On Wed, Apr 15, 2026 at 9:22 AM Dumitru Ceara <[email protected]> wrote:
> On 4/15/26 8:34 AM, Ales Musil wrote: > > On Tue, Apr 14, 2026 at 3:41 PM Dumitru Ceara <[email protected]> wrote: > > > >> Every first-time addition of an existing ls_stateful_record to the > >> crupdated tracking set must call ls_stateful_record_set_acls() to > >> refresh has_stateful_acl and related ACL state. Two places were > >> missing this call: > >> > >> 1. The LB loop in ls_stateful_northd_handler() added to crupdated > >> without calling set_acls(). When a switch had both changed LBs > >> and changed ACLs, the LB loop added the record first (without > >> refreshing ACL state), then the ACL loop's hmapx_add() returned > >> false and skipped the refresh. > >> > >> 2. ls_stateful_acl_handler() added to crupdated without calling > >> set_acls(). When an existing ACL's action changed (e.g., allow > >> to allow-related), has_stateful_acl was never updated. > >> > >> Fixes: fb477aff9286 ("northd: Process ACL changes incrementally.") > >> Assisted-by: Claude, with model: claude-opus-4-6 > >> Signed-off-by: Dumitru Ceara <[email protected]> > >> --- > >> > > > > Hi Dumitru, > > > > thank you for the patch, I have two comments below. > > > > Hi Ales, > > Thanks for the review! > > > > >> northd/en-ls-stateful.c | 21 +++++++++++-- > >> tests/ovn-northd.at | 69 +++++++++++++++++++++++++++++++++++++++++ > >> 2 files changed, 87 insertions(+), 3 deletions(-) > >> > >> diff --git a/northd/en-ls-stateful.c b/northd/en-ls-stateful.c > >> index 4daeab20d7..84e58b5deb 100644 > >> --- a/northd/en-ls-stateful.c > >> +++ b/northd/en-ls-stateful.c 
> >> @@ -171,8 +171,14 @@ ls_stateful_northd_handler(struct engine_node > *node, > >> void *data_) > >> ovs_assert(ls_stateful_rec); > >> ls_stateful_rec->has_lb_vip = ls_has_lb_vip(od); > >> > >> - /* Add the ls_stateful_rec to the tracking data. */ > >> - hmapx_add(&data->trk_data.crupdated, ls_stateful_rec); > >> + /* Add the ls_stateful_rec to the tracking data. Refresh ACL > >> + * state when first added so that a switch with both changed > LBs > >> + * and changed ACLs gets its ACL state updated regardless of > >> + * which loop runs first. */ > >> + if (hmapx_add(&data->trk_data.crupdated, ls_stateful_rec)) { > >> + ls_stateful_record_set_acls(ls_stateful_rec, od->nbs, > >> + input_data.ls_port_groups); > >> + } > >> } > >> > >> HMAPX_FOR_EACH (hmapx_node, &nd_changes->ls_with_changed_acls) { > >> @@ -243,6 +249,7 @@ ls_stateful_port_group_handler(struct engine_node > >> *node, void *data_) > >> enum engine_input_handler_result > >> ls_stateful_acl_handler(struct engine_node *node, void *data_) > >> { > >> + struct ls_stateful_input input_data = > >> ls_stateful_get_input_data(node); > >> struct ed_type_ls_stateful *data = data_; > >> const struct nbrec_acl_table *nbrec_acl_table = > >> EN_OVSDB_GET(engine_get_input("NB_acl", node)); 
> >> @@ -259,7 +266,15 @@ ls_stateful_acl_handler(struct engine_node *node, > >> void *data_) > >> LS_STATEFUL_TABLE_FOR_EACH (ls_stateful_rec, &data->table) { > >> if (uuidset_contains(&ls_stateful_rec->related_acls, > >> &acl->header_.uuid)) { > >> - hmapx_add(&data->trk_data.crupdated, ls_stateful_rec); > >> + if (hmapx_add(&data->trk_data.crupdated, > >> ls_stateful_rec)) { > >> + const struct ovn_datapath *od = ovn_datapath_find( > >> + &input_data.ls_datapaths->datapaths, > >> + &ls_stateful_rec->nbs_uuid); > >> > > > > Wouldn't it be better to do "ovn_datapaths_find_by_index()"? > > Also I think that at this point the od cannot be NULL, > > so let's make it an assert WDYT? > > > > Definitely, sounds good to me. > In that case there is no need to do v2: Acked-by: Ales Musil <[email protected]> > > > + if (od) { > >> + ls_stateful_record_set_acls(ls_stateful_rec, > >> od->nbs, > >> + > >> input_data.ls_port_groups); > >> + } > >> + } > >> } > >> } > >> } > >> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at > >> index 624e08c1df..796c30daf7 100644 > >> --- a/tests/ovn-northd.at > >> +++ b/tests/ovn-northd.at 
> >> @@ -18957,6 +18957,75 @@ OVN_CLEANUP_NORTHD > >> AT_CLEANUP > >> ]) > >> > >> +OVN_FOR_EACH_NORTHD_NO_HV([ > >> +AT_SETUP([LS ls_stateful incremental processing]) > >> +AT_KEYWORDS([incremental processing]) > >> +ovn_start > >> + > >> +AS_BOX([LB and ACL added in same transaction]) > >> + > >> +dnl Create a switch with a port. > >> +check ovn-nbctl --wait=sb \ > >> + -- ls-add ls0 \ > >> + -- lsp-add ls0 lsp0 \ > >> + -- lsp-set-addresses lsp0 "00:00:00:00:00:01 10.0.0.1" > >> + > >> +dnl Clear engine stats before the combined transaction. > >> +check as northd ovn-appctl -t ovn-northd inc-engine/clear-stats > >> + > >> +dnl In a single transaction, add both a stateful ACL and a load > balancer. > >> +dnl This exercises the ls_stateful_northd_handler() LB loop path where > >> +dnl the switch is added to crupdated tracking and must also refresh ACL > >> +dnl state via ls_stateful_record_set_acls(). > >> +check ovn-nbctl --wait=sb \ > >> + -- acl-add ls0 from-lport 100 "ip" allow-related \ > >> + -- lb-add lb1 10.0.0.100:80 10.0.0.1:80 \ > >> + -- ls-lb-add ls0 lb1 > >> + > >> +dnl Verify incremental processing was used (no recompute). > >> +check_engine_stats ls_stateful norecompute compute > >> + > >> +dnl Verify the conntrack defrag flow exists in pre_acl at priority 100. > >> +dnl REGBIT_CONNTRACK_DEFRAG (reg0[0] = 1) is only set when > >> +dnl has_stateful_acl is true, proving ls_stateful_record_set_acls() > >> +dnl was called during the combined LB+ACL transaction. > >> +ovn-sbctl dump-flows ls0 > lflows > >> +AT_CHECK([grep 'ls_in_pre_acl' lflows | grep 'priority=100' | grep -q > >> 'reg0\[[0\]] = 1']) > >> + > >> +AS_BOX([ACL action change from allow to allow-related]) > >> + > >> +dnl Create a switch with a non-stateful ACL (allow) and a port. 
> >> +check ovn-nbctl --wait=sb \ > >> + -- ls-add ls1 \ > >> + -- lsp-add ls1 lsp1 \ > >> + -- lsp-set-addresses lsp1 "00:00:00:00:00:02 10.0.0.2" \ > >> + -- acl-add ls1 from-lport 100 "ip" allow > >> + > >> +dnl Verify NO conntrack defrag flow (non-stateful ACL). > >> +ovn-sbctl dump-flows ls1 > lflows > >> +AT_CHECK([grep 'ls_in_pre_acl' lflows | grep 'priority=100' | grep -q > >> 'reg0\[[0\]] = 1'], [1]) > >> + > >> +dnl Clear engine stats before modifying the ACL. > >> +check as northd ovn-appctl -t ovn-northd inc-engine/clear-stats > >> + > >> +dnl Change the ACL action from allow to allow-related. > >> +dnl This exercises ls_stateful_acl_handler() where a changed ACL must > >> +dnl trigger ls_stateful_record_set_acls() to update has_stateful_acl. > >> +acl_uuid=$(fetch_column nb:Acl _uuid action=allow) > >> +check ovn-nbctl --wait=sb set acl $acl_uuid action=allow-related > >> + > >> +dnl Verify incremental processing was used (no recompute). > >> +check_engine_stats ls_stateful norecompute compute > >> + > >> +dnl Verify the conntrack defrag flow now appears, proving > >> +dnl has_stateful_acl was correctly updated. > >> +ovn-sbctl dump-flows ls1 > lflows > >> +AT_CHECK([grep 'ls_in_pre_acl' lflows | grep 'priority=100' | grep -q > >> 'reg0\[[0\]] = 1']) > >> + > >> +OVN_CLEANUP_NORTHD > >> +AT_CLEANUP > >> +]) > >> + > >> OVN_FOR_EACH_NORTHD_NO_HV([ > >> AT_SETUP([Check network function]) > >> ovn_start > >> -- > >> 2.53.0 > >> > >> > > Regards, > > Ales > > > > Regards, > Dumitru
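Review bot: in the first northd/en-ls-stateful.c hunk (the LB loop of ls_stateful_northd_handler()), the new `if (hmapx_add(...)) { ls_stateful_record_set_acls(...); }` refreshes ACL state for every switch whose LBs changed, including switches whose ACLs did not change at all, so each LB-only update now pays an ACL walk it did not pay before. That is the right trade for correctness, since hmapx_add() only returns true on the first insertion and the ACL loop below would otherwise skip the refresh, but the commit message should state the cost, and the comment could say explicitly that the ACL loop performs the same first-insertion check so the refresh runs exactly once whichever loop adds the record first.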
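Review bot: in the ls_stateful_acl_handler() hunk, the `if (od) { ... }` guard silently leaves has_stateful_acl stale when ovn_datapath_find() returns NULL, with nothing logged, which is the same kind of unnoticed state drift this patch sets out to fix. As agreed in the thread, v2 should look the datapath up with ovn_datapaths_find_by_index() and ovs_assert() the result (the first hunk already uses ovs_assert(ls_stateful_rec) in the same spirit) rather than guarding with `if (od)`, so a missing record fails loudly instead of leaving stateful ACL state unrefreshed.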
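Review bot: the second AS_BOX in the tests/ovn-northd.at hunk only covers the allow to allow-related transition; the reverse change (allow-related back to allow) goes through the same ls_stateful_acl_handler() path and must clear has_stateful_acl, so a third step that runs `set acl $acl_uuid action=allow` again and asserts the priority=100 ls_in_pre_acl flow disappears (the same AT_CHECK with the `[1]` expected status) would also catch a refresh that only ever sets the flag. Separately, `acl_uuid=$(fetch_column nb:Acl _uuid action=allow)` relies on ls0's ACL from the first box being allow-related so that only ls1's ACL matches; a dnl comment noting that dependency, or selecting the ACL through ls1 instead, would keep the test from breaking if the first box is later edited.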
