Hello,

Incus makes pretty active use of port groups and ACLs to handle firewalling/micro-segmentation within its networks. One thing we use quite a bit within our ACLs is the ability to refer to port groups in `inport` and `outport` (@ syntax).
An issue we've noticed with that is that ovn-northd seems to only populate Port_Group entries in SB if they currently contain a port. For ease of maintenance, we pretty often will generate ACLs that reference a port group that's currently empty. This seems to be causing some problems, as it appears that port groups without any ports currently in them will not be populated in the Southbound database. The result is a bunch of errors like this:

```
2025-12-06T22:51:58Z|00002|ovntrace|WARN|reg0[8] == 1 && ((inport == @incus_acl10_egress_reversed) && (outport == "incus-net6-ls-int-lsp-router") && (tcp) && (tcp.dst == 80)): parsing expression failed (Syntax error at `@incus_acl10_egress_reversed' expecting port group name.)
2025-12-06T22:51:58Z|00003|ovntrace|WARN|reg0[7] == 1 && ((inport == @incus_acl10_egress_reversed) && (outport == "incus-net6-ls-int-lsp-router") && (tcp) && (tcp.dst == 443)): parsing expression failed (Syntax error at `@incus_acl10_egress_reversed' expecting port group name.)
2025-12-06T22:51:58Z|00004|ovntrace|WARN|reg0[7] == 1 && ((inport == @incus_acl40_egress_reversed) && (outport == "incus-net9-ls-int-lsp-router") && (tcp) && (tcp.dst == 443)): parsing expression failed (Syntax error at `@incus_acl40_egress_reversed' expecting port group name.)
2025-12-06T22:51:58Z|00005|ovntrace|WARN|reg0[8] == 1 && ((inport == @incus_acl48_egress_reversed) && (outport == "incus-net9-ls-int-lsp-router")): parsing expression failed (Syntax error at `@incus_acl48_egress_reversed' expecting port group name.)
2025-12-06T22:51:58Z|00006|ovntrace|WARN|reg0[8] == 1 && ((inport == @incus_acl40_egress_reversed) && (outport == "incus-net9-ls-int-lsp-router") && (tcp) && (tcp.dst == 80)): parsing expression failed (Syntax error at `@incus_acl40_egress_reversed' expecting port group name.)
2025-12-06T22:51:58Z|00007|ovntrace|WARN|reg0[7] == 1 && ((inport == @incus_acl10_egress_reversed) && (outport == "incus-net6-ls-int-lsp-router") && (tcp) && (tcp.dst == 80)): parsing expression failed (Syntax error at `@incus_acl10_egress_reversed' expecting port group name.)
2025-12-06T22:51:58Z|00008|ovntrace|WARN|reg0[8] == 1 && ((inport == @incus_acl9_egress_reversed) && (outport == "incus-net6-ls-int-lsp-router")): parsing expression failed (Syntax error at `@incus_acl9_egress_reversed' expecting port group name.)
2025-12-06T22:51:58Z|00009|ovntrace|WARN|reg0[8] == 1 && ((inport == @incus_acl10_egress_reversed) && (outport == "incus-net6-ls-int-lsp-router") && (tcp) && (tcp.dst == 443)): parsing expression failed (Syntax error at `@incus_acl10_egress_reversed' expecting port group name.)
2025-12-06T22:51:58Z|00010|ovntrace|WARN|reg0[7] == 1 && ((inport == @incus_acl9_egress_reversed) && (outport == "incus-net6-ls-int-lsp-router")): parsing expression failed (Syntax error at `@incus_acl9_egress_reversed' expecting port group name.)
2025-12-06T22:51:58Z|00011|ovntrace|WARN|reg0[7] == 1 && ((inport == @incus_acl48_egress_reversed) && (outport == "incus-net9-ls-int-lsp-router")): parsing expression failed (Syntax error at `@incus_acl48_egress_reversed' expecting port group name.)
2025-12-06T22:51:58Z|00012|ovntrace|WARN|reg0[8] == 1 && ((inport == @incus_acl40_egress_reversed) && (outport == "incus-net9-ls-int-lsp-router") && (tcp) && (tcp.dst == 443)): parsing expression failed (Syntax error at `@incus_acl40_egress_reversed' expecting port group name.)
2025-12-06T22:51:58Z|00013|ovntrace|WARN|reg0[7] == 1 && ((inport == @incus_acl40_egress_reversed) && (outport == "incus-net9-ls-int-lsp-router") && (tcp) && (tcp.dst == 80)): parsing expression failed (Syntax error at `@incus_acl40_egress_reversed' expecting port group name.)
```

The output above is what we get as a prelude to running ovn-trace in this case, but it also shows up in other contexts; it was just the easiest way to get all of them out in one shot.

To me it feels like northd should either:

- Count usage in an ACL as a valid reference requiring the inclusion of the port group into the SB DB
- Somehow optimize the ACL rules in SB to handle the missing port groups, re-writing them back to their normal content when the port group does become active

Above is on current OVS 3.6.1 and OVN 25.09.2.

Stéphane

_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
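As an added example (not code from the post above, nor from the Incus or OVN projects), here is an offline check for the condition described: it extracts every `@name` port group reference from a set of NB ACL matches, compares them against the port group names present in the SB database, and classifies each missing one as "empty in NB" (the case in the post), "absent from NB" (a genuine ACL typo) or "populated in NB but not yet in SB". The input rows are constructed to mirror the names in the log; in a real deployment they would come from `ovn-nbctl --format=json list ACL`, `ovn-nbctl --format=json list Port_Group` and `ovn-sbctl --format=json list Port_Group`. It assumes the SB Port_Group `name` column carries the NB name unchanged, as the ovn-trace errors above suggest for this OVN version; `typo_group`, the `lsp-a` port and the `acl-N` UUIDs are hypothetical.

```python
"""Cross-check port groups referenced by NB ACL matches against the
port groups actually present in the SB Port_Group table.

Added example, not Incus or OVN code. Sample rows are constructed; the
SB name is assumed to equal the NB name (assumption, see lead-in)."""
import re

# NB Port_Group names start with a letter or underscore and contain only
# alphanumerics and underscores; ACL matches refer to them as @name.
PG_REF = re.compile(r"@([A-Za-z_][A-Za-z0-9_]*)")
# Double-quoted string literals in a match (e.g. a logical port name);
# an '@' inside one is not a port group reference.
STRING_LIT = re.compile(r'"(?:[^"\\]|\\.)*"')


def port_group_refs(match: str) -> set[str]:
    """Return the set of port group names an ACL match refers to via @name."""
    return set(PG_REF.findall(STRING_LIT.sub('""', match)))


def missing_port_groups(acls, nb_port_groups, sb_port_group_names):
    """Return {pg_name: {"reason": str, "acls": [uuid, ...]}} for every
    port group referenced by an ACL match but absent from SB.

    reason is one of:
      "empty-in-nb"      NB group exists but has no ports (the reported case)
      "absent-from-nb"   no NB group of that name exists (ACL config error)
      "in-nb-not-synced" NB group has ports but SB lacks it (northd lag/bug)
    """
    sb = set(sb_port_group_names)
    nb = {pg["name"]: pg["ports"] for pg in nb_port_groups}
    report: dict[str, dict] = {}
    for acl in acls:
        for name in sorted(port_group_refs(acl["match"])):
            if name in sb:
                continue
            if name not in nb:
                reason = "absent-from-nb"
            elif not nb[name]:
                reason = "empty-in-nb"
            else:
                reason = "in-nb-not-synced"
            entry = report.setdefault(name, {"reason": reason, "acls": []})
            entry["acls"].append(acl["_uuid"])
    return report


# Constructed sample rows mirroring the names in the post (not real dumps).
NB_PORT_GROUPS = [
    {"name": "incus_acl9_egress_reversed", "ports": ["lsp-a"]},   # hypothetical port
    {"name": "incus_acl10_egress_reversed", "ports": []},         # empty group
    {"name": "incus_acl40_egress_reversed", "ports": []},         # empty group
]
# Only the non-empty group has been synced by northd.
SB_PORT_GROUP_NAMES = ["incus_acl9_egress_reversed"]
ACLS = [  # hypothetical UUIDs; matches in NB form (no reg0 prefix)
    {"_uuid": "acl-1", "match": 'inport == @incus_acl10_egress_reversed && '
                                'outport == "incus-net6-ls-int-lsp-router" && tcp && tcp.dst == 80'},
    {"_uuid": "acl-2", "match": 'inport == @incus_acl10_egress_reversed && '
                                'outport == "incus-net6-ls-int-lsp-router" && tcp && tcp.dst == 443'},
    {"_uuid": "acl-3", "match": 'inport == @incus_acl9_egress_reversed && '
                                'outport == "incus-net6-ls-int-lsp-router"'},
    {"_uuid": "acl-4", "match": 'inport == @incus_acl40_egress_reversed && '
                                'outport == "incus-net9-ls-int-lsp-router" && tcp && tcp.dst == 80'},
    # Hypothetical typo plus a literal containing '@' that must be ignored.
    {"_uuid": "acl-5", "match": 'outport == @typo_group && inport == "host@not-a-ref"'},
]


def example_report():
    """Run the check over the constructed sample data."""
    return missing_port_groups(ACLS, NB_PORT_GROUPS, SB_PORT_GROUP_NAMES)


if __name__ == "__main__":
    for name, info in example_report().items():
        print(f"@{name}: {info['reason']} (referenced by {', '.join(info['acls'])})")
```

Run against live data, anything reported as `empty-in-nb` is exactly the set of ACLs whose logical flows ovn-controller and ovn-trace will fail to parse until a port joins the group; `absent-from-nb` entries are ACL mistakes worth fixing regardless of how northd ends up handling empty groups.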
