[ovs-dev] [PATCH v3 ovn 1/2] ovn-northd: Reduce number of flows generated for stateful ACLs.

Numan Siddique numans at ovn.org
Fri Sep 11 13:34:00 UTC 2020


On Fri, Sep 11, 2020 at 6:11 PM Mark Michelson <mmichels at redhat.com> wrote:
>
> Acked-by: Mark Michelson <mmichels at redhat.com>


Thanks Dumitru, Mark and Han for the suggestion.

The patch LGTM. I applied this patch to master.

There was one test case failing - 148: ovn -- lflow cache for conjunctions.
This test case was added by me recently. I fixed the failure before applying.
It failed because of the changed table number for ACL.

Thanks
Numan


>
> There's one documentation error down below that can be fixed when this
> is merged. Since the referenced ECMP test case has been fixed already,
> this also won't cause any test failures.
>
> On 9/2/20 11:05 AM, Dumitru Ceara wrote:
> > Introduce two new stages in the logical switch pipeline:
> > - ls_in_acl_hint
> > - ls_out_acl_hint
> >
> > Flows in these stages match on various combinations of conntrack flags to
> > determine how traffic might be processed in the ACL stage. Four possible
> > hints are set (there may be more than one set at the same time per packet):
> > - REGBIT_ACL_HINT_ALLOW_NEW: the packet might match an allow-related ACL in
> >    which case it will have to commit or update a connection to conntrack.
> > - REGBIT_ACL_HINT_ALLOW: the packet might match an allow-related ACL but
> >    the session already exists so no commit will be needed.
> > - REGBIT_ACL_HINT_DROP: the packet might match a drop/reject ACL but the
> >    session already exists so no commit will be needed.
> > - REGBIT_ACL_HINT_BLOCK: the packet might match a drop/reject ACL in which
> >    case it will have to commit or update a connection in conntrack.
> >
> > These hints are used in the ls_in_acl/ls_out_acl tables and simplify the
> > match expressions for logical flows generated for ACLs reducing the number
> > of disjunctions in the match, therefore reducing the number of openflows
> > by a factor of 2 for allow-related ACLs and by a factor of 3 for drop/reject
> > ACLs.
> >
> > Suggested-by: Han Zhou <hzhou at ovn.org>
> > Signed-off-by: Dumitru Ceara <dceara at redhat.com>
> >
> > ---
> > NOTE: The "ovn -- ECMP symmetric reply" system test will fail with this
> > patch applied until the following patch that fixes the test is also merged:
> >
> > http://patchwork.ozlabs.org/project/ovn/patch/1599033403-1659-1-git-send-email-dceara@redhat.com/
> > ---
> >   northd/ovn-northd.8.xml |  134 ++++++++++++++++++++++++++++------
> >   northd/ovn-northd.c     |  186 +++++++++++++++++++++++++++++++++++------------
> >   tests/ovn-northd.at     |   26 +++----
> >   tests/ovn.at            |   58 +++++++--------
> >   tests/system-ovn.at     |    4 +
> >   5 files changed, 292 insertions(+), 116 deletions(-)
> >
> > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> > index 989e364..226afc8 100644
> > --- a/northd/ovn-northd.8.xml
> > +++ b/northd/ovn-northd.8.xml
> > @@ -386,7 +386,86 @@
> >         <code>ct_next;</code> action.
> >       </p>
> >
> > -    <h3>Ingress table 6: <code>from-lport</code> ACLs</h3>
> > +    <h3>Ingress Table 6: <code>from-lport</code> ACL hints</h3>
> > +
> > +    <p>
> > +      This table consists of logical flows that set hints
> > +      (<code>reg0</code> bits) to be used in the next stage, in the ACL
> > +      processing table. Multiple hints can be set for the same packet.
> > +      The possible hints are:
> > +    </p>
> > +    <ul>
> > +      <li>
> > +        <code>reg0[7]</code>: the packet might match an
> > +        <code>allow-related</code> ACL and might have to commit the
> > +        connection to conntrack.
> > +      </li>
> > +      <li>
> > +        <code>reg0[8]</code>: the packet might match an
> > +        <code>allow-related</code> ACL but there will be no need to commit
> > +        the connection to conntrack because it already exists.
> > +      </li>
> > +      <li>
> > +        <code>reg0[9]</code>: the packet might match a
> > +        <code>drop/reject</code>.
> > +      </li>
> > +      <li>
> > +        <code>reg0[10]</code>: the packet might match a
> > +        <code>drop/reject</code> ACL but the connection was previously
> > +        allowed so it might have to be committed again with
> > +        <code>ct_label=1/1</code>.
> > +      </li>
> > +    </ul>
> > +
> > +    <p>
> > +      The table contains the following flows:
> > +    </p>
> > +    <ul>
> > +      <li>
> > +        A priority-7 flow that matches on packets that initiate a new session.
> > +        This flow sets <code>reg0[7]</code> and <code>reg0[9]</code> and
> > +        then advances to the next table.
> > +      </li>
> > +      <li>
> > +        A priority-6 flow that matches on packets that are in the request
> > +        direction of an already existing session that has been marked
> > +        as blocked. This flow sets <code>reg0[7]</code> and
> > +        <code>reg0[9]</code> and then advances to the next table.
> > +      </li>
> > +      <li>
> > +        A priority-5 flow that matches untracked packets. This flow sets
> > +        <code>reg0[8]</code> and <code>reg0[9]</code> and then advances to
> > +        the next table.
> > +      </li>
> > +      <li>
> > +        A priority-4 flow that matches on packets that are in the request
> > +        direction of an already existing session that has not been marked
> > +        as blocked. This flow sets <code>reg0[8]</code> and
> > +        <code>reg0[10]</code> and then advances to the next table.
> > +      </li>
> > +      <li>
> > +        A priority-3 flow that matches on packets that are in not part of
> > +        established sessions. This flow sets <code>reg0[9]</code> and then
> > +        advances to the next table.
> > +      </li>
> > +      <li>
> > +        A priority-2 flow that matches on packets that are part of an
> > +        established session that has been marked as blocked.
> > +        This flow sets <code>reg0[9]</code> and then advances to the next
> > +        table.
> > +      </li>
> > +      <li>
> > +        A priority-1 flow that matches on packets that are part of an
> > +        established session that has not been marked as blocked.
> > +        This flow sets <code>reg0[10]</code> and then advances to the next
> > +        table.
> > +      </li>
> > +      <li>
> > +        A priority-0 flow to advance to the next table.
> > +      </li>
> > +    </ul>
> > +
> > +    <h3>Ingress table 7: <code>from-lport</code> ACLs</h3>
> >
> >       <p>
> >         Logical flows in this table closely reproduce those in the
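Review bot: three wording slips in the new hints section need fixing before this goes in. The reg0[9] bullet stops at `<code>drop/reject</code>.` with no noun; given the flows below, it should say something like "the packet might match a drop/reject ACL and can be dropped without committing anything to conntrack". The priority-3 bullet reads "packets that are in not part of established sessions" (drop "in"). The reg0[10] bullet says `ct_label=1/1`, but the ACL flows commit `ct_label.blocked = 1`, so name the field the way the matches do. It would also help the reader to state that only the highest-priority matching flow runs here, because the bit combinations only make sense once you know the priorities partition the conntrack states.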
> > @@ -494,7 +573,7 @@
> >         </li>
> >       </ul>
> >
> > -    <h3>Ingress Table 7: <code>from-lport</code> QoS Marking</h3>
> > +    <h3>Ingress Table 8: <code>from-lport</code> QoS Marking</h3>
> >
> >       <p>
> >         Logical flows in this table closely reproduce those in the
> > @@ -516,7 +595,7 @@
> >         </li>
> >       </ul>
> >
> > -    <h3>Ingress Table 8: <code>from-lport</code> QoS Meter</h3>
> > +    <h3>Ingress Table 9: <code>from-lport</code> QoS Meter</h3>
> >
> >       <p>
> >         Logical flows in this table closely reproduce those in the
> > @@ -538,7 +617,7 @@
> >         </li>
> >       </ul>
> >
> > -    <h3>Ingress Table 9: LB</h3>
> > +    <h3>Ingress Table 10: LB</h3>
> >
> >       <p>
> >         It contains a priority-0 flow that simply moves traffic to the next
> > @@ -564,7 +643,7 @@
> >         connection.)
> >       </p>
> >
> > -    <h3>Ingress Table 10: Stateful</h3>
> > +    <h3>Ingress Table 11: Stateful</h3>
> >
> >       <ul>
> >         <li>
> > @@ -612,7 +691,7 @@
> >         </li>
> >       </ul>
> >
> > -    <h3>Ingress Table 11: Pre-Hairpin</h3>
> > +    <h3>Ingress Table 12: Pre-Hairpin</h3>
> >       <ul>
> >         <li>
> >           For all configured load balancer VIPs a priority-2 flow that
> > @@ -632,7 +711,7 @@
> >         </li>
> >       </ul>
> >
> > -    <h3>Ingress Table 12: Hairpin</h3>
> > +    <h3>Ingress Table 13: Hairpin</h3>
> >       <ul>
> >         <li>
> >           A priority-1 flow that hairpins traffic matched by non-default
> > @@ -645,7 +724,7 @@
> >         </li>
> >       </ul>
> >
> > -    <h3>Ingress Table 13: ARP/ND responder</h3>
> > +    <h3>Ingress Table 14: ARP/ND responder</h3>
> >
> >       <p>
> >         This table implements ARP/ND responder in a logical switch for known
> > @@ -930,7 +1009,7 @@ output;
> >         </li>
> >       </ul>
> >
> > -    <h3>Ingress Table 14: DHCP option processing</h3>
> > +    <h3>Ingress Table 15: DHCP option processing</h3>
> >
> >       <p>
> >         This table adds the DHCPv4 options to a DHCPv4 packet from the
> > @@ -987,11 +1066,11 @@ next;
> >         </li>
> >
> >         <li>
> > -        A priority-0 flow that matches all packets to advances to table 15.
> > +        A priority-0 flow that matches all packets to advances to table 16.
> >         </li>
> >       </ul>
> >
> > -    <h3>Ingress Table 15: DHCP responses</h3>
> > +    <h3>Ingress Table 16: DHCP responses</h3>
> >
> >       <p>
> >         This table implements DHCP responder for the DHCP replies generated by
> > @@ -1068,11 +1147,11 @@ output;
> >         </li>
> >
> >         <li>
> > -        A priority-0 flow that matches all packets to advances to table 16.
> > +        A priority-0 flow that matches all packets to advances to table 17.
> >         </li>
> >       </ul>
> >
> > -    <h3>Ingress Table 16 DNS Lookup</h3>
> > +    <h3>Ingress Table 17 DNS Lookup</h3>
> >
> >       <p>
> >         This table looks up and resolves the DNS names to the corresponding
> > @@ -1101,7 +1180,7 @@ reg0[4] = dns_lookup(); next;
> >         </li>
> >       </ul>
> >
> > -    <h3>Ingress Table 17 DNS Responses</h3>
> > +    <h3>Ingress Table 18 DNS Responses</h3>
> >
> >       <p>
> >         This table implements DNS responder for the DNS replies generated by
> > @@ -1136,7 +1215,7 @@ output;
> >         </li>
> >       </ul>
> >
> > -    <h3>Ingress table 18 External ports</h3>
> > +    <h3>Ingress table 19 External ports</h3>
> >
> >       <p>
> >         Traffic from the <code>external</code> logical ports enter the ingress
> > @@ -1175,11 +1254,11 @@ output;
> >         </li>
> >
> >         <li>
> > -        A priority-0 flow that matches all packets to advances to table 19.
> > +        A priority-0 flow that matches all packets to advances to table 20.
> >         </li>
> >       </ul>
> >
> > -    <h3>Ingress Table 19 Destination Lookup</h3>
> > +    <h3>Ingress Table 20 Destination Lookup</h3>
> >
> >       <p>
> >         This table implements switching behavior.  It contains these logical
> > @@ -1412,7 +1491,12 @@ output;
> >         This is similar to ingress table <code>LB</code>.
> >       </p>
> >
> > -    <h3>Egress Table 4: <code>to-lport</code> ACLs</h3>
> > +    <h3>Ingress Table 6: <code>from-lport</code> ACL hints</h3>
>
> This appears to be a copy-paste error. This should be Egress Table 4,
> not Ingress Table 6.
>
> > +    <p>
> > +      This is similar to ingress table <code>ACL hints</code>.
> > +    </p>
> > +
> > +    <h3>Egress Table 5: <code>to-lport</code> ACLs</h3>
> >
> >       <p>
> >         This is similar to ingress table <code>ACLs</code> except for
> > @@ -1427,14 +1511,14 @@ output;
> >           A priority 34000 logical flow is added for each logical port which
> >           has DHCPv4 options defined to allow the DHCPv4 reply packet and which has
> >           DHCPv6 options defined to allow the DHCPv6 reply packet from the
> > -        <code>Ingress Table 15: DHCP responses</code>.
> > +        <code>Ingress Table 16: DHCP responses</code>.
> >         </li>
> >
> >         <li>
> >           A priority 34000 logical flow is added for each logical switch datapath
> >           configured with DNS records with the match <code>udp.dst = 53</code>
> >           to allow the DNS reply packet from the
> > -        <code>Ingress Table 17: DNS responses</code>.
> > +        <code>Ingress Table 18: DNS responses</code>.
> >         </li>
> >
> >         <li>
> > @@ -1449,28 +1533,28 @@ output;
> >         </li>
> >       </ul>
> >
> > -    <h3>Egress Table 5: <code>to-lport</code> QoS Marking</h3>
> > +    <h3>Egress Table 6: <code>to-lport</code> QoS Marking</h3>
> >
> >       <p>
> >         This is similar to ingress table <code>QoS marking</code> except
> >         they apply to <code>to-lport</code> QoS rules.
> >       </p>
> >
> > -    <h3>Egress Table 6: <code>to-lport</code> QoS Meter</h3>
> > +    <h3>Egress Table 7: <code>to-lport</code> QoS Meter</h3>
> >
> >       <p>
> >         This is similar to ingress table <code>QoS meter</code> except
> >         they apply to <code>to-lport</code> QoS rules.
> >       </p>
> >
> > -    <h3>Egress Table 7: Stateful</h3>
> > +    <h3>Egress Table 8: Stateful</h3>
> >
> >       <p>
> >         This is similar to ingress table <code>Stateful</code> except that
> >         there are no rules added for load balancing new connections.
> >       </p>
> >
> > -    <h3>Egress Table 8: Egress Port Security - IP</h3>
> > +    <h3>Egress Table 9: Egress Port Security - IP</h3>
> >
> >       <p>
> >         This is similar to the port security logic in table
> > @@ -1480,7 +1564,7 @@ output;
> >         <code>ip4.src</code> and <code>ip6.src</code>
> >       </p>
> >
> > -    <h3>Egress Table 9: Egress Port Security - L2</h3>
> > +    <h3>Egress Table 10: Egress Port Security - L2</h3>
> >
> >       <p>
> >         This is similar to the ingress port security logic in ingress table
> > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> > index 7be0e85..2025446 100644
> > --- a/northd/ovn-northd.c
> > +++ b/northd/ovn-northd.c
> > @@ -138,32 +138,34 @@ enum ovn_stage {
> >       PIPELINE_STAGE(SWITCH, IN,  PRE_ACL,        3, "ls_in_pre_acl")       \
> >       PIPELINE_STAGE(SWITCH, IN,  PRE_LB,         4, "ls_in_pre_lb")        \
> >       PIPELINE_STAGE(SWITCH, IN,  PRE_STATEFUL,   5, "ls_in_pre_stateful")  \
> > -    PIPELINE_STAGE(SWITCH, IN,  ACL,            6, "ls_in_acl")           \
> > -    PIPELINE_STAGE(SWITCH, IN,  QOS_MARK,       7, "ls_in_qos_mark")      \
> > -    PIPELINE_STAGE(SWITCH, IN,  QOS_METER,      8, "ls_in_qos_meter")     \
> > -    PIPELINE_STAGE(SWITCH, IN,  LB,             9, "ls_in_lb")            \
> > -    PIPELINE_STAGE(SWITCH, IN,  STATEFUL,      10, "ls_in_stateful")      \
> > -    PIPELINE_STAGE(SWITCH, IN,  PRE_HAIRPIN,   11, "ls_in_pre_hairpin")   \
> > -    PIPELINE_STAGE(SWITCH, IN,  HAIRPIN,       12, "ls_in_hairpin")       \
> > -    PIPELINE_STAGE(SWITCH, IN,  ARP_ND_RSP,    13, "ls_in_arp_rsp")       \
> > -    PIPELINE_STAGE(SWITCH, IN,  DHCP_OPTIONS,  14, "ls_in_dhcp_options")  \
> > -    PIPELINE_STAGE(SWITCH, IN,  DHCP_RESPONSE, 15, "ls_in_dhcp_response") \
> > -    PIPELINE_STAGE(SWITCH, IN,  DNS_LOOKUP,    16, "ls_in_dns_lookup")    \
> > -    PIPELINE_STAGE(SWITCH, IN,  DNS_RESPONSE,  17, "ls_in_dns_response")  \
> > -    PIPELINE_STAGE(SWITCH, IN,  EXTERNAL_PORT, 18, "ls_in_external_port") \
> > -    PIPELINE_STAGE(SWITCH, IN,  L2_LKUP,       19, "ls_in_l2_lkup")       \
> > +    PIPELINE_STAGE(SWITCH, IN,  ACL_HINT,       6, "ls_in_acl_hint")      \
> > +    PIPELINE_STAGE(SWITCH, IN,  ACL,            7, "ls_in_acl")           \
> > +    PIPELINE_STAGE(SWITCH, IN,  QOS_MARK,       8, "ls_in_qos_mark")      \
> > +    PIPELINE_STAGE(SWITCH, IN,  QOS_METER,      9, "ls_in_qos_meter")     \
> > +    PIPELINE_STAGE(SWITCH, IN,  LB,            10, "ls_in_lb")            \
> > +    PIPELINE_STAGE(SWITCH, IN,  STATEFUL,      11, "ls_in_stateful")      \
> > +    PIPELINE_STAGE(SWITCH, IN,  PRE_HAIRPIN,   12, "ls_in_pre_hairpin")   \
> > +    PIPELINE_STAGE(SWITCH, IN,  HAIRPIN,       13, "ls_in_hairpin")       \
> > +    PIPELINE_STAGE(SWITCH, IN,  ARP_ND_RSP,    14, "ls_in_arp_rsp")       \
> > +    PIPELINE_STAGE(SWITCH, IN,  DHCP_OPTIONS,  15, "ls_in_dhcp_options")  \
> > +    PIPELINE_STAGE(SWITCH, IN,  DHCP_RESPONSE, 16, "ls_in_dhcp_response") \
> > +    PIPELINE_STAGE(SWITCH, IN,  DNS_LOOKUP,    17, "ls_in_dns_lookup")    \
> > +    PIPELINE_STAGE(SWITCH, IN,  DNS_RESPONSE,  18, "ls_in_dns_response")  \
> > +    PIPELINE_STAGE(SWITCH, IN,  EXTERNAL_PORT, 19, "ls_in_external_port") \
> > +    PIPELINE_STAGE(SWITCH, IN,  L2_LKUP,       20, "ls_in_l2_lkup")       \
> >                                                                             \
> >       /* Logical switch egress stages. */                                   \
> >       PIPELINE_STAGE(SWITCH, OUT, PRE_LB,       0, "ls_out_pre_lb")         \
> >       PIPELINE_STAGE(SWITCH, OUT, PRE_ACL,      1, "ls_out_pre_acl")        \
> >       PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful")   \
> >       PIPELINE_STAGE(SWITCH, OUT, LB,           3, "ls_out_lb")             \
> > -    PIPELINE_STAGE(SWITCH, OUT, ACL,          4, "ls_out_acl")            \
> > -    PIPELINE_STAGE(SWITCH, OUT, QOS_MARK,     5, "ls_out_qos_mark")       \
> > -    PIPELINE_STAGE(SWITCH, OUT, QOS_METER,    6, "ls_out_qos_meter")      \
> > -    PIPELINE_STAGE(SWITCH, OUT, STATEFUL,     7, "ls_out_stateful")       \
> > -    PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP,  8, "ls_out_port_sec_ip")    \
> > -    PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2,  9, "ls_out_port_sec_l2")    \
> > +    PIPELINE_STAGE(SWITCH, OUT, ACL_HINT,     4, "ls_out_acl_hint")       \
> > +    PIPELINE_STAGE(SWITCH, OUT, ACL,          5, "ls_out_acl")            \
> > +    PIPELINE_STAGE(SWITCH, OUT, QOS_MARK,     6, "ls_out_qos_mark")       \
> > +    PIPELINE_STAGE(SWITCH, OUT, QOS_METER,    7, "ls_out_qos_meter")      \
> > +    PIPELINE_STAGE(SWITCH, OUT, STATEFUL,     8, "ls_out_stateful")       \
> > +    PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP,  9, "ls_out_port_sec_ip")    \
> > +    PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2, 10, "ls_out_port_sec_l2")    \
> >                                                                         \
> >       /* Logical router ingress stages. */                              \
> >       PIPELINE_STAGE(ROUTER, IN,  ADMISSION,       0, "lr_in_admission")    \
> > @@ -205,13 +207,17 @@ enum ovn_stage {
> >   #define OVN_ACL_PRI_OFFSET 1000
> >
> >   /* Register definitions specific to switches. */
> > -#define REGBIT_CONNTRACK_DEFRAG  "reg0[0]"
> > -#define REGBIT_CONNTRACK_COMMIT  "reg0[1]"
> > -#define REGBIT_CONNTRACK_NAT     "reg0[2]"
> > -#define REGBIT_DHCP_OPTS_RESULT  "reg0[3]"
> > -#define REGBIT_DNS_LOOKUP_RESULT "reg0[4]"
> > -#define REGBIT_ND_RA_OPTS_RESULT "reg0[5]"
> > -#define REGBIT_HAIRPIN           "reg0[6]"
> > +#define REGBIT_CONNTRACK_DEFRAG   "reg0[0]"
> > +#define REGBIT_CONNTRACK_COMMIT   "reg0[1]"
> > +#define REGBIT_CONNTRACK_NAT      "reg0[2]"
> > +#define REGBIT_DHCP_OPTS_RESULT   "reg0[3]"
> > +#define REGBIT_DNS_LOOKUP_RESULT  "reg0[4]"
> > +#define REGBIT_ND_RA_OPTS_RESULT  "reg0[5]"
> > +#define REGBIT_HAIRPIN            "reg0[6]"
> > +#define REGBIT_ACL_HINT_ALLOW_NEW "reg0[7]"
> > +#define REGBIT_ACL_HINT_ALLOW     "reg0[8]"
> > +#define REGBIT_ACL_HINT_DROP      "reg0[9]"
> > +#define REGBIT_ACL_HINT_BLOCK     "reg0[10]"
> >
> >   /* Register definitions for switches and routers. */
> >
> > @@ -246,11 +252,12 @@ enum ovn_stage {
> >    * OVS register usage:
> >    *
> >    * Logical Switch pipeline:
> > - * +---------+-------------------------------------+
> > - * | R0      | REGBIT_{CONNTRACK/DHCP/DNS/HAIRPIN} |
> > - * +---------+-------------------------------------+
> > - * | R1 - R9 |              UNUSED                 |
> > - * +---------+-------------------------------------+
> > + * +---------+----------------------------------------------+
> > + * | R0      |     REGBIT_{CONNTRACK/DHCP/DNS/HAIRPIN}      |
> > + * |         | REGBIT_ACL_HINT_{ALLOW_NEW/ALLOW/DROP/BLOCK} |
> > + * +---------+----------------------------------------------+
> > + * | R1 - R9 |                   UNUSED                     |
> > + * +---------+----------------------------------------------+
> >    *
> >    * Logical Router pipeline:
> >    * +-----+--------------------------+---+-----------------+---+---------------+
> > @@ -5140,6 +5147,96 @@ build_pre_stateful(struct ovn_datapath *od, struct hmap *lflows)
> >   }
> >
> >   static void
> > +build_acl_hints(struct ovn_datapath *od, struct hmap *lflows)
> > +{
> > +    /* This stage builds hints for the IN/OUT_ACL stage. Based on various
> > +     * combinations of ct flags packets may hit only a subset of the logical
> > +     * flows in the IN/OUT_ACL stage.
> > +     *
> > +     * Populating ACL hints first and storing them in registers simplifies
> > +     * the logical flow match expressions in the IN/OUT_ACL stage and
> > +     * generates less openflows.
> > +     *
> > +     * Certain combinations of ct flags might be valid matches for multiple
> > +     * types of ACL logical flows (e.g., allow/drop). In such cases hints
> > +     * corresponding to all potential matches are set.
> > +     */
> > +
> > +    enum ovn_stage stages[] = {
> > +        S_SWITCH_IN_ACL_HINT,
> > +        S_SWITCH_OUT_ACL_HINT,
> > +    };
> > +
> > +    for (size_t i = 0; i < ARRAY_SIZE(stages); i++) {
> > +        enum ovn_stage stage = stages[i];
> > +
> > +        /* New, not already established connections, may hit either allow
> > +         * or drop ACLs. For allow ACLs, the connection must also be committed
> > +         * to conntrack so we set REGBIT_ACL_HINT_ALLOW_NEW.
> > +         */
> > +        ovn_lflow_add(lflows, od, stage, 7, "ct.new && !ct.est",
> > +                      REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
> > +                      REGBIT_ACL_HINT_DROP " = 1; "
> > +                      "next;");
> > +
> > +        /* Already established connections in the "request" direction that
> > +         * are already marked as "blocked" may hit either:
> > +         * - allow ACLs for connections that were previously allowed by a
> > +         *   policy that was deleted and is being readded now. In this case
> > +         *   the connection should be recommitted so we set
> > +         *   REGBIT_ACL_HINT_ALLOW_NEW.
> > +         * - drop ACLs.
> > +         */
> > +        ovn_lflow_add(lflows, od, stage, 6,
> > +                      "!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1",
> > +                      REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
> > +                      REGBIT_ACL_HINT_DROP " = 1; "
> > +                      "next;");
> > +
> > +        /* Not tracked traffic can either be allowed or dropped. */
> > +        ovn_lflow_add(lflows, od, stage, 5, "!ct.trk",
> > +                      REGBIT_ACL_HINT_ALLOW " = 1; "
> > +                      REGBIT_ACL_HINT_DROP " = 1; "
> > +                      "next;");
> > +
> > +        /* Already established connections in the "request" direction may hit
> > +         * either:
> > +         * - allow ACLs in which case the traffic should be allowed so we set
> > +         *   REGBIT_ACL_HINT_ALLOW.
> > +         * - drop ACLs in which case the traffic should be blocked and the
> > +         *   connection must be committed with ct_label.blocked set so we set
> > +         *   REGBIT_ACL_HINT_BLOCK.
> > +         */
> > +        ovn_lflow_add(lflows, od, stage, 4,
> > +                      "!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0",
> > +                      REGBIT_ACL_HINT_ALLOW " = 1; "
> > +                      REGBIT_ACL_HINT_BLOCK " = 1; "
> > +                      "next;");
> > +
> > +        /* Not established or established and already blocked connections may
> > +         * hit drop ACLs.
> > +         */
> > +        ovn_lflow_add(lflows, od, stage, 3, "!ct.est",
> > +                      REGBIT_ACL_HINT_DROP " = 1; "
> > +                      "next;");
> > +        ovn_lflow_add(lflows, od, stage, 2, "ct.est && ct_label.blocked == 1",
> > +                      REGBIT_ACL_HINT_DROP " = 1; "
> > +                      "next;");
> > +
> > +        /* Established connections that were previously allowed might hit
> > +         * drop ACLs in which case the connection must be committed with
> > +         * ct_label.blocked set.
> > +         */
> > +        ovn_lflow_add(lflows, od, stage, 1, "ct.est && ct_label.blocked == 0",
> > +                      REGBIT_ACL_HINT_BLOCK " = 1; "
> > +                      "next;");
> > +
> > +        /* In any case, advance to the next stage. */
> > +        ovn_lflow_add(lflows, od, stage, 0, "1", "next;");
> > +    }
> > +}
> > +
> > +static void
> >   build_acl_log(struct ds *actions, const struct nbrec_acl *acl)
> >   {
> >       if (!acl->log) {
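Review bot: the flows in this stage only ever set reg0[7..10]; nothing clears them, so the stage is correct only if those four bits are zero when a packet enters it. Please state that assumption in the block comment at the top of build_acl_hints(), since a stale ALLOW or ALLOW_NEW bit would let a packet satisfy an allow-related ACL flow it should not reach. A second sentence saying that exactly one flow here matches any packet (new, blocked request, untracked, allowed request, other non-established, other blocked, other allowed, catch-all) would make checking the bit combinations against consider_acl() much easier for the next reader.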
> > @@ -5197,7 +5294,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
> >                     "eth.dst <-> eth.src; ip4.dst <-> ip4.src; "
> >                     "tcp_reset { outport <-> inport; %s };",
> >                     ingress ? "next(pipeline=egress,table=5);"
> > -                          : "next(pipeline=ingress,table=19);");
> > +                          : "next(pipeline=ingress,table=20);");
> >       ovn_lflow_add_with_hint(lflows, od, stage,
> >                               acl->priority + OVN_ACL_PRI_OFFSET + 10,
> >                               ds_cstr(&match), ds_cstr(&actions), stage_hint);
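Review bot: the ingress branch still jumps to `next(pipeline=egress,table=5);` while only the egress branch is bumped from 19 to 20. The PIPELINE_STAGE hunk above moves ls_out_qos_mark from table 5 to 6 and puts ls_out_acl at 5, so the generated tcp_reset reply now re-enters the egress pipeline at the ACL stage instead of QoS marking as before. Either bump it to 6 at all four call sites in this function, or better, compute both numbers with ovn_stage_get_table(S_SWITCH_OUT_QOS_MARK) and ovn_stage_get_table(S_SWITCH_IN_L2_LKUP) so the next stage insertion cannot miss them.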
> > @@ -5212,7 +5309,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
> >                     "eth.dst <-> eth.src; ip6.dst <-> ip6.src; "
> >                     "tcp_reset { outport <-> inport; %s };",
> >                     ingress ? "next(pipeline=egress,table=5);"
> > -                          : "next(pipeline=ingress,table=19);");
> > +                          : "next(pipeline=ingress,table=20);");
> >       ovn_lflow_add_with_hint(lflows, od, stage,
> >                               acl->priority + OVN_ACL_PRI_OFFSET + 10,
> >                               ds_cstr(&match), ds_cstr(&actions), stage_hint);
> > @@ -5232,7 +5329,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
> >                     "icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; "
> >                     "outport <-> inport; %s };",
> >                     ingress ? "next(pipeline=egress,table=5);"
> > -                          : "next(pipeline=ingress,table=19);");
> > +                          : "next(pipeline=ingress,table=20);");
> >       ovn_lflow_add_with_hint(lflows, od, stage,
> >                               acl->priority + OVN_ACL_PRI_OFFSET,
> >                               ds_cstr(&match), ds_cstr(&actions), stage_hint);
> > @@ -5250,7 +5347,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
> >                     "eth.dst <-> eth.src; ip6.dst <-> ip6.src; "
> >                     "outport <-> inport; %s };",
> >                     ingress ? "next(pipeline=egress,table=5);"
> > -                          : "next(pipeline=ingress,table=19);");
> > +                          : "next(pipeline=ingress,table=20);");
> >       ovn_lflow_add_with_hint(lflows, od, stage,
> >                               acl->priority + OVN_ACL_PRI_OFFSET,
> >                               ds_cstr(&match), ds_cstr(&actions), stage_hint);
> > @@ -5298,10 +5395,8 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
> >                * by ct_commit in the "stateful" stage) to indicate that the
> >                * connection should be allowed to resume.
> >                */
> > -            ds_put_format(&match, "((ct.new && !ct.est)"
> > -                                  " || (!ct.new && ct.est && !ct.rpl "
> > -                                       "&& ct_label.blocked == 1)) "
> > -                                  "&& (%s)", acl->match);
> > +            ds_put_format(&match, REGBIT_ACL_HINT_ALLOW_NEW " == 1 && (%s)",
> > +                          acl->match);
> >               ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
> >               build_acl_log(&actions, acl);
> >               ds_put_cstr(&actions, "next;");
> > @@ -5319,9 +5414,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
> >                * policy. Match untracked packets too. */
> >               ds_clear(&match);
> >               ds_clear(&actions);
> > -            ds_put_format(&match,
> > -                          "(!ct.trk || (!ct.new && ct.est && !ct.rpl"
> > -                          " && ct_label.blocked == 0)) && (%s)",
> > +            ds_put_format(&match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)",
> >                             acl->match);
> >
> >               build_acl_log(&actions, acl);
> > @@ -5346,9 +5439,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
> >           if (has_stateful) {
> >               /* If the packet is not tracked or not part of an established
> >                * connection, then we can simply reject/drop it. */
> > -            ds_put_cstr(&match,
> > -                        "(!ct.trk || !ct.est"
> > -                        " || (ct.est && ct_label.blocked == 1))");
> > +            ds_put_cstr(&match, REGBIT_ACL_HINT_DROP " == 1");
> >               if (!strcmp(acl->action, "reject")) {
> >                   build_reject_acl_rules(od, lflows, stage, acl, &match,
> >                                          &actions, &acl->header_);
> > @@ -5374,7 +5465,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
> >                */
> >               ds_clear(&match);
> >               ds_clear(&actions);
> > -            ds_put_cstr(&match, "ct.est && ct_label.blocked == 0");
> > +            ds_put_cstr(&match, REGBIT_ACL_HINT_BLOCK " == 1");
> >               ds_put_cstr(&actions, "ct_commit { ct_label.blocked = 1; }; ");
> >               if (!strcmp(acl->action, "reject")) {
> >                   build_reject_acl_rules(od, lflows, stage, acl, &match,
> > @@ -6621,6 +6712,7 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
> >           build_pre_acls(od, lflows);
> >           build_pre_lb(od, lflows, meter_groups, lbs);
> >           build_pre_stateful(od, lflows);
> > +        build_acl_hints(od, lflows);
> >           build_acls(od, lflows, port_groups);
> >           build_qos(od, lflows);
> >           build_lb(od, lflows);
> > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> > index 8344c7f..87644bd 100644
> > --- a/tests/ovn-northd.at
> > +++ b/tests/ovn-northd.at
> > @@ -1185,7 +1185,7 @@ ovn-nbctl --wait=sb ls-lb-add sw0 lb1
> >
> >   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> >   ])
> >
> >   # Delete the Load_Balancer_Health_Check
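Review bot: these expectations hardcode `table=11(ls_in_stateful     )`, so every stage insertion rewrites all of them, which is exactly what happened to the ECMP test mentioned in the cover text. Normalizing the number before comparing, e.g. `sed 's/table=[[0-9]]*(/table=??(/'`, and matching on the stage name would make this block immune to future pipeline changes.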
> > @@ -1194,7 +1194,7 @@ OVS_WAIT_UNTIL([test 0 = `ovn-sbctl list service_monitor |  wc -l`])
> >
> >   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> >   ])
> >
> >   # Create the Load_Balancer_Health_Check again.
> > @@ -1207,7 +1207,7 @@ service_monitor | sed '/^$/d' | wc -l`])
> >
> >   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> >   ])
> >
> >   # Get the uuid of both the service_monitor
> > @@ -1223,7 +1223,7 @@ OVS_WAIT_UNTIL([
> >
> >   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
> >   ])
> >
> >   # Set the service monitor for sw0-p1 to offline
> > @@ -1240,7 +1240,7 @@ AT_CHECK([cat lflows.txt], [0], [dnl
> >   ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \
> >   | grep priority=120 > lflows.txt
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(drop;)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(drop;)
> >   ])
> >
> >   # Set the service monitor for sw0-p1 and sw1-p1 to online
> > @@ -1253,7 +1253,7 @@ OVS_WAIT_UNTIL([
> >
> >   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> >   ])
> >
> >   # Set the service monitor for sw1-p1 to error
> > @@ -1265,7 +1265,7 @@ OVS_WAIT_UNTIL([
> >   ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \
> >   | grep priority=120 > lflows.txt
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
> >   ])
> >
> >   # Add one more vip to lb1
> > @@ -1295,8 +1295,8 @@ service_monitor port=1000 | sed '/^$/d' | wc -l`])
> >
> >   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000);)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000);)
> >   ])
> >
> >   # Set the service monitor for sw1-p1 to online
> > @@ -1308,16 +1308,16 @@ OVS_WAIT_UNTIL([
> >
> >   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
> >   ])
> >
> >   # Associate lb1 to sw1
> >   ovn-nbctl --wait=sb ls-lb-add sw1 lb1
> >   ovn-sbctl dump-flows sw1 | grep ct_lb | grep priority=120 > lflows.txt
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
> >   ])
> >
> >   # Now create lb2 same as lb1 but udp protocol.
> > diff --git a/tests/ovn.at b/tests/ovn.at
> > index 5ad51c0..99861bf 100644
> > --- a/tests/ovn.at
> > +++ b/tests/ovn.at
> > @@ -14237,17 +14237,17 @@ ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
> >   AT_CHECK([ovn-sbctl dump-flows ls1 | grep "offerip = 10.0.0.6" | \
> >   wc -l], [0], [0
> >   ])
> > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep "0a.00.00.06" | wc -l], [0], [0
> >   ])
> > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep "0a.00.00.06" | wc -l], [0], [0
> >   ])
> > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep tp_src=546 | grep \
> >   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
> >   ])
> > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep tp_src=546 | grep \
> >   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
> >   ])
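Review bot: `grep table=23` is an OpenFlow table number rather than a logical stage name, so nothing in the test tells a reader that 23 is derived from the ingress pipeline base plus a stage index, or why adding a stage ahead of the DHCP flows moved it from 22. A comment beside the first occurrence, or a shell variable such as `dhcp_table=23` shared by the hv1/hv2 checks, would turn the next renumbering into a one-line change instead of the twenty `table=22` to `table=23` edits spread across this file.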
> > @@ -14278,17 +14278,17 @@ port_binding logical_port=ls1-lp_ext1`
> >
> >   # No DHCPv4/v6 flows for the external port - ls1-lp_ext1 - 10.0.0.6 in hv1 and hv2
> >   # as no localnet port added to ls1 yet.
> > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep "0a.00.00.06" | wc -l], [0], [0
> >   ])
> > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep "0a.00.00.06" | wc -l], [0], [0
> >   ])
> > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep tp_src=546 | grep \
> >   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
> >   ])
> > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep tp_src=546 | grep \
> >   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
> >   ])
> > @@ -14310,38 +14310,38 @@ logical_port=ls1-lp_ext1`
> >       test "$chassis" = "$hv1_uuid"])
> >
> >   # There should be DHCPv4/v6 OF flows for the ls1-lp_ext1 port in hv1
> > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep "0a.00.00.06" | grep reg14=0x$ln_public_key | \
> >   wc -l], [0], [3
> >   ])
> > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep tp_src=546 | grep \
> >   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | \
> >   grep reg14=0x$ln_public_key | wc -l], [0], [1
> >   ])
> >
> >   # There should be no DHCPv4/v6 flows for ls1-lp_ext1 on hv2
> > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep "0a.00.00.06" | wc -l], [0], [0
> >   ])
> > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep tp_src=546 | grep \
> >   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
> >   ])
> >
> >   # No DHCPv4/v6 flows for the external port - ls1-lp_ext2 - 10.0.0.7 in hv1 and
> >   # hv2 as requested-chassis option is not set.
> > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep "0a.00.00.07" | wc -l], [0], [0
> >   ])
> > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep "0a.00.00.07" | wc -l], [0], [0
> >   ])
> > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep tp_src=546 | grep \
> >   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.07" | wc -l], [0], [0
> >   ])
> > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep tp_src=546 | grep \
> >   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.07" | wc -l], [0], [0
> >   ])
> > @@ -14593,21 +14593,21 @@ logical_port=ls1-lp_ext1`
> >       test "$chassis" = "$hv2_uuid"])
> >
> >   # There should be OF flows for DHCP4/v6 for the ls1-lp_ext1 port in hv2
> > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep "0a.00.00.06" | grep reg14=0x$ln_public_key | \
> >   wc -l], [0], [3
> >   ])
> > -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep tp_src=546 | grep \
> >   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | \
> >   grep reg14=0x$ln_public_key | wc -l], [0], [1
> >   ])
> >
> >   # There should be no DHCPv4/v6 flows for ls1-lp_ext1 on hv1
> > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep "0a.00.00.06" | wc -l], [0], [0
> >   ])
> > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
> > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
> >   grep controller | grep tp_src=546 | grep \
> >   "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | \
> >   grep reg14=0x$ln_public_key | wc -l], [0], [0
> > @@ -14873,7 +14873,7 @@ logical_port=ls1-lp_ext1`
> >   # There should be a flow in hv2 to drop traffic from ls1-lp_ext1 destined
> >   # to router mac.
> >   AT_CHECK([as hv2 ovs-ofctl dump-flows br-int \
> > -table=26,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \
> > +table=27,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \
> >   grep -c "actions=drop"], [0], [1
> >   ])
> >
> > @@ -16144,9 +16144,9 @@ ovn-nbctl --wait=hv sync
> >   ovn-sbctl dump-flows sw0 | grep ls_in_arp_rsp | grep bind_vport > lflows.txt
> >
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=13(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p1" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> > -  table=13(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p2" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> > -  table=13(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> > +  table=14(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p1" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> > +  table=14(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p2" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> > +  table=14(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> >   ])
> >
> >   ovn-sbctl dump-flows lr0 | grep lr_in_arp_resolve | grep "reg0 == 10.0.0.10" \
> > @@ -16356,8 +16356,8 @@ ovn-nbctl --wait=hv set logical_switch_port sw0-vir options:virtual-ip=10.0.0.10
> >   ovn-sbctl dump-flows sw0 | grep ls_in_arp_rsp | grep bind_vport > lflows.txt
> >
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=13(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p1" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> > -  table=13(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> > +  table=14(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p1" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> > +  table=14(ls_in_arp_rsp      ), priority=100  , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
> >   ])
> >
> >   ovn-nbctl --wait=hv remove logical_switch_port sw0-vir options virtual-parents
> > @@ -18340,7 +18340,7 @@ test_ip vif11 f00000000011 000001010203 $sip $dip vif-north
> >   OVN_CHECK_PACKETS_REMOVE_BROADCAST([hv4/vif-north-tx.pcap], [vif-north.expected])
> >
> >   # Confirm that packets did not go out via tunnel port.
> > -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=32 | grep NXM_NX_TUN_METADATA0 | grep n_packets=0 | wc -l], [0], [[0
> > +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=33 | grep NXM_NX_TUN_METADATA0 | grep n_packets=0 | wc -l], [0], [[0
> >   ]])
> >
> >   # Confirm that packet went out via localnet port
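Review bot: the table moved from 32 to 33 here is the tunnel output table (the test greps it for NXM_NX_TUN_METADATA0 to confirm nothing left via the tunnel), not a logical switch stage, and the table=44 to table=45 change in tests/system-ovn.at is in the egress pipeline; together they show that the patch also shifts the physical output and egress table bases in ovn-controller to make room for the extra ingress stage. That is a user-visible change for anyone inspecting br-int with ovs-ofctl and deserves an explicit sentence in the commit message; the quoted portion of the diff does not show the corresponding ovn-controller table-constant change, so please confirm it is part of this patch.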
> > @@ -19087,7 +19087,7 @@ service_monitor | sed '/^$/d' | wc -l`])
> >
> >   ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
> >   ])
> >
> >   ovn-sbctl dump-flows lr0 | grep ct_lb | grep priority=120 > lflows.txt
> > @@ -19125,7 +19125,7 @@ grep "405400000003${svc_mon_src_mac}" | wc -l`]
> >   ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \
> >   | grep priority=120 > lflows.txt
> >   AT_CHECK([cat lflows.txt], [0], [dnl
> > -  table=10(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(drop;)
> > +  table=11(ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(drop;)
> >   ])
> >
> >   ovn-sbctl dump-flows lr0 | grep lr_in_dnat | grep priority=120 > lflows.txt
> > diff --git a/tests/system-ovn.at b/tests/system-ovn.at
> > index 40ba6e4..b9b5eaa 100644
> > --- a/tests/system-ovn.at
> > +++ b/tests/system-ovn.at
> > @@ -2163,7 +2163,7 @@ tcp,orig=(src=172.16.1.2,dst=30.0.0.2,sport=<cleared>,dport=<cleared>),reply=(sr
> >   ])
> >
> >   check_est_flows () {
> > -    n=$(ovs-ofctl dump-flows br-int table=14 | grep \
> > +    n=$(ovs-ofctl dump-flows br-int table=15 | grep \
> >   "priority=120,ct_state=+est+trk,tcp,metadata=0x2,nw_dst=30.0.0.2,tp_dst=8000" \
> >   | grep nat | sed -n 's/.*n_packets=\([[0-9]]\{1,\}\).*/\1/p')
> >
> > @@ -4548,7 +4548,7 @@ OVS_WAIT_UNTIL([
> >   ])
> >
> >   OVS_WAIT_UNTIL([
> > -    n_pkt=$(ovs-ofctl dump-flows br-int table=44 | grep -v n_packets=0 | \
> > +    n_pkt=$(ovs-ofctl dump-flows br-int table=45 | grep -v n_packets=0 | \
> >   grep controller | grep tp_dst=84 -c)
> >       test $n_pkt -eq 1
> >   ])
> >
> >
> > _______________________________________________
> > dev mailing list
> > dev at openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> >
>
>