[ovs-dev] [PATCH v3 ovn 1/2] ovn-northd: Reduce number of flows generated for stateful ACLs.

Mark Michelson mmichels at redhat.com
Fri Sep 11 12:40:24 UTC 2020


Acked-by: Mark Michelson <mmichels at redhat.com>

There's one documentation error down below that can be fixed when this 
is merged. Since the referenced ECMP test case has been fixed already, 
this also won't cause any test failures.

On 9/2/20 11:05 AM, Dumitru Ceara wrote:
> Introduce two new stages in the logical switch pipeline:
> - ls_in_acl_hint
> - ls_out_acl_hint
> 
> Flows in these stages match on various combinations of conntrack flags to
> determine how traffic might be processed in the ACL stage. Four possible
> hints are set (there may be more than one set at the same time per packet):
> - REGBIT_ACL_HINT_ALLOW_NEW: the packet might match an allow-related ACL in
>    which case it will have to commit or update a connection to conntrack.
> - REGBIT_ACL_HINT_ALLOW: the packet might match an allow-related ACL but
>    the session already exists so no commit will be needed.
> - REGBIT_ACL_HINT_DROP: the packet might match a drop/reject ACL but the
>    session already exists so no commit will be needed.
> - REGBIT_ACL_HINT_BLOCK: the packet might match a drop/reject ACL in which
>    case it will have to commit or update a connection in conntrack.
> 
> These hints are used in the ls_in_acl/ls_out_acl tables and simplify the
> match expressions for logical flows generated for ACLs reducing the number
> of disjunctions in the match, therefore reducing the number of openflows
> by a factor of 2 for allow-related ACLs and by a factor of 3 for drop/reject
> ACLs.
> 
> Suggested-by: Han Zhou <hzhou at ovn.org>
> Signed-off-by: Dumitru Ceara <dceara at redhat.com>
> 
> ---
> NOTE: The "ovn -- ECMP symmetric reply" system test will fail with this
> patch applied until the following patch that fixes the test is also merged:
> 
> http://patchwork.ozlabs.org/project/ovn/patch/1599033403-1659-1-git-send-email-dceara@redhat.com/
> ---
>   northd/ovn-northd.8.xml |  134 ++++++++++++++++++++++++++++------
>   northd/ovn-northd.c     |  186 +++++++++++++++++++++++++++++++++++------------
>   tests/ovn-northd.at     |   26 +++----
>   tests/ovn.at            |   58 +++++++--------
>   tests/system-ovn.at     |    4 +
>   5 files changed, 292 insertions(+), 116 deletions(-)
> 
> diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> index 989e364..226afc8 100644
> --- a/northd/ovn-northd.8.xml
> +++ b/northd/ovn-northd.8.xml
> @@ -386,7 +386,86 @@
>         <code>ct_next;</code> action.
>       </p>
>   
> -    <h3>Ingress table 6: <code>from-lport</code> ACLs</h3>
> +    <h3>Ingress Table 6: <code>from-lport</code> ACL hints</h3>
> +
> +    <p>
> +      This table consists of logical flows that set hints
> +      (<code>reg0</code> bits) to be used in the next stage, in the ACL
> +      processing table. Multiple hints can be set for the same packet.
> +      The possible hints are:
> +    </p>
> +    <ul>
> +      <li>
> +        <code>reg0[7]</code>: the packet might match an
> +        <code>allow-related</code> ACL and might have to commit the
> +        connection to conntrack.
> +      </li>
> +      <li>
> +        <code>reg0[8]</code>: the packet might match an
> +        <code>allow-related</code> ACL but there will be no need to commit
> +        the connection to conntrack because it already exists.
> +      </li>
> +      <li>
> +        <code>reg0[9]</code>: the packet might match a
> +        <code>drop/reject</code>.
> +      </li>
> +      <li>
> +        <code>reg0[10]</code>: the packet might match a
> +        <code>drop/reject</code> ACL but the connection was previously
> +        allowed so it might have to be committed again with
> +        <code>ct_label=1/1</code>.
> +      </li>
> +    </ul>
> +
> +    <p>
> +      The table contains the following flows:
> +    </p>
> +    <ul>
> +      <li>
> +        A priority-7 flow that matches on packets that initiate a new session.
> +        This flow sets <code>reg0[7]</code> and <code>reg0[9]</code> and
> +        then advances to the next table.
> +      </li>
> +      <li>
> +        A priority-6 flow that matches on packets that are in the request
> +        direction of an already existing session that has been marked
> +        as blocked. This flow sets <code>reg0[7]</code> and
> +        <code>reg0[9]</code> and then advances to the next table.
> +      </li>
> +      <li>
> +        A priority-5 flow that matches untracked packets. This flow sets
> +        <code>reg0[8]</code> and <code>reg0[9]</code> and then advances to
> +        the next table.
> +      </li>
> +      <li>
> +        A priority-4 flow that matches on packets that are in the request
> +        direction of an already existing session that has not been marked
> +        as blocked. This flow sets <code>reg0[8]</code> and
> +        <code>reg0[10]</code> and then advances to the next table.
> +      </li>
> +      <li>
> +        A priority-3 flow that matches on packets that are in not part of
> +        established sessions. This flow sets <code>reg0[9]</code> and then
> +        advances to the next table.
> +      </li>
> +      <li>
> +        A priority-2 flow that matches on packets that are part of an
> +        established session that has been marked as blocked.
> +        This flow sets <code>reg0[9]</code> and then advances to the next
> +        table.
> +      </li>
> +      <li>
> +        A priority-1 flow that matches on packets that are part of an
> +        established session that has not been marked as blocked.
> +        This flow sets <code>reg0[10]</code> and then advances to the next
> +        table.
> +      </li>
> +      <li>
> +        A priority-0 flow to advance to the next table.
> +      </li>
> +    </ul>
> +
> +    <h3>Ingress table 7: <code>from-lport</code> ACLs</h3>
>   
>       <p>
>         Logical flows in this table closely reproduce those in the
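Review bot: two slips in the new "ACL hints" documentation block. The reg0[9] bullet ends mid-sentence ("the packet might match a drop/reject."), presumably "a drop/reject ACL." was intended, and the priority-3 flow description reads "packets that are in not part of established sessions" (drop the "in"). Also, the reg0[10] bullet describes the recommit as "ct_label=1/1" while the matches and actions in ovn-northd.c use "ct_label.blocked"; naming the bit the same way in both places would make the two easier to cross-reference.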
> @@ -494,7 +573,7 @@
>         </li>
>       </ul>
>   
> -    <h3>Ingress Table 7: <code>from-lport</code> QoS Marking</h3>
> +    <h3>Ingress Table 8: <code>from-lport</code> QoS Marking</h3>
>   
>       <p>
>         Logical flows in this table closely reproduce those in the
> @@ -516,7 +595,7 @@
>         </li>
>       </ul>
>   
> -    <h3>Ingress Table 8: <code>from-lport</code> QoS Meter</h3>
> +    <h3>Ingress Table 9: <code>from-lport</code> QoS Meter</h3>
>   
>       <p>
>         Logical flows in this table closely reproduce those in the
> @@ -538,7 +617,7 @@
>         </li>
>       </ul>
>   
> -    <h3>Ingress Table 9: LB</h3>
> +    <h3>Ingress Table 10: LB</h3>
>   
>       <p>
>         It contains a priority-0 flow that simply moves traffic to the next
> @@ -564,7 +643,7 @@
>         connection.)
>       </p>
>   
> -    <h3>Ingress Table 10: Stateful</h3>
> +    <h3>Ingress Table 11: Stateful</h3>
>   
>       <ul>
>         <li>
> @@ -612,7 +691,7 @@
>         </li>
>       </ul>
>   
> -    <h3>Ingress Table 11: Pre-Hairpin</h3>
> +    <h3>Ingress Table 12: Pre-Hairpin</h3>
>       <ul>
>         <li>
>           For all configured load balancer VIPs a priority-2 flow that
> @@ -632,7 +711,7 @@
>         </li>
>       </ul>
>   
> -    <h3>Ingress Table 12: Hairpin</h3>
> +    <h3>Ingress Table 13: Hairpin</h3>
>       <ul>
>         <li>
>           A priority-1 flow that hairpins traffic matched by non-default
> @@ -645,7 +724,7 @@
>         </li>
>       </ul>
>   
> -    <h3>Ingress Table 13: ARP/ND responder</h3>
> +    <h3>Ingress Table 14: ARP/ND responder</h3>
>   
>       <p>
>         This table implements ARP/ND responder in a logical switch for known
> @@ -930,7 +1009,7 @@ output;
>         </li>
>       </ul>
>   
> -    <h3>Ingress Table 14: DHCP option processing</h3>
> +    <h3>Ingress Table 15: DHCP option processing</h3>
>   
>       <p>
>         This table adds the DHCPv4 options to a DHCPv4 packet from the
> @@ -987,11 +1066,11 @@ next;
>         </li>
>   
>         <li>
> -        A priority-0 flow that matches all packets to advances to table 15.
> +        A priority-0 flow that matches all packets to advances to table 16.
>         </li>
>       </ul>
>   
> -    <h3>Ingress Table 15: DHCP responses</h3>
> +    <h3>Ingress Table 16: DHCP responses</h3>
>   
>       <p>
>         This table implements DHCP responder for the DHCP replies generated by
> @@ -1068,11 +1147,11 @@ output;
>         </li>
>   
>         <li>
> -        A priority-0 flow that matches all packets to advances to table 16.
> +        A priority-0 flow that matches all packets to advances to table 17.
>         </li>
>       </ul>
>   
> -    <h3>Ingress Table 16 DNS Lookup</h3>
> +    <h3>Ingress Table 17 DNS Lookup</h3>
>   
>       <p>
>         This table looks up and resolves the DNS names to the corresponding
> @@ -1101,7 +1180,7 @@ reg0[4] = dns_lookup(); next;
>         </li>
>       </ul>
>   
> -    <h3>Ingress Table 17 DNS Responses</h3>
> +    <h3>Ingress Table 18 DNS Responses</h3>
>   
>       <p>
>         This table implements DNS responder for the DNS replies generated by
> @@ -1136,7 +1215,7 @@ output;
>         </li>
>       </ul>
>   
> -    <h3>Ingress table 18 External ports</h3>
> +    <h3>Ingress table 19 External ports</h3>
>   
>       <p>
>         Traffic from the <code>external</code> logical ports enter the ingress
> @@ -1175,11 +1254,11 @@ output;
>         </li>
>   
>         <li>
> -        A priority-0 flow that matches all packets to advances to table 19.
> +        A priority-0 flow that matches all packets to advances to table 20.
>         </li>
>       </ul>
>   
> -    <h3>Ingress Table 19 Destination Lookup</h3>
> +    <h3>Ingress Table 20 Destination Lookup</h3>
>   
>       <p>
>         This table implements switching behavior.  It contains these logical
> @@ -1412,7 +1491,12 @@ output;
>         This is similar to ingress table <code>LB</code>.
>       </p>
>   
> -    <h3>Egress Table 4: <code>to-lport</code> ACLs</h3>
> +    <h3>Ingress Table 6: <code>from-lport</code> ACL hints</h3>

This appears to be a copy-paste error. This should be Egress Table 4, 
not Ingress Table 6.

> +    <p>
> +      This is similar to ingress table <code>ACL hints</code>.
> +    </p>
> +
> +    <h3>Egress Table 5: <code>to-lport</code> ACLs</h3>
>   
>       <p>
>         This is similar to ingress table <code>ACLs</code> except for
> @@ -1427,14 +1511,14 @@ output;
>           A priority 34000 logical flow is added for each logical port which
>           has DHCPv4 options defined to allow the DHCPv4 reply packet and which has
>           DHCPv6 options defined to allow the DHCPv6 reply packet from the
> -        <code>Ingress Table 15: DHCP responses</code>.
> +        <code>Ingress Table 16: DHCP responses</code>.
>         </li>
>   
>         <li>
>           A priority 34000 logical flow is added for each logical switch datapath
>           configured with DNS records with the match <code>udp.dst = 53</code>
>           to allow the DNS reply packet from the
> -        <code>Ingress Table 17: DNS responses</code>.
> +        <code>Ingress Table 18: DNS responses</code>.
>         </li>
>   
>         <li>
> @@ -1449,28 +1533,28 @@ output;
>         </li>
>       </ul>
>   
> -    <h3>Egress Table 5: <code>to-lport</code> QoS Marking</h3>
> +    <h3>Egress Table 6: <code>to-lport</code> QoS Marking</h3>
>   
>       <p>
>         This is similar to ingress table <code>QoS marking</code> except
>         they apply to <code>to-lport</code> QoS rules.
>       </p>
>   
> -    <h3>Egress Table 6: <code>to-lport</code> QoS Meter</h3>
> +    <h3>Egress Table 7: <code>to-lport</code> QoS Meter</h3>
>   
>       <p>
>         This is similar to ingress table <code>QoS meter</code> except
>         they apply to <code>to-lport</code> QoS rules.
>       </p>
>   
> -    <h3>Egress Table 7: Stateful</h3>
> +    <h3>Egress Table 8: Stateful</h3>
>   
>       <p>
>         This is similar to ingress table <code>Stateful</code> except that
>         there are no rules added for load balancing new connections.
>       </p>
>   
> -    <h3>Egress Table 8: Egress Port Security - IP</h3>
> +    <h3>Egress Table 9: Egress Port Security - IP</h3>
>   
>       <p>
>         This is similar to the port security logic in table
> @@ -1480,7 +1564,7 @@ output;
>         <code>ip4.src</code> and <code>ip6.src</code>
>       </p>
>   
> -    <h3>Egress Table 9: Egress Port Security - L2</h3>
> +    <h3>Egress Table 10: Egress Port Security - L2</h3>
>   
>       <p>
>         This is similar to the ingress port security logic in ingress table
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index 7be0e85..2025446 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -138,32 +138,34 @@ enum ovn_stage {
>       PIPELINE_STAGE(SWITCH, IN,  PRE_ACL,        3, "ls_in_pre_acl")       \
>       PIPELINE_STAGE(SWITCH, IN,  PRE_LB,         4, "ls_in_pre_lb")        \
>       PIPELINE_STAGE(SWITCH, IN,  PRE_STATEFUL,   5, "ls_in_pre_stateful")  \
> -    PIPELINE_STAGE(SWITCH, IN,  ACL,            6, "ls_in_acl")           \
> -    PIPELINE_STAGE(SWITCH, IN,  QOS_MARK,       7, "ls_in_qos_mark")      \
> -    PIPELINE_STAGE(SWITCH, IN,  QOS_METER,      8, "ls_in_qos_meter")     \
> -    PIPELINE_STAGE(SWITCH, IN,  LB,             9, "ls_in_lb")            \
> -    PIPELINE_STAGE(SWITCH, IN,  STATEFUL,      10, "ls_in_stateful")      \
> -    PIPELINE_STAGE(SWITCH, IN,  PRE_HAIRPIN,   11, "ls_in_pre_hairpin")   \
> -    PIPELINE_STAGE(SWITCH, IN,  HAIRPIN,       12, "ls_in_hairpin")       \
> -    PIPELINE_STAGE(SWITCH, IN,  ARP_ND_RSP,    13, "ls_in_arp_rsp")       \
> -    PIPELINE_STAGE(SWITCH, IN,  DHCP_OPTIONS,  14, "ls_in_dhcp_options")  \
> -    PIPELINE_STAGE(SWITCH, IN,  DHCP_RESPONSE, 15, "ls_in_dhcp_response") \
> -    PIPELINE_STAGE(SWITCH, IN,  DNS_LOOKUP,    16, "ls_in_dns_lookup")    \
> -    PIPELINE_STAGE(SWITCH, IN,  DNS_RESPONSE,  17, "ls_in_dns_response")  \
> -    PIPELINE_STAGE(SWITCH, IN,  EXTERNAL_PORT, 18, "ls_in_external_port") \
> -    PIPELINE_STAGE(SWITCH, IN,  L2_LKUP,       19, "ls_in_l2_lkup")       \
> +    PIPELINE_STAGE(SWITCH, IN,  ACL_HINT,       6, "ls_in_acl_hint")      \
> +    PIPELINE_STAGE(SWITCH, IN,  ACL,            7, "ls_in_acl")           \
> +    PIPELINE_STAGE(SWITCH, IN,  QOS_MARK,       8, "ls_in_qos_mark")      \
> +    PIPELINE_STAGE(SWITCH, IN,  QOS_METER,      9, "ls_in_qos_meter")     \
> +    PIPELINE_STAGE(SWITCH, IN,  LB,            10, "ls_in_lb")            \
> +    PIPELINE_STAGE(SWITCH, IN,  STATEFUL,      11, "ls_in_stateful")      \
> +    PIPELINE_STAGE(SWITCH, IN,  PRE_HAIRPIN,   12, "ls_in_pre_hairpin")   \
> +    PIPELINE_STAGE(SWITCH, IN,  HAIRPIN,       13, "ls_in_hairpin")       \
> +    PIPELINE_STAGE(SWITCH, IN,  ARP_ND_RSP,    14, "ls_in_arp_rsp")       \
> +    PIPELINE_STAGE(SWITCH, IN,  DHCP_OPTIONS,  15, "ls_in_dhcp_options")  \
> +    PIPELINE_STAGE(SWITCH, IN,  DHCP_RESPONSE, 16, "ls_in_dhcp_response") \
> +    PIPELINE_STAGE(SWITCH, IN,  DNS_LOOKUP,    17, "ls_in_dns_lookup")    \
> +    PIPELINE_STAGE(SWITCH, IN,  DNS_RESPONSE,  18, "ls_in_dns_response")  \
> +    PIPELINE_STAGE(SWITCH, IN,  EXTERNAL_PORT, 19, "ls_in_external_port") \
> +    PIPELINE_STAGE(SWITCH, IN,  L2_LKUP,       20, "ls_in_l2_lkup")       \
>                                                                             \
>       /* Logical switch egress stages. */                                   \
>       PIPELINE_STAGE(SWITCH, OUT, PRE_LB,       0, "ls_out_pre_lb")         \
>       PIPELINE_STAGE(SWITCH, OUT, PRE_ACL,      1, "ls_out_pre_acl")        \
>       PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful")   \
>       PIPELINE_STAGE(SWITCH, OUT, LB,           3, "ls_out_lb")             \
> -    PIPELINE_STAGE(SWITCH, OUT, ACL,          4, "ls_out_acl")            \
> -    PIPELINE_STAGE(SWITCH, OUT, QOS_MARK,     5, "ls_out_qos_mark")       \
> -    PIPELINE_STAGE(SWITCH, OUT, QOS_METER,    6, "ls_out_qos_meter")      \
> -    PIPELINE_STAGE(SWITCH, OUT, STATEFUL,     7, "ls_out_stateful")       \
> -    PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP,  8, "ls_out_port_sec_ip")    \
> -    PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2,  9, "ls_out_port_sec_l2")    \
> +    PIPELINE_STAGE(SWITCH, OUT, ACL_HINT,     4, "ls_out_acl_hint")       \
> +    PIPELINE_STAGE(SWITCH, OUT, ACL,          5, "ls_out_acl")            \
> +    PIPELINE_STAGE(SWITCH, OUT, QOS_MARK,     6, "ls_out_qos_mark")       \
> +    PIPELINE_STAGE(SWITCH, OUT, QOS_METER,    7, "ls_out_qos_meter")      \
> +    PIPELINE_STAGE(SWITCH, OUT, STATEFUL,     8, "ls_out_stateful")       \
> +    PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP,  9, "ls_out_port_sec_ip")    \
> +    PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2, 10, "ls_out_port_sec_l2")    \
>                                                                         \
>       /* Logical router ingress stages. */                              \
>       PIPELINE_STAGE(ROUTER, IN,  ADMISSION,       0, "lr_in_admission")    \
> @@ -205,13 +207,17 @@ enum ovn_stage {
>   #define OVN_ACL_PRI_OFFSET 1000
>   
>   /* Register definitions specific to switches. */
> -#define REGBIT_CONNTRACK_DEFRAG  "reg0[0]"
> -#define REGBIT_CONNTRACK_COMMIT  "reg0[1]"
> -#define REGBIT_CONNTRACK_NAT     "reg0[2]"
> -#define REGBIT_DHCP_OPTS_RESULT  "reg0[3]"
> -#define REGBIT_DNS_LOOKUP_RESULT "reg0[4]"
> -#define REGBIT_ND_RA_OPTS_RESULT "reg0[5]"
> -#define REGBIT_HAIRPIN           "reg0[6]"
> +#define REGBIT_CONNTRACK_DEFRAG   "reg0[0]"
> +#define REGBIT_CONNTRACK_COMMIT   "reg0[1]"
> +#define REGBIT_CONNTRACK_NAT      "reg0[2]"
> +#define REGBIT_DHCP_OPTS_RESULT   "reg0[3]"
> +#define REGBIT_DNS_LOOKUP_RESULT  "reg0[4]"
> +#define REGBIT_ND_RA_OPTS_RESULT  "reg0[5]"
> +#define REGBIT_HAIRPIN            "reg0[6]"
> +#define REGBIT_ACL_HINT_ALLOW_NEW "reg0[7]"
> +#define REGBIT_ACL_HINT_ALLOW     "reg0[8]"
> +#define REGBIT_ACL_HINT_DROP      "reg0[9]"
> +#define REGBIT_ACL_HINT_BLOCK     "reg0[10]"
>   
>   /* Register definitions for switches and routers. */
>   
> @@ -246,11 +252,12 @@ enum ovn_stage {
>    * OVS register usage:
>    *
>    * Logical Switch pipeline:
> - * +---------+-------------------------------------+
> - * | R0      | REGBIT_{CONNTRACK/DHCP/DNS/HAIRPIN} |
> - * +---------+-------------------------------------+
> - * | R1 - R9 |              UNUSED                 |
> - * +---------+-------------------------------------+
> + * +---------+----------------------------------------------+
> + * | R0      |     REGBIT_{CONNTRACK/DHCP/DNS/HAIRPIN}      |
> + * |         | REGBIT_ACL_HINT_{ALLOW_NEW/ALLOW/DROP/BLOCK} |
> + * +---------+----------------------------------------------+
> + * | R1 - R9 |                   UNUSED                     |
> + * +---------+----------------------------------------------+
>    *
>    * Logical Router pipeline:
>    * +-----+--------------------------+---+-----------------+---+---------------+
> @@ -5140,6 +5147,96 @@ build_pre_stateful(struct ovn_datapath *od, struct hmap *lflows)
>   }
>   
>   static void
> +build_acl_hints(struct ovn_datapath *od, struct hmap *lflows)
> +{
> +    /* This stage builds hints for the IN/OUT_ACL stage. Based on various
> +     * combinations of ct flags packets may hit only a subset of the logical
> +     * flows in the IN/OUT_ACL stage.
> +     *
> +     * Populating ACL hints first and storing them in registers simplifies
> +     * the logical flow match expressions in the IN/OUT_ACL stage and
> +     * generates less openflows.
> +     *
> +     * Certain combinations of ct flags might be valid matches for multiple
> +     * types of ACL logical flows (e.g., allow/drop). In such cases hints
> +     * corresponding to all potential matches are set.
> +     */
> +
> +    enum ovn_stage stages[] = {
> +        S_SWITCH_IN_ACL_HINT,
> +        S_SWITCH_OUT_ACL_HINT,
> +    };
> +
> +    for (size_t i = 0; i < ARRAY_SIZE(stages); i++) {
> +        enum ovn_stage stage = stages[i];
> +
> +        /* New, not already established connections, may hit either allow
> +         * or drop ACLs. For allow ACLs, the connection must also be committed
> +         * to conntrack so we set REGBIT_ACL_HINT_ALLOW_NEW.
> +         */
> +        ovn_lflow_add(lflows, od, stage, 7, "ct.new && !ct.est",
> +                      REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
> +                      REGBIT_ACL_HINT_DROP " = 1; "
> +                      "next;");
> +
> +        /* Already established connections in the "request" direction that
> +         * are already marked as "blocked" may hit either:
> +         * - allow ACLs for connections that were previously allowed by a
> +         *   policy that was deleted and is being readded now. In this case
> +         *   the connection should be recommitted so we set
> +         *   REGBIT_ACL_HINT_ALLOW_NEW.
> +         * - drop ACLs.
> +         */
> +        ovn_lflow_add(lflows, od, stage, 6,
> +                      "!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1",
> +                      REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
> +                      REGBIT_ACL_HINT_DROP " = 1; "
> +                      "next;");
> +
> +        /* Not tracked traffic can either be allowed or dropped. */
> +        ovn_lflow_add(lflows, od, stage, 5, "!ct.trk",
> +                      REGBIT_ACL_HINT_ALLOW " = 1; "
> +                      REGBIT_ACL_HINT_DROP " = 1; "
> +                      "next;");
> +
> +        /* Already established connections in the "request" direction may hit
> +         * either:
> +         * - allow ACLs in which case the traffic should be allowed so we set
> +         *   REGBIT_ACL_HINT_ALLOW.
> +         * - drop ACLs in which case the traffic should be blocked and the
> +         *   connection must be committed with ct_label.blocked set so we set
> +         *   REGBIT_ACL_HINT_BLOCK.
> +         */
> +        ovn_lflow_add(lflows, od, stage, 4,
> +                      "!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0",
> +                      REGBIT_ACL_HINT_ALLOW " = 1; "
> +                      REGBIT_ACL_HINT_BLOCK " = 1; "
> +                      "next;");
> +
> +        /* Not established or established and already blocked connections may
> +         * hit drop ACLs.
> +         */
> +        ovn_lflow_add(lflows, od, stage, 3, "!ct.est",
> +                      REGBIT_ACL_HINT_DROP " = 1; "
> +                      "next;");
> +        ovn_lflow_add(lflows, od, stage, 2, "ct.est && ct_label.blocked == 1",
> +                      REGBIT_ACL_HINT_DROP " = 1; "
> +                      "next;");
> +
> +        /* Established connections that were previously allowed might hit
> +         * drop ACLs in which case the connection must be committed with
> +         * ct_label.blocked set.
> +         */
> +        ovn_lflow_add(lflows, od, stage, 1, "ct.est && ct_label.blocked == 0",
> +                      REGBIT_ACL_HINT_BLOCK " = 1; "
> +                      "next;");
> +
> +        /* In any case, advance to the next stage. */
> +        ovn_lflow_add(lflows, od, stage, 0, "1", "next;");
> +    }
> +}
> +
> +static void
>   build_acl_log(struct ds *actions, const struct nbrec_acl *acl)
>   {
>       if (!acl->log) {
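Review bot: build_acl_hints() adds its eight hint flows to every logical switch, but consider_acl() only consults the hint bits inside its "if (has_stateful)" branches, so datapaths without stateful ACLs pay for seven match flows that nothing reads. Consider computing has_stateful here as build_acls() does and emitting only the priority-0 "next;" flow when it is false. Minor wording in the function comment: "generates less openflows" should be "generates fewer OpenFlow flows".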
> @@ -5197,7 +5294,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
>                     "eth.dst <-> eth.src; ip4.dst <-> ip4.src; "
>                     "tcp_reset { outport <-> inport; %s };",
>                     ingress ? "next(pipeline=egress,table=5);"
> -                          : "next(pipeline=ingress,table=19);");
> +                          : "next(pipeline=ingress,table=20);");
>       ovn_lflow_add_with_hint(lflows, od, stage,
>                               acl->priority + OVN_ACL_PRI_OFFSET + 10,
>                               ds_cstr(&match), ds_cstr(&actions), stage_hint);
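Review bot: the egress-side jump in this hunk looks stale. The ingress counterpart is bumped from table=19 to table=20 to follow ls_in_l2_lkup, but "next(pipeline=egress,table=5);" is left as is even though this patch renumbers ls_out_acl from 4 to 5 and ls_out_qos_mark from 5 to 6 (see the PIPELINE_STAGE changes above). Unless the intent is for the generated reset to re-enter the egress ACL stage, this should become table=6. More generally, these four copies of hardcoded stage numbers have to be touched every time a stage is inserted; deriving them from the stage enum (the ls_out_qos_mark and ls_in_l2_lkup stages) in a %d format would avoid the next such miss.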
> @@ -5212,7 +5309,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
>                     "eth.dst <-> eth.src; ip6.dst <-> ip6.src; "
>                     "tcp_reset { outport <-> inport; %s };",
>                     ingress ? "next(pipeline=egress,table=5);"
> -                          : "next(pipeline=ingress,table=19);");
> +                          : "next(pipeline=ingress,table=20);");
>       ovn_lflow_add_with_hint(lflows, od, stage,
>                               acl->priority + OVN_ACL_PRI_OFFSET + 10,
>                               ds_cstr(&match), ds_cstr(&actions), stage_hint);
> @@ -5232,7 +5329,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
>                     "icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; "
>                     "outport <-> inport; %s };",
>                     ingress ? "next(pipeline=egress,table=5);"
> -                          : "next(pipeline=ingress,table=19);");
> +                          : "next(pipeline=ingress,table=20);");
>       ovn_lflow_add_with_hint(lflows, od, stage,
>                               acl->priority + OVN_ACL_PRI_OFFSET,
>                               ds_cstr(&match), ds_cstr(&actions), stage_hint);
> @@ -5250,7 +5347,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
>                     "eth.dst <-> eth.src; ip6.dst <-> ip6.src; "
>                     "outport <-> inport; %s };",
>                     ingress ? "next(pipeline=egress,table=5);"
> -                          : "next(pipeline=ingress,table=19);");
> +                          : "next(pipeline=ingress,table=20);");
>       ovn_lflow_add_with_hint(lflows, od, stage,
>                               acl->priority + OVN_ACL_PRI_OFFSET,
>                               ds_cstr(&match), ds_cstr(&actions), stage_hint);
> @@ -5298,10 +5395,8 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
>                * by ct_commit in the "stateful" stage) to indicate that the
>                * connection should be allowed to resume.
>                */
> -            ds_put_format(&match, "((ct.new && !ct.est)"
> -                                  " || (!ct.new && ct.est && !ct.rpl "
> -                                       "&& ct_label.blocked == 1)) "
> -                                  "&& (%s)", acl->match);
> +            ds_put_format(&match, REGBIT_ACL_HINT_ALLOW_NEW " == 1 && (%s)",
> +                          acl->match);
>               ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
>               build_acl_log(&actions, acl);
>               ds_put_cstr(&actions, "next;");
> @@ -5319,9 +5414,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
>                * policy. Match untracked packets too. */
>               ds_clear(&match);
>               ds_clear(&actions);
> -            ds_put_format(&match,
> -                          "(!ct.trk || (!ct.new && ct.est && !ct.rpl"
> -                          " && ct_label.blocked == 0)) && (%s)",
> +            ds_put_format(&match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)",
>                             acl->match);
>   
>               build_acl_log(&actions, acl);
> @@ -5346,9 +5439,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
>           if (has_stateful) {
>               /* If the packet is not tracked or not part of an established
>                * connection, then we can simply reject/drop it. */
> -            ds_put_cstr(&match,
> -                        "(!ct.trk || !ct.est"
> -                        " || (ct.est && ct_label.blocked == 1))");
> +            ds_put_cstr(&match, REGBIT_ACL_HINT_DROP " == 1");
>               if (!strcmp(acl->action, "reject")) {
>                   build_reject_acl_rules(od, lflows, stage, acl, &match,
>                                          &actions, &acl->header_);
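Review bot: the comments above the rewritten matches in consider_acl() still spell out the conntrack flag combinations ("If the packet is not tracked or not part of an established connection, then we can simply reject/drop it.", "Match untracked packets too."), but that logic now lives in build_acl_hints(). Worth rewording each to say which REGBIT_ACL_HINT_* bit is consulted and point at build_acl_hints() for the ct-flag details, so the two places do not drift apart the next time the hint flows change.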
> @@ -5374,7 +5465,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
>                */
>               ds_clear(&match);
>               ds_clear(&actions);
> -            ds_put_cstr(&match, "ct.est && ct_label.blocked == 0");
> +            ds_put_cstr(&match, REGBIT_ACL_HINT_BLOCK " == 1");
>               ds_put_cstr(&actions, "ct_commit { ct_label.blocked = 1; }; ");
>               if (!strcmp(acl->action, "reject")) {
>                   build_reject_acl_rules(od, lflows, stage, acl, &match,
> @@ -6621,6 +6712,7 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
>           build_pre_acls(od, lflows);
>           build_pre_lb(od, lflows, meter_groups, lbs);
>           build_pre_stateful(od, lflows);
> +        build_acl_hints(od, lflows);
>           build_acls(od, lflows, port_groups);
>           build_qos(od, lflows);
>           build_lb(od, lflows);
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index 8344c7f..87644bd 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -1185,7 +1185,7 @@ ovn-nbctl --wait=sb ls-lb-add sw0 lb1
>   
>   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
>   ])
>   
>   # Delete the Load_Balancer_Health_Check
> @@ -1194,7 +1194,7 @@ OVS_WAIT_UNTIL([test 0 = `ovn-sbctl list service_monitor |  wc -l`])
>   
>   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
>   ])
>   
>   # Create the Load_Balancer_Health_Check again.
> @@ -1207,7 +1207,7 @@ service_monitor | sed '/^$/d' | wc -l`])
>   
>   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
>   ])
>   
>   # Get the uuid of both the service_monitor
> @@ -1223,7 +1223,7 @@ OVS_WAIT_UNTIL([
>   
>   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
>   ])
>   
>   # Set the service monitor for sw0-p1 to offline
> @@ -1240,7 +1240,7 @@ AT_CHECK([cat lflows.txt], [0], [dnl
>   ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \
>   | grep priority=120 > lflows.txt
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(drop;)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(drop;)
>   ])
>   
>   # Set the service monitor for sw0-p1 and sw1-p1 to online
> @@ -1253,7 +1253,7 @@ OVS_WAIT_UNTIL([
>   
>   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
>   ])
>   
>   # Set the service monitor for sw1-p1 to error
> @@ -1265,7 +1265,7 @@ OVS_WAIT_UNTIL([
>   ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \
>   | grep priority=120 > lflows.txt
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
>   ])
>   
>   # Add one more vip to lb1
> @@ -1295,8 +1295,8 @@ service_monitor port=1000 | sed '/^$/d' | wc -l`])
>   
>   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000);)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000);)
>   ])
>   
>   # Set the service monitor for sw1-p1 to online
> @@ -1308,16 +1308,16 @@ OVS_WAIT_UNTIL([
>   
>   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
>   ])
>   
>   # Associate lb1 to sw1
>   ovn-nbctl --wait=sb ls-lb-add sw1 lb1
>   ovn-sbctl dump-flows sw1 | grep ct_lb | grep priority=120 > lflows.txt
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
>   ])
>   
>   # Now create lb2 same as lb1 but udp protocol.
> diff --git a/tests/ovn.at b/tests/ovn.at
> index 5ad51c0..99861bf 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -14237,17 +14237,17 @@ ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
>   AT_CHECK([ovn-sbctl dump-flows ls1 | grep "offerip = 10.0.0.6" | \
>   wc -l], [0], [0
>   ])
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep "0a.00.00.06" | wc -l], [0], [0
>   ])
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep "0a.00.00.06" | wc -l], [0], [0
>   ])
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep tp_src=546 | grep \
>   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
>   ])
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep tp_src=546 | grep \
>   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
>   ])
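Review bot: the `grep table=22` to `grep table=23` substitution is repeated four times in this hunk and again in the three hunks that follow (@@ -14278, -14310, -14593), all counting the same DHCPv4/v6 controller flows; defining the number once near the top of the test (e.g. `dhcp_table=23` and `grep table=$dhcp_table`), or passing the table to ovs-ofctl as a match the way the @@ -14873 hunk does (`table=27,dl_src=...`), would reduce the next renumbering to a one-line change and avoid substring greps. The value itself looks consistent: a shift of exactly one matches the one-stage move in the logical flow dumps earlier in this patch (ls_in_stateful 10 to 11), provided ovn-controller's ingress base table is unchanged, which is worth a sentence in the commit message.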
> @@ -14278,17 +14278,17 @@ port_binding logical_port=ls1-lp_ext1`
>   
>   # No DHCPv4/v6 flows for the external port - ls1-lp_ext1 - 10.0.0.6 in hv1 and hv2
>   # as no localnet port added to ls1 yet.
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep "0a.00.00.06" | wc -l], [0], [0
>   ])
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep "0a.00.00.06" | wc -l], [0], [0
>   ])
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep tp_src=546 | grep \
>   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
>   ])
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep tp_src=546 | grep \
>   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
>   ])
> @@ -14310,38 +14310,38 @@ logical_port=ls1-lp_ext1`
>       test "$chassis" = "$hv1_uuid"])
>   
>   # There should be DHCPv4/v6 OF flows for the ls1-lp_ext1 port in hv1
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep "0a.00.00.06" | grep reg14=0x$ln_public_key | \
>   wc -l], [0], [3
>   ])
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep tp_src=546 | grep \
>   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | \
>   grep reg14=0x$ln_public_key | wc -l], [0], [1
>   ])
>   
>   # There should be no DHCPv4/v6 flows for ls1-lp_ext1 on hv2
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep "0a.00.00.06" | wc -l], [0], [0
>   ])
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep tp_src=546 | grep \
>   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
>   ])
>   
>   # No DHCPv4/v6 flows for the external port - ls1-lp_ext2 - 10.0.0.7 in hv1 and
>   # hv2 as requested-chassis option is not set.
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep "0a.00.00.07" | wc -l], [0], [0
>   ])
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep "0a.00.00.07" | wc -l], [0], [0
>   ])
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep tp_src=546 | grep \
>   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.07" | wc -l], [0], [0
>   ])
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep tp_src=546 | grep \
>   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.07" | wc -l], [0], [0
>   ])
> @@ -14593,21 +14593,21 @@ logical_port=ls1-lp_ext1`
>       test "$chassis" = "$hv2_uuid"])
>   
>   # There should be OF flows for DHCP4/v6 for the ls1-lp_ext1 port in hv2
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep "0a.00.00.06" | grep reg14=0x$ln_public_key | \
>   wc -l], [0], [3
>   ])
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep tp_src=546 | grep \
>   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | \
>   grep reg14=0x$ln_public_key | wc -l], [0], [1
>   ])
>   
>   # There should be no DHCPv4/v6 flows for ls1-lp_ext1 on hv1
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep "0a.00.00.06" | wc -l], [0], [0
>   ])
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
>   grep controller | grep tp_src=546 | grep \
>   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | \
>   grep reg14=0x$ln_public_key | wc -l], [0], [0
> @@ -14873,7 +14873,7 @@ logical_port=ls1-lp_ext1`
>   # There should be a flow in hv2 to drop traffic from ls1-lp_ext1 destined
>   # to router mac.
>   AT_CHECK([as hv2 ovs-ofctl dump-flows br-int \
> -table=26,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \
> +table=27,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \
>   grep -c "actions=drop"], [0], [1
>   ])
>   
> @@ -16144,9 +16144,9 @@ ovn-nbctl --wait=hv sync
>   ovn-sbctl dump-flows sw0 | grep ls_in_arp_rsp | grep bind_vport > lflows.txt
>   
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=13(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p1" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> -  table=13(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p2" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> -  table=13(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> +  table=14(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p1" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> +  table=14(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p2" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> +  table=14(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
>   ])
>   
>   ovn-sbctl dump-flows lr0 | grep lr_in_arp_resolve | grep "reg0 == 10.0.0.10" \
> @@ -16356,8 +16356,8 @@ ovn-nbctl --wait=hv set logical_switch_port sw0-vir options:virtual-ip=10.0.0.10
>   ovn-sbctl dump-flows sw0 | grep ls_in_arp_rsp | grep bind_vport > lflows.txt
>   
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=13(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p1" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> -  table=13(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> +  table=14(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p1" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> +  table=14(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
>   ])
>   
>   ovn-nbctl --wait=hv remove logical_switch_port sw0-vir options virtual-parents
> @@ -18340,7 +18340,7 @@ test_ip vif11 f00000000011 000001010203 $sip $dip vif-north
>   OVN_CHECK_PACKETS_REMOVE_BROADCAST([hv4/vif-north-tx.pcap], [vif-north.expected])
>   
>   # Confirm that packets did not go out via tunnel port.
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=32 | grep NXM_NX_TUN_METADATA0 | grep n_packets=0 | wc -l], [0], [[0
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=33 | grep NXM_NX_TUN_METADATA0 | grep n_packets=0 | wc -l], [0], [[0
>   ]])
>   
>   # Confirm that packet went out via localnet port
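Review bot: unlike the other hunks, `table=32` to `table=33` here is not a logical stage offset (the logical ingress stages elsewhere in this patch move by one inside the pipeline block, e.g. ls_in_arp_rsp 13 to 14, the DHCP controller flows 22 to 23), so this line implies that the fixed tunnel/remote-output table in ovn-controller moved as well; that physical renumbering should be called out explicitly in the commit message, and any other hardcoded 32/33/34 references in tests or documentation checked for the same shift. While here: `grep n_packets=0 | wc -l` with an expected `0` does not establish that nothing left via the tunnel, because it counts TUN_METADATA0 flows whose counter is still zero, so it passes both when no such flow exists and when every such flow carried traffic. If the intent stated in the comment is that no tunnel flow was hit, the filter wants `grep -v n_packets=0 | wc -l` (or `grep -vc n_packets=0`) with the same expected `0`.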
> @@ -19087,7 +19087,7 @@ service_monitor | sed '/^$/d' | wc -l`])
>   
>   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
>   ])
>   
>   ovn-sbctl dump-flows lr0 | grep ct_lb | grep priority=120 > lflows.txt
> @@ -19125,7 +19125,7 @@ grep "405400000003${svc_mon_src_mac}" | wc -l`]
>   ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \
>   | grep priority=120 > lflows.txt
>   AT_CHECK([cat lflows.txt], [0], [dnl
> -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(drop;)
> +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(drop;)
>   ])
>   
>   ovn-sbctl dump-flows lr0 | grep lr_in_dnat | grep priority=120 > lflows.txt
> diff --git a/tests/system-ovn.at b/tests/system-ovn.at
> index 40ba6e4..b9b5eaa 100644
> --- a/tests/system-ovn.at
> +++ b/tests/system-ovn.at
> @@ -2163,7 +2163,7 @@ tcp,orig=(src=172.16.1.2,dst=30.0.0.2,sport=<cleared>,dport=<cleared>),reply=(sr
>   ])
>   
>   check_est_flows () {
> -    n=$(ovs-ofctl dump-flows br-int table=14 | grep \
> +    n=$(ovs-ofctl dump-flows br-int table=15 | grep \
>   "priority=120,ct_state=+est+trk,tcp,metadata=0x2,nw_dst=30.0.0.2,tp_dst=8000" \
>   | grep nat | sed -n 's/.*n_packets=\([[0-9]]\{1,\}\).*/\1/p')
>   
> @@ -4548,7 +4548,7 @@ OVS_WAIT_UNTIL([
>   ])
>   
>   OVS_WAIT_UNTIL([
> -    n_pkt=$(ovs-ofctl dump-flows br-int table=44 | grep -v n_packets=0 | \
> +    n_pkt=$(ovs-ofctl dump-flows br-int table=45 | grep -v n_packets=0 | \
>   grep controller | grep tp_dst=84 -c)
>       test $n_pkt -eq 1
>   ])
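Review bot: `grep tp_dst=84 -c` places the option after the pattern, which only works because GNU grep permutes arguments; since this line is being edited anyway, `grep -c tp_dst=84` is the portable spelling. On the number itself, 44 to 45 is a one-table shift like the `table=14` to `table=15` change in check_est_flows above, consistent with one stage being inserted ahead of the ACL stage in each direction; as with the other test hunks, a single named variable for the table would keep this system test from needing an edit on every pipeline change.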