On Fri, Sep 11, 2020 at 6:11 PM Mark Michelson <mmich...@redhat.com> wrote:
>
> Acked-by: Mark Michelson <mmich...@redhat.com>

Thanks Dumitru and Mark and Han for the suggestion. The patch LGTM. I applied this patch to master. There was one test case failing - 148: ovn -- lflow cache for conjunctions. This test case was added by me recently. I fixed the failure before applying. It failed because of the changed table number for ACL.

Thanks
Numan

>
> There's one documentation error down below that can be fixed when this
> is merged. Since the referenced ECMP test case has been fixed already,
> this also won't cause any test failures.
>
> On 9/2/20 11:05 AM, Dumitru Ceara wrote:
> > Introduce two new stages in the logical switch pipeline:
> > - ls_in_acl_hint
> > - ls_out_acl_hint
> >
> > Flows in these stages match on various combinations of conntrack flags to
> > determine how traffic might be processed in the ACL stage. Four possible
> > hints are set (there may be more than one set at the same time per packet):
> > - REGBIT_ACL_HINT_ALLOW_NEW: the packet might match an allow-related ACL in
> > which case it will have to commit or update a connection to conntrack.
> > - REGBIT_ACL_HINT_ALLOW: the packet might match an allow-related ACL but
> > the session already exists so no commit will be needed.
> > - REGBIT_ACL_HINT_DROP: the packet might match a drop/reject ACL but the
> > session already exists so no commit will be needed.
> > - REGBIT_ACL_HINT_BLOCK: the packet might match a drop/reject ACL in which
> > case it will have to commit or update a connection in conntrack.
> >
> > These hints are used in the ls_in_acl/ls_out_acl tables and simplify the
> > match expressions for logical flows generated for ACLs reducing the number
> > of disjunctions in the match, therefore reducing the number of openflows
> > by a factor of 2 for allow-related ACLs and by a factor of 3 for drop/reject
> > ACLs.
> >
> > Suggested-by: Han Zhou <hz...@ovn.org>
> > Signed-off-by: Dumitru Ceara <dce...@redhat.com> > > > > --- > > NOTE: The "ovn -- ECMP symmetric reply" system test will fail with this > > patch applied until the following patch that fixes the test is also merged: > > > > http://patchwork.ozlabs.org/project/ovn/patch/1599033403-1659-1-git-send-email-dce...@redhat.com/ > > --- > > northd/ovn-northd.8.xml | 134 ++++++++++++++++++++++++++++------ > > northd/ovn-northd.c | 186 > > +++++++++++++++++++++++++++++++++++------------ > > tests/ovn-northd.at | 26 +++---- > > tests/ovn.at | 58 +++++++-------- > > tests/system-ovn.at | 4 + > > 5 files changed, 292 insertions(+), 116 deletions(-) > > > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > > index 989e364..226afc8 100644 > > --- a/northd/ovn-northd.8.xml > > +++ b/northd/ovn-northd.8.xml 
> > @@ -386,7 +386,86 @@ > > <code>ct_next;</code> action. > > </p> > > > > - <h3>Ingress table 6: <code>from-lport</code> ACLs</h3> > > + <h3>Ingress Table 6: <code>from-lport</code> ACL hints</h3> > > + > > + <p> > > + This table consists of logical flows that set hints > > + (<code>reg0</code> bits) to be used in the next stage, in the ACL > > + processing table. Multiple hints can be set for the same packet. > > + The possible hints are: > > + </p> > > + <ul> > > + <li> > > + <code>reg0[7]</code>: the packet might match an > > + <code>allow-related</code> ACL and might have to commit the > > + connection to conntrack. > > + </li> > > + <li> > > + <code>reg0[8]</code>: the packet might match an > > + <code>allow-related</code> ACL but there will be no need to commit > > + the connection to conntrack because it already exists. > > + </li> > > + <li> > > + <code>reg0[9]</code>: the packet might match a > > + <code>drop/reject</code>. > > + </li> > > + <li> > > + <code>reg0[10]</code>: the packet might match a > > + <code>drop/reject</code> ACL but the connection was previously > > + allowed so it might have to be committed again with > > + <code>ct_label=1/1</code>. > > + </li> > > + </ul> > > + > > + <p> > > + The table contains the following flows: > > + </p> > > + <ul> > > + <li> > > + A priority-7 flow that matches on packets that initiate a new > > session. > > + This flow sets <code>reg0[7]</code> and <code>reg0[9]</code> and > > + then advances to the next table. > > + </li> > > + <li> > > + A priority-6 flow that matches on packets that are in the request > > + direction of an already existing session that has been marked > > + as blocked. This flow sets <code>reg0[7]</code> and > > + <code>reg0[9]</code> and then advances to the next table. > > + </li> > > + <li> > > + A priority-5 flow that matches untracked packets. This flow sets > > + <code>reg0[8]</code> and <code>reg0[9]</code> and then advances to > > + the next table. 
> > + </li> > > + <li> > > + A priority-4 flow that matches on packets that are in the request > > + direction of an already existing session that has not been marked > > + as blocked. This flow sets <code>reg0[8]</code> and > > + <code>reg0[10]</code> and then advances to the next table. > > + </li> > > + <li> > > + A priority-3 flow that matches on packets that are in not part of > > + established sessions. This flow sets <code>reg0[9]</code> and then > > + advances to the next table. > > + </li> > > + <li> > > + A priority-2 flow that matches on packets that are part of an > > + established session that has been marked as blocked. > > + This flow sets <code>reg0[9]</code> and then advances to the next > > + table. > > + </li> > > + <li> > > + A priority-1 flow that matches on packets that are part of an > > + established session that has not been marked as blocked. > > + This flow sets <code>reg0[10]</code> and then advances to the next > > + table. > > + </li> > > + <li> > > + A priority-0 flow to advance to the next table. > > + </li> > > + </ul> > > + > > + <h3>Ingress table 7: <code>from-lport</code> ACLs</h3> > > > > <p> > > Logical flows in this table closely reproduce those in the > > @@ -494,7 +573,7 @@ > > </li> > > </ul> > > > > - <h3>Ingress Table 7: <code>from-lport</code> QoS Marking</h3> > > + <h3>Ingress Table 8: <code>from-lport</code> QoS Marking</h3> > > > > <p> > > Logical flows in this table closely reproduce those in the > > @@ -516,7 +595,7 @@ > > </li> > > </ul> > > > > - <h3>Ingress Table 8: <code>from-lport</code> QoS Meter</h3> > > + <h3>Ingress Table 9: <code>from-lport</code> QoS Meter</h3> > > > > <p> > > Logical flows in this table closely reproduce those in the > > @@ -538,7 +617,7 @@ > > </li> > > </ul> > > > > - <h3>Ingress Table 9: LB</h3> > > + <h3>Ingress Table 10: LB</h3> > > > > <p> > > It contains a priority-0 flow that simply moves traffic to the next 
> > @@ -564,7 +643,7 @@ > > connection.) > > </p> > > > > - <h3>Ingress Table 10: Stateful</h3> > > + <h3>Ingress Table 11: Stateful</h3> > > > > <ul> > > <li> > > @@ -612,7 +691,7 @@ > > </li> > > </ul> > > > > - <h3>Ingress Table 11: Pre-Hairpin</h3> > > + <h3>Ingress Table 12: Pre-Hairpin</h3> > > <ul> > > <li> > > For all configured load balancer VIPs a priority-2 flow that > > @@ -632,7 +711,7 @@ > > </li> > > </ul> > > > > - <h3>Ingress Table 12: Hairpin</h3> > > + <h3>Ingress Table 13: Hairpin</h3> > > <ul> > > <li> > > A priority-1 flow that hairpins traffic matched by non-default > > @@ -645,7 +724,7 @@ > > </li> > > </ul> > > > > - <h3>Ingress Table 13: ARP/ND responder</h3> > > + <h3>Ingress Table 14: ARP/ND responder</h3> > > > > <p> > > This table implements ARP/ND responder in a logical switch for known > > @@ -930,7 +1009,7 @@ output; > > </li> > > </ul> > > > > - <h3>Ingress Table 14: DHCP option processing</h3> > > + <h3>Ingress Table 15: DHCP option processing</h3> > > > > <p> > > This table adds the DHCPv4 options to a DHCPv4 packet from the > > @@ -987,11 +1066,11 @@ next; > > </li> > > > > <li> > > - A priority-0 flow that matches all packets to advances to table 15. > > + A priority-0 flow that matches all packets to advances to table 16. > > </li> > > </ul> > > > > - <h3>Ingress Table 15: DHCP responses</h3> > > + <h3>Ingress Table 16: DHCP responses</h3> > > > > <p> > > This table implements DHCP responder for the DHCP replies generated > > by > > @@ -1068,11 +1147,11 @@ output; > > </li> > > > > <li> > > - A priority-0 flow that matches all packets to advances to table 16. > > + A priority-0 flow that matches all packets to advances to table 17. > > </li> > > </ul> > > > > - <h3>Ingress Table 16 DNS Lookup</h3> > > + <h3>Ingress Table 17 DNS Lookup</h3> > > > > <p> > > This table looks up and resolves the DNS names to the corresponding 
> > @@ -1101,7 +1180,7 @@ reg0[4] = dns_lookup(); next; > > </li> > > </ul> > > > > - <h3>Ingress Table 17 DNS Responses</h3> > > + <h3>Ingress Table 18 DNS Responses</h3> > > > > <p> > > This table implements DNS responder for the DNS replies generated by > > @@ -1136,7 +1215,7 @@ output; > > </li> > > </ul> > > > > - <h3>Ingress table 18 External ports</h3> > > + <h3>Ingress table 19 External ports</h3> > > > > <p> > > Traffic from the <code>external</code> logical ports enter the > > ingress > > @@ -1175,11 +1254,11 @@ output; > > </li> > > > > <li> > > - A priority-0 flow that matches all packets to advances to table 19. > > + A priority-0 flow that matches all packets to advances to table 20. > > </li> > > </ul> > > > > - <h3>Ingress Table 19 Destination Lookup</h3> > > + <h3>Ingress Table 20 Destination Lookup</h3> > > > > <p> > > This table implements switching behavior. It contains these logical > > @@ -1412,7 +1491,12 @@ output; > > This is similar to ingress table <code>LB</code>. > > </p> > > > > - <h3>Egress Table 4: <code>to-lport</code> ACLs</h3> > > + <h3>Ingress Table 6: <code>from-lport</code> ACL hints</h3> > > This appears to be a copy-paste error. This should be Egress Table 4, > not Ingress Table 6. > > > + <p> > > + This is similar to ingress table <code>ACL hints</code>. > > + </p> > > + > > + <h3>Egress Table 5: <code>to-lport</code> ACLs</h3> > > > > <p> > > This is similar to ingress table <code>ACLs</code> except for 
> > @@ -1427,14 +1511,14 @@ output; > > A priority 34000 logical flow is added for each logical port which > > has DHCPv4 options defined to allow the DHCPv4 reply packet and > > which has > > DHCPv6 options defined to allow the DHCPv6 reply packet from the > > - <code>Ingress Table 15: DHCP responses</code>. > > + <code>Ingress Table 16: DHCP responses</code>. > > </li> > > > > <li> > > A priority 34000 logical flow is added for each logical switch > > datapath > > configured with DNS records with the match <code>udp.dst = > > 53</code> > > to allow the DNS reply packet from the > > - <code>Ingress Table 17: DNS responses</code>. > > + <code>Ingress Table 18: DNS responses</code>. > > </li> > > > > <li> > > @@ -1449,28 +1533,28 @@ output; > > </li> > > </ul> > > > > - <h3>Egress Table 5: <code>to-lport</code> QoS Marking</h3> > > + <h3>Egress Table 6: <code>to-lport</code> QoS Marking</h3> > > > > <p> > > This is similar to ingress table <code>QoS marking</code> except > > they apply to <code>to-lport</code> QoS rules. > > </p> > > > > - <h3>Egress Table 6: <code>to-lport</code> QoS Meter</h3> > > + <h3>Egress Table 7: <code>to-lport</code> QoS Meter</h3> > > > > <p> > > This is similar to ingress table <code>QoS meter</code> except > > they apply to <code>to-lport</code> QoS rules. > > </p> > > > > - <h3>Egress Table 7: Stateful</h3> > > + <h3>Egress Table 8: Stateful</h3> > > > > <p> > > This is similar to ingress table <code>Stateful</code> except that > > there are no rules added for load balancing new connections. > > </p> > > > > - <h3>Egress Table 8: Egress Port Security - IP</h3> > > + <h3>Egress Table 9: Egress Port Security - IP</h3> > > > > <p> > > This is similar to the port security logic in table 
> > @@ -1480,7 +1564,7 @@ output; > > <code>ip4.src</code> and <code>ip6.src</code> > > </p> > > > > - <h3>Egress Table 9: Egress Port Security - L2</h3> > > + <h3>Egress Table 10: Egress Port Security - L2</h3> > > > > <p> > > This is similar to the ingress port security logic in ingress table > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > > index 7be0e85..2025446 100644 > > --- a/northd/ovn-northd.c > > +++ b/northd/ovn-northd.c 
> > @@ -138,32 +138,34 @@ enum ovn_stage { > > PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 3, "ls_in_pre_acl") > > \ > > PIPELINE_STAGE(SWITCH, IN, PRE_LB, 4, "ls_in_pre_lb") > > \ > > PIPELINE_STAGE(SWITCH, IN, PRE_STATEFUL, 5, "ls_in_pre_stateful") > > \ > > - PIPELINE_STAGE(SWITCH, IN, ACL, 6, "ls_in_acl") \ > > - PIPELINE_STAGE(SWITCH, IN, QOS_MARK, 7, "ls_in_qos_mark") \ > > - PIPELINE_STAGE(SWITCH, IN, QOS_METER, 8, "ls_in_qos_meter") \ > > - PIPELINE_STAGE(SWITCH, IN, LB, 9, "ls_in_lb") \ > > - PIPELINE_STAGE(SWITCH, IN, STATEFUL, 10, "ls_in_stateful") \ > > - PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 11, "ls_in_pre_hairpin") \ > > - PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 12, "ls_in_hairpin") \ > > - PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 13, "ls_in_arp_rsp") \ > > - PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 14, "ls_in_dhcp_options") \ > > - PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 15, "ls_in_dhcp_response") \ > > - PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 16, "ls_in_dns_lookup") \ > > - PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 17, "ls_in_dns_response") \ > > - PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 18, "ls_in_external_port") \ > > - PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 19, "ls_in_l2_lkup") \ > > + PIPELINE_STAGE(SWITCH, IN, ACL_HINT, 6, "ls_in_acl_hint") \ > > + PIPELINE_STAGE(SWITCH, IN, ACL, 7, "ls_in_acl") \ > > + PIPELINE_STAGE(SWITCH, IN, QOS_MARK, 8, "ls_in_qos_mark") \ > > + PIPELINE_STAGE(SWITCH, IN, QOS_METER, 9, "ls_in_qos_meter") \ > > + PIPELINE_STAGE(SWITCH, IN, LB, 10, "ls_in_lb") \ > > + PIPELINE_STAGE(SWITCH, IN, STATEFUL, 11, "ls_in_stateful") \ > > + PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 12, "ls_in_pre_hairpin") \ > > + PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 13, "ls_in_hairpin") \ > > + PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 14, "ls_in_arp_rsp") \ > > + PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 15, "ls_in_dhcp_options") \ > > + PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 16, "ls_in_dhcp_response") \ > > + PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 17, 
"ls_in_dns_lookup") \ > > + PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 18, "ls_in_dns_response") \ > > + PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 19, "ls_in_external_port") \ > > + PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 20, "ls_in_l2_lkup") \ > > > > \ > > /* Logical switch egress stages. */ > > \ > > PIPELINE_STAGE(SWITCH, OUT, PRE_LB, 0, "ls_out_pre_lb") > > \ > > PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 1, "ls_out_pre_acl") > > \ > > PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful") > > \ > > PIPELINE_STAGE(SWITCH, OUT, LB, 3, "ls_out_lb") > > \ > > - PIPELINE_STAGE(SWITCH, OUT, ACL, 4, "ls_out_acl") \ > > - PIPELINE_STAGE(SWITCH, OUT, QOS_MARK, 5, "ls_out_qos_mark") \ > > - PIPELINE_STAGE(SWITCH, OUT, QOS_METER, 6, "ls_out_qos_meter") \ > > - PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 7, "ls_out_stateful") \ > > - PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP, 8, "ls_out_port_sec_ip") \ > > - PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2, 9, "ls_out_port_sec_l2") \ > > + PIPELINE_STAGE(SWITCH, OUT, ACL_HINT, 4, "ls_out_acl_hint") \ > > + PIPELINE_STAGE(SWITCH, OUT, ACL, 5, "ls_out_acl") \ > > + PIPELINE_STAGE(SWITCH, OUT, QOS_MARK, 6, "ls_out_qos_mark") \ > > + PIPELINE_STAGE(SWITCH, OUT, QOS_METER, 7, "ls_out_qos_meter") \ > > + PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 8, "ls_out_stateful") \ > > + PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP, 9, "ls_out_port_sec_ip") \ > > + PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2, 10, "ls_out_port_sec_l2") \ > > \ > > /* Logical router ingress stages. */ \ > > PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, "lr_in_admission") > > \ 
> > @@ -205,13 +207,17 @@ enum ovn_stage { > > #define OVN_ACL_PRI_OFFSET 1000 > > > > /* Register definitions specific to switches. */ > > -#define REGBIT_CONNTRACK_DEFRAG "reg0[0]" > > -#define REGBIT_CONNTRACK_COMMIT "reg0[1]" > > -#define REGBIT_CONNTRACK_NAT "reg0[2]" > > -#define REGBIT_DHCP_OPTS_RESULT "reg0[3]" > > -#define REGBIT_DNS_LOOKUP_RESULT "reg0[4]" > > -#define REGBIT_ND_RA_OPTS_RESULT "reg0[5]" > > -#define REGBIT_HAIRPIN "reg0[6]" > > +#define REGBIT_CONNTRACK_DEFRAG "reg0[0]" > > +#define REGBIT_CONNTRACK_COMMIT "reg0[1]" > > +#define REGBIT_CONNTRACK_NAT "reg0[2]" > > +#define REGBIT_DHCP_OPTS_RESULT "reg0[3]" > > +#define REGBIT_DNS_LOOKUP_RESULT "reg0[4]" > > +#define REGBIT_ND_RA_OPTS_RESULT "reg0[5]" > > +#define REGBIT_HAIRPIN "reg0[6]" > > +#define REGBIT_ACL_HINT_ALLOW_NEW "reg0[7]" > > +#define REGBIT_ACL_HINT_ALLOW "reg0[8]" > > +#define REGBIT_ACL_HINT_DROP "reg0[9]" > > +#define REGBIT_ACL_HINT_BLOCK "reg0[10]" > > > > /* Register definitions for switches and routers. */ > > > > @@ -246,11 +252,12 @@ enum ovn_stage { > > * OVS register usage: > > * > > * Logical Switch pipeline: > > - * +---------+-------------------------------------+ > > - * | R0 | REGBIT_{CONNTRACK/DHCP/DNS/HAIRPIN} | > > - * +---------+-------------------------------------+ > > - * | R1 - R9 | UNUSED | > > - * +---------+-------------------------------------+ > > + * +---------+----------------------------------------------+ > > + * | R0 | REGBIT_{CONNTRACK/DHCP/DNS/HAIRPIN} | > > + * | | REGBIT_ACL_HINT_{ALLOW_NEW/ALLOW/DROP/BLOCK} | > > + * +---------+----------------------------------------------+ > > + * | R1 - R9 | UNUSED | > > + * +---------+----------------------------------------------+ > > * > > * Logical Router pipeline: > > * > > +-----+--------------------------+---+-----------------+---+---------------+ 
> > @@ -5140,6 +5147,96 @@ build_pre_stateful(struct ovn_datapath *od, struct > > hmap *lflows) > > } > > > > static void > > +build_acl_hints(struct ovn_datapath *od, struct hmap *lflows) > > +{ > > + /* This stage builds hints for the IN/OUT_ACL stage. Based on various > > + * combinations of ct flags packets may hit only a subset of the > > logical > > + * flows in the IN/OUT_ACL stage. > > + * > > + * Populating ACL hints first and storing them in registers simplifies > > + * the logical flow match expressions in the IN/OUT_ACL stage and > > + * generates less openflows. > > + * > > + * Certain combinations of ct flags might be valid matches for multiple > > + * types of ACL logical flows (e.g., allow/drop). In such cases hints > > + * corresponding to all potential matches are set. > > + */ > > + > > + enum ovn_stage stages[] = { > > + S_SWITCH_IN_ACL_HINT, > > + S_SWITCH_OUT_ACL_HINT, > > + }; > > + > > + for (size_t i = 0; i < ARRAY_SIZE(stages); i++) { > > + enum ovn_stage stage = stages[i]; > > + > > + /* New, not already established connections, may hit either allow > > + * or drop ACLs. For allow ACLs, the connection must also be > > committed > > + * to conntrack so we set REGBIT_ACL_HINT_ALLOW_NEW. > > + */ > > + ovn_lflow_add(lflows, od, stage, 7, "ct.new && !ct.est", > > + REGBIT_ACL_HINT_ALLOW_NEW " = 1; " > > + REGBIT_ACL_HINT_DROP " = 1; " > > + "next;"); > > + > > + /* Already established connections in the "request" direction that > > + * are already marked as "blocked" may hit either: > > + * - allow ACLs for connections that were previously allowed by a > > + * policy that was deleted and is being readded now. In this case > > + * the connection should be recommitted so we set > > + * REGBIT_ACL_HINT_ALLOW_NEW. > > + * - drop ACLs. 
> > + */ > > + ovn_lflow_add(lflows, od, stage, 6, > > + "!ct.new && ct.est && !ct.rpl && ct_label.blocked == > > 1", > > + REGBIT_ACL_HINT_ALLOW_NEW " = 1; " > > + REGBIT_ACL_HINT_DROP " = 1; " > > + "next;"); > > + > > + /* Not tracked traffic can either be allowed or dropped. */ > > + ovn_lflow_add(lflows, od, stage, 5, "!ct.trk", > > + REGBIT_ACL_HINT_ALLOW " = 1; " > > + REGBIT_ACL_HINT_DROP " = 1; " > > + "next;"); > > + > > + /* Already established connections in the "request" direction may > > hit > > + * either: > > + * - allow ACLs in which case the traffic should be allowed so we > > set > > + * REGBIT_ACL_HINT_ALLOW. > > + * - drop ACLs in which case the traffic should be blocked and the > > + * connection must be committed with ct_label.blocked set so we > > set > > + * REGBIT_ACL_HINT_BLOCK. > > + */ > > + ovn_lflow_add(lflows, od, stage, 4, > > + "!ct.new && ct.est && !ct.rpl && ct_label.blocked == > > 0", > > + REGBIT_ACL_HINT_ALLOW " = 1; " > > + REGBIT_ACL_HINT_BLOCK " = 1; " > > + "next;"); > > + > > + /* Not established or established and already blocked connections > > may > > + * hit drop ACLs. > > + */ > > + ovn_lflow_add(lflows, od, stage, 3, "!ct.est", > > + REGBIT_ACL_HINT_DROP " = 1; " > > + "next;"); > > + ovn_lflow_add(lflows, od, stage, 2, "ct.est && ct_label.blocked == > > 1", > > + REGBIT_ACL_HINT_DROP " = 1; " > > + "next;"); > > + > > + /* Established connections that were previously allowed might hit > > + * drop ACLs in which case the connection must be committed with > > + * ct_label.blocked set. > > + */ > > + ovn_lflow_add(lflows, od, stage, 1, "ct.est && ct_label.blocked == > > 0", > > + REGBIT_ACL_HINT_BLOCK " = 1; " > > + "next;"); > > + > > + /* In any case, advance to the next stage. */ > > + ovn_lflow_add(lflows, od, stage, 0, "1", "next;"); > > + } > > +} > > + > > +static void > > build_acl_log(struct ds *actions, const struct nbrec_acl *acl) > > { > > if (!acl->log) { 
> > @@ -5197,7 +5294,7 @@ build_reject_acl_rules(struct ovn_datapath *od, > > struct hmap *lflows, > > "eth.dst <-> eth.src; ip4.dst <-> ip4.src; " > > "tcp_reset { outport <-> inport; %s };", > > ingress ? "next(pipeline=egress,table=5);" > > - : "next(pipeline=ingress,table=19);"); > > + : "next(pipeline=ingress,table=20);"); > > ovn_lflow_add_with_hint(lflows, od, stage, > > acl->priority + OVN_ACL_PRI_OFFSET + 10, > > ds_cstr(&match), ds_cstr(&actions), > > stage_hint); > > @@ -5212,7 +5309,7 @@ build_reject_acl_rules(struct ovn_datapath *od, > > struct hmap *lflows, > > "eth.dst <-> eth.src; ip6.dst <-> ip6.src; " > > "tcp_reset { outport <-> inport; %s };", > > ingress ? "next(pipeline=egress,table=5);" > > - : "next(pipeline=ingress,table=19);"); > > + : "next(pipeline=ingress,table=20);"); > > ovn_lflow_add_with_hint(lflows, od, stage, > > acl->priority + OVN_ACL_PRI_OFFSET + 10, > > ds_cstr(&match), ds_cstr(&actions), > > stage_hint); > > @@ -5232,7 +5329,7 @@ build_reject_acl_rules(struct ovn_datapath *od, > > struct hmap *lflows, > > "icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; " > > "outport <-> inport; %s };", > > ingress ? "next(pipeline=egress,table=5);" > > - : "next(pipeline=ingress,table=19);"); > > + : "next(pipeline=ingress,table=20);"); > > ovn_lflow_add_with_hint(lflows, od, stage, > > acl->priority + OVN_ACL_PRI_OFFSET, > > ds_cstr(&match), ds_cstr(&actions), > > stage_hint); > > @@ -5250,7 +5347,7 @@ build_reject_acl_rules(struct ovn_datapath *od, > > struct hmap *lflows, > > "eth.dst <-> eth.src; ip6.dst <-> ip6.src; " > > "outport <-> inport; %s };", > > ingress ? "next(pipeline=egress,table=5);" > > - : "next(pipeline=ingress,table=19);"); > > + : "next(pipeline=ingress,table=20);"); > > ovn_lflow_add_with_hint(lflows, od, stage, > > acl->priority + OVN_ACL_PRI_OFFSET, > > ds_cstr(&match), ds_cstr(&actions), > > stage_hint); 
> > @@ -5298,10 +5395,8 @@ consider_acl(struct hmap *lflows, struct > > ovn_datapath *od, > > * by ct_commit in the "stateful" stage) to indicate that the > > * connection should be allowed to resume. > > */ > > - ds_put_format(&match, "((ct.new && !ct.est)" > > - " || (!ct.new && ct.est && !ct.rpl " > > - "&& ct_label.blocked == 1)) " > > - "&& (%s)", acl->match); > > + ds_put_format(&match, REGBIT_ACL_HINT_ALLOW_NEW " == 1 && > > (%s)", > > + acl->match); > > ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; "); > > build_acl_log(&actions, acl); > > ds_put_cstr(&actions, "next;"); > > @@ -5319,9 +5414,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath > > *od, > > * policy. Match untracked packets too. */ > > ds_clear(&match); > > ds_clear(&actions); > > - ds_put_format(&match, > > - "(!ct.trk || (!ct.new && ct.est && !ct.rpl" > > - " && ct_label.blocked == 0)) && (%s)", > > + ds_put_format(&match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)", > > acl->match); > > > > build_acl_log(&actions, acl); > > @@ -5346,9 +5439,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath > > *od, > > if (has_stateful) { > > /* If the packet is not tracked or not part of an established > > * connection, then we can simply reject/drop it. */ > > - ds_put_cstr(&match, > > - "(!ct.trk || !ct.est" > > - " || (ct.est && ct_label.blocked == 1))"); > > + ds_put_cstr(&match, REGBIT_ACL_HINT_DROP " == 1"); > > if (!strcmp(acl->action, "reject")) { > > build_reject_acl_rules(od, lflows, stage, acl, &match, > > &actions, &acl->header_); > > @@ -5374,7 +5465,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath > > *od, > > */ > > ds_clear(&match); > > ds_clear(&actions); > > - ds_put_cstr(&match, "ct.est && ct_label.blocked == 0"); > > + ds_put_cstr(&match, REGBIT_ACL_HINT_BLOCK " == 1"); > > ds_put_cstr(&actions, "ct_commit { ct_label.blocked = 1; }; > > "); > > if (!strcmp(acl->action, "reject")) { > > build_reject_acl_rules(od, lflows, stage, acl, &match, 
> > @@ -6621,6 +6712,7 @@ build_lswitch_flows(struct hmap *datapaths, struct > > hmap *ports, > > build_pre_acls(od, lflows); > > build_pre_lb(od, lflows, meter_groups, lbs); > > build_pre_stateful(od, lflows); > > + build_acl_hints(od, lflows); > > build_acls(od, lflows, port_groups); > > build_qos(od, lflows); > > build_lb(od, lflows); > > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at > > index 8344c7f..87644bd 100644 > > --- a/tests/ovn-northd.at > > +++ b/tests/ovn-northd.at > > @@ -1185,7 +1185,7 @@ ovn-nbctl --wait=sb ls-lb-add sw0 lb1 > > > > ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > ]) > > > > # Delete the Load_Balancer_Health_Check > > @@ -1194,7 +1194,7 @@ OVS_WAIT_UNTIL([test 0 = `ovn-sbctl list > > service_monitor | wc -l`]) > > > > ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > ]) > > > > # Create the Load_Balancer_Health_Check again. 
> > @@ -1207,7 +1207,7 @@ service_monitor | sed '/^$/d' | wc -l`]) > > > > ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > ]) > > > > # Get the uuid of both the service_monitor > > @@ -1223,7 +1223,7 @@ OVS_WAIT_UNTIL([ > > > > ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);) > > ]) > > > > # Set the service monitor for sw0-p1 to offline > > @@ -1240,7 +1240,7 @@ AT_CHECK([cat lflows.txt], [0], [dnl > > ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \ > > | grep priority=120 > lflows.txt > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), action=(drop;) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), action=(drop;) > > ]) > > > > # Set the service monitor for sw0-p1 and sw1-p1 to online 
> > @@ -1253,7 +1253,7 @@ OVS_WAIT_UNTIL([ > > > > ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > ]) > > > > # Set the service monitor for sw1-p1 to error > > @@ -1265,7 +1265,7 @@ OVS_WAIT_UNTIL([ > > ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \ > > | grep priority=120 > lflows.txt > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);) > > ]) > > > > # Add one more vip to lb1 > > @@ -1295,8 +1295,8 @@ service_monitor port=1000 | sed '/^$/d' | wc -l`]) > > > > ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);) > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000);) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000);) > > ]) > > > > # Set the service monitor for sw1-p1 to online 
> > @@ -1308,16 +1308,16 @@ OVS_WAIT_UNTIL([ > > > > ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.40 && tcp.dst == 1000), > > action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.40 && tcp.dst == 1000), > > action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);) > > ]) > > > > # Associate lb1 to sw1 > > ovn-nbctl --wait=sb ls-lb-add sw1 lb1 > > ovn-sbctl dump-flows sw1 | grep ct_lb | grep priority=120 > lflows.txt > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.40 && tcp.dst == 1000), > > action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.40 && tcp.dst == 1000), > > action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);) > > ]) > > > > # Now create lb2 same as lb1 but udp protocol. > > diff --git a/tests/ovn.at b/tests/ovn.at > > index 5ad51c0..99861bf 100644 > > --- a/tests/ovn.at > > +++ b/tests/ovn.at 
> > @@ -14237,17 +14237,17 @@ ovs-vsctl set open . > > external-ids:ovn-bridge-mappings=phys:br-phys > > AT_CHECK([ovn-sbctl dump-flows ls1 | grep "offerip = 10.0.0.6" | \ > > wc -l], [0], [0 > > ]) > > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep "0a.00.00.06" | wc -l], [0], [0 > > ]) > > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep "0a.00.00.06" | wc -l], [0], [0 > > ]) > > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep tp_src=546 | grep \ > > "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0 > > ]) > > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep tp_src=546 | grep \ > > "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0 > > ]) 
> > @@ -14278,17 +14278,17 @@ port_binding logical_port=ls1-lp_ext1` > > > > # No DHCPv4/v6 flows for the external port - ls1-lp_ext1 - 10.0.0.6 in > > hv1 and hv2 > > # as no localnet port added to ls1 yet. > > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep "0a.00.00.06" | wc -l], [0], [0 > > ]) > > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep "0a.00.00.06" | wc -l], [0], [0 > > ]) > > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep tp_src=546 | grep \ > > "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0 > > ]) > > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep tp_src=546 | grep \ > > "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0 > > ]) 
> > @@ -14310,38 +14310,38 @@ logical_port=ls1-lp_ext1` > > test "$chassis" = "$hv1_uuid"]) > > > > # There should be DHCPv4/v6 OF flows for the ls1-lp_ext1 port in hv1 > > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep "0a.00.00.06" | grep reg14=0x$ln_public_key | \ > > wc -l], [0], [3 > > ]) > > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep tp_src=546 | grep \ > > "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | \ > > grep reg14=0x$ln_public_key | wc -l], [0], [1 > > ]) > > > > # There should be no DHCPv4/v6 flows for ls1-lp_ext1 on hv2 > > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep "0a.00.00.06" | wc -l], [0], [0 > > ]) > > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep tp_src=546 | grep \ > > "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0 > > ]) > > > > # No DHCPv4/v6 flows for the external port - ls1-lp_ext2 - 10.0.0.7 in > > hv1 and > > # hv2 as requested-chassis option is not set. 
> > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep "0a.00.00.07" | wc -l], [0], [0 > > ]) > > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep "0a.00.00.07" | wc -l], [0], [0 > > ]) > > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep tp_src=546 | grep \ > > "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.07" | wc -l], [0], [0 > > ]) > > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep tp_src=546 | grep \ > > "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.07" | wc -l], [0], [0 > > ]) 
> > @@ -14593,21 +14593,21 @@ logical_port=ls1-lp_ext1` > > test "$chassis" = "$hv2_uuid"]) > > > > # There should be OF flows for DHCP4/v6 for the ls1-lp_ext1 port in hv2 > > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep "0a.00.00.06" | grep reg14=0x$ln_public_key | \ > > wc -l], [0], [3 > > ]) > > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep tp_src=546 | grep \ > > "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | \ > > grep reg14=0x$ln_public_key | wc -l], [0], [1 > > ]) > > > > # There should be no DHCPv4/v6 flows for ls1-lp_ext1 on hv1 > > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep "0a.00.00.06" | wc -l], [0], [0 > > ]) > > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \ > > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \ > > grep controller | grep tp_src=546 | grep \ > > "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | \ > > grep reg14=0x$ln_public_key | wc -l], [0], [0 > > @@ -14873,7 +14873,7 @@ logical_port=ls1-lp_ext1` > > # There should be a flow in hv2 to drop traffic from ls1-lp_ext1 destined > > # to router mac. > > AT_CHECK([as hv2 ovs-ofctl dump-flows br-int \ > > -table=26,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \ > > +table=27,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \ > > grep -c "actions=drop"], [0], [1 > > ]) 
> > > > @@ -16144,9 +16144,9 @@ ovn-nbctl --wait=hv sync > > ovn-sbctl dump-flows sw0 | grep ls_in_arp_rsp | grep bind_vport > > > lflows.txt > > > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=13(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p1" > > && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || > > (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", > > inport); next;) > > - table=13(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p2" > > && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || > > (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", > > inport); next;) > > - table=13(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p3" > > && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || > > (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", > > inport); next;) > > + table=14(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p1" > > && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || > > (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", > > inport); next;) > > + table=14(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p2" > > && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || > > (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", > > inport); next;) > > + table=14(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p3" > > && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || > > (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", > > inport); next;) > > ]) > > > > ovn-sbctl dump-flows lr0 | grep lr_in_arp_resolve | grep "reg0 == > > 10.0.0.10" \ 
> > @@ -16356,8 +16356,8 @@ ovn-nbctl --wait=hv set logical_switch_port sw0-vir > > options:virtual-ip=10.0.0.10 > > ovn-sbctl dump-flows sw0 | grep ls_in_arp_rsp | grep bind_vport > > > lflows.txt > > > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=13(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p1" > > && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || > > (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", > > inport); next;) > > - table=13(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p3" > > && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || > > (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", > > inport); next;) > > + table=14(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p1" > > && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || > > (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", > > inport); next;) > > + table=14(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p3" > > && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || > > (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", > > inport); next;) > > ]) > > > > ovn-nbctl --wait=hv remove logical_switch_port sw0-vir options > > virtual-parents > > @@ -18340,7 +18340,7 @@ test_ip vif11 f00000000011 000001010203 $sip $dip > > vif-north > > OVN_CHECK_PACKETS_REMOVE_BROADCAST([hv4/vif-north-tx.pcap], > > [vif-north.expected]) > > > > # Confirm that packets did not go out via tunnel port. > > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=32 | grep > > NXM_NX_TUN_METADATA0 | grep n_packets=0 | wc -l], [0], [[0 > > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=33 | grep > > NXM_NX_TUN_METADATA0 | grep n_packets=0 | wc -l], [0], [[0 > > ]]) > > > > # Confirm that packet went out via localnet port 
> > @@ -19087,7 +19087,7 @@ service_monitor | sed '/^$/d' | wc -l`]) > > > > ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), > > action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);) > > ]) > > > > ovn-sbctl dump-flows lr0 | grep ct_lb | grep priority=120 > lflows.txt > > @@ -19125,7 +19125,7 @@ grep "405400000003${svc_mon_src_mac}" | wc -l`] > > ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \ > > | grep priority=120 > lflows.txt > > AT_CHECK([cat lflows.txt], [0], [dnl > > - table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), action=(drop;) > > + table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst > > == 10.0.0.10 && tcp.dst == 80), action=(drop;) > > ]) > > > > ovn-sbctl dump-flows lr0 | grep lr_in_dnat | grep priority=120 > > > lflows.txt > > diff --git a/tests/system-ovn.at b/tests/system-ovn.at > > index 40ba6e4..b9b5eaa 100644 > > --- a/tests/system-ovn.at > > +++ b/tests/system-ovn.at > > @@ -2163,7 +2163,7 @@ > > tcp,orig=(src=172.16.1.2,dst=30.0.0.2,sport=<cleared>,dport=<cleared>),reply=(sr > > ]) > > > > check_est_flows () { > > - n=$(ovs-ofctl dump-flows br-int table=14 | grep \ > > + n=$(ovs-ofctl dump-flows br-int table=15 | grep \ > > > > "priority=120,ct_state=+est+trk,tcp,metadata=0x2,nw_dst=30.0.0.2,tp_dst=8000" > > \ > > | grep nat | sed -n 's/.*n_packets=\([[0-9]]\{1,\}\).*/\1/p') 
> > > > @@ -4548,7 +4548,7 @@ OVS_WAIT_UNTIL([ > > ]) > > > > OVS_WAIT_UNTIL([ > > - n_pkt=$(ovs-ofctl dump-flows br-int table=44 | grep -v n_packets=0 | \ > > + n_pkt=$(ovs-ofctl dump-flows br-int table=45 | grep -v n_packets=0 | \ > > grep controller | grep tp_dst=84 -c) > > test $n_pkt -eq 1 > > ]) > > > > > > _______________________________________________ > > dev mailing list > > d...@openvswitch.org > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
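Review bot: the expected `ovn-sbctl dump-flows` output in the tests/ovn-northd.at hunks at @@ -1253, @@ -1265, @@ -1295 and @@ -1308 (and likewise the ls_in_arp_rsp hunks in tests/ovn.at at @@ -16144 and @@ -16356) hard-codes the stage index in `table=11(ls_in_stateful )`, which is the only reason each of them had to be touched for a one-table shift. The stage name in parentheses already identifies the flow unambiguously, so normalising the index before the AT_CHECK, for example with `sed 's/table=[[0-9]]*(/table=??(/'` (doubled brackets because `[` and `]` are m4 quote characters in .at files, as the `sed -n 's/.*n_packets=\([[0-9]]\{1,\}\).*/\1/p'` line in system-ovn.at already does), would let this expected output survive the next inserted stage. Separately, none of the visible test hunks adds a positive check for flows in the stage whose insertion causes all this renumbering; a dump-flows grep for that stage in ovn-northd.at would cover what the patch adds rather than only its side effect on the numbering.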
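Review bot: in the tests/ovn.at DHCP checks at @@ -14237, @@ -14278, @@ -14310 and @@ -14593, `ovs-ofctl dump-flows br-int | grep table=23` selects the table by an unanchored substring match on the printed flow text, whereas the @@ -14873 hunk in the same file already uses the more precise form in which the table is handed to ovs-ofctl as a match field: `as hv2 ovs-ofctl dump-flows br-int table=27,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01`. Rewriting these as `as hv1 ovs-ofctl dump-flows br-int table=23 | grep controller | ...` lets ovs-ofctl do the exact table selection, drops one grep from every pipeline and makes the next renumbering a single-token change per check.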
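Review bot: the @@ -18340 hunk in tests/ovn.at only bumps `table=32` to `table=33`, but the assertion it touches reads as the inverse of its own comment. "Confirm that packets did not go out via tunnel port" is checked by counting the tunnel flows in that table (`grep NXM_NX_TUN_METADATA0`) that have `n_packets=0` and expecting that count to be 0, so it passes when every such flow has already carried packets, or when no such flow exists at all. It is worth confirming that this check actually fails when a packet does leave via the tunnel; counting flows with a non-zero packet count instead, `grep -v n_packets=0 | wc -l` with an expected `0`, in the style the system-ovn.at @@ -4548 hunk uses for its `n_pkt` count, would express the stated intent.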
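Review bot: the OpenFlow table numbers hard-coded in `check_est_flows` (tests/system-ovn.at @@ -2163, now `table=15`) and in the @@ -4548 wait loop (now `table=45`) carry no indication of which logical stage or output table they stand for, so the next pipeline change will again require someone to recompute them by hand and a reviewer has no way to verify `14 -> 15` or `44 -> 45` from the hunk alone. A one-line comment beside each number naming the stage it corresponds to, or a small helper in the test suite that derives the OpenFlow table from the stage name, would make these bumps mechanical and reviewable.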