ls_out_stateful    ), priority=110  , match=(reg0[[1]] ==
> 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit {
> ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]];
> ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id =
> reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id =
> reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id =
> reg0[[22..29]]; }; next;)
> >>>   ])
> >>>
> >>> -AT_CHECK([grep -E 'ls_in_pre_stateful' sw0flows | ovn_strip_lflows],
> [0], [dnl
> >>> -  table=??(ls_in_pre_stateful ), priority=0    , match=(1),
> action=(next;)
> >>> -  table=??(ls_in_pre_stateful ), priority=100  , match=(reg0[[0]] ==
> 1), action=(ct_next;)
> >>> -  table=??(ls_in_pre_stateful ), priority=105  , match=(tcp &&
> ip4.dst == 10.0.0.4), action=(ct_lb_mark;)
> >>> -  table=??(ls_in_pre_stateful ), priority=110  , match=(reg0[[2]] ==
> 1), action=(ct_lb_mark;)
> >>> -  table=??(ls_in_pre_stateful ), priority=115  , match=(reg0[[2]] ==
> 1 && ip.is_frag), action=(reg0[[19]] = 1; ct_lb_mark;)
> >>> -  table=??(ls_in_pre_stateful ), priority=120  , match=(reg0[[2]] ==
> 1 && ip4.dst == 10.0.0.4 && tcp.dst == 80), action=(reg4 = 10.0.0.4;
> reg2[[0..15]] = 80; ct_lb_mark;)
> >>> -  table=??(ls_in_pre_stateful ), priority=150  , match=(ip4.dst ==
> 10.0.0.4 && tcp.dst == 80), action=(ct_lb_mark;)
> >>> +AT_CHECK([grep -E 'ls_out_pre_lb' sw0flows | ovn_strip_lflows], [0],
> [dnl
> >>> +  table=??(ls_out_pre_lb      ), priority=0    , match=(1),
> action=(next;)
> >>> +  table=??(ls_out_pre_lb      ), priority=100  , match=(ip),
> action=(reg0[[2]] = 1; next;)
> >>> +  table=??(ls_out_pre_lb      ), priority=110  , match=(eth.mcast),
> action=(next;)
> >>> +  table=??(ls_out_pre_lb      ), priority=110  , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
> >>> +  table=??(ls_out_pre_lb      ), priority=110  , match=(nd || nd_rs
> || nd_ra || mldv1 || mldv2), action=(next;)
> >>> +  table=??(ls_out_pre_lb      ), priority=110  , match=(reg0[[16]] ==
> 1), action=(next;)
> >>> +  table=??(ls_out_pre_lb      ), priority=115  , match=(reg0[[16]] ==
> 1), action=(reg0[[2]] = 1; next;)
> >>>   ])
> >>>
> >>>   AS_BOX([Create Load Balancer without port.])
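Review bot: the first northd.c hunk removes the `!od->lb_with_stateless_mode` condition in build_stateless_filter, so with enable-stateless-acl-with-lb=true ls_out_pre_acl should now carry the priority-2001 `reg0[[16]] = 1` flow that the deleted `ls_(in|out)_pre_acl` expectation listed as absent after enabling the option, yet nothing in the rewritten test pins that. The deleted comment "We do not match conntrack invalid packets in case of load balancers with stateless ACLs" and its ls_out_acl_eval expectations also go away without a replacement. Please keep a check for the pre_acl flows in both states, so the behaviour change in northd.c is covered rather than only the new ls_out_pre_lb and ls_out_stateful flows.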
> >>> diff --git a/tests/system-ovn.at<http://system-ovn.at> b/tests/
> system-ovn.at<http://system-ovn.at>
> >>> index 2b880ec37..2567cd779 100644
> >>> --- a/tests/system-ovn.at<http://system-ovn.at>
> >>> +++ b/tests/system-ovn.at<http://system-ovn.at>
> >>> @@ -5099,13 +5099,14 @@ AT_CLEANUP
> >>>   ])
> >>>
> >>>   OVN_FOR_EACH_NORTHD([
> >>> -AT_SETUP([enable-stateless-acl-with-lb usage])
> >>> +AT_SETUP([ovn-system: enable-stateless-acl-with-lb usage])
> > Nit: "ovn-system:" is superfluous.
> >
> >>>   AT_SKIP_IF([test $HAVE_NC = no])
> >>>
> >>> +CHECK_CONNTRACK()
> >>>   ovn_start
> >>>   OVS_TRAFFIC_VSWITCHD_START()
> >>> -
> >>>   ADD_BR([br-int])
> >>> +ADD_BR([br-ext], [set Bridge br-ext fail-mode=standalone])
> >>>
> >>>   # Set external-ids in br-int needed for ovn-controller
> >>>   ovs-vsctl \
> >>> @@ -5115,62 +5116,127 @@ ovs-vsctl \
> >>>           -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \
> >>>           -- set bridge br-int fail-mode=secure
> other-config:disable-in-band=true
> >>>
> >>> +ovs-vsctl set Open_Vswitch .
> external_ids:ovn-bridge-mappings=phynet:br-ext
> >>> +
> >>>   # Start ovn-controller
> >>>   start_daemon ovn-controller
> >>>
> >>>   # Logical network:
> >>> -# One logical switch with IPv4 load balancers that hairpin the
> traffic.
> >>> -check ovn-nbctl ls-add sw
> >>> -check ovn-nbctl lsp-add sw lsp1 -- lsp-set-addresses lsp1
> 00:00:00:00:00:01
> >>> -check ovn-nbctl lsp-add sw lsp2 -- lsp-set-addresses lsp2
> 00:00:00:00:00:02
> >>> +# Two LSs and one Lr - outside ls has access to a physical network
> >>> +#                    - ls1 has load balancers
> >>> +#   outside - lr1 - ls1
> >>> +# Сheck that lb work with stateless acl, external traffic not related
> >>> +# to lb doesn't create conntrack records.
> >>> +# In switches egress pipeline, on which the balancers and stateless
> ACL
> >>> +# are condigured together - all traffic is checked for connection
> tracker,
> >>> +# but only traffic related to balancing is committed (established
> connection)
> >>> +
> >>> +check ovn-nbctl ls-add outside
> >>> +
> >>> +check ovn-nbctl lsp-add outside public
> >>> +check ovn-nbctl lsp-set-type public localnet
> > We have new nbctl helpers now, "lsp-add-localnet-port" and
> "lsp-add-router-port",
> > it's better to use them.
> >
> >>> +check ovn-nbctl lsp-set-addresses public unknown
> >>> +check ovn-nbctl lsp-set-options public network_name=phynet
> >>> +
> >>> +check ovn-nbctl lsp-add outside outside-down
> >>> +check ovn-nbctl lsp-set-addresses outside-down router
> >>> +check ovn-nbctl lsp-set-type outside-down router
> >>> +check ovn-nbctl lsp-set-options outside-down router-port=lr1-up
> >>>
> >>> -check ovn-nbctl lb-add lb-ipv4-tcp 88.88.88.88:8080<
> http://88.88.88.88:8080> 42.42.42.1:4041<http://42.42.42.1:4041> tcp
> >>> -check ovn-nbctl ls-lb-add sw lb-ipv4-tcp
> >>> +check ovn-nbctl lr-add lr1
> >>>
> >>> -check ovn-nbctl lr-add rtr
> >>> -check ovn-nbctl lrp-add rtr rtr-sw 00:00:00:00:01:00 42.42.42.254/24<
> http://42.42.42.254/24>
> >>> -check ovn-nbctl lsp-add-router-port sw sw-rtr rtr-sw
> >>> +check ovn-nbctl lrp-add lr1 lr1-up 00:00:01:01:02:03 169.254.0.1/24<
> http://169.254.0.1/24>
> >>> +check ovn-nbctl lrp-add lr1 lr1-down 00:00:02:01:02:03 192.168.0.1/24
> <http://192.168.0.1/24> \
> >>> +      -- lrp-set-gateway-chassis lr1-up hv1
> >>> +
> >>> +check ovn-nbctl ls-add ls1
> >>> +
> >>> +check ovn-nbctl lsp-add ls1 ls1-up
> >>> +check ovn-nbctl lsp-set-addresses ls1-up router
> >>> +check ovn-nbctl lsp-set-type ls1-up router
> >>> +check ovn-nbctl lsp-set-options ls1-up router-port=lr1-down
> >>> +
> >>> +check ovn-nbctl lb-add lb-ipv4-tcp 192.168.0.1:8080<
> http://192.168.0.1:8080> 192.168.0.101:4041<http://192.168.0.101:4041> tcp
> >>> +check ovn-nbctl ls-lb-add ls1 lb-ipv4-tcp
> >>> +
> >>> +check ovn-nbctl lb-add lb-ipv4-udp 192.168.0.1:8081<
> http://192.168.0.1:8081> 192.168.0.101:4042<http://192.168.0.101:4042> udp
> >>> +check ovn-nbctl ls-lb-add ls1 lb-ipv4-udp
> >>>
> >>>   ADD_NAMESPACES(lsp1)
> >>> -ADD_VETH(lsp1, lsp1, br-int, "42.42.42.1/24<http://42.42.42.1/24>",
> "00:00:00:00:00:01", \
> >>> -         "42.42.42.254")
> >>> +ADD_VETH(lsp1, lsp1, br-int, "192.168.0.101/24<
> http://192.168.0.101/24>", "00:00:00:00:00:01", \
> >>> +         "192.168.0.1")
> >>> +check ovn-nbctl lsp-add ls1 lsp1 \
> >>> +-- lsp-set-addresses lsp1 "00:00:00:00:00:01 192.168.0.101"
> >>>
> >>>   ADD_NAMESPACES(lsp2)
> >>> -ADD_VETH(lsp2, lsp2, br-int, "42.42.42.2/24<http://42.42.42.2/24>",
> "00:00:00:00:00:02", \
> >>> -         "42.42.42.254")
> >>> +ADD_VETH(lsp2, lsp2, br-int, "192.168.0.102/24<
> http://192.168.0.102/24>", "00:00:00:00:00:02", \
> >>> +         "192.168.0.1")
> >>> +check ovn-nbctl lsp-add ls1 lsp2 \
> >>> +-- lsp-set-addresses lsp2 "00:00:00:00:00:02 192.168.0.102"
> >>>
> >>>   # Wait for ovn-controller to catch up.
> >>> -wait_for_ports_up
> > Instead of removing the check we can restrict it to wait for lsp1
> > and lsp2:
> >
> > wait_for_ports_up lsp1 lsp2
> >
> >>>   check ovn-nbctl --wait=hv sync
> >>>
> >>> -# Start IPv4 TCP server on lsp1.
> >>> -NETNS_DAEMONIZE([lsp1], [nc -l -k 42.42.42.1 4041], [lsp1.pid])
> >>> +ADD_NAMESPACES(external)
> >>> +ADD_VETH(external, external, br-ext, "169.254.0.101/24<
> http://169.254.0.101/24>", "00:00:00:00:00:04", \
> >>> +         "169.254.0.1")
> >>>
> >>> -# Send the packet to VIP.
> >>> -NS_CHECK_EXEC([lsp1], [nc -z 88.88.88.88 8080], [0], [ignore],
> [ignore])
> >>> -NS_CHECK_EXEC([lsp2], [nc -z 88.88.88.88 8080], [0], [ignore],
> [ignore])
> >>> +NS_EXEC([external], [ip r add 192.168.0.0/24<http://192.168.0.0/24>
> via 169.254.0.1])
> >>> +NS_EXEC([lsp1], [ip r add 169.254.0.0/24<http://169.254.0.0/24> via
> 192.168.0.1])
> >>> +NS_EXEC([lsp2], [ip r add 169.254.0.1/24<http://169.254.0.1/24> via
> 192.168.0.1])
> >>>
> >>> -check ovn-nbctl --wait=hv acl-add sw to-lport 2000 'ip'
> allow-stateless
> >>> -check ovn-nbctl --wait=hv acl-add sw from-lport 2000 'ip'
> allow-stateless
> >>> +# Add stateless acl with load balancers.
> >>> +check ovn-nbctl acl-add ls1 to-lport 2000 1 allow-stateless
> >>> +check ovn-nbctl acl-add ls1 from-lport 2000 1 allow-stateless
> >>>
> >>> -# To provide work of load balancer with stateless ACL this is
> necessary
> >>> -# to set enable-stateless-acl-lb to true.
> >>> -check ovn-nbctl set logical_switch sw
> other_config:enable-stateless-acl-with-lb=true
> >>> +check ovn-nbctl --wait=sb set logical_switch ls1
> other_config:enable-stateless-acl-with-lb=true
> >>>
> >>> -check ovn-nbctl --wait=hv sync
> >>> +# Checking connectivity
> >>> +NS_CHECK_EXEC([external], [ping -q -c 3 -i 0.3 -w 2 192.168.0.101 |
> FORMAT_PING], \
> >>> +[0], [dnl
> >>> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> >>> +])
> >>>
> >>> -# Send the packet to VIP after add stateless acl.
> >>> -NS_CHECK_EXEC([lsp1], [nc -z 88.88.88.88 8080], [0], [ignore],
> [ignore])
> >>> -NS_CHECK_EXEC([lsp2], [nc -z 88.88.88.88 8080], [0], [ignore],
> [ignore])
> >>> +NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 192.168.0.102 |
> FORMAT_PING], \
> >>> +[0], [dnl
> >>> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> >>> +])
> >>>
> >>> -check ovn-nbctl --wait=hv acl-add sw to-lport 2001 'ip' allow-related
> >>> -check ovn-nbctl --wait=hv acl-add sw from-lport 2001 'ip'
> allow-related
> >>> +zone_lsp1_id=$(ovn-appctl -t ovn-controller ct-zone-list | grep lsp1
> | cut -d ' ' -f2)
> >>> +zone_lsp2_id=$(ovn-appctl -t ovn-controller ct-zone-list | grep lsp2
> | cut -d ' ' -f2)
> >>>
> >>> -# Send the packet to VIP after add related acls.
> >>> -NS_CHECK_EXEC([lsp1], [nc -z 88.88.88.88 8080], [0], [ignore],
> [ignore])
> >>> -NS_CHECK_EXEC([lsp2], [nc -z 88.88.88.88 8080], [0], [ignore],
> [ignore])
> >>> +AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> >>>
> >>> -OVN_CLEANUP_CONTROLLER([hv1])
> >>> +# Start IPv4 TCP and UDP server on lsp1.
> >>> +NETNS_DAEMONIZE([lsp1], [nc -l -k 192.168.0.101 4041], [lsp1_tcp.pid])
> >>> +NETNS_DAEMONIZE([lsp1], [nc -u -l 192.168.0.101 4042], [lsp1_udp.pid])
> >>> +
> >>> +# Create another server without load balancer to check that it
> >>> +# does not create conntrack records.
> >>> +NETNS_DAEMONIZE([lsp1], [nc -l -k 192.168.0.101 4043],
> [lsp1_non_lb.pid])
> >>> +
> >>> +# Send the packet to VIP from private network.
> >>> +NS_CHECK_EXEC([lsp1], [nc -z 192.168.0.1 8080], [0], [ignore],
> [ignore])
> >>> +
> >>> +# Udp connections
> >>> +NS_CHECK_EXEC([lsp1], [echo a | nc -u 192.168.0.1 8081], [ignore],
> [ignore], [ignore])
> >>> +
> >>> +# Check conntrack zone of lsp1 has tcp entry for lb
> >>> +AT_CHECK([ovs-appctl dpctl/dump-conntrack zone=$zone_lsp1_id | \
> >>> +FORMAT_CT(192.168.0.1) | \
> >>> +sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0], [dnl
> >>>
> +tcp,orig=(src=192.168.0.101,dst=192.168.0.1,sport=<cleared>,dport=<cleared>),reply=(src=192.168.0.101,dst=192.168.0.101,sport=<cleared>,dport=<cleared>),zone=<cleared>,mark=2,protoinfo=(state=<cleared>)
> >>>
> +udp,orig=(src=192.168.0.101,dst=192.168.0.1,sport=<cleared>,dport=<cleared>),reply=(src=192.168.0.101,dst=192.168.0.101,sport=<cleared>,dport=<cleared>),zone=<cleared>,mark=2
> >>> +])
> >>> +
> >>> +AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> >>> +
> >>> +# Check that internal traffic not related to lb doesn't create
> conntrack records
> >>> +NS_CHECK_EXEC([external], [nc -z 192.168.0.101 4043], [0], [])
> >>> +
> >>> +AT_CHECK([ovs-appctl dpctl/dump-conntrack zone=$zone_lsp1_id |
> FORMAT_CT(192.168.0.101) | sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0],
> [dnl])
> >>> +
> >>> +OVS_APP_EXIT_AND_WAIT([ovn-controller])
> >>>
> >>>   as ovn-sb
> >>>   OVS_APP_EXIT_AND_WAIT([ovsdb-server])
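Review bot: the final negative check is racy as written: the earlier `nc -z 192.168.0.1 8080` connection may still be retransmitting when `dpctl/flush-conntrack` runs, so a late packet recreates the load-balancer entry between the flush and the dump that expects empty output (the analysis at the top of this thread describes exactly this sequence). Checking before the flush that the first TCP connection is actually gone, e.g. with `ss -tap` as suggested above, would make the check deterministic. Smaller points in the same hunk: the comment "internal traffic not related to lb" describes a probe that comes from the `external` namespace; the lsp2 route uses `169.254.0.1/24` where lsp1 uses `169.254.0.0/24`; and "condigured" in the header comment.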
> >>> --
> >>> 2.48.1
> >>>
> > I went ahead and applied the patch to main and 25.09 after fixing
> > up the small issues listed above.
> >
> > Regards,
> > Dumitru
> >
> >
>
> --
> regards,
> Alexandra.
>
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
> Hello Alexandra,
>
> we see a lot of d/s flakes in the "enable-stateless-acl-with-lb usage"
> test after this change.
> Would you have some time to investigate? See the log below in case you
> find it helpful:
>
>
> 59. system-ovn.at:4907: testing
> enable-stateless-acl-with-lb usage -- parallelization=yes --
> ovn_monitor_all=yes ...
> creating ovn-sb database
> ovsdb-server -vjsonrpc
> --remote=punix:/workspace/ovn-tmp/tests/system-userspace-testsuite.dir/059/ovn-sb/ovn-sb.sock
> --remote=db:OVN_Southbound,SB_Global,connections
> --private-key=/workspace/ovn-tmp/tests/testpki-test-privkey.pem
> --certificate=/workspace/ovn-tmp/tests/testpki-test-cert.pem
> --ca-cert=/workspace/ovn-tmp/tests/testpki-cacert.pem
> /workspace/ovn-tmp/tests/system-userspace-testsuite.dir/059/ovn-sb/ovn-sb.db
> -vconsole:off --detach --no-chdir --pidfile --log-file
> creating ovn-nb database
> ovsdb-server -vjsonrpc
> --remote=punix:/workspace/ovn-tmp/tests/system-userspace-testsuite.dir/059/ovn-nb/ovn-nb.sock
> /workspace/ovn-tmp/tests/system-userspace-testsuite.dir/059/ovn-nb/ovn-nb.db
> -vconsole:off --detach --no-chdir --pidfile --log-file
> starting northd
> ovn-northd --n-threads=4 -vjsonrpc
> --ovnnb-db=unix:/workspace/ovn-tmp/tests/system-userspace-testsuite.dir/059/ovn-nb/ovn-nb.sock
> --ovnsb-db=unix:/workspace/ovn-tmp/tests/system-userspace-testsuite.dir/059/ovn-sb/ovn-sb.sock
> -vconsole:off --detach --no-chdir --pidfile --log-file
> 2026-01-08T06:59:51Z|00001|ovn_northd|INFO|Using 4 threads
> aeb81721-db6f-4d7c-9dc5-bd3c2cecaca5
> ovn-macros.at:667<http://ovn-macros.at:667>: waiting until TCP_PORT=`sed
> -n 's/.*0:.*: listening on port \([0-9]*\)$/\1/p'
> "$d/ovn-sb/ovsdb-server.log"` && test X != X"$TCP_PORT"...
> ovn-macros.at:667<http://ovn-macros.at:667>: wait succeeded immediately
> system-ovn.at:4907<http://system-ovn.at:4907>: waiting while ip link show
> ovs-netdev...
> Device "ovs-netdev" does not exist.
> system-ovn.at:4907<http://system-ovn.at:4907>: wait succeeded immediately
> ./system-ovn.at:4907<http://system-ovn.at:4907>: ovsdb-tool create
> conf.db $ovs_srcdir/vswitchd/vswitch.ovsschema
> ./system-ovn.at:4907<http://system-ovn.at:4907>: ovsdb-server --detach
> --no-chdir --pidfile --log-file --remote=punix:$OVS_RUNDIR/db.sock
> stderr:
> 2026-01-08T06:59:51Z|00001|vlog|INFO|opened log file
> /workspace/ovn-tmp/tests/system-userspace-testsuite.dir/059/ovsdb-server.log
> ./system-ovn.at:4907<http://system-ovn.at:4907>: sed < stderr '
> /vlog|INFO|opened log file/d
> /ovsdb_server|INFO|ovsdb-server (Open vSwitch)/d'
> ./system-ovn.at:4907<http://system-ovn.at:4907>: ovs-vsctl --no-wait init
> ./system-ovn.at:4907<http://system-ovn.at:4907>: ovs-vswitchd
> --disable-system --detach --no-chdir --pidfile --log-file -vvconn
> -vofproto_dpif -vunixctl
> stderr:
> 2026-01-08T06:59:52Z|00001|vlog|INFO|opened log file
> /workspace/ovn-tmp/tests/system-userspace-testsuite.dir/059/ovs-vswitchd.log
> 2026-01-08T06:59:52Z|00002|ovs_numa|INFO|Discovered 12 CPU cores on NUMA
> node 0
> 2026-01-08T06:59:52Z|00003|ovs_numa|INFO|Discovered 1 NUMA nodes and 12
> CPU cores
> 2026-01-08T06:59:52Z|00004|reconnect|INFO|unix:/workspace/ovn-tmp/tests/system-userspace-testsuite.dir/059/db.sock:
> connecting...
> 2026-01-08T06:59:52Z|00005|reconnect|INFO|unix:/workspace/ovn-tmp/tests/system-userspace-testsuite.dir/059/db.sock:
> connected
> ./system-ovn.at:4907: sed < stderr '
> /ovs_numa|INFO|Discovered /d
> /vlog|INFO|opened log file/d
> /vswitchd|INFO|ovs-vswitchd (Open vSwitch)/d
> /reconnect|INFO|/d
> /dpif_netlink|INFO|Generic Netlink family .ovs_datapath. does not exist/d
> /ofproto|INFO|using datapath ID/d
> /netdev_linux|INFO|.*device has unknown hardware address family/d
> /ofproto|INFO|datapath ID changed to fedcba9876543210/d
> /netlink_socket|INFO|netlink: could not enable listening to all nsid/d
> /netdev: Flow API/d
> /probe tc:/d
> /tc: Using policy/d
> /dpdk|INFO|/d
> /dpdk|WARN|/d'
> system-ovn.at:4907: waiting while ip link show
> br0...
> Device "br0" does not exist.
> system-ovn.at:4907: wait succeeded immediately
> ./system-ovn.at:4907: ovs-vsctl -- add-br br0
> -- set Bridge br0 datapath_type="netdev"
> protocols=OpenFlow10,OpenFlow11,OpenFlow12,OpenFlow13,OpenFlow14,OpenFlow15
> fail-mode=secure  --
> ovn-controller -vconsole:off --detach --no-chdir --pidfile --log-file
> ovn-nbctl ls-add outside
> ./ovn-macros.at:898: "$@"
> ovn-nbctl lsp-add-localnet-port outside public phynet
> ./ovn-macros.at:898: "$@"
> ovn-nbctl lsp-add outside outside-down
> ./ovn-macros.at:898: "$@"
> ovn-nbctl lsp-set-addresses outside-down router
> ./ovn-macros.at:898: "$@"
> ovn-nbctl lsp-set-type outside-down router
> ./ovn-macros.at:898: "$@"
> ovn-nbctl lsp-set-options outside-down router-port=lr1-up
> ./ovn-macros.at:898: "$@"
> ovn-nbctl lr-add lr1
> ./ovn-macros.at:898: "$@"
> ovn-nbctl lrp-add lr1 lr1-up 00:00:01:01:02:03 169.254.0.1/24
> ./ovn-macros.at:898: "$@"
> ovn-nbctl lrp-add lr1 lr1-down 00:00:02:01:02:03 192.168.0.1/24
> -- lrp-set-gateway-chassis lr1-up hv1
> ./ovn-macros.at:898: "$@"
> ovn-nbctl ls-add ls1
> ./ovn-macros.at:898: "$@"
> ovn-nbctl lsp-add-router-port ls1 ls1-up lr1-down
> ./ovn-macros.at:898: "$@"
> ovn-nbctl lb-add lb-ipv4-tcp 192.168.0.1:8080
> 192.168.0.101:4041 tcp
> ./ovn-macros.at:898: "$@"
> ovn-nbctl ls-lb-add ls1 lb-ipv4-tcp
> ./ovn-macros.at:898: "$@"
> ovn-nbctl lb-add lb-ipv4-udp 192.168.0.1:8081
> 192.168.0.101:4042 udp
> ./ovn-macros.at:898: "$@"
> ovn-nbctl ls-lb-add ls1 lb-ipv4-udp
> ./ovn-macros.at:898: "$@"
> Cannot remove namespace file "/var/run/netns/lsp1": No such file or
> directory
> ./system-ovn.at:4907: ip netns add lsp1 ||
> return 77
> sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_helper: No such
> file or directory
> ./system-ovn.at:4907: ip link add lsp1 type
> veth peer name ovs-lsp1
> ./system-ovn.at:4907: ethtool -K lsp1 tx off
> stderr:
> stdout:
> Actual changes:
> tx-checksum-ip-generic: off
> tx-tcp-segmentation: off [not requested]
> tx-tcp-ecn-segmentation: off [not requested]
> tx-tcp-mangleid-segmentation: off [not requested]
> tx-tcp6-segmentation: off [not requested]
> tx-udp-segmentation: off [not requested]
> tx-checksum-sctp: off
> ./system-ovn.at:4907: ip link set lsp1 netns
> lsp1
> ./system-ovn.at:4907: ip link set dev ovs-lsp1
> up
> ./system-ovn.at:4907: ovs-vsctl add-port
> br-int ovs-lsp1 -- \
>                 set interface ovs-lsp1 external-ids:iface-id="lsp1"
> ./system-ovn.at:4907: ip netns exec lsp1 sh <<
> NS_EXEC_HEREDOC
> ip addr add "192.168.0.101/24" dev lsp1
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ip netns exec lsp1 sh <<
> NS_EXEC_HEREDOC
> ip link set dev lsp1 up
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ip netns exec lsp1 sh <<
> NS_EXEC_HEREDOC
> ip link set dev lsp1 address "00:00:00:00:00:01"
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ip netns exec lsp1 sh <<
> NS_EXEC_HEREDOC
> ip route add \
>          "192.168.0.1" dev lsp1
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ip netns exec lsp1 sh <<
> NS_EXEC_HEREDOC
> ip route add default via \
>          "192.168.0.1"
> NS_EXEC_HEREDOC
> ovn-nbctl lsp-add ls1 lsp1 -- lsp-set-addresses lsp1 00:00:00:00:00:01
> 192.168.0.101
> ./ovn-macros.at:898: "$@"
> Cannot remove namespace file "/var/run/netns/lsp2": No such file or
> directory
> ./system-ovn.at:4907: ip netns add lsp2 ||
> return 77
> sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_helper: No such
> file or directory
> ./system-ovn.at:4907: ip link add lsp2 type
> veth peer name ovs-lsp2
> ./system-ovn.at:4907: ethtool -K lsp2 tx off
> stderr:
> stdout:
> Actual changes:
> tx-checksum-ip-generic: off
> tx-tcp-segmentation: off [not requested]
> tx-tcp-ecn-segmentation: off [not requested]
> tx-tcp-mangleid-segmentation: off [not requested]
> tx-tcp6-segmentation: off [not requested]
> tx-udp-segmentation: off [not requested]
> tx-checksum-sctp: off
> ./system-ovn.at:4907: ip link set lsp2 netns
> lsp2
> ./system-ovn.at:4907: ip link set dev ovs-lsp2
> up
> ./system-ovn.at:4907: ovs-vsctl add-port
> br-int ovs-lsp2 -- \
>                 set interface ovs-lsp2 external-ids:iface-id="lsp2"
> ./system-ovn.at:4907: ip netns exec lsp2 sh <<
> NS_EXEC_HEREDOC
> ip addr add "192.168.0.102/24" dev lsp2
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ip netns exec lsp2 sh <<
> NS_EXEC_HEREDOC
> ip link set dev lsp2 up
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ip netns exec lsp2 sh <<
> NS_EXEC_HEREDOC
> ip link set dev lsp2 address "00:00:00:00:00:02"
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ip netns exec lsp2 sh <<
> NS_EXEC_HEREDOC
> ip route add \
>          "192.168.0.1" dev lsp2
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ip netns exec lsp2 sh <<
> NS_EXEC_HEREDOC
> ip route add default via \
>          "192.168.0.1"
> NS_EXEC_HEREDOC
> ovn-nbctl lsp-add ls1 lsp2 -- lsp-set-addresses lsp2 00:00:00:00:00:02
> 192.168.0.102
> ./ovn-macros.at:898: "$@"
> Waiting until 1 rows in nb Logical_Switch_Port with up=true name=lsp1...
> ovn-macros.at:958: waiting until test $count =
> $(count_rows $db:$table $a $b $c $d $e)...
> ovn-macros.at:958: wait succeeded immediately
> Waiting until 1 rows in nb Logical_Switch_Port with up=true name=lsp2...
> ovn-macros.at:958: waiting until test $count =
> $(count_rows $db:$table $a $b $c $d $e)...
> ovn-macros.at:958: wait succeeded immediately
> ovn-nbctl --wait=hv sync
> ./ovn-macros.at:898: "$@"
> Cannot remove namespace file "/var/run/netns/external": No such file or
> directory
> ./system-ovn.at:4907: ip netns add external ||
> return 77
> sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_helper: No such
> file or directory
> ./system-ovn.at:4907: ip link add external
> type veth peer name ovs-external
> ./system-ovn.at:4907: ethtool -K external tx
> off
> stderr:
> stdout:
> Actual changes:
> tx-checksum-ip-generic: off
> tx-tcp-segmentation: off [not requested]
> tx-tcp-ecn-segmentation: off [not requested]
> tx-tcp-mangleid-segmentation: off [not requested]
> tx-tcp6-segmentation: off [not requested]
> tx-udp-segmentation: off [not requested]
> tx-checksum-sctp: off
> ./system-ovn.at:4907: ip link set external
> netns external
> ./system-ovn.at:4907: ip link set dev
> ovs-external up
> ./system-ovn.at:4907: ovs-vsctl add-port
> br-ext ovs-external -- \
>                 set interface ovs-external external-ids:iface-id="external"
> ./system-ovn.at:4907: ip netns exec external
> sh << NS_EXEC_HEREDOC
> ip addr add "169.254.0.101/24" dev external
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ip netns exec external
> sh << NS_EXEC_HEREDOC
> ip link set dev external up
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ip netns exec external
> sh << NS_EXEC_HEREDOC
> ip link set dev external address "00:00:00:00:00:04"
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ip netns exec external
> sh << NS_EXEC_HEREDOC
> ip route add \
>          "169.254.0.1" dev external
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ip netns exec external
> sh << NS_EXEC_HEREDOC
> ip route add default via \
>          "169.254.0.1"
> NS_EXEC_HEREDOC
> Error: Invalid prefix for given prefix length.
> ovn-nbctl acl-add ls1 to-lport 2000 1 allow-stateless
> ./ovn-macros.at:898: "$@"
> ovn-nbctl acl-add ls1 from-lport 2000 1 allow-stateless
> ./ovn-macros.at:898: "$@"
> ovn-nbctl --wait=sb set logical_switch ls1
> other_config:enable-stateless-acl-with-lb=true
> ./ovn-macros.at:898: "$@"
> ./system-ovn.at:4907: ip netns exec external
> sh << NS_EXEC_HEREDOC
> ping -q -c 3 -i 0.3 -w 2 192.168.0.101 | grep "transmitted" | sed
> 's/time.*ms$/time 0ms/'
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ip netns exec lsp1 sh <<
> NS_EXEC_HEREDOC
> ping -q -c 3 -i 0.3 -w 2 192.168.0.102 | grep "transmitted" | sed
> 's/time.*ms$/time 0ms/'
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ovs-appctl
> dpctl/flush-conntrack
> ./system-ovn.at:4907: ip netns exec lsp1 sh <<
> NS_EXEC_HEREDOC
> nc -z 192.168.0.1 8080
> NS_EXEC_HEREDOC
> stderr:
> stdout:
> ./system-ovn.at:4907: ip netns exec lsp1 sh <<
> NS_EXEC_HEREDOC
> echo a | nc -u 192.168.0.1 8081
> NS_EXEC_HEREDOC
> a
> stderr:
> stdout:
> ./system-ovn.at:4907: ovs-appctl
> dpctl/dump-conntrack zone=$zone_lsp1_id | \
> grep -F "dst=192.168.0.1," | sed -e 's/port=[0-9]*/port=<cleared>/g' -e
> 's/id=[0-9]*/id=<cleared>/g' -e 's/state=[0-9_A-Z]*/state=<cleared>/g' |
> sort | uniq | \
> sed -e 's/zone=[0-9]*/zone=<cleared>/'
> ./system-ovn.at:4907: ovs-appctl
> dpctl/flush-conntrack
> ./system-ovn.at:4907: ip netns exec external
> sh << NS_EXEC_HEREDOC
> nc -z 192.168.0.101 4043
> NS_EXEC_HEREDOC
> ./system-ovn.at:4907: ovs-appctl
> dpctl/dump-conntrack zone=$zone_lsp1_id | grep -F "dst=192.168.0.101," |
> sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' -e
> 's/state=[0-9_A-Z]*/state=<cleared>/g' | sort | uniq | sed -e
> 's/zone=[0-9]*/zone=<cleared>/'
> --- /dev/null   2026-01-08 06:55:58.526358938 +0000
> +++
> /workspace/ovn-tmp/tests/system-userspace-testsuite.dir/at-groups/59/stdout
> 2026-01-08 06:59:55.653000000 +0000
> @@ -0,0 +1 @@
>
> +tcp,orig=(src=192.168.0.101,dst=192.168.0.1,sport=<cleared>,dport=<cleared>),reply=(src=192.168.0.101,dst=192.168.0.101,sport=<cleared>,dport=<cleared>),zone=<cleared>,mark=2,protoinfo=(state=<cleared>)
> 59. system-ovn.at:4907: 59.
> enable-stateless-acl-with-lb usage -- parallelization=yes --
> ovn_monitor_all=yes (system-ovn.at:4907):
> FAILED (system-ovn.at:4907)
>
>
> Thanks,
> Ales
>
> Hi! I'll take a look, thanks!
>
> --
> regards,
> Alexandra.
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>