[ovs-dev] [PATCH ovn] northd: Remove the usage of 'ct.inv' in logical flows.
Numan Siddique
numans at ovn.org
Mon Mar 22 17:46:23 UTC 2021
On Fri, Mar 5, 2021 at 11:05 PM Numan Siddique <numans at ovn.org> wrote:
>
> On Fri, Mar 5, 2021 at 11:53 AM Han Zhou <hzhou at ovn.org> wrote:
> >
> > On Thu, Mar 4, 2021 at 5:25 PM Numan Siddique <numans at ovn.org> wrote:
> > >
> > > On Fri, Mar 5, 2021 at 4:22 AM Han Zhou <hzhou at ovn.org> wrote:
> > > >
> > > > On Mon, Mar 1, 2021 at 5:40 AM Numan Siddique <numans at ovn.org> wrote:
> > > > >
> > > > > On Fri, Feb 26, 2021 at 1:15 AM Han Zhou <hzhou at ovn.org> wrote:
> > > > > >
> > > > > > On Thu, Feb 25, 2021 at 1:25 AM Numan Siddique <numans at ovn.org>
> > wrote:
> > > > > > >
> > > > > > > On Thu, Feb 25, 2021 at 1:12 PM Han Zhou <hzhou at ovn.org> wrote:
> > > > > > > >
> > > > > > > > On Wed, Feb 24, 2021 at 5:27 AM <numans at ovn.org> wrote:
> > > > > > > > >
> > > > > > > > > From: Numan Siddique <numans at ovn.org>
> > > > > > > > >
> > > > > > > > > Presently we add 65535 priority lflows in the stages -
> > > > > > > > > 'ls_in_acl' and 'ls_out_acl' to drop packets which
> > > > > > > > > match on 'ct.inv'.
> > > > > > > > >
> > > > > > > > > As per the 'ovs-fields' man page, this
> > > > > > > > > ct state field can be used to identify problems such as:
> > > > > > > > > • L3/L4 protocol handler is not loaded/unavailable.
> > > > > > > > >
> > > > > > > > > • L3/L4 protocol handler determines that the packet is
> > > > > > > > > malformed.
> > > > > > > > >
> > > > > > > > > • Packets are unexpected length for protocol.
> > > > > > > > >
> > > > > > > > > This patch removes the usage of this field for the following
> > > > > > > > > reasons:
> > > > > > > > >
> > > > > > > > > • Some of the smart NICs which support offloading datapath
> > > > > > > > > flows don't support this field.
> > > > > > > >
> > > > > > > > What do you mean by "don't support this field"? Do you mean the
> > NIC
> > > > > > > > offloading supports connection tracking, but cannot detect if a
> > > > packet
> > > > > > is
> > > > > > > > invalid and always populate the ct.inv as 0?
> > > > > > >
> > > > > > > I think so. From what I understand, the kernel conntrack feature
> > is
> > > > used
> > > > > > > for the actual connection tracking. So NIC can't tell if the
> > packet is
> > > > > > > invalid or not
> > > > > > > (say due to out-of-window tcp errors).
> > > > > > >
> > > > > > I know some NICs support CT offloading and some doesn't.
> > > > > > So here what you are referring are the NICs that doesn't support CT
> > > > > > offloading, which falls back to kernel datapath when CT is used, is
> > it?
> > > > If
> > > > > > this is the case, then even without ct.inv it still couldn't support
> > > > > > ct.est, etc. right?
> > > > > > Or, do you mean this is specifically for NICs that support CT
> > offloading
> > > > > > but not ct.inv, i.e. it can do regular conntrack in NIC but just
> > can't
> > > > > > identify out-of-window packets, and that's why it supports ct.est
> > but
> > > > not
> > > > > > ct.inv?
> > > > > > I am still quite confused. Could clarify a little more, which types
> > of
> > > > NICs
> > > > > > would benefit from this, and how?
> > > > >
> > > > > I'm not sure if I can explain the issue well. Can you please look
> > > > > into this bugzilla -
> > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1921946
> > > > > We can discuss further if you have further questions or comments.
> > > > >
> > > > Unfortunately this one seems to require access permission.
> > >
> > > Ok. Let me try to share in some other way.
> > >
> > > >
> > > > >
> > > > > >
> > > > > > > >
> > > > > > > > >
> > > > > > > > > • A recent commit in kernel ovs datapath sets the committed
> > > > > > > > > connection tracking entry to be liberal for out-of-window
> > > > > > > > > tcp packets (nf_ct_set_tcp_be_liberal()). Such TCP
> > > > > > > > > packets will not be marked as invalid.
> > > > > > > > >
> > > > > > > >
> > > > > > > > Could you share a link to this commit?
> > > > > > >
> > > > > > > Sure.
> > > > > > >
> > > > > >
> > > >
> > https://kernel.googlesource.com/pub/scm/linux/kernel/git/netdev/net-next/+/e2ef5203c817a60bfb591343ffd851b6537370ff
> > > > > > >
> > > > > > Thanks for sharing. So OVS is not capable of detecting a
> > out-of-window
> > > > > > packet now. Could you explain more about the motivation? I couldn't
> > get
> > > > the
> > > > > > full picture from commit message of that patch. Do you have a link
> > that
> > > > > > discusses more details?
> > > > >
> > > > > Let me share with you the patch which I first submitted to handle this
> > > > issue.
> > > > > During the review, @Florian Westphal suggested being liberal for
> > > > out-of-window
> > > > > packets to solve this issue.
> > > > >
> > > > > I think the patch discussions have enough information. Please let me
> > know
> > > > > if you have further questions or comments and we can discuss further.
> > > > >
> > > > > Initial approach taken by me -
> > > > >
> > > >
> > https://patchwork.ozlabs.org/project/netdev/patch/20201006083355.121018-1-nusiddiq@redhat.com/
> > > > > Final approach taken -
> > > > >
> > > >
> > https://patchwork.ozlabs.org/project/netdev/patch/20201109072930.14048-1-nusiddiq@redhat.com/
> > > > >
> > > > Thanks for the pointers. Now I have a better context. It seems all these
> > > > work was to deal with (optimize) the LB (stateful) + stateless ACL use
> > > > cases.
> > > > 1. we don't want to track packets coming from VIF (because there is no
> > > > stateful ACL)
> > > > 2. but packets to VIF need to go through CT because there is LB
> > configured
> > > > which requires CT (for nat), which regarded return packets as invalid.
> > > >
> > > > With the above patch, the return packets won't be invalid any more in
> > the
> > > > above scenario.
> > > > However, isn't the stateful ACL support also insufficient now? With the
> > > > above patch, middle-of-traffic packets without established connection
> > will
> > > > be regarded as "new", instead of "invalid", right? Then I wonder if we
> > lose
> > > > the value of stateful ACL completely. Any considerations here? (I am
> > not a
> > > > fan of stateful ACLs but just thinking if our implementation reflects
> > what
> > > > we are declaring to the users)
> > >
> > > That was true even before the kernel patch. conntrack will not mark an
> > already
> > > established tcp connection packet to invalid, if the packet is sent to
> > conntrack
> > > after the connection is established. Since its state will be new, OVN
> > > will be committing
> > > to the conntrack.
> > >
> > > Without the kernel patch you can try flushing the conntrack entries
> > > (conntrack -F)
> > > and send a packet from an already established session and you will see
> > that
> > > the connection will be committed again.
> >
> > Here was a test I did in the past (maybe it was never submitted for review):
> > https://github.com/hzhou8/ovs/commit/20d448645877cafc4e402efb07244c029b5b31d6#diff-1ae6327d359b0249584e7aad093f331f5240ddaded53ffb9a34eabb2e473d628R5846
> >
> > In this patch I happened to test "invalid" packets (to test the ACL logging
> > feature for invalid packets). The packet I constructed as "invalid" was a
> > TCP packet without SYN flag (the other "valid" packets in the same test
> > case were set as tcp.flag = 2, meaning SYN packet, which will be regarded
> > as "new"). Obviously there was no connection established for that packet,
> > and the test case did pass, i.e. logged as INVALID.
>
> Before I comment on it, I need to test it with the kernel datapath as the test
> which you're exercising will be run with the userspace conntrack.
>
> Have you tried with the kernel datapath ?
>
> From what I know, there are some gaps between userspace conntrack and
> kernel conntrack and the gap between needs to be closed.
Hi Han,
I'm sorry that I'm replying to the thread a bit late.
I think there are few items which are still open in this discussion.
Let me try to address all of them.
1. Here is the bugzilla information -
https://gist.github.com/numansiddique/4fb5b78402e7a3e166ea773328fef639
2. Regarding the invalid packets due to wrong syn flag or due to
checksums, I tested it out and I can confirm
that such packets when sent to conntrack will be marked as invalid
(ct.inv) even if tcp be liberal flag is set.
In such cases, if ovn-northd doesn't add a flow to drop ct.inv
packets, those packets will be delivered
to the destination ports. And it will be the responsibility of
the destination VM/pod networking stack to
handle. I think it is not ok for this patch to be accepted AS IS.
Hence I submitted another version of this patch which added a new
option - use_ct_inv_match with the
default value of true. I added this new version as part of a 2 patch
series - https://patchwork.ozlabs.org/project/ovn/list/?series=235227.
I kindly request to take a look at it.
Please let me know if you've any questions.
Thanks
Numan
>
> Thanks
> Numan
>
> >
> > So, I think this is a typical case of "invalid" from conntrack. Did I
> > misunderstand anything?
> > If I am correct, with the above kernel patch I guess we lose this
> > capability, right?
> >
> > >
> > > Let me check on the checksum use case you mentioned.
> > >
> > > Thanks
> > >
> > > Numan
> > >
> > >
> > >
> > > >
> > > > >
> > > > >
> > > > > >
> > > > > > > >
> > > > > > > > > • Even if a ct.inv packet is delivered to a VIF, the
> > > > > > > > > networking stack of the VIF's kernel can handle such
> > > > > > > > > packets.
> > > > > > > >
> > > > > > > > I have some concern for this point. We shouldn't make
> > assumptions
> > > > for
> > > > > > > > what's configured in the VIF's kernel, because it is
> > independent of
> > > > > > what's
> > > > > > > > expected from OVN ACLs. In addition, egress rules are expected
> > to
> > > > drop
> > > > > > > > invalid packets sent by the VIF (regardless of how the VIF's
> > kernel
> > > > is
> > > > > > > > configured).
> > > > > > >
> > > > > > > Agree. I can delete this point from the commit message.
> > > > > > >
> > > > > > > >
> > > > > > > > However, I am not against this patch, but just want to double
> > > > confirm. I
> > > > > > > > think this deserves a description in NEWS if we do so.
> > > > > > >
> > > > > > > Sure. I will add to the NEWS.
> > > > > > >
> > > > > > > If there are concerns about removing this, how about we use
> > ct.inv by
> > > > > > > default and
> > > > > > > add a config option to not use this flag in ovn-northd ?
> > > > > > > Deployments who want to make use of HWOL nics can turn on this
> > option
> > > > ?
> > > > > > >
> > > > > > Yes, I think an option would help. However, before moving there, I
> > am
> > > > > > wondering if the user could simply use stateless ACLs to achieve the
> > > > same
> > > > > > outcome. What's the benefit of using stateful ACLs without the
> > ability
> > > > to
> > > > > > detect invalid packets v.s. using stateless ACLs?
> > > > >
> > > > > Given that we enable conntrack for all the packets if a logical switch
> > > > > has "allow-related"
> > > > > ACLs or a load balancers associated, I don't think we can take this
> > > > > path. In the case
> > > > > of ovn-k8s, the node logical switch will have a load balancer
> > > > > associated with it.
> > > > >
> > > > OK, so removing ct.inv is necessary (and ok) for a user who doesn't use
> > > > stateful ACL but uses LB and needs to deal with NIC offloading
> > limitations.
> > > >
> > > > However, for a user who really needs stateful ACL in OVN, it is now not
> > > > really supported by the CT actions because:
> > > > 1. out-of-window packets and middle-of-traffic packets without
> > established
> > > > connection are not checked (due to the net-next patch)
> > > > 2. and with this patch, checksum errors are not checked.
> > > > Is this correct understanding?
> > > >
> > > > Regardless of the above questions, I am totally ok with an option that
> > > > controls the behavior, but need to make the implications clear in the
> > > > document.
> > > >
> > > > Thanks,
> > > > Han
> > > >
> > > > > Thanks
> > > > > Numan
> > > > >
> > > > > >
> > > > > > > Thanks for the review.
> > > > > > >
> > > > > > > Numan
> > > > > > >
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Han
> > > > > > > >
> > > > > > > > >
> > > > > > > > > Signed-off-by: Numan Siddique <numans at ovn.org>
> > > > > > > > > ---
> > > > > > > > > northd/ovn-northd.c | 24 ++++++++++++------------
> > > > > > > > > tests/ovn-northd.at | 24 ++++++++++++------------
> > > > > > > > > 2 files changed, 24 insertions(+), 24 deletions(-)
> > > > > > > > >
> > > > > > > > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> > > > > > > > > index dcdb777a2..e30fb532c 100644
> > > > > > > > > --- a/northd/ovn-northd.c
> > > > > > > > > +++ b/northd/ovn-northd.c
> > > > > > > > > @@ -5617,10 +5617,10 @@ build_acls(struct ovn_datapath *od,
> > struct
> > > > > > hmap
> > > > > > > > *lflows,
> > > > > > > > > *
> > > > > > > > > * This is enforced at a higher priority than ACLs
> > can be
> > > > > > > > defined. */
> > > > > > > > > ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL,
> > UINT16_MAX,
> > > > > > > > > - "ct.inv || (ct.est && ct.rpl &&
> > > > > > ct_label.blocked
> > > > > > > > == 1)",
> > > > > > > > > + "ct.est && ct.rpl && ct_label.blocked
> > ==
> > > > 1",
> > > > > > > > > "drop;");
> > > > > > > > > ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL,
> > UINT16_MAX,
> > > > > > > > > - "ct.inv || (ct.est && ct.rpl &&
> > > > > > ct_label.blocked
> > > > > > > > == 1)",
> > > > > > > > > + "ct.est && ct.rpl && ct_label.blocked
> > ==
> > > > 1",
> > > > > > > > > "drop;");
> > > > > > > > >
> > > > > > > > > /* Ingress and Egress ACL Table (Priority 65535).
> > > > > > > > > @@ -5633,12 +5633,12 @@ build_acls(struct ovn_datapath *od,
> > struct
> > > > > > hmap
> > > > > > > > *lflows,
> > > > > > > > > *
> > > > > > > > > * This is enforced at a higher priority than ACLs
> > can be
> > > > > > > > defined. */
> > > > > > > > > ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL,
> > UINT16_MAX,
> > > > > > > > > - "ct.est && !ct.rel && !ct.new &&
> > !ct.inv "
> > > > > > > > > - "&& ct.rpl && ct_label.blocked == 0",
> > > > > > > > > + "ct.est && !ct.rel && !ct.new && "
> > > > > > > > > + "ct.rpl && ct_label.blocked == 0",
> > > > > > > > > "next;");
> > > > > > > > > ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL,
> > UINT16_MAX,
> > > > > > > > > - "ct.est && !ct.rel && !ct.new &&
> > !ct.inv "
> > > > > > > > > - "&& ct.rpl && ct_label.blocked == 0",
> > > > > > > > > + "ct.est && !ct.rel && !ct.new && "
> > > > > > > > > + "ct.rpl && ct_label.blocked == 0",
> > > > > > > > > "next;");
> > > > > > > > >
> > > > > > > > > /* Ingress and Egress ACL Table (Priority 65535).
> > > > > > > > > @@ -5653,12 +5653,12 @@ build_acls(struct ovn_datapath *od,
> > struct
> > > > > > hmap
> > > > > > > > *lflows,
> > > > > > > > > * related traffic such as an ICMP Port Unreachable
> > > > through
> > > > > > > > > * that's generated from a non-listening UDP port.
> > */
> > > > > > > > > ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL,
> > UINT16_MAX,
> > > > > > > > > - "!ct.est && ct.rel && !ct.new &&
> > !ct.inv "
> > > > > > > > > - "&& ct_label.blocked == 0",
> > > > > > > > > + "!ct.est && ct.rel && !ct.new && "
> > > > > > > > > + "ct_label.blocked == 0",
> > > > > > > > > "next;");
> > > > > > > > > ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL,
> > UINT16_MAX,
> > > > > > > > > - "!ct.est && ct.rel && !ct.new &&
> > !ct.inv "
> > > > > > > > > - "&& ct_label.blocked == 0",
> > > > > > > > > + "!ct.est && ct.rel && !ct.new && "
> > > > > > > > > + "ct_label.blocked == 0",
> > > > > > > > > "next;");
> > > > > > > > >
> > > > > > > > > /* Ingress and Egress ACL Table (Priority 65535).
> > > > > > > > > @@ -5846,11 +5846,11 @@ build_lb(struct ovn_datapath *od,
> > struct
> > > > hmap
> > > > > > > > *lflows)
> > > > > > > > > *
> > > > > > > > > * Send established traffic through conntrack for
> > just
> > > > NAT.
> > > > > > */
> > > > > > > > > ovn_lflow_add(lflows, od, S_SWITCH_IN_LB, UINT16_MAX
> > - 1,
> > > > > > > > > - "ct.est && !ct.rel && !ct.new &&
> > !ct.inv
> > > > && "
> > > > > > > > > + "ct.est && !ct.rel && !ct.new && "
> > > > > > > > > "ct_label.natted == 1",
> > > > > > > > > REGBIT_CONNTRACK_NAT" = 1; next;");
> > > > > > > > > ovn_lflow_add(lflows, od, S_SWITCH_OUT_LB,
> > UINT16_MAX -
> > > > 1,
> > > > > > > > > - "ct.est && !ct.rel && !ct.new &&
> > !ct.inv
> > > > && "
> > > > > > > > > + "ct.est && !ct.rel && !ct.new && "
> > > > > > > > > "ct_label.natted == 1",
> > > > > > > > > REGBIT_CONNTRACK_NAT" = 1; next;");
> > > > > > > > > }
> > > > > > > > > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> > > > > > > > > index ad0f9f562..dc49c2543 100644
> > > > > > > > > --- a/tests/ovn-northd.at
> > > > > > > > > +++ b/tests/ovn-northd.at
> > > > > > > > > @@ -1940,9 +1940,9 @@ AT_CHECK([ovn-sbctl lflow-list ls |
> > grep -e
> > > > > > > > ls_in_acl_hint -e ls_out_acl_hint -e
> > > > > > > > > table=4 (ls_out_acl_hint ), priority=6 ,
> > match=(!ct.new
> > > > &&
> > > > > > > > ct.est && !ct.rpl && ct_label.blocked == 1), action=(reg0[[7]]
> > = 1;
> > > > > > > > reg0[[9]] = 1; next;)
> > > > > > > > > table=4 (ls_out_acl_hint ), priority=7 ,
> > match=(ct.new &&
> > > > > > > > !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > > > > > > > > table=5 (ls_out_acl ), priority=1 , match=(ip &&
> > > > > > (!ct.est
> > > > > > > > || (ct.est && ct_label.blocked == 1))), action=(reg0[[1]] = 1;
> > > > next;)
> > > > > > > > > - table=5 (ls_out_acl ), priority=65535,
> > match=(!ct.est
> > > > &&
> > > > > > > > ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0),
> > > > action=(next;)
> > > > > > > > > - table=5 (ls_out_acl ), priority=65535,
> > match=(ct.est &&
> > > > > > > > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked ==
> > 0),
> > > > > > > > action=(next;)
> > > > > > > > > - table=5 (ls_out_acl ), priority=65535,
> > match=(ct.inv ||
> > > > > > > > (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
> > > > > > > > > + table=5 (ls_out_acl ), priority=65535,
> > match=(!ct.est
> > > > &&
> > > > > > > > ct.rel && !ct.new && ct_label.blocked == 0), action=(next;)
> > > > > > > > > + table=5 (ls_out_acl ), priority=65535,
> > match=(ct.est &&
> > > > > > > > !ct.rel && !ct.new && ct.rpl && ct_label.blocked == 0),
> > > > action=(next;)
> > > > > > > > > + table=5 (ls_out_acl ), priority=65535,
> > match=(ct.est &&
> > > > > > ct.rpl
> > > > > > > > && ct_label.blocked == 1), action=(drop;)
> > > > > > > > > table=8 (ls_in_acl_hint ), priority=1 ,
> > match=(ct.est &&
> > > > > > > > ct_label.blocked == 0), action=(reg0[[10]] = 1; next;)
> > > > > > > > > table=8 (ls_in_acl_hint ), priority=2 ,
> > match=(ct.est &&
> > > > > > > > ct_label.blocked == 1), action=(reg0[[9]] = 1; next;)
> > > > > > > > > table=8 (ls_in_acl_hint ), priority=3 ,
> > match=(!ct.est),
> > > > > > > > action=(reg0[[9]] = 1; next;)
> > > > > > > > > @@ -1951,9 +1951,9 @@ AT_CHECK([ovn-sbctl lflow-list ls |
> > grep -e
> > > > > > > > ls_in_acl_hint -e ls_out_acl_hint -e
> > > > > > > > > table=8 (ls_in_acl_hint ), priority=6 ,
> > match=(!ct.new
> > > > &&
> > > > > > > > ct.est && !ct.rpl && ct_label.blocked == 1), action=(reg0[[7]]
> > = 1;
> > > > > > > > reg0[[9]] = 1; next;)
> > > > > > > > > table=8 (ls_in_acl_hint ), priority=7 ,
> > match=(ct.new &&
> > > > > > > > !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > > > > > > > > table=9 (ls_in_acl ), priority=1 , match=(ip &&
> > > > > > (!ct.est
> > > > > > > > || (ct.est && ct_label.blocked == 1))), action=(reg0[[1]] = 1;
> > > > next;)
> > > > > > > > > - table=9 (ls_in_acl ), priority=65535,
> > match=(!ct.est
> > > > &&
> > > > > > > > ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0),
> > > > action=(next;)
> > > > > > > > > - table=9 (ls_in_acl ), priority=65535,
> > match=(ct.est &&
> > > > > > > > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked ==
> > 0),
> > > > > > > > action=(next;)
> > > > > > > > > - table=9 (ls_in_acl ), priority=65535,
> > match=(ct.inv ||
> > > > > > > > (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
> > > > > > > > > + table=9 (ls_in_acl ), priority=65535,
> > match=(!ct.est
> > > > &&
> > > > > > > > ct.rel && !ct.new && ct_label.blocked == 0), action=(next;)
> > > > > > > > > + table=9 (ls_in_acl ), priority=65535,
> > match=(ct.est &&
> > > > > > > > !ct.rel && !ct.new && ct.rpl && ct_label.blocked == 0),
> > > > action=(next;)
> > > > > > > > > + table=9 (ls_in_acl ), priority=65535,
> > match=(ct.est &&
> > > > > > ct.rpl
> > > > > > > > && ct_label.blocked == 1), action=(drop;)
> > > > > > > > > ])
> > > > > > > > >
> > > > > > > > > AS_BOX([Check match ct_state with load balancer])
> > > > > > > > > @@ -1972,9 +1972,9 @@ AT_CHECK([ovn-sbctl lflow-list ls |
> > grep -e
> > > > > > > > ls_in_acl_hint -e ls_out_acl_hint -e
> > > > > > > > > table=4 (ls_out_acl_hint ), priority=6 ,
> > match=(!ct.new
> > > > &&
> > > > > > > > ct.est && !ct.rpl && ct_label.blocked == 1), action=(reg0[[7]]
> > = 1;
> > > > > > > > reg0[[9]] = 1; next;)
> > > > > > > > > table=4 (ls_out_acl_hint ), priority=7 ,
> > match=(ct.new &&
> > > > > > > > !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > > > > > > > > table=5 (ls_out_acl ), priority=1 , match=(ip &&
> > > > > > (!ct.est
> > > > > > > > || (ct.est && ct_label.blocked == 1))), action=(reg0[[1]] = 1;
> > > > next;)
> > > > > > > > > - table=5 (ls_out_acl ), priority=65535,
> > match=(!ct.est
> > > > &&
> > > > > > > > ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0),
> > > > action=(next;)
> > > > > > > > > - table=5 (ls_out_acl ), priority=65535,
> > match=(ct.est &&
> > > > > > > > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked ==
> > 0),
> > > > > > > > action=(next;)
> > > > > > > > > - table=5 (ls_out_acl ), priority=65535,
> > match=(ct.inv ||
> > > > > > > > (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
> > > > > > > > > + table=5 (ls_out_acl ), priority=65535,
> > match=(!ct.est
> > > > &&
> > > > > > > > ct.rel && !ct.new && ct_label.blocked == 0), action=(next;)
> > > > > > > > > + table=5 (ls_out_acl ), priority=65535,
> > match=(ct.est &&
> > > > > > > > !ct.rel && !ct.new && ct.rpl && ct_label.blocked == 0),
> > > > action=(next;)
> > > > > > > > > + table=5 (ls_out_acl ), priority=65535,
> > match=(ct.est &&
> > > > > > ct.rpl
> > > > > > > > && ct_label.blocked == 1), action=(drop;)
> > > > > > > > > table=8 (ls_in_acl_hint ), priority=1 ,
> > match=(ct.est &&
> > > > > > > > ct_label.blocked == 0), action=(reg0[[10]] = 1; next;)
> > > > > > > > > table=8 (ls_in_acl_hint ), priority=2 ,
> > match=(ct.est &&
> > > > > > > > ct_label.blocked == 1), action=(reg0[[9]] = 1; next;)
> > > > > > > > > table=8 (ls_in_acl_hint ), priority=3 ,
> > match=(!ct.est),
> > > > > > > > action=(reg0[[9]] = 1; next;)
> > > > > > > > > @@ -1983,9 +1983,9 @@ AT_CHECK([ovn-sbctl lflow-list ls |
> > grep -e
> > > > > > > > ls_in_acl_hint -e ls_out_acl_hint -e
> > > > > > > > > table=8 (ls_in_acl_hint ), priority=6 ,
> > match=(!ct.new
> > > > &&
> > > > > > > > ct.est && !ct.rpl && ct_label.blocked == 1), action=(reg0[[7]]
> > = 1;
> > > > > > > > reg0[[9]] = 1; next;)
> > > > > > > > > table=8 (ls_in_acl_hint ), priority=7 ,
> > match=(ct.new &&
> > > > > > > > !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
> > > > > > > > > table=9 (ls_in_acl ), priority=1 , match=(ip &&
> > > > > > (!ct.est
> > > > > > > > || (ct.est && ct_label.blocked == 1))), action=(reg0[[1]] = 1;
> > > > next;)
> > > > > > > > > - table=9 (ls_in_acl ), priority=65535,
> > match=(!ct.est
> > > > &&
> > > > > > > > ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0),
> > > > action=(next;)
> > > > > > > > > - table=9 (ls_in_acl ), priority=65535,
> > match=(ct.est &&
> > > > > > > > !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked ==
> > 0),
> > > > > > > > action=(next;)
> > > > > > > > > - table=9 (ls_in_acl ), priority=65535,
> > match=(ct.inv ||
> > > > > > > > (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
> > > > > > > > > + table=9 (ls_in_acl ), priority=65535,
> > match=(!ct.est
> > > > &&
> > > > > > > > ct.rel && !ct.new && ct_label.blocked == 0), action=(next;)
> > > > > > > > > + table=9 (ls_in_acl ), priority=65535,
> > match=(ct.est &&
> > > > > > > > !ct.rel && !ct.new && ct.rpl && ct_label.blocked == 0),
> > > > action=(next;)
> > > > > > > > > + table=9 (ls_in_acl ), priority=65535,
> > match=(ct.est &&
> > > > > > ct.rpl
> > > > > > > > && ct_label.blocked == 1), action=(drop;)
> > > > > > > > > ])
> > > > > > > > >
> > > > > > > > > AT_CLEANUP
> > > > > > > > > --
> > > > > > > > > 2.29.2
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > dev mailing list
> > > > > > > > > dev at openvswitch.org
> > > > > > > > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> > > > > > > > _______________________________________________
> > > > > > > > dev mailing list
> > > > > > > > dev at openvswitch.org
> > > > > > > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> > > > > > _______________________________________________
> > > > > > dev mailing list
> > > > > > dev at openvswitch.org
> > > > > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> > > > _______________________________________________
> > > > dev mailing list
> > > > dev at openvswitch.org
> > > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> > _______________________________________________
> > dev mailing list
> > dev at openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
More information about the dev
mailing list