> On 9/26/25 6:01 PM, Lorenzo Bianconi wrote:
> > Introduce REGBIT_PKT_SAMPLED (reg0[22]) bit in the logical switch
> > pipeline in order to avoid sampling traffic hitting the ACLs multiple
> > times (e.g. when the traffic is egressing from the patch port connecting
> > the logical switch to a logical router).
> > Preserve the REGBIT_PKT_SAMPLED value passing from the logical switch
> > ingress pipeline to the logical switch egress one.
> > This patch will fix the oversampling issue reported in
> > https://mail.openvswitch.org/pipermail/ovs-discuss/2025-May/053626.html
> >
> > Reported-at: https://issues.redhat.com/browse/FDP-1408
> > Signed-off-by: Lorenzo Bianconi <[email protected]>
> > ---
>
> Hi Lorenzo,
>
> Thanks for the new revision!
Hi Decera,
>
> > Changes in v2:
> > - Do not always clear connection tracking entry for patch port since
> > this will break some allow-related ACL use-cases.
> > ---
> > controller/physical.c | 11 +++-
> > northd/northd.c | 25 ++++++---
> > tests/ovn-northd.at | 86 ++++++++++++++---------------
> > tests/system-ovn.at | 125 ++++++++++++++++++++++++++++++++++++++++++
> > 4 files changed, 193 insertions(+), 54 deletions(-)
> >
> > diff --git a/controller/physical.c b/controller/physical.c
> > index 9ca535a6c..6008a5c24 100644
> > --- a/controller/physical.c
> > +++ b/controller/physical.c
> > @@ -3256,10 +3256,17 @@ physical_run(struct physical_ctx *p_ctx,
> > *
> > * Resubmit packets that don't output to the ingress port (already
> > checked
> > * in table 44) to the logical egress pipeline, clearing the logical
> > - * registers (for consistent behavior with packets that get tunneled).
> > */
> > + * registers (for consistent behavior with packets that get tunneled).
> > + * Do not clear reg0[22] since it contains the bit to allow sampling on
> > + * egress pipeline. */
> > match_init_catchall(&match);
> > ofpbuf_clear(&ofpacts);
> > - for (int i = 0; i < MFF_N_LOG_REGS; i++) {
> > +
> > + ovs_be32 value = htonl(0);
> > + ovs_be32 mask = htonl(~(1 << 22));
> > + ofpact_put_set_field(
> > + &ofpacts, mf_from_id(MFF_REG0), &value, &mask);
> > + for (int i = 1; i < MFF_N_LOG_REGS; i++) {
> > put_load(0, MFF_REG0 + i, 0, 32, &ofpacts);
> > }
>
> I don't really think we should skip clearing a seemingly "random" bit in
> reg0. However, the flags register is already persisted in between the
> ingress and egress pipeline. And we have space in it for a pkt_sampled bit.
>
> I think adding a flags.pkt_sampled would make it a bit cleaner.
ack, fine to me.
>
> > put_resubmit(OFTABLE_LOG_EGRESS_PIPELINE, &ofpacts);
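
Review bot: The literal 22 in `htonl(~(1 << 22))` repeats the bit position that northd/northd.c defines separately as REGBIT_PKT_SAMPLED "reg0[22]". Nothing in this hunk ties the two together, so renumbering the northd define would leave this flow preserving the wrong bit without any build or test failure in the controller. Please use a named constant shared by both files, and build the mask from an unsigned value (`UINT32_C(1) << 22`) so the complement is not taken on a signed int.
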
> > diff --git a/northd/northd.c b/northd/northd.c
> > index fe5199a86..fde4a7393 100644
> > --- a/northd/northd.c
> > +++ b/northd/northd.c
> > @@ -135,6 +135,7 @@ static bool vxlan_mode;
> > #define REGBIT_IP_FRAG "reg0[19]"
> > #define REGBIT_ACL_PERSIST_ID "reg0[20]"
> > #define REGBIT_ACL_HINT_ALLOW_PERSISTED "reg0[21]"
> > +#define REGBIT_PKT_SAMPLED "reg0[22]"
> >
> > /* Register definitions for switches and routers. */
> >
> > @@ -5849,7 +5850,7 @@ skip_port_from_conntrack(const struct ovn_datapath
> > *od, struct ovn_port *op,
> > const char *ingress_action = "next;";
> > const char *egress_action = has_stateful_acl
> > ? "next;"
> > - : "ct_clear; next;";
> > + : REGBIT_PKT_SAMPLED" = 0; ct_clear;
> > next;";
> >
> > char *ingress_match = xasprintf("ip && inport == %s", op->json_key);
> > char *egress_match = xasprintf("ip && outport == %s", op->json_key);
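
Review bot: In skip_port_from_conntrack() the `REGBIT_PKT_SAMPLED = 0` reset is added only to the `ct_clear; next;` arm of egress_action; when has_stateful_acl is true the action stays "next;" and the bit set in the ingress pipeline is carried through unchanged. If that asymmetry is intended, a short comment next to egress_action explaining why the flag is reset together with ct_clear, and why it must survive in the stateful case, would save the next reader from reconstructing it from the v2 changelog.
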
> > @@ -6463,7 +6464,8 @@ build_acl_sample_action(struct ds *actions, const
> > struct nbrec_acl *acl,
> > }
> >
> > for (size_t i = 0; i < sample->n_collectors; i++) {
> > - ds_put_format(actions, "sample(probability=%"PRIu16","
> > + ds_put_format(actions, REGBIT_PKT_SAMPLED" = 1; "
>
> We duplicate "REGBIT_PKT_SAMPLED = 1", once for each sample action. We
> could move it out of the loop.
ack, fine.
>
> > + "sample(probability=%"PRIu16","
> > "collector_set=%"PRIu32","
> > "obs_domain=%"PRIu32","
> > "obs_point=%"PRIu32");",
> > @@ -6621,7 +6623,8 @@ build_acl_sample_est_orig_stateful_flows(const struct
> > ovn_datapath *od,
> > ds_clear(actions);
> > ds_clear(match);
> >
> > - ds_put_cstr(match, "ip && ct.trk && "
> > + ds_put_cstr(match, REGBIT_PKT_SAMPLED" == 0 && "
> > + "ip && ct.trk && "
> > "(ct.est || ct.rel) && "
> > "!ct.rpl && ");
> > build_acl_sample_label_match(match, acl, acl->sample_est);
> > @@ -6654,9 +6657,10 @@ build_acl_sample_est_rpl_stateful_flows(const struct
> > ovn_datapath *od,
> > ds_clear(actions);
> > ds_clear(match);
> >
> > - ds_put_cstr(match, "ip && ct.trk && "
> > - "(ct.est || ct.rel) && "
> > - "ct.rpl && ");
> > + ds_put_cstr(match, REGBIT_PKT_SAMPLED" == 0 && "
> > + "ip && ct.trk && "
> > + "(ct.est || ct.rel) && "
> > + "ct.rpl && ");
> > build_acl_sample_label_match(match, acl, acl->sample_est);
> >
> > build_acl_sample_action(actions, acl, acl->sample_est,
> > sample_domain_id);
> > @@ -6731,7 +6735,8 @@ build_acl_sample_generic_new_flows(const struct
> > ovn_datapath *od,
> > (uint8_t) coll->id,
> > (uint8_t) obs_stage);
> >
> > - ds_put_format(actions, "sample(probability=%"PRIu16","
> > + ds_put_format(actions, REGBIT_PKT_SAMPLED" = 1; "
> > + "sample(probability=%"PRIu16","
> > "collector_set=%"PRIu32","
> > "obs_domain=%"PRIu32","
> > "obs_point="REG_OBS_POINT_ID_NEW");"
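
Review bot: The new-connection action here now sets REGBIT_PKT_SAMPLED, but this hunk adds no matching `REGBIT_PKT_SAMPLED == 0` guard, and the updated expectations in tests/ovn-northd.at keep the new-connection matches as `ip && ct.new && ...` and `ip && (ct.new || !ct.trk) && ...`. Only the established-connection matches check the bit. If new-connection flows are deliberately exempt from the guard, please state the reason in a comment in build_acl_sample_generic_new_flows(); otherwise the guard should be added to the match for consistency with the est flows.
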
> > @@ -6761,7 +6766,8 @@ build_acl_sample_generic_est_flows(const struct
> > ovn_datapath *od,
> > ds_clear(match);
> > ds_clear(actions);
> >
> > - ds_put_cstr(match, "ip && ct.trk && (ct.est || ct.rel) && "
> > + ds_put_cstr(match, REGBIT_PKT_SAMPLED" == 0 && "
> > + "ip && ct.trk && (ct.est || ct.rel) && "
> > "ct_label.obs_unused == 0 && ");
> >
> > size_t match_len = match->length;
> > @@ -6770,7 +6776,8 @@ build_acl_sample_generic_est_flows(const struct
> > ovn_datapath *od,
> > (uint8_t) coll->id,
> > (uint8_t) obs_stage);
> >
> > - ds_put_format(actions, "sample(probability=%"PRIu16","
> > + ds_put_format(actions, REGBIT_PKT_SAMPLED" = 1; "
> > + "sample(probability=%"PRIu16","
> > "collector_set=%"PRIu32","
> > "obs_domain=%"PRIu32","
> > "obs_point=ct_label.obs_point_id);"
> > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> > index 83a142d20..f5009946c 100644
> > --- a/tests/ovn-northd.at
> > +++ b/tests/ovn-northd.at
> > @@ -4872,7 +4872,7 @@ check_stateful_flows() {
> > ])
> > }
> >
> > -check_stateful_flows "ct_clear; next;"
> > +check_stateful_flows "reg0[[22]] = 0; ct_clear; next;"
> >
> > # Add few ACLs
> > check ovn-nbctl --wait=sb acl-add sw0 from-lport 1002 "ip4 && tcp &&
> > tcp.dst == 80" allow-related
> > @@ -10913,7 +10913,7 @@ AT_CHECK([ovn-sbctl lflow-list sw | grep
> > ls_in_pre_lb | grep priority=110 | grep
> > ])
> >
> > AT_CHECK([ovn-sbctl lflow-list sw | grep ls_out_pre_lb | grep priority=110
> > | grep sw-ln | ovn_strip_lflows], [0], [dnl
> > - table=??(ls_out_pre_lb ), priority=110 , match=(ip && outport ==
> > "sw-ln"), action=(ct_clear; next;)
> > + table=??(ls_out_pre_lb ), priority=110 , match=(ip && outport ==
> > "sw-ln"), action=(reg0[[22]] = 0; ct_clear; next;)
> > ])
> >
> > # Now add a load balancer and ensure that we no longer are skipping
> > conntrack
> > @@ -10939,7 +10939,7 @@ AT_CHECK([ovn-sbctl lflow-list sw | grep
> > ls_in_pre_lb | grep priority=110 | grep
> > ])
> >
> > AT_CHECK([ovn-sbctl lflow-list sw | grep ls_out_pre_lb | grep priority=110
> > | grep sw-ln | ovn_strip_lflows], [0], [dnl
> > - table=??(ls_out_pre_lb ), priority=110 , match=(ip && outport ==
> > "sw-ln"), action=(ct_clear; next;)
> > + table=??(ls_out_pre_lb ), priority=110 , match=(ip && outport ==
> > "sw-ln"), action=(reg0[[22]] = 0; ct_clear; next;)
> > ])
> >
> > AT_CLEANUP
> > @@ -13184,10 +13184,10 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e
> > ls_in_acl_sample -e ls_in_acl_eval -e l
> > table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> > reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> > table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> > reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> > table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new &&
> > reg3 == 4301),
> > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > - table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 &&
> > ct_label.obs_unused == 0),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > + table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new &&
> > reg3 == 4301), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);reg0[[22]]
> > = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > + table=??(ls_in_acl_sample ), priority=1200 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id ==
> > 4302 && ct_label.obs_unused == 0), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);reg0[[22]]
> > = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 &&
> > ct_label.obs_unused == 0),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > + table=??(ls_out_acl_sample ), priority=1200 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id ==
> > 4302 && ct_label.obs_unused == 0), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);reg0[[22]]
> > = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > ])
> >
> > dnl Trace new connections.
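
Review bot: The expected actions in this hunk record the assignment once per collector (`...obs_point=4301);reg0[[22]] = 1; sample(...`), so they lock in the repeated `REGBIT_PKT_SAMPLED = 1` emitted from the loop in build_acl_sample_action(). Once the assignment is emitted a single time before the loop, every multi-collector expectation in tests/ovn-northd.at has to be regenerated; it would be cleaner to make that change first so the expectations only change once.
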
> > @@ -13217,7 +13217,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e
> > ls_in_acl_sample -e ls_in_acl_eval -e l
> > table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> > reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> > table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> > reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> > table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new &&
> > reg3 == 4301),
> > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > + table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new &&
> > reg3 == 4301), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);reg0[[22]]
> > = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;)
> > ])
> >
> > @@ -13247,10 +13247,10 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e
> > ls_in_acl_after_lb_sample -e ls_in_acl_
> > table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1
> > && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> > reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
> > table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1
> > && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> > 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1;
> > next;)
> > table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1),
> > action=(next;)
> > - table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new
> > && reg3 == 4301),
> > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > - table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk
> > && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 &&
> > ct_label.obs_unused == 0),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > + table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new
> > && reg3 == 4301), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);reg0[[22]]
> > = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > + table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(reg0[[22]]
> > == 0 && ip && ct.trk && (ct.est || ct.rel) && !ct.rpl &&
> > ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0),
> > action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);reg0[[22]]
> > = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 &&
> > ct_label.obs_unused == 0),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > + table=??(ls_out_acl_sample ), priority=1200 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id ==
> > 4302 && ct_label.obs_unused == 0), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);reg0[[22]]
> > = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > ])
> >
> > dnl Trace new connections.
> > @@ -13280,7 +13280,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e
> > ls_in_acl_after_lb_sample -e ls_in_acl_
> > table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1
> > && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> > reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
> > table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1
> > && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> > reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
> > table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1),
> > action=(next;)
> > - table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new
> > && reg3 == 4301),
> > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > + table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new
> > && reg3 == 4301), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);reg0[[22]]
> > = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;)
> > ])
> >
> > @@ -13308,12 +13308,12 @@ check_uuid ovn-nbctl --wait=sb \
> > --sample-new=@sample1 --sample-est=@sample2 acl-add ls to-lport 1 "1"
> > allow-related
> > AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
> > ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
> > ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> > table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 &&
> > ct_label.obs_unused == 0),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > + table=??(ls_in_acl_sample ), priority=1200 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id ==
> > 4302 && ct_label.obs_unused == 0), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);reg0[[22]]
> > = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> > reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> > table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> > reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new ||
> > !ct.trk) && reg3 == 4301),
> > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > - table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 &&
> > ct_label.obs_unused == 0),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > + table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new ||
> > !ct.trk) && reg3 == 4301), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);reg0[[22]]
> > = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > + table=??(ls_out_acl_sample ), priority=1200 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id ==
> > 4302 && ct_label.obs_unused == 0), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);reg0[[22]]
> > = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > ])
> >
> > dnl Trace new connections.
> > @@ -13345,7 +13345,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e
> > ls_out_acl_sample -e ls_out_acl_eval -e
> > table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> > reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> > table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> > reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new ||
> > !ct.trk) && reg3 == 4301),
> > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > + table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new ||
> > !ct.trk) && reg3 == 4301), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);reg0[[22]]
> > = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > ])
> >
> > dnl Trace new connections.
> > @@ -13405,10 +13405,10 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e
> > ls_in_acl_sample -e ls_in_acl_eval -e l
> > table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> > reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
> > table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> > reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
> > table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new &&
> > reg3 == 4301),
> > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > - table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 &&
> > ct_label.obs_unused == 0),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > + table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new &&
> > reg3 == 4301), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> > next;)
> > + table=??(ls_in_acl_sample ), priority=1200 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id ==
> > 4302 && ct_label.obs_unused == 0), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 &&
> > ct_label.obs_unused == 0),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > + table=??(ls_out_acl_sample ), priority=1200 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id ==
> > 4302 && ct_label.obs_unused == 0), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> > next;)
> > ])
> >
> > dnl Trace new connections.
> > @@ -13443,10 +13443,10 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e
> > ls_in_acl_sample -e ls_in_acl_eval -e l
> > table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> > reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
> > table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> > reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
> > table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new &&
> > reg8[[0..7]] == 1 && reg8[[19..20]] == 0),
> > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> > next;)
> > - table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl &&
> > ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 0),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new &&
> > reg8[[0..7]] == 1 && reg8[[19..20]] == 0), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> > next;)
> > + table=??(ls_in_acl_sample ), priority=1000 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl
> > && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 0),
> > action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
> > ct_mark.obs_collector_id == 1),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > + table=??(ls_out_acl_sample ), priority=1000 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
> > ct_mark.obs_collector_id == 1), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > ])
> >
> > dnl Trace new connections.
> > @@ -13478,7 +13478,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e
> > ls_in_acl_sample -e ls_in_acl_eval -e l
> > table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> > reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> > table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> > reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> > table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new &&
> > reg8[[0..7]] == 1 && reg8[[19..20]] == 0),
> > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> > next;)
> > + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new &&
> > reg8[[0..7]] == 1 && reg8[[19..20]] == 0), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> > next;)
> > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;)
> > ])
> >
> > @@ -13511,10 +13511,10 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e
> > ls_in_acl_after_lb_sample -e ls_in_acl_
> > table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1
> > && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> > reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;)
> > table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1
> > && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> > 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1;
> > next;)
> > table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1),
> > action=(next;)
> > - table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new
> > && reg8[[0..7]] == 1 && reg8[[19..20]] == 1),
> > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> > next;)
> > - table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.trk
> > && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl &&
> > ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 1),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new
> > && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> > next;)
> > + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(reg0[[22]]
> > == 0 && ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 &&
> > !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 1),
> > action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
> > ct_mark.obs_collector_id == 1),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > + table=??(ls_out_acl_sample ), priority=1000 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
> > ct_mark.obs_collector_id == 1), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > ])
> >
> > dnl Trace new connections.
> > @@ -13546,7 +13546,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e
> > ls_in_acl_after_lb_sample -e ls_in_acl_
> > table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1
> > && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> > reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
> > table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1
> > && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> > reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
> > table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1),
> > action=(next;)
> > - table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new
> > && reg8[[0..7]] == 1 && reg8[[19..20]] == 1),
> > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> > next;)
> > + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new
> > && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> > next;)
> > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;)
> > ])
> >
> > @@ -13577,12 +13577,12 @@ check_uuid ovn-nbctl --wait=sb
> > \
> > --sample-new=@sample1 --sample-est=@sample2 acl-add ls to-lport 1 "1"
> > allow-related
> > AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e
> > ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows |
> > ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
> > table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
> > ct_mark.obs_collector_id == 1),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > + table=??(ls_in_acl_sample ), priority=1000 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
> > ct_mark.obs_collector_id == 1), action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> > reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;)
> > table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> > reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;)
> > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_out_acl_sample ), priority=1000 , match=(ip && (ct.new ||
> > !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2),
> > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> > next;)
> > - table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl &&
> > ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 2),
> > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && (ct.new ||
> > !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), action=(reg0[[22]] =
> > 1; sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> > next;)
> > + table=??(ls_out_acl_sample ), priority=1000 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl
> > && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 2),
> > action=(reg0[[22]] = 1;
> > sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > ])
> >
> > dnl Trace new connections.
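Review bot: In the expected ls_out_acl_sample flows, the new-connection flow (`ct.new || !ct.trk`) now sets `reg0[[22]] = 1` but is not gated on `reg0[[22]] == 0`, while both established-connection flows in this check are. If the asymmetry is deliberate (new-connection samples always fire and only the established ones are deduplicated), say so in the commit message and next to the code in northd.c that builds the match; otherwise the new-connection match needs the same guard.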
> > @@ -13616,7 +13616,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e
> > ls_out_acl_sample -e ls_out_acl_eval -e
> > table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> > reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> > table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 &&
> > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0;
> > reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;)
> > - table=??(ls_out_acl_sample ), priority=1000 , match=(ip && (ct.new ||
> > !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2),
> > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> > next;)
> > + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && (ct.new ||
> > !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), action=(reg0[[22]] =
> > 1; sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> > next;)
> > ])
> >
> > dnl Trace new connections.
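Review bot: The expected output here, as in the previous check, spells the bit as a bare `reg0[[22]]` and nothing in the test names it. A `dnl` line above the AT_CHECK stating that reg0[22] is REGBIT_PKT_SAMPLED (the name the commit message uses) would help whoever has to update these expectations if the bit is ever relocated.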
> > @@ -13682,21 +13682,21 @@ check ovn-nbctl --wait=sb sync
> >
> > AT_CHECK([ovn-sbctl lflow-list | grep probability | ovn_strip_lflows],
> > [0], [dnl
> > table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new
> > && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), dnl
> > -action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3);
> > next;)
> > - table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.trk
> > && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl &&
> > ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 1), dnl
> > -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > +action=(reg0[[22]] = 1;
> > sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3);
> > next;)
> > + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(reg0[[22]]
> > == 0 && ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 &&
> > !ct.rpl && ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 1), dnl
> > +action=(reg0[[22]] = 1;
> > sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new &&
> > reg8[[0..7]] == 1 && reg8[[19..20]] == 0), dnl
> > -action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3);
> > next;)
> > - table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl &&
> > ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 0), dnl
> > -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > - table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
> > ct_mark.obs_collector_id == 2), dnl
> > -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > +action=(reg0[[22]] = 1;
> > sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3);
> > next;)
> > + table=??(ls_in_acl_sample ), priority=1000 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl
> > && ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 0), dnl
> > +action=(reg0[[22]] = 1;
> > sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > + table=??(ls_in_acl_sample ), priority=1000 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
> > ct_mark.obs_collector_id == 2), dnl
> > +action=(reg0[[22]] = 1;
> > sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > table=??(ls_out_acl_sample ), priority=1000 , match=(ip && (ct.new ||
> > !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), dnl
> > -action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3);
> > next;)
> > - table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl &&
> > ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 2), dnl
> > -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > - table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk &&
> > (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
> > ct_mark.obs_collector_id == 2), dnl
> > -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > +action=(reg0[[22]] = 1;
> > sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3);
> > next;)
> > + table=??(ls_out_acl_sample ), priority=1000 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl
> > && ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 2), dnl
> > +action=(reg0[[22]] = 1;
> > sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > + table=??(ls_out_acl_sample ), priority=1000 , match=(reg0[[22]] == 0 &&
> > ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
> > ct_mark.obs_collector_id == 2), dnl
> > +action=(reg0[[22]] = 1;
> > sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id);
> > next;)
> > ])
> >
> > AT_CLEANUP
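Review bot: In the flows with `probability=10000` and `probability=20000`, `reg0[[22]] = 1` is set unconditionally and ahead of `sample(...)`, so the packet is marked as sampled even when the probabilistic sample action emits nothing. Every later flow matching `reg0[[22]] == 0` is then skipped for that packet, which makes the effective rate that of the first matching stage only. If the bit is meant to record "sampling already attempted" rather than "sample emitted", the commit message and the comment on the register bit should state that.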
> > diff --git a/tests/system-ovn.at b/tests/system-ovn.at
> > index 3a321f84a..3fed5bce0 100644
> > --- a/tests/system-ovn.at
> > +++ b/tests/system-ovn.at
> > @@ -13969,6 +13969,131 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port
> > patch-.*/d
> > AT_CLEANUP
> > ])
> >
> > +OVN_FOR_EACH_NORTHD([
> > +AT_SETUP([ovn -- ACL Sampling - Stateful ACL - routed traffic])
> > +AT_KEYWORDS([ACL])
> > +
> > +CHECK_CONNTRACK()
> > +CHECK_CONNTRACK_NAT()
> > +ovn_start
> > +OVS_TRAFFIC_VSWITCHD_START()
> > +ADD_BR([br-int])
> > +
> > +dnl Set external-ids in br-int needed for ovn-controller
> > +check ovs-vsctl \
> > + -- set Open_vSwitch . external-ids:system-id=hv1 \
> > + -- set Open_vSwitch .
> > external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \
> > + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \
> > + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \
> > + -- set bridge br-int fail-mode=secure
> > other-config:disable-in-band=true
> > +
> > +dnl Start ovn-controller
> > +start_daemon ovn-controller
> > +
> > +dnl Logical network:
> > +dnl 1 router
> > +dnl 2 logical switch
> > +dnl 2 VIF
> > +
> > +check ovn-nbctl \
> > + -- lr-add lr \
> > + -- lrp-add lr lrp1 00:00:00:00:01:00 42.42.42.1/24 \
> > + -- lrp-add lr lrp2 00:00:00:00:02:00 43.43.43.1/24 \
> > + -- ls-add ls1 \
> > + -- ls-add ls2 \
> > + -- lsp-add ls1 vm1 \
> > + -- lsp-add ls2 vm2 \
> > + -- lsp-set-addresses vm1 00:00:00:00:00:01 \
> > + -- lsp-set-addresses vm2 00:00:00:00:00:02 \
> > + -- lsp-add ls1 ls1-lr \
> > + -- lsp-add ls2 ls2-lr \
> > + -- lsp-set-type ls1-lr router \
> > + -- lsp-set-type ls2-lr router \
> > + -- lsp-set-options ls1-lr router-port=lrp1 \
> > + -- lsp-set-options ls2-lr router-port=lrp2 \
> > + -- lsp-set-addresses ls1-lr router \
> > + -- lsp-set-addresses ls2-lr router
> > +check ovn-nbctl --wait=hv sync
> > +
> > +ADD_NAMESPACES(vm1)
> > +ADD_VETH(vm1, vm1, br-int, "42.42.42.2/24", "00:00:00:00:00:01",
> > "42.42.42.1")
> > +ADD_NAMESPACES(vm2)
> > +ADD_VETH(vm2, vm2, br-int, "43.43.43.2/24", "00:00:00:00:00:02",
> > "43.43.43.1")
> > +
> > +wait_for_ports_up
> > +
> > +NS_CHECK_EXEC([vm1], [ping -q -c 3 -i 0.3 -w 2 43.43.43.2 | FORMAT_PING], \
> > +[0], [dnl
> > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > +])
> > +
> > +collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1
> > probability=65535 set_id=100)
> > +collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2
> > probability=65535 set_id=200)
> > +check_row_count nb:Sample_Collector 2
> > +
> > +check_uuid ovn-nbctl create Sampling_App type="acl-est" id="43"
> > +check_row_count nb:Sampling_App 1
> > +
> > +check ovn-nbctl pg-add pg vm1 vm2
> > +check_uuid ovn-nbctl
> > \
> > + -- --id=@sample1 create Sample collector="$collector1" metadata=1001
> > \
> > + -- --sample-est=@sample1 acl-add pg from-lport 200 "inport == @pg &&
> > udp" allow-related \
> > + -- --id=@sample2 create Sample collector="$collector2" metadata=1004
> > \
> > + -- --sample-est=@sample2 acl-add pg to-lport 200 "outport == @pg &&
> > udp" allow-related
> > +check ovn-nbctl --wait=hv sync
> > +check_row_count nb:ACL 2
> > +check_row_count nb:Sample 2
> > +
> > +NETNS_DAEMONIZE([vm1], [nc -l -u 1234], [udp1.pid])
> > +NETNS_DAEMONIZE([vm2], [nc -l -u 1235], [udp2.pid])
> > +
> > +dnl Start an IPFIX collector.
> > +DAEMONIZE([nfcapd -B 1024000 -w . -p 4242 2> collector.err],
> > [collector.pid])
> > +dnl Wait for the collector to be up.
> > +OVS_WAIT_UNTIL([grep -q 'Startup nfcapd.' collector.err])
> > +
> > +dnl Configure the OVS flow sample collector.
> > +ovs-vsctl --id=@br get Bridge br-int \
> > + -- --id=@ipfix1 create IPFIX targets=\"127.0.0.1:4242\"
> > template_interval=1 \
> > + -- --id=@cs1 create Flow_Sample_Collector_Set id=100 bridge=@br
> > ipfix=@ipfix1 \
> > + -- --id=@ipfix2 create IPFIX targets=\"127.0.0.1:4242\"
> > template_interval=1 \
> > + -- --id=@cs2 create Flow_Sample_Collector_Set id=200 bridge=@br
> > ipfix=@ipfix2
> > +
> > +check ovn-nbctl --wait=hv sync
> > +dnl And wait for it to be up and running.
> > +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q '2 ids'])
> > +
> > +# Create the connection in the CT table.
> > +echo "Hello" > Hello
> > +NS_EXEC([vm1], [nc -p 1234 -u 43.43.43.2 1235 < Hello])
> > +NS_EXEC([vm2], [nc -p 1235 -u 42.42.42.2 1234 < Hello])
> > +# Send some more packets.
> > +for i in $(seq 10); do
> > +NS_EXEC([vm1], [nc -p 1234 -u 43.43.43.2 1235 < Hello])
> > +NS_EXEC([vm2], [nc -p 1235 -u 42.42.42.2 1234 < Hello])
> > +done
> > +
> > +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep 'id 100' | grep -q
> > 'sampled pkts=21'])
> > +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep 'id 200' | grep -q
> > 'sampled pkts=21'])
> > +
> > +OVN_CLEANUP_CONTROLLER([hv1])
> > +
> > +as ovn-sb
> > +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
> > +
> > +as ovn-nb
> > +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
> > +
> > +as northd
> > +OVS_APP_EXIT_AND_WAIT([ovn-northd])
> > +
> > +as
> > +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d
> > +/connection dropped.*/d"])
> > +
> > +AT_CLEANUP
> > +])
> > +
> > OVN_FOR_EACH_NORTHD([
> > AT_SETUP([SB Disconnect - MAC_Binding])
> > ovn_start
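Review bot: The two final OVS_WAIT_UNTIL checks pass as soon as `sampled pkts=21` appears as a substring, so they would also accept a larger count that starts with 21, and they do not show that the counter stays at 21 once all traffic has been processed, which is what an oversampling test has to establish. Matching the number as a whole word (`grep -qw`) and re-checking both collector sets after the wait would tighten this, and a `dnl` line explaining where 21 comes from (the two `nc` clients send 22 datagrams in total) would make the expectation reviewable. The test also starts `nfcapd` with no skip guard visible in this hunk for hosts where the tool is not installed.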
>
> The rest looks good to me. I think the change to use a flag bit is
> quite straightforward so, in order to avoid a v3, I prepared an
> incremental suggestion doing that here:
>
> https://github.com/dceara/ovn/commit/d091474
>
> I'd also rephrase a bit the commit message so the resulting commit would be:
>
> http://github.com/dceara/ovn/commit/b240bce
>
> Please let me know if that works for you and, if the CI is green with
> this change, I can push the patch to main. We can't directly backport
> this because it introduces a new logical field so we'd need a patch that
> adds a feature flag for it. But maybe users are OK with waiting for the
> bug fix until 26.03 is released.
ack, it is fine to me. Thanks.
Regards,
Lorenzo
>
> The only other user I know of is ovn-kubernetes but their ACL matches
> are not as wide as the ones that can cause the issue so I think we'd be
> fine with waiting in that case.
>
> Regards,
> Dumitru
>
>