Every first-time addition of an existing ls_stateful_record to the
crupdated tracking set must call ls_stateful_record_set_acls() to
refresh has_stateful_acl and related ACL state. Two places were
missing this call:
1. The LB loop in ls_stateful_northd_handler() added to crupdated
without calling set_acls(). When a switch had both changed LBs
and changed ACLs, the LB loop added the record first (without
refreshing ACL state), then the ACL loop's hmapx_add() returned
false and skipped the refresh.
2. ls_stateful_acl_handler() added to crupdated without calling
set_acls(). When an existing ACL's action changed (e.g., allow
to allow-related), has_stateful_acl was never updated.
Fixes: fb477aff9286 ("northd: Process ACL changes incrementally.")
Assisted-by: Claude, with model: claude-opus-4-6
Signed-off-by: Dumitru Ceara <[email protected]>
---
northd/en-ls-stateful.c | 21 +++++++++++--
tests/ovn-northd.at | 69 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 87 insertions(+), 3 deletions(-)
diff --git a/northd/en-ls-stateful.c b/northd/en-ls-stateful.c
index 4daeab20d7..84e58b5deb 100644
--- a/northd/en-ls-stateful.c
+++ b/northd/en-ls-stateful.c
@@ -171,8 +171,14 @@ ls_stateful_northd_handler(struct engine_node *node, void
*data_)
ovs_assert(ls_stateful_rec);
ls_stateful_rec->has_lb_vip = ls_has_lb_vip(od);
- /* Add the ls_stateful_rec to the tracking data. */
- hmapx_add(&data->trk_data.crupdated, ls_stateful_rec);
+ /* Add the ls_stateful_rec to the tracking data. Refresh ACL
+ * state when first added so that a switch with both changed LBs
+ * and changed ACLs gets its ACL state updated regardless of
+ * which loop runs first. */
+ if (hmapx_add(&data->trk_data.crupdated, ls_stateful_rec)) {
+ ls_stateful_record_set_acls(ls_stateful_rec, od->nbs,
+ input_data.ls_port_groups);
+ }
}
HMAPX_FOR_EACH (hmapx_node, &nd_changes->ls_with_changed_acls) {
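Review bot: The `if (hmapx_add(&data->trk_data.crupdated, ls_stateful_rec)) { ls_stateful_record_set_acls(...); }` pair introduced here is now the third copy of the same track-and-refresh idiom (the ACL loop that starts on the next line, and ls_stateful_acl_handler later in this patch), and the commit message itself describes two copies that forgot the refresh. A small file-scope `static` helper taking the record, its `od` and `input_data.ls_port_groups`, doing the `hmapx_add` and calling `ls_stateful_record_set_acls` only when the add returns true, would make it hard for a fourth call site to drop the refresh again. The comment added just above the new `if` (refresh on first insertion even when only LBs changed) would then live once, on the helper, instead of being explained locally at each site. The enclosing ls_stateful_northd_handler() begins before this hunk and its ACL loop continues after it.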
@@ -243,6 +249,7 @@ ls_stateful_port_group_handler(struct engine_node *node,
void *data_)
enum engine_input_handler_result
ls_stateful_acl_handler(struct engine_node *node, void *data_)
{
+ struct ls_stateful_input input_data = ls_stateful_get_input_data(node);
struct ed_type_ls_stateful *data = data_;
const struct nbrec_acl_table *nbrec_acl_table =
EN_OVSDB_GET(engine_get_input("NB_acl", node));
@@ -259,7 +266,15 @@ ls_stateful_acl_handler(struct engine_node *node, void
*data_)
LS_STATEFUL_TABLE_FOR_EACH (ls_stateful_rec, &data->table) {
if (uuidset_contains(&ls_stateful_rec->related_acls,
&acl->header_.uuid)) {
- hmapx_add(&data->trk_data.crupdated, ls_stateful_rec);
+ if (hmapx_add(&data->trk_data.crupdated, ls_stateful_rec)) {
+ const struct ovn_datapath *od = ovn_datapath_find(
+ &input_data.ls_datapaths->datapaths,
+ &ls_stateful_rec->nbs_uuid);
+ if (od) {
+ ls_stateful_record_set_acls(ls_stateful_rec, od->nbs,
+ input_data.ls_port_groups);
+ }
+ }
}
}
}
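Review bot: When `ovn_datapath_find()` returns NULL the new `if (od)` silently leaves ls_stateful_rec in crupdated with its ACL state unrefreshed, which is the same stale has_stateful_acl condition this commit sets out to remove, and nothing logs or reports it. A tracked ls_stateful_record whose switch datapath cannot be found looks like an internal inconsistency rather than a legitimate state, so it should be made loud: either mirror the `ovs_assert(ls_stateful_rec)` used in ls_stateful_northd_handler with `ovs_assert(od);`, or, if the handler must not abort on it, report the input as unhandled so the engine falls back to a full recompute instead of continuing with a stale record. Either way a one-line comment stating why `od` can or cannot be NULL here would help the next reader. The handler's return statement lies outside this hunk.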
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 624e08c1df..796c30daf7 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -18957,6 +18957,75 @@ OVN_CLEANUP_NORTHD
AT_CLEANUP
])
+OVN_FOR_EACH_NORTHD_NO_HV([
+AT_SETUP([LS ls_stateful incremental processing])
+AT_KEYWORDS([incremental processing])
+ovn_start
+
+AS_BOX([LB and ACL added in same transaction])
+
+dnl Create a switch with a port.
+check ovn-nbctl --wait=sb \
+ -- ls-add ls0 \
+ -- lsp-add ls0 lsp0 \
+ -- lsp-set-addresses lsp0 "00:00:00:00:00:01 10.0.0.1"
+
+dnl Clear engine stats before the combined transaction.
+check as northd ovn-appctl -t ovn-northd inc-engine/clear-stats
+
+dnl In a single transaction, add both a stateful ACL and a load balancer.
+dnl This exercises the ls_stateful_northd_handler() LB loop path where
+dnl the switch is added to crupdated tracking and must also refresh ACL
+dnl state via ls_stateful_record_set_acls().
+check ovn-nbctl --wait=sb \
+ -- acl-add ls0 from-lport 100 "ip" allow-related \
+ -- lb-add lb1 10.0.0.100:80 10.0.0.1:80 \
+ -- ls-lb-add ls0 lb1
+
+dnl Verify incremental processing was used (no recompute).
+check_engine_stats ls_stateful norecompute compute
+
+dnl Verify the conntrack defrag flow exists in pre_acl at priority 100.
+dnl REGBIT_CONNTRACK_DEFRAG (reg0[0] = 1) is only set when
+dnl has_stateful_acl is true, proving ls_stateful_record_set_acls()
+dnl was called during the combined LB+ACL transaction.
+ovn-sbctl dump-flows ls0 > lflows
+AT_CHECK([grep 'ls_in_pre_acl' lflows | grep 'priority=100' | grep -q
'reg0\[[0\]] = 1'])
+
+AS_BOX([ACL action change from allow to allow-related])
+
+dnl Create a switch with a non-stateful ACL (allow) and a port.
+check ovn-nbctl --wait=sb \
+ -- ls-add ls1 \
+ -- lsp-add ls1 lsp1 \
+ -- lsp-set-addresses lsp1 "00:00:00:00:00:02 10.0.0.2" \
+ -- acl-add ls1 from-lport 100 "ip" allow
+
+dnl Verify NO conntrack defrag flow (non-stateful ACL).
+ovn-sbctl dump-flows ls1 > lflows
+AT_CHECK([grep 'ls_in_pre_acl' lflows | grep 'priority=100' | grep -q
'reg0\[[0\]] = 1'], [1])
+
+dnl Clear engine stats before modifying the ACL.
+check as northd ovn-appctl -t ovn-northd inc-engine/clear-stats
+
+dnl Change the ACL action from allow to allow-related.
+dnl This exercises ls_stateful_acl_handler() where a changed ACL must
+dnl trigger ls_stateful_record_set_acls() to update has_stateful_acl.
+acl_uuid=$(fetch_column nb:Acl _uuid action=allow)
+check ovn-nbctl --wait=sb set acl $acl_uuid action=allow-related
+
+dnl Verify incremental processing was used (no recompute).
+check_engine_stats ls_stateful norecompute compute
+
+dnl Verify the conntrack defrag flow now appears, proving
+dnl has_stateful_acl was correctly updated.
+ovn-sbctl dump-flows ls1 > lflows
+AT_CHECK([grep 'ls_in_pre_acl' lflows | grep 'priority=100' | grep -q
'reg0\[[0\]] = 1'])
+
+OVN_CLEANUP_NORTHD
+AT_CLEANUP
+])
+
OVN_FOR_EACH_NORTHD_NO_HV([
AT_SETUP([Check network function])
ovn_start
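Review bot: The three `ovn-sbctl dump-flows lsN > lflows` lines are not wrapped in `check`, so a failing dump leaves an empty or stale lflows file; for the negative assertion (`grep -q ...`, expecting `[1]`) in the allow case that makes the test pass vacuously, and for the positive assertions it fails at the grep with a misleading message rather than at the command that actually broke. Prefix each with `check`, e.g. `check ovn-sbctl dump-flows ls1 > lflows`, matching how the ovn-nbctl calls in the same test are written. Because lflows is reused across both AS_BOX sections, this also guarantees each assertion inspects a fresh dump rather than the previous switch's output.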
--
2.53.0