Message ID | 1a406a9ac3fa5cb78f623cf4aced20fb0bb72bd5.1729173921.git.lorenzo.bianconi@redhat.com |
---|---|
State | Accepted |
Series | [ovs-dev] northd: Always commit ct.est sampled traffic in the original direction. |
Context | Check | Description |
---|---|---|
ovsrobot/apply-robot | warning | apply and check: warning |
ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
ovsrobot/github-robot-_ovn-kubernetes | success | github build: passed |
On Thu, Oct 17, 2024 at 4:09 PM Lorenzo Bianconi <lorenzo.bianconi@redhat.com> wrote:
> Considering the following configuration:
>
> $ovn-nbctl acl-list sw01
> from-lport 100 (inport == "sw01-port1" && udp.dst == 5201) allow-related [after-lb]
> from-lport 10 (inport == "sw01-port1" && udp) allow-related [after-lb]
>
> $ovn-nbctl list acl
> _uuid : e440336a-84d3-4a6d-95a9-edd1db1c3631
> action : allow-related
> direction : from-lport
> external_ids : {}
> label : 0
> log : false
> match : "inport == \"sw01-port1\" && udp"
> meter : []
> name : []
> options : {apply-after-lb="true"}
> priority : 10
> sample_est : ac6a6efc-a2e0-4d68-b5f8-8cd91113e554
> sample_new : 5cdad2ab-4390-4772-ac40-74aa2980c06e
> severity : []
> tier : 0
>
> _uuid : 85ef08d7-aacc-41d7-b808-6ab011edd753
> action : allow-related
> direction : from-lport
> external_ids : {}
> label : 0
> log : false
> match : "inport == \"sw01-port1\" && udp.dst == 5201"
> meter : []
> name : []
> options : {apply-after-lb="true"}
> priority : 100
> sample_est : 143ce7e2-fd13-4d5e-930c-133d5cf87d0d
> sample_new : 1d1a0a05-2a8a-4c72-ad35-77d7e2908183
> severity : []
> tier : 0
>
> If the priority-100 ACL is removed, the UDP traffic with destination port
> 5201 will hit the second ACL; however, ovn-controller will continue
> sampling the existing connection with the observationPointID associated with
> the removed ACL.
> Fix the issue by always committing ct.est sampled traffic in the original
> direction in order to update the observationPointID stored in the
> connection tracking table.
>
> Fixes: d15b12da6fe6 ("northd: Add ACL Sampling.")
> Reported-at: https://issues.redhat.com/browse/FDP-848
> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
> ---
> northd/northd.c | 2 +-
> tests/ovn-northd.at | 21 ++++++++++++++-------
> 2 files changed, 15 insertions(+), 8 deletions(-)
>
> diff --git a/northd/northd.c b/northd/northd.c
> index 0aa0de637..5bac6b703 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c > @@ -7153,7 +7153,7 @@ consider_acl(struct lflow_table *lflows, const > struct ovn_datapath *od, > ds_truncate(actions, log_verdict_len); > ds_put_format(match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)", > acl->match); > - if (acl->label) { > + if (acl->label || acl->sample_est) { > ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); > } > > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at > index d6a8c4640..8979a2615 100644 > --- a/tests/ovn-northd.at > +++ b/tests/ovn-northd.at 
> @@ -12703,7 +12703,7 @@ ovn-nbctl --wait=sb \ > --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" > allow-related > AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e > ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | > ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl > table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; > reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) > - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; > reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) > + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; > reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) > table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && > reg3 == 4301), > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); > next;) > table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && > (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && > ct_label.obs_unused == 0), > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); > next;) 
> @@ -12723,6 +12723,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | > TRACE_FILTER], [0], [dnl > dnl Trace estasblished connections. > flow="$base_flow && ct_label.obs_point_id == 4302" > AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], > [dnl > + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; > ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; > reg9 = 4302; > > sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); > > sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); 
> @@ -12765,7 +12766,7 @@ ovn-nbctl --wait=sb \ > --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls > from-lport 1 "1" allow-related > AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e > ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | > ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl > table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == > 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = > 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; > next;) > - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == > 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = > 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) > + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == > 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = > 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; > next;) > table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), > action=(next;) > table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && > ct.new && reg3 == 4301), > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); > next;) > table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && > ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && > ct_label.obs_unused == 0), > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); > next;) 
> @@ -12785,6 +12786,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | > TRACE_FILTER], [0], [dnl > dnl Trace estasblished connections. > flow="$base_flow && ct_label.obs_point_id == 4302" > AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], > [dnl > + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; > ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; > reg9 = 4302; > > sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); > > sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); 
> @@ -12829,7 +12831,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e > ls_out_acl_sample -e ls_out_acl_eval -e > table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && > (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && > ct_label.obs_unused == 0), > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); > next;) > table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; > reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) > - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; > reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) > + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; > reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) > table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || > !ct.trk) && reg3 == 4301), > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); > next;) > table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && > (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && > ct_label.obs_unused == 0), > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); > next;) 
> @@ -12848,6 +12850,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls > "$flow" | TRACE_FILTER], [0], > dnl Trace estasblished connections. > flow="$base_flow && ct_label.obs_point_id == 4302" > AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | > TRACE_FILTER], [0], [dnl > + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; > ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; > reg9 = 4302; > > sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); > > sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); 
> @@ -12921,7 +12924,7 @@ ovn-nbctl --wait=sb > \ > --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" > allow-related > AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e > ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | > ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl > table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; > reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) > - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; > reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) > + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; > reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) > table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && > reg3 == 4301), > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); > next;) > table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && > (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && > ct_label.obs_unused == 0), > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); > next;) > @@ -12942,6 +12945,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | > TRACE_FILTER], [0], [dnl > dnl Trace estasblished connections. > flow="$base_flow && ct_label.obs_point_id == 4302" > AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], > [dnl > + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; > ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; > reg8[[0..7]] = 1; > reg8[[8..15]] = 1; > reg9 = 4302; 
> @@ -12958,7 +12962,7 @@ ovn-nbctl --wait=sb > \ > --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" > allow-related > AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e > ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | > ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl > table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; > reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) > - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; > reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) > + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; > reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) > table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && > reg8[[0..7]] == 1 && reg8[[19..20]] == 0), > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); > next;) > table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && > (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && > ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 0), > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); > next;) 
> @@ -12979,6 +12983,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | > TRACE_FILTER], [0], [dnl > dnl Trace estasblished connections. > flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == > 0 && ct_mark.obs_collector_id == 1" > AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], > [dnl > + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; > ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; > reg8[[0..7]] = 1; > reg8[[8..15]] = 1; > reg9 = 4302; 
> @@ -13025,7 +13030,7 @@ ovn-nbctl --wait=sb > \ > --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls > from-lport 1 "1" allow-related > AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e > ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | > ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl > table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == > 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = > 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; > next;) > - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == > 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = > 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;) > + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == > 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = > 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; > next;) > table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), > action=(next;) > table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && > ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); > next;) > table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && > ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && > ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 1), > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); > next;) 
> @@ -13046,6 +13051,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | > TRACE_FILTER], [0], [dnl > dnl Trace estasblished connections. > flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == > 1 && ct_mark.obs_collector_id == 1" > AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], > [dnl > + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; > ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; > reg8[[0..7]] = 1; > reg8[[8..15]] = 1; > reg9 = 4302; 
> @@ -13094,7 +13100,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e > ls_out_acl_sample -e ls_out_acl_eval -e > table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && > (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && > ct_mark.obs_collector_id == 1), > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); > next;) > table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; > reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;) > - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; > reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;) > + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && > (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; > reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;) > table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) > table=??(ls_out_acl_sample ), priority=1000 , match=(ip && (ct.new || > !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), > action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); > next;) > table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && > (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && > ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 2), > action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); > next;) 
> @@ -13114,6 +13120,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls > "$flow" | TRACE_FILTER], [0], > dnl Trace estasblished connections. > flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == > 2 && ct_mark.obs_collector_id == 1" > AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | > TRACE_FILTER], [0], [dnl > + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; > ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; > reg8[[0..7]] = 1; > reg8[[8..15]] = 1; > reg9 = 4302; > -- > 2.47.0
>

Looks good to me.
Acked-by: Ales Musil <amusil@redhat.com>

Thanks,
Ales
On 11/7/24 9:03 AM, Ales Musil wrote:
> On Thu, Oct 17, 2024 at 4:09 PM Lorenzo Bianconi <lorenzo.bianconi@redhat.com> wrote:
>
>> Considering the following configuration:
>>
>> $ovn-nbctl acl-list sw01
>> from-lport 100 (inport == "sw01-port1" && udp.dst == 5201) allow-related [after-lb]
>> from-lport 10 (inport == "sw01-port1" && udp) allow-related [after-lb]
>>
>> $ovn-nbctl list acl
>> _uuid : e440336a-84d3-4a6d-95a9-edd1db1c3631
>> action : allow-related
>> direction : from-lport
>> external_ids : {}
>> label : 0
>> log : false
>> match : "inport == \"sw01-port1\" && udp"
>> meter : []
>> name : []
>> options : {apply-after-lb="true"}
>> priority : 10
>> sample_est : ac6a6efc-a2e0-4d68-b5f8-8cd91113e554
>> sample_new : 5cdad2ab-4390-4772-ac40-74aa2980c06e
>> severity : []
>> tier : 0
>>
>> _uuid : 85ef08d7-aacc-41d7-b808-6ab011edd753
>> action : allow-related
>> direction : from-lport
>> external_ids : {}
>> label : 0
>> log : false
>> match : "inport == \"sw01-port1\" && udp.dst == 5201"
>> meter : []
>> name : []
>> options : {apply-after-lb="true"}
>> priority : 100
>> sample_est : 143ce7e2-fd13-4d5e-930c-133d5cf87d0d
>> sample_new : 1d1a0a05-2a8a-4c72-ad35-77d7e2908183
>> severity : []
>> tier : 0
>>
>> If the priority-100 ACL is removed, the UDP traffic with destination port
>> 5201 will hit the second ACL; however, ovn-controller will continue
>> sampling the existing connection with the observationPointID associated with
>> the removed ACL.
>> Fix the issue by always committing ct.est sampled traffic in the original
>> direction in order to update the observationPointID stored in the
>> connection tracking table.
>>
>> Fixes: d15b12da6fe6 ("northd: Add ACL Sampling.")
>> Reported-at: https://issues.redhat.com/browse/FDP-848
>> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
>> ---

Thanks, Lorenzo and Ales!

Applied to main and 24.09.

Regards,
Dumitru
diff --git a/northd/northd.c b/northd/northd.c index 0aa0de637..5bac6b703 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -7153,7 +7153,7 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_truncate(actions, log_verdict_len); ds_put_format(match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)", acl->match); - if (acl->label) { + if (acl->label || acl->sample_est) { ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); } diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index d6a8c4640..8979a2615 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -12703,7 +12703,7 @@ ovn-nbctl --wait=sb \ --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) 
@@ -12723,6 +12723,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); 
@@ -12765,7 +12766,7 @@ ovn-nbctl --wait=sb \ --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) 
@@ -12785,6 +12786,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); 
@@ -12829,7 +12831,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) 
@@ -12848,6 +12850,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302" AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); 
@@ -12921,7 +12924,7 @@ ovn-nbctl --wait=sb \ --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) @@ -12942,6 +12945,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg9 = 4302; 
@@ -12958,7 +12962,7 @@ ovn-nbctl --wait=sb \ --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) 
@@ -12979,6 +12983,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 1" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg9 = 4302; 
@@ -13025,7 +13030,7 @@ ovn-nbctl --wait=sb \ --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) 
@@ -13046,6 +13051,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 1 && ct_mark.obs_collector_id == 1" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg9 = 4302; 
@@ -13094,7 +13100,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_sample ), priority=1000 , match=(ip && (ct.new || !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 2), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) 
@@ -13114,6 +13120,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 2 && ct_mark.obs_collector_id == 1" AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg9 = 4302;
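Review bot: the new `ct_commit { ...; ct_label.obs_point_id = reg9; }` expectation in the `--ct est` traces (this hunk and the ones at 12979 and 13046) does not actually prove the refresh, because each traced flow already carries `ct_label.obs_point_id == 4302` while the ACL programs `reg9 = 4302`, so the old and new label values are identical and the check would pass even if the established connection were re-committed with its stale label. Setting a different, stale obs_point_id in `flow=` (the commit message scenario: the observation point of a since-removed ACL) would make the test fail when the re-commit does not pick up the current ACL's value.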
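Review bot: in the lflow-list hunks at 13025 and 13094 the only functional difference is `reg0[[1]] = 1` being added to the `reg0[[8]] == 1` eval flows (ls_in_acl_after_lb_eval and ls_out_acl_eval), so established sampled traffic now triggers a ct_commit on every matching packet rather than only on ct.new; that per-packet conntrack update is the cost of refreshing ct_label.obs_point_id after an ACL change. The diffstat shows only northd.c and tests/ovn-northd.at changing, so the ACL eval stage description in ovn-northd.8.xml should also say that sampled allow-related ACLs re-commit established connections, and the commit message could state the cost explicitly.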
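Review bot: the re-commit only happens on the `!ct.rpl` side (the est sample flows in the 13025 and 13094 hunks match `!ct.rpl && ct_mark.obs_stage == N`), while the reply-direction flow shown in context at 13094 (`ct.rpl && ct_mark.obs_collector_id == 1` in ls_in_acl_sample) samples whatever `ct_label.obs_point_id` conntrack currently holds; after an ACL change, reply packets therefore stay attributed to the old observation point until the next original-direction packet re-commits. If that window is intended, a sentence in the commit message saying so would help; otherwise a `ct.rpl` trace following the re-commit would pin the behaviour down.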
Considering the following configuration:

$ovn-nbctl acl-list sw01
from-lport 100 (inport == "sw01-port1" && udp.dst == 5201) allow-related [after-lb]
from-lport 10 (inport == "sw01-port1" && udp) allow-related [after-lb]

$ovn-nbctl list acl
_uuid        : e440336a-84d3-4a6d-95a9-edd1db1c3631
action       : allow-related
direction    : from-lport
external_ids : {}
label        : 0
log          : false
match        : "inport == \"sw01-port1\" && udp"
meter        : []
name         : []
options      : {apply-after-lb="true"}
priority     : 10
sample_est   : ac6a6efc-a2e0-4d68-b5f8-8cd91113e554
sample_new   : 5cdad2ab-4390-4772-ac40-74aa2980c06e
severity     : []
tier         : 0

_uuid        : 85ef08d7-aacc-41d7-b808-6ab011edd753
action       : allow-related
direction    : from-lport
external_ids : {}
label        : 0
log          : false
match        : "inport == \"sw01-port1\" && udp.dst == 5201"
meter        : []
name         : []
options      : {apply-after-lb="true"}
priority     : 100
sample_est   : 143ce7e2-fd13-4d5e-930c-133d5cf87d0d
sample_new   : 1d1a0a05-2a8a-4c72-ad35-77d7e2908183
severity     : []
tier         : 0

If the priority-100 acl is removed, the udp traffic with destination port
5201 will hit the second ACL, however ovn-controller will continue
sampling the existing connection with the observationPointID associated to
the removed ACL.
Fix the issue always committing ct.est sampled traffic in the original
direction in order to update the observationPointID stored in the connection
tracking table.

Fixes: d15b12da6fe6 ("northd: Add ACL Sampling.")
Reported-at: https://issues.redhat.com/browse/FDP-848
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
---
 northd/northd.c     |  2 +-
 tests/ovn-northd.at | 21 ++++++++++++++-------
 2 files changed, 15 insertions(+), 8 deletions(-)