
[ovs-dev] northd: Always commit ct.est sampled traffic in the original direction.

Message ID 1a406a9ac3fa5cb78f623cf4aced20fb0bb72bd5.1729173921.git.lorenzo.bianconi@redhat.com
State Accepted

Checks

Context Check Description
ovsrobot/apply-robot warning apply and check: warning
ovsrobot/github-robot-_Build_and_Test success github build: passed
ovsrobot/github-robot-_ovn-kubernetes success github build: passed

Commit Message

Lorenzo Bianconi Oct. 17, 2024, 2:09 p.m. UTC
Considering the following configuration:

$ovn-nbctl acl-list sw01
from-lport   100 (inport == "sw01-port1" && udp.dst == 5201) allow-related [after-lb]
from-lport    10 (inport == "sw01-port1" && udp) allow-related [after-lb]

$ovn-nbctl list acl
_uuid               : e440336a-84d3-4a6d-95a9-edd1db1c3631
action              : allow-related
direction           : from-lport
external_ids        : {}
label               : 0
log                 : false
match               : "inport == \"sw01-port1\" && udp"
meter               : []
name                : []
options             : {apply-after-lb="true"}
priority            : 10
sample_est          : ac6a6efc-a2e0-4d68-b5f8-8cd91113e554
sample_new          : 5cdad2ab-4390-4772-ac40-74aa2980c06e
severity            : []
tier                : 0

_uuid               : 85ef08d7-aacc-41d7-b808-6ab011edd753
action              : allow-related
direction           : from-lport
external_ids        : {}
label               : 0
log                 : false
match               : "inport == \"sw01-port1\" && udp.dst == 5201"
meter               : []
name                : []
options             : {apply-after-lb="true"}
priority            : 100
sample_est          : 143ce7e2-fd13-4d5e-930c-133d5cf87d0d
sample_new          : 1d1a0a05-2a8a-4c72-ad35-77d7e2908183
severity            : []
tier                : 0

If the priority-100 acl is removed, the udp traffic with destination port
5201 will hit the second ACL, however ovn-controller will continue
sampling the existing connection with the observationPointID associated to
the removed ACL.
Fix the issue by always committing ct.est sampled traffic in the original
direction, so that the observationPointID stored in the connection tracking
table is updated to the one of the ACL that currently matches the traffic.

Fixes: d15b12da6fe6 ("northd: Add ACL Sampling.")
Reported-at: https://issues.redhat.com/browse/FDP-848
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
---
 northd/northd.c     |  2 +-
 tests/ovn-northd.at | 21 ++++++++++++++-------
 2 files changed, 15 insertions(+), 8 deletions(-)

Comments

Ales Musil Nov. 7, 2024, 8:03 a.m. UTC | #1
On Thu, Oct 17, 2024 at 4:09 PM Lorenzo Bianconi <
lorenzo.bianconi@redhat.com> wrote:

> Considering the following configuration:
>
> $ovn-nbctl acl-list sw01
> from-lport   100 (inport == "sw01-port1" && udp.dst == 5201) allow-related
> [after-lb]
> from-lport    10 (inport == "sw01-port1" && udp) allow-related [after-lb]
>
> $ovn-nbctl list acl
> _uuid               : e440336a-84d3-4a6d-95a9-edd1db1c3631
> action              : allow-related
> direction           : from-lport
> external_ids        : {}
> label               : 0
> log                 : false
> match               : "inport == \"sw01-port1\" && udp"
> meter               : []
> name                : []
> options             : {apply-after-lb="true"}
> priority            : 10
> sample_est          : ac6a6efc-a2e0-4d68-b5f8-8cd91113e554
> sample_new          : 5cdad2ab-4390-4772-ac40-74aa2980c06e
> severity            : []
> tier                : 0
>
> _uuid               : 85ef08d7-aacc-41d7-b808-6ab011edd753
> action              : allow-related
> direction           : from-lport
> external_ids        : {}
> label               : 0
> log                 : false
> match               : "inport == \"sw01-port1\" && udp.dst == 5201"
> meter               : []
> name                : []
> options             : {apply-after-lb="true"}
> priority            : 100
> sample_est          : 143ce7e2-fd13-4d5e-930c-133d5cf87d0d
> sample_new          : 1d1a0a05-2a8a-4c72-ad35-77d7e2908183
> severity            : []
> tier                : 0
>
> If the priority-100 acl is removed, the udp traffic with destination port
> 5201 will hit the second ACL, however ovn-controller will continue
> sampling the existing connection with the observationPointID associated to
> the removed ACL.
> Fix the issue always committing ct.est sampled traffic in the original
> direction in order to update the observationPointID stored in the
> connection
> tracking table.
>
> Fixes: d15b12da6fe6 ("northd: Add ACL Sampling.")
> Repoerted-at: https://issues.redhat.com/browse/FDP-848
> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
> ---
>  northd/northd.c     |  2 +-
>  tests/ovn-northd.at | 21 ++++++++++++++-------
>  2 files changed, 15 insertions(+), 8 deletions(-)
>
> diff --git a/northd/northd.c b/northd/northd.c
> index 0aa0de637..5bac6b703 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -7153,7 +7153,7 @@ consider_acl(struct lflow_table *lflows, const
> struct ovn_datapath *od,
>          ds_truncate(actions, log_verdict_len);
>          ds_put_format(match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)",
>                        acl->match);
> -        if (acl->label) {
> +        if (acl->label || acl->sample_est) {
>              ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
>          }
>
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index d6a8c4640..8979a2615 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -12703,7 +12703,7 @@ ovn-nbctl --wait=sb \
>    --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1"
> allow-related
>  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
> +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
>    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
>    table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new &&
> reg3 == 4301),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> next;)
>    table=??(ls_in_acl_sample   ), priority=1200 , match=(ip && ct.trk &&
> (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 &&
> ct_label.obs_unused == 0),
> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> next;)
> @@ -12723,6 +12723,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" |
> TRACE_FILTER], [0], [dnl
>  dnl Trace estasblished connections.
>  flow="$base_flow && ct_label.obs_point_id == 4302"
>  AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0],
> [dnl
> +    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]];
> ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
>      reg9 = 4302;
>
>  sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302);
>
>  sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302);
> @@ -12765,7 +12766,7 @@ ovn-nbctl --wait=sb \
>    --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls
> from-lport 1 "1" allow-related
>  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e
> ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] ==
> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1;
> next;)
> -  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] ==
> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 =
> 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
> +  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] ==
> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1;
> next;)
>    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
> action=(next;)
>    table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip &&
> ct.new && reg3 == 4301),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> next;)
>    table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip &&
> ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 &&
> ct_label.obs_unused == 0),
> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> next;)
> @@ -12785,6 +12786,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" |
> TRACE_FILTER], [0], [dnl
>  dnl Trace estasblished connections.
>  flow="$base_flow && ct_label.obs_point_id == 4302"
>  AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0],
> [dnl
> +    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]];
> ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
>      reg9 = 4302;
>
>  sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302);
>
>  sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302);
> @@ -12829,7 +12831,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e
> ls_out_acl_sample -e ls_out_acl_eval -e
>    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
>    table=??(ls_in_acl_sample   ), priority=1200 , match=(ip && ct.trk &&
> (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 &&
> ct_label.obs_unused == 0),
> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> next;)
>    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
> +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
>    table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
>    table=??(ls_out_acl_sample  ), priority=1100 , match=(ip && (ct.new ||
> !ct.trk) && reg3 == 4301),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> next;)
>    table=??(ls_out_acl_sample  ), priority=1200 , match=(ip && ct.trk &&
> (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 &&
> ct_label.obs_unused == 0),
> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> next;)
> @@ -12848,6 +12850,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls
> "$flow" | TRACE_FILTER], [0],
>  dnl Trace estasblished connections.
>  flow="$base_flow && ct_label.obs_point_id == 4302"
>  AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" |
> TRACE_FILTER], [0], [dnl
> +    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]];
> ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
>      reg9 = 4302;
>
>  sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302);
>
>  sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302);
> @@ -12921,7 +12924,7 @@ ovn-nbctl --wait=sb
>                     \
>    --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1"
> allow-related
>  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
> -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
> +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
>    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
>    table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new &&
> reg3 == 4301),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
> next;)
>    table=??(ls_in_acl_sample   ), priority=1200 , match=(ip && ct.trk &&
> (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 &&
> ct_label.obs_unused == 0),
> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
> next;)
> @@ -12942,6 +12945,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" |
> TRACE_FILTER], [0], [dnl
>  dnl Trace estasblished connections.
>  flow="$base_flow && ct_label.obs_point_id == 4302"
>  AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0],
> [dnl
> +    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]];
> ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
>      reg8[[0..7]] = 1;
>      reg8[[8..15]] = 1;
>      reg9 = 4302;
> @@ -12958,7 +12962,7 @@ ovn-nbctl --wait=sb
>                     \
>    --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1"
> allow-related
>  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e
> ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
> -  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
> +  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
>    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
>    table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.new &&
> reg8[[0..7]] == 1 && reg8[[19..20]] == 0),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> next;)
>    table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.trk &&
> (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl &&
> ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 0),
> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> next;)
> @@ -12979,6 +12983,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" |
> TRACE_FILTER], [0], [dnl
>  dnl Trace estasblished connections.
>  flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage ==
> 0 && ct_mark.obs_collector_id == 1"
>  AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0],
> [dnl
> +    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]];
> ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
>      reg8[[0..7]] = 1;
>      reg8[[8..15]] = 1;
>      reg9 = 4302;
> @@ -13025,7 +13030,7 @@ ovn-nbctl --wait=sb
>                     \
>    --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls
> from-lport 1 "1" allow-related
>  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e
> ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows |
> ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
>    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] ==
> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1;
> next;)
> -  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] ==
> 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 =
> 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;)
> +  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] ==
> 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 =
> 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1;
> next;)
>    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1),
> action=(next;)
>    table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip &&
> ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> next;)
>    table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip &&
> ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl &&
> ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 1),
> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> next;)
> @@ -13046,6 +13051,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" |
> TRACE_FILTER], [0], [dnl
>  dnl Trace estasblished connections.
>  flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage ==
> 1 && ct_mark.obs_collector_id == 1"
>  AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0],
> [dnl
> +    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]];
> ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
>      reg8[[0..7]] = 1;
>      reg8[[8..15]] = 1;
>      reg9 = 4302;
> @@ -13094,7 +13100,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e
> ls_out_acl_sample -e ls_out_acl_eval -e
>    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
>    table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.trk &&
> (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl &&
> ct_mark.obs_collector_id == 1),
> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> next;)
>    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;)
> -  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302;
> reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;)
> +  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 &&
> (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301;
> reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;)
>    table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
>    table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && (ct.new ||
> !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2),
> action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3);
> next;)
>    table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && ct.trk &&
> (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl &&
> ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 2),
> action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id);
> next;)
> @@ -13114,6 +13120,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls
> "$flow" | TRACE_FILTER], [0],
>  dnl Trace estasblished connections.
>  flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage ==
> 2 && ct_mark.obs_collector_id == 1"
>  AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" |
> TRACE_FILTER], [0], [dnl
> +    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]];
> ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
>      reg8[[0..7]] = 1;
>      reg8[[8..15]] = 1;
>      reg9 = 4302;
> --
> 2.47.0
>
>
Looks good to me.

Acked-by: Ales Musil <amusil@redhat.com>

Thanks,
Ales
Dumitru Ceara Dec. 2, 2024, 2:58 p.m. UTC | #2
On 11/7/24 9:03 AM, Ales Musil wrote:
> On Thu, Oct 17, 2024 at 4:09 PM Lorenzo Bianconi <
> lorenzo.bianconi@redhat.com> wrote:
> 
>> Considering the following configuration:
>>
>> $ovn-nbctl acl-list sw01
>> from-lport   100 (inport == "sw01-port1" && udp.dst == 5201) allow-related
>> [after-lb]
>> from-lport    10 (inport == "sw01-port1" && udp) allow-related [after-lb]
>>
>> $ovn-nbctl list acl
>> _uuid               : e440336a-84d3-4a6d-95a9-edd1db1c3631
>> action              : allow-related
>> direction           : from-lport
>> external_ids        : {}
>> label               : 0
>> log                 : false
>> match               : "inport == \"sw01-port1\" && udp"
>> meter               : []
>> name                : []
>> options             : {apply-after-lb="true"}
>> priority            : 10
>> sample_est          : ac6a6efc-a2e0-4d68-b5f8-8cd91113e554
>> sample_new          : 5cdad2ab-4390-4772-ac40-74aa2980c06e
>> severity            : []
>> tier                : 0
>>
>> _uuid               : 85ef08d7-aacc-41d7-b808-6ab011edd753
>> action              : allow-related
>> direction           : from-lport
>> external_ids        : {}
>> label               : 0
>> log                 : false
>> match               : "inport == \"sw01-port1\" && udp.dst == 5201"
>> meter               : []
>> name                : []
>> options             : {apply-after-lb="true"}
>> priority            : 100
>> sample_est          : 143ce7e2-fd13-4d5e-930c-133d5cf87d0d
>> sample_new          : 1d1a0a05-2a8a-4c72-ad35-77d7e2908183
>> severity            : []
>> tier                : 0
>>
>> If the priority-100 acl is removed, the udp traffic with destination port
>> 5201 will hit the second ACL, however ovn-controller will continue
>> sampling the existing connection with the observationPointID associated to
>> the removed ACL.
>> Fix the issue always committing ct.est sampled traffic in the original
>> direction in order to update the observationPointID stored in the
>> connection
>> tracking table.
>>
>> Fixes: d15b12da6fe6 ("northd: Add ACL Sampling.")
>> Repoerted-at: https://issues.redhat.com/browse/FDP-848
>> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
>> ---

Thanks, Lorenzo and Ales!  Applied to main and 24.09.

Regards,
Dumitru

Patch

diff --git a/northd/northd.c b/northd/northd.c
index 0aa0de637..5bac6b703 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -7153,7 +7153,7 @@  consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od,
         ds_truncate(actions, log_verdict_len);
         ds_put_format(match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)",
                       acl->match);
-        if (acl->label) {
+        if (acl->label || acl->sample_est) {
             ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
         }
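Review bot: The widened condition on the `acl->sample_est` line carries no comment saying why a sampled ACL now forces a conntrack commit, and a reader of consider_acl (whose body starts and ends outside this hunk) will not see the commit-message rationale; I would add above it `/* Re-commit established traffic so ct_label.obs_point_id follows the ACL that currently matches (a higher-priority sampled ACL may have been removed). */`. The cost deserves a mention too: as the updated ovn-trace expectations in the test hunks show, every original-direction packet of an established connection that hits a sampled allow-related ACL now executes a ct_commit, i.e. a per-packet conntrack update rather than the one-time commit done for ct.new. Unless OVS elides commits that change nothing (not visible from here), this is datapath overhead that operators enabling sample_est should be told about, so a sentence in the commit message would help. The label case already paid the same cost, so this is not a new class of behavior, only a wider one.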
 
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index d6a8c4640..8979a2615 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -12703,7 +12703,7 @@  ovn-nbctl --wait=sb \
   --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related
 AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
   table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
   table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
   table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;)
   table=??(ls_in_acl_sample   ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;)
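Review bot: The updated expectations in this hunk only pin the regenerated lflow text (the `reg0[[1]] = 1` now present on the `reg0[[8]] == 1` flow), so nothing in the visible test changes exercises the scenario the commit describes, namely removing the higher-priority sampled ACL and checking that an already-established connection is re-committed with the remaining ACL's observation point. A datapath-level test that creates the two ACLs from the commit message, establishes a UDP flow, deletes the priority-100 ACL and verifies that `ct_label.obs_point_id` switches to the priority-10 ACL's value would catch a regression that this text comparison cannot. If such a test exists outside this patch, a pointer to it in the commit message would be enough.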
@@ -12723,6 +12723,7 @@  AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
 dnl Trace estasblished connections.
 flow="$base_flow && ct_label.obs_point_id == 4302"
 AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
     reg9 = 4302;
     sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302);
     sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302);
@@ -12765,7 +12766,7 @@  ovn-nbctl --wait=sb \
   --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related
 AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
   table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
-  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
   table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1), action=(next;)
   table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;)
   table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;)
@@ -12785,6 +12786,7 @@  AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
 dnl Trace estasblished connections.
 flow="$base_flow && ct_label.obs_point_id == 4302"
 AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
     reg9 = 4302;
     sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302);
     sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302);
@@ -12829,7 +12831,7 @@  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e
   table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
   table=??(ls_in_acl_sample   ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;)
   table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
   table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
   table=??(ls_out_acl_sample  ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;)
   table=??(ls_out_acl_sample  ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;)
@@ -12848,6 +12850,7 @@  AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0],
 dnl Trace estasblished connections.
 flow="$base_flow && ct_label.obs_point_id == 4302"
 AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
     reg9 = 4302;
     sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302);
     sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302);
@@ -12921,7 +12924,7 @@  ovn-nbctl --wait=sb                                                    \
   --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related
 AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
   table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
   table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
   table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;)
   table=??(ls_in_acl_sample   ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;)
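Review bot: The updated expectation pins that the `reg0[[8]] == 1` eval flow now also sets `reg0[[1]] = 1`, but the `ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample` selection on the AT_CHECK line excludes the stateful-stage flow that consumes that bit and performs the commit, so the listing asserts the register assignment rather than the commit path itself; the hunks at @@ -12958, @@ -13025 and @@ -13094 have the same shape. Adding `-e ls_in_stateful` (and `-e ls_out_stateful` for the egress variant at @@ -13094) to the first grep would include that flow, and because its action references `reg9` it should survive the second `grep -e reg3 -e reg9 -e sample` filter — I infer this from the `ct_commit` action printed in the trace hunks rather than from a listing visible here, so please confirm against the actual lflow output. The added line is otherwise identical to the `reg0[[7]] == 1` line above it except for the match bit, which reads as intended.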
@@ -12942,6 +12945,7 @@  AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
 dnl Trace estasblished connections.
 flow="$base_flow && ct_label.obs_point_id == 4302"
 AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
     reg8[[0..7]] = 1;
     reg8[[8..15]] = 1;
     reg9 = 4302;
@@ -12958,7 +12962,7 @@  ovn-nbctl --wait=sb                                                    \
   --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related
 AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
   table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
   table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
   table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
   table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;)
@@ -12979,6 +12983,7 @@  AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
 dnl Trace estasblished connections.
 flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 1"
 AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
     reg8[[0..7]] = 1;
     reg8[[8..15]] = 1;
     reg9 = 4302;
@@ -13025,7 +13030,7 @@  ovn-nbctl --wait=sb                                                    \
   --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related
 AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
   table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;)
-  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;)
   table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1), action=(next;)
   table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
   table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;)
@@ -13046,6 +13051,7 @@  AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl
 dnl Trace estasblished connections.
 flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 1 && ct_mark.obs_collector_id == 1"
 AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
     reg8[[0..7]] = 1;
     reg8[[8..15]] = 1;
     reg9 = 4302;
@@ -13094,7 +13100,7 @@  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e
   table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
   table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;)
   table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;)
   table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
   table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && (ct.new || !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
   table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 2), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;)
@@ -13114,6 +13120,7 @@  AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0],
 dnl Trace estasblished connections.
 flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 2 && ct_mark.obs_collector_id == 1"
 AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl
+    ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; };
     reg8[[0..7]] = 1;
     reg8[[8..15]] = 1;
     reg9 = 4302;