The "Tiered ACLs" test was syncing on sb and in one case it wasn't syncing at all. That could lead to some packets passing/being dropped due to race between the northd creating the flows and controller installing them.
Fixes: 119f14e05cb4 ("northd: Add tiered ACL support.") Signed-off-by: Ales Musil <amu...@redhat.com> --- tests/system-ovn.at | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index c2490008d..6f9406c5e 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -11361,7 +11361,7 @@ acl_test() { 0% packet loss ]) # Add an untiered drop ACL. This should cause pings to fail. - check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.dst == 10.0.0.2" drop + check ovn-nbctl --wait=hv $options acl-add $thing $direction 1000 "ip4.dst == 10.0.0.2" drop acl1_uuid=$(ovn-nbctl --bare --columns _uuid find ACL priority=1000) NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl @@ -11370,7 +11370,7 @@ acl_test() { # Change the tier to 3. Despite there being "holes" in tiers 0, 1, and 2, # the ACL should still apply, and pings should fail. - check ovn-nbctl --wait=sb set ACL $acl1_uuid tier=3 + check ovn-nbctl --wait=hv set ACL $acl1_uuid tier=3 NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl 100% packet loss @@ -11387,21 +11387,21 @@ acl_test() { # Add a higher-priority tier-0 ACL that passes. This should cause the traffic # to pass over the lower-priority tier-0 "allow" ACL, and move to the tier-3 # ACL that drops the traffic. - check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.dst == 10.0.0.2" pass + check ovn-nbctl --wait=hv $options acl-add $thing $direction 1000 "ip4.dst == 10.0.0.2" pass NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl 100% packet loss ]) # Remove the "pass" ACL, and the "allow" rule should kick back in. - check ovn-nbctl --wait=sb --tier=0 acl-del $thing $direction 1000 "ip4.dst == 10.0.0.2" + check ovn-nbctl --wait=hv --tier=0 acl-del $thing $direction 1000 "ip4.dst == 10.0.0.2" NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl 0% packet loss ]) # Removing the remaining 0-tier ACL should make traffic go back to being dropped. - check ovn-nbctl --wait=sb acl-del $thing $direction 4 "ip4.dst == 10.0.0.2" + check ovn-nbctl --wait=hv acl-del $thing $direction 4 "ip4.dst == 10.0.0.2" NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl 100% packet loss @@ -11410,14 +11410,14 @@ acl_test() { # Adding a higher-priority "pass" ACL at tier 3 should result in using the # default ACL action. Currently, the default is to allow traffic, so the # traffic should be allowed. - check ovn-nbctl --wait=sb --tier=3 $options acl-add $thing $direction 2000 "ip4.dst == 10.0.0.2" pass + check ovn-nbctl --wait=hv --tier=3 $options acl-add $thing $direction 2000 "ip4.dst == 10.0.0.2" pass NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl 0% packet loss ]) # Change the default ACL action to drop, and now the traffic should be dropped. - check ovn-nbctl set NB_Global . options:default_acl_drop=true + check ovn-nbctl --wait=hv set NB_Global . options:default_acl_drop=true NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl 100% packet loss @@ -11426,7 +11426,7 @@ acl_test() { # Removing all ACLs (and setting the default acl drop back to false) should # make traffic go back to passing. check ovn-nbctl clear NB_Global . options - check ovn-nbctl --wait=sb acl-del $thing + check ovn-nbctl --wait=hv acl-del $thing NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl 0% packet loss -- 2.40.1 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev