diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h index dc3f3caf54..d6c4a9b6b3 100644 --- a/include/ovn/logical-fields.h +++ b/include/ovn/logical-fields.h @@ -197,13 +197,13 @@ const struct ovn_field *ovn_field_from_name(const char *name); #define OVN_CT_NATTED_BIT 1 #define OVN_CT_LB_SKIP_SNAT_BIT 2 #define OVN_CT_LB_FORCE_SNAT_BIT 3 -#define OVN_CT_OBS_AFTER_LB_BIT 4 +#define OVN_CT_OBS_STAGE_1ST_BIT 4 +#define OVN_CT_OBS_STAGE_END_BIT 5 #define OVN_CT_BLOCKED 1 #define OVN_CT_NATTED 2 #define OVN_CT_LB_SKIP_SNAT 4 #define OVN_CT_LB_FORCE_SNAT 8 -#define OVN_CT_OBS_AFTER_LB 16 #define OVN_CT_ECMP_ETH_1ST_BIT 32 #define OVN_CT_ECMP_ETH_END_BIT 79 diff --git a/lib/logical-fields.c b/lib/logical-fields.c index 4e95aba4b3..134d2674fd 100644 --- a/lib/logical-fields.c +++ b/lib/logical-fields.c @@ -165,9 +165,10 @@ ovn_init_symtab(struct shash *symtab) OVN_CT_STR(OVN_CT_LB_FORCE_SNAT_BIT) "]", WR_CT_COMMIT); - expr_symtab_add_subfield_scoped(symtab, "ct_mark.obs_after_lb", NULL, + expr_symtab_add_subfield_scoped(symtab, "ct_mark.obs_stage", NULL, "ct_mark[" - OVN_CT_STR(OVN_CT_OBS_AFTER_LB_BIT) + OVN_CT_STR(OVN_CT_OBS_STAGE_1ST_BIT) ".." + OVN_CT_STR(OVN_CT_OBS_STAGE_END_BIT) "]", WR_CT_COMMIT); expr_symtab_add_subfield_scoped(symtab, "ct_mark.obs_collector_id", NULL, diff --git a/northd/northd.c b/northd/northd.c index 6c41f52cc8..97bc54129c 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -144,8 +144,20 @@ static bool vxlan_mode; #define REGBIT_ACL_VERDICT_ALLOW "reg8[16]" #define REGBIT_ACL_VERDICT_DROP "reg8[17]" #define REGBIT_ACL_VERDICT_REJECT "reg8[18]" +#define REGBIT_ACL_OBS_STAGE "reg8[19..20]" #define REG_ACL_TIER "reg8[30..31]" +enum acl_observation_stage { + ACL_OBS_FROM_LPORT, + ACL_OBS_FROM_LPORT_AFTER_LB, + ACL_OBS_TO_LPORT, + ACL_OBS_STAGE_MAX +}; + +/* enum acl_observation_stage_t values must fit in the 2 bits of + * REGBIT_ACL_OBS_STAGE .*/ +BUILD_ASSERT_DECL(ACL_OBS_STAGE_MAX < (1 << 2)); + /* Indicate that this packet has been recirculated using egress * loopback. This allows certain checks to be bypassed, such as a * logical router dropping packets with source IP address equals @@ -191,7 +203,6 @@ static bool vxlan_mode; #define REG_OBS_POINT_ID_EST "reg9" #define REG_OBS_COLLECTOR_ID_NEW "reg8[0..7]" #define REG_OBS_COLLECTOR_ID_EST "reg2[16..23]" -#define REGBIT_OBS_AFTER_LB "reg8[19]" /* Register used for temporarily store ECMP eth.src to avoid masked ct_label * access. It doesn't really occupy registers because the content of the @@ -6525,7 +6536,7 @@ static void build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, const struct nbrec_sample *sample_new, const struct nbrec_sample *sample_est, - bool obs_after_lb) + enum acl_observation_stage obs_stage) { if (!acl->label && !sample_new && !sample_est) { return; @@ -6559,10 +6570,10 @@ build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, REG_OBS_POINT_ID_EST " = %"PRIu32"; " REG_OBS_COLLECTOR_ID_NEW " = %"PRIu8"; " REG_OBS_COLLECTOR_ID_EST " = %"PRIu8"; " - REGBIT_OBS_AFTER_LB " = %c; ", + REGBIT_ACL_OBS_STAGE " = %"PRIu8"; ", point_id_new, point_id_est, collector_id_new, collector_id_est, - obs_after_lb ? '1' : '0'); + (uint8_t) obs_stage); } /* This builds an ACL logical flow specific match that selects traffic @@ -6737,6 +6748,7 @@ static void build_acl_sample_generic_new_flows(const struct ovn_datapath *od, struct lflow_table *lflows, enum ovn_stage stage, + enum acl_observation_stage obs_stage, struct ds *match, struct ds *actions, const struct nbrec_sample_collector *coll, uint8_t sample_domain_id, bool stateful, @@ -6746,10 +6758,10 @@ build_acl_sample_generic_new_flows(const struct ovn_datapath *od, ds_clear(actions); ds_put_format(match, "ip %s&& "REG_OBS_COLLECTOR_ID_NEW" == %"PRIu8" && " - REGBIT_OBS_AFTER_LB" == %c", + REGBIT_ACL_OBS_STAGE " == %"PRIu8, stateful ? "&& ct.new " : "", (uint8_t) coll->set_id, - stage == S_SWITCH_IN_ACL_AFTER_LB_SAMPLE ? '1' : '0'); + (uint8_t) obs_stage); ds_put_format(actions, "sample(probability=%"PRIu16"," "collector_set=%"PRIu8"," @@ -6772,6 +6784,7 @@ static void build_acl_sample_generic_est_flows(const struct ovn_datapath *od, struct lflow_table *lflows, enum ovn_stage stage, + enum acl_observation_stage obs_stage, struct ds *match, struct ds *actions, const struct nbrec_sample_collector *coll, uint8_t sample_domain_id, @@ -6785,9 +6798,9 @@ build_acl_sample_generic_est_flows(const struct ovn_datapath *od, size_t match_len = match->length; ds_put_format(match, "!ct.rpl && ct_mark.obs_collector_id == %"PRIu8" && " - "ct_mark.obs_after_lb == %c", + "ct_mark.obs_stage == %"PRIu8, (uint8_t) coll->set_id, - stage == S_SWITCH_IN_ACL_AFTER_LB_SAMPLE ? '1' : '0'); + (uint8_t) obs_stage); ds_put_format(actions, "sample(probability=%"PRIu16"," "collector_set=%"PRIu8"," @@ -6857,13 +6870,17 @@ build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, bool ingress = !strcmp(acl->direction, "from-lport") ? true : false; enum ovn_stage stage; + enum acl_observation_stage obs_stage; if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { stage = S_SWITCH_IN_ACL_AFTER_LB_SAMPLE; + obs_stage = ACL_OBS_FROM_LPORT_AFTER_LB; } else if (ingress) { stage = S_SWITCH_IN_ACL_SAMPLE; + obs_stage = ACL_OBS_FROM_LPORT; } else { stage = S_SWITCH_OUT_ACL_SAMPLE; + obs_stage = ACL_OBS_TO_LPORT; } uint8_t sample_new_domain_id = @@ -6872,7 +6889,8 @@ build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, sampling_app_get_id(sampling_apps, SAMPLING_APP_ACL_EST_TRAFFIC); if (acl_use_generic_sample_flows(acl->sample_new, features)) { - build_acl_sample_generic_new_flows(od, lflows, stage, match, actions, + build_acl_sample_generic_new_flows(od, lflows, stage, obs_stage, + match, actions, acl->sample_new->collectors[0], sample_new_domain_id, stateful_match, lflow_ref); @@ -6887,7 +6905,8 @@ build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, } if (acl_use_generic_sample_flows(acl->sample_est, features)) { - build_acl_sample_generic_est_flows(od, lflows, stage, match, actions, + build_acl_sample_generic_est_flows(od, lflows, stage, obs_stage, + match, actions, acl->sample_est->collectors[0], sample_est_domain_id, lflow_ref); } else { @@ -6922,15 +6941,17 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, { bool ingress = !strcmp(acl->direction, "from-lport") ? true :false; enum ovn_stage stage; + enum acl_observation_stage obs_stage; - bool apply_after_lb = false; if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { stage = S_SWITCH_IN_ACL_AFTER_LB_EVAL; - apply_after_lb = true; + obs_stage = ACL_OBS_FROM_LPORT_AFTER_LB; } else if (ingress) { stage = S_SWITCH_IN_ACL_EVAL; + obs_stage = ACL_OBS_FROM_LPORT; } else { stage = S_SWITCH_OUT_ACL_EVAL; + obs_stage = ACL_OBS_TO_LPORT; } const char *verdict; @@ -6965,7 +6986,7 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, /* For stateless ACLs just sample "new" packets. */ build_acl_sample_label_action(actions, acl, acl->sample_new, NULL, - apply_after_lb); + obs_stage); ds_put_cstr(actions, "next;"); ds_put_format(match, "(%s)", acl->match); @@ -7004,7 +7025,7 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, /* For stateful ACLs sample "new" and "established" packets. */ build_acl_sample_label_action(actions, acl, acl->sample_new, - acl->sample_est, apply_after_lb); + acl->sample_est, obs_stage); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -7028,7 +7049,7 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, /* For stateful ACLs sample "new" and "established" packets. */ build_acl_sample_label_action(actions, acl, acl->sample_new, - acl->sample_est, apply_after_lb); + acl->sample_est, obs_stage); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -7049,7 +7070,7 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, /* For drop ACLs just sample all packets as "new" packets. */ build_acl_sample_label_action(actions, acl, acl->sample_new, NULL, - apply_after_lb); + obs_stage); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -7073,7 +7094,7 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, /* For drop ACLs just sample all packets as "new" packets. */ build_acl_sample_label_action(actions, acl, acl->sample_new, NULL, - apply_after_lb); + obs_stage); ds_put_cstr(actions, "ct_commit { ct_mark.blocked = 1; }; next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -8195,7 +8216,7 @@ build_stateful(struct ovn_datapath *od, struct lflow_table *lflows, ds_put_cstr(&actions, "ct_commit { " "ct_mark.blocked = 0; " - "ct_mark.obs_after_lb = " REGBIT_OBS_AFTER_LB "; " + "ct_mark.obs_stage = " REGBIT_ACL_OBS_STAGE "; " "ct_mark.obs_collector_id = " REG_OBS_COLLECTOR_ID_EST "; " "ct_label.obs_point_id = " REG_OBS_POINT_ID_EST "; " "}; next;"); diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index c8a16d1892..f4adff1a81 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -4608,7 +4608,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK_UNQUOTED([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4632,7 +4632,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) ]) } @@ -4674,7 +4674,7 @@ AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4695,7 +4695,7 @@ AT_CHECK([grep "ls_out_pre_stateful" sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) ]) # LB with event=false and reject=false @@ -4724,23 +4724,23 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 0; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 2; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) ]) # Add new ACL without label @@ -4751,27 +4751,27 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) ]) # Delete new ACL with label @@ -4788,7 +4788,7 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0] AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl @@ -4798,7 +4798,7 @@ AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0 AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP ]) @@ -4826,7 +4826,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls from-lport 1 dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; ]) AS_BOX([from-lport --apply-after-lb allow-related ACL]) @@ -4834,7 +4834,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --apply-after-lb --label=1234 acl-add dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; ]) AS_BOX([to-lport allow-related ACL]) @@ -4842,7 +4842,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls to-lport 1 ip dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_out_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; ]) AT_CLEANUP @@ -7678,7 +7678,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with the apply-after-lb option]) @@ -7733,7 +7733,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with a few ACLs with apply-after-lb option]) @@ -7788,7 +7788,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP @@ -12599,8 +12599,8 @@ AS_BOX([from-lport ACL sampling (new, est)]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --sample-new=$sample1 --sample-est=$sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) @@ -12611,7 +12611,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); @@ -12629,8 +12629,8 @@ AS_BOX([from-lport ACL sampling (new)]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --sample-new=$sample1 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) @@ -12639,7 +12639,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; reg9 = 0; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); @@ -12656,8 +12656,8 @@ AS_BOX([from-lport-after-lb ACL sampling (new, est)]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --apply-after-lb --sample-new=$sample1 --sample-est=$sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 1; next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) @@ -12668,7 +12668,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_ dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); @@ -12686,8 +12686,8 @@ AS_BOX([from-lport-after-lb ACL sampling (new)]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --apply-after-lb --sample-new=$sample1 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 1; next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) @@ -12696,7 +12696,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_ dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; reg9 = 0; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); @@ -12715,8 +12715,8 @@ check ovn-nbctl --wait=sb --sample-new=$sample1 --sample-est=$sample2 acl-add ls AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) @@ -12725,7 +12725,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; ct_commit { ct_mark.blocked = 0; }; reg9 = 4302; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); @@ -12745,8 +12745,8 @@ check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --sample-new=$sample1 acl-add ls to-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg2[[16..23]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) ]) @@ -12754,7 +12754,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; ct_commit { ct_mark.blocked = 0; }; reg9 = 0; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); @@ -12806,8 +12806,8 @@ check ovn-sbctl chassis-add gw1 geneve 127.0.0.1 \ check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --sample-new=$sample1 --sample-est=$sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19]] = 0; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) @@ -12818,7 +12818,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; reg2[[16..23]] = 1; reg9 = 4302; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); @@ -12839,11 +12839,11 @@ AS_BOX([from-lport ACL sampling (new, est)]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --sample-new=$sample1 --sample-est=$sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19]] = 0; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) - table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_after_lb == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) ]) @@ -12851,14 +12851,14 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; reg2[[16..23]] = 1; reg9 = 4302; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=reg3); ]) dnl Trace estasblished connections. -flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_after_lb == 0 && ct_mark.obs_collector_id == 1" +flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 1" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl reg2[[16..23]] = 1; reg9 = 4302; @@ -12869,17 +12869,17 @@ AS_BOX([from-lport ACL sampling (new)]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --sample-new=$sample1 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg2[[16..23]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg2[[16..23]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) ]) dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; reg2[[16..23]] = 0; reg9 = 0; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=reg3); @@ -12887,7 +12887,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl dnl Trace established connections (no point id was committed in the label in dnl the original direction). -flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_after_lb == 0 && ct_mark.obs_collector_id == 0" +flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 0" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl reg2[[16..23]] = 0; reg9 = 0; @@ -12897,11 +12897,11 @@ AS_BOX([from-lport-after-lb ACL sampling (new, est)]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --apply-after-lb --sample-new=$sample1 --sample-est=$sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19]] = 1; next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19..20]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19]] == 1), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) - table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_after_lb == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) ]) @@ -12909,14 +12909,14 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_ dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; reg2[[16..23]] = 1; reg9 = 4302; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=reg3); ]) dnl Trace estasblished connections. -flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_after_lb == 1 && ct_mark.obs_collector_id == 1" +flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 1 && ct_mark.obs_collector_id == 1" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl reg2[[16..23]] = 1; reg9 = 4302; @@ -12927,17 +12927,17 @@ AS_BOX([from-lport-after-lb ACL sampling (new)]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --apply-after-lb --sample-new=$sample1 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg2[[16..23]] = 0; reg8[[19]] = 1; next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg2[[16..23]] = 0; reg8[[19]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg2[[16..23]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg2[[16..23]] = 0; reg8[[19..20]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19]] == 1), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) ]) dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; reg2[[16..23]] = 0; reg9 = 0; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=reg3); @@ -12945,7 +12945,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl dnl Trace established connections (no point id was committed in the label in dnl the original direction). -flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_after_lb == 0 && ct_mark.obs_collector_id == 0" +flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 0" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl reg2[[16..23]] = 0; reg9 = 0; @@ -12957,17 +12957,17 @@ check ovn-nbctl --wait=sb --sample-new=$sample1 --sample-est=$sample2 acl-add ls AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19]] = 0; next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19]] = 0; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg2[[16..23]] = 1; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) - table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_after_lb == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 2), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) ]) dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; ct_commit { ct_mark.blocked = 0; }; reg2[[16..23]] = 1; reg9 = 4302; @@ -12975,7 +12975,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], ]) dnl Trace estasblished connections. -flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_after_lb == 0 && ct_mark.obs_collector_id == 1" +flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 2 && ct_mark.obs_collector_id == 1" AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl reg2[[16..23]] = 1; reg9 = 4302; @@ -12987,16 +12987,16 @@ check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --sample-new=$sample1 acl-add ls to-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg2[[16..23]] = 0; reg8[[19]] = 0; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg2[[16..23]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg2[[16..23]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) ]) dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_after_lb = reg8[[19]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg2[[16..23]]; ct_label.obs_point_id = reg9; }; ct_commit { ct_mark.blocked = 0; }; reg2[[16..23]] = 0; reg9 = 0; @@ -13005,7 +13005,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], dnl Trace established connections (no point id was committed in the label in dnl the original direction). -flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_after_lb == 0 && ct_mark.obs_collector_id == 0" +flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 2 && ct_mark.obs_collector_id == 0" AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl reg2[[16..23]] = 0; reg9 = 0; diff --git a/tests/ovn.at b/tests/ovn.at index 122cac5529..b4cf495acd 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -336,8 +336,8 @@ ct_mark.blocked = ct_mark[0] ct_mark.ecmp_reply_port = ct_mark[16..31] ct_mark.force_snat = ct_mark[3] ct_mark.natted = ct_mark[1] -ct_mark.obs_after_lb = ct_mark[4] ct_mark.obs_collector_id = ct_mark[16..23] +ct_mark.obs_stage = ct_mark[4..5] ct_mark.skip_snat = ct_mark[2] ct_state = NXM_NX_CT_STATE ]]) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index b440b6d489..a9cb54b452 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -7724,7 +7724,7 @@ NS_CHECK_EXEC([sw0-p3], [ping -q -c 10 -i 0.3 -w 15 10.0.0.2 | FORMAT_PING], \ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.2) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/'], [0], [dnl -icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,labels=0x4d3000000000000000000000000 +icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,mark=32,labels=0x4d3000000000000000000000000 icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone= ]) @@ -7866,7 +7866,7 @@ NS_CHECK_EXEC([sw0-p3], [ping -q -c 10 -i 0.3 -w 15 10.0.0.2 | FORMAT_PING], \ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.2) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/'], [0], [dnl -icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,labels=0x4d3000000000000000000000000 +icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,mark=32,labels=0x4d3000000000000000000000000 icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone= ])