Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2223120/?format=api
{ "id": 2223120, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2223120/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ovn/patch/20260414134043.924997-4-dceara@redhat.com/", "project": { "id": 68, "url": "http://patchwork.ozlabs.org/api/1.1/projects/68/?format=api", "name": "Open Virtual Network development", "link_name": "ovn", "list_id": "ovs-dev.openvswitch.org", "list_email": "ovs-dev@openvswitch.org", "web_url": "http://openvswitch.org/", "scm_url": "", "webscm_url": "" }, "msgid": "<20260414134043.924997-4-dceara@redhat.com>", "date": "2026-04-14T13:40:42", "name": "[ovs-dev,3/4] northd: Fix ls_stateful_record_set_acls() not called in I-P handlers.", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "4fe95b881a3b14e8798ecde97c9e3fa8b1bdd8cd", "submitter": { "id": 76591, "url": "http://patchwork.ozlabs.org/api/1.1/people/76591/?format=api", "name": "Dumitru Ceara", "email": "dceara@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/ovn/patch/20260414134043.924997-4-dceara@redhat.com/mbox/", "series": [ { "id": 499847, "url": "http://patchwork.ozlabs.org/api/1.1/series/499847/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ovn/list/?series=499847", "date": "2026-04-14T13:40:39", "name": "Fix conntrack handling for traffic to/from EVPN vteps.", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/499847/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2223120/comments/", "check": "success", "checks": "http://patchwork.ozlabs.org/api/patches/2223120/checks/", "tags": {}, "headers": { "Return-Path": "<ovs-dev-bounces@openvswitch.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "ovs-dev@openvswitch.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "ovs-dev@lists.linuxfoundation.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=T/2ticss;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=140.211.166.136; helo=smtp3.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)", "smtp3.osuosl.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key)\n header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=T/2ticss", "smtp1.osuosl.org; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com", "smtp1.osuosl.org;\n dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com\n header.a=rsa-sha256 header.s=mimecast20190719 header.b=T/2ticss" ], "Received": [ "from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fw56D73kzz1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 14 Apr 2026 23:41:40 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id E72C26F254;\n\tTue, 14 Apr 2026 13:41:38 +0000 (UTC)", "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id pwyWwpG1MdjZ; Tue, 14 Apr 2026 13:41:38 +0000 (UTC)", "from lists.linuxfoundation.org (lf-lists.osuosl.org\n [IPv6:2605:bc80:3010:104::8cd3:938])\n\tby smtp3.osuosl.org (Postfix) with ESMTPS id 09FD96EFB5;\n\tTue, 14 Apr 2026 13:41:38 +0000 (UTC)", "from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id D9478C054A;\n\tTue, 14 Apr 2026 13:41:37 +0000 (UTC)", "from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 5F71DC0549\n for <ovs-dev@openvswitch.org>; Tue, 14 Apr 2026 13:41:36 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id F131984A27\n for <ovs-dev@openvswitch.org>; Tue, 14 Apr 2026 13:41:26 +0000 (UTC)", "from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id XXPknISTeRqZ for <ovs-dev@openvswitch.org>;\n Tue, 14 Apr 2026 13:41:25 +0000 (UTC)", "from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.129.124])\n by smtp1.osuosl.org (Postfix) with ESMTPS id DCB9D849E8\n for <ovs-dev@openvswitch.org>; Tue, 14 Apr 2026 13:41:24 +0000 (UTC)", "from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-301-Yp54SgE9PRC6_uPZPiC3mA-1; Tue,\n 14 Apr 2026 09:41:22 -0400", "from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id 96EBD1955DB9\n for <ovs-dev@openvswitch.org>; Tue, 14 Apr 2026 13:41:21 +0000 (UTC)", "from cecil-rh.redhat.com (unknown [10.44.33.229])\n by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id 5B32F19560B7; Tue, 14 Apr 2026 13:41:20 +0000 (UTC)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections -\n client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 09FD96EFB5", "OpenDKIM Filter v2.11.0 smtp1.osuosl.org DCB9D849E8" ], "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=170.10.129.124;\n helo=us-smtp-delivery-124.mimecast.com; envelope-from=dceara@redhat.com;\n receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp1.osuosl.org DCB9D849E8", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1776174083;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding:\n in-reply-to:in-reply-to:references:references;\n bh=KTJNsM7MZ4Ajn1SJ2AVFSfuO5tEJrPD/11i/5JDTcB0=;\n b=T/2ticssmzG5OED8Oio1Xthsx1Wiw9sVJwC2qX5MOxdy8ywsaorAhvjRcE0PPnWsL74nMv\n QxkQnrVIsEM70FLORa/9NZk7lqLFZWJ12o8dQysmAyGOKZkMYWBX6vm5pWMAuoUjegPOXM\n sgRcKEU9CR+C7HqsFsjKYIcbqkl8FiE=", "X-MC-Unique": "Yp54SgE9PRC6_uPZPiC3mA-1", "X-Mimecast-MFC-AGG-ID": "Yp54SgE9PRC6_uPZPiC3mA_1776174081", "To": "ovs-dev@openvswitch.org", "Date": "Tue, 14 Apr 2026 15:40:42 +0200", "Message-ID": "<20260414134043.924997-4-dceara@redhat.com>", "In-Reply-To": "<20260414134043.924997-1-dceara@redhat.com>", "References": "<20260414134043.924997-1-dceara@redhat.com>", "MIME-Version": "1.0", "X-Scanned-By": "MIMEDefang 3.0 on 10.30.177.12", "X-Mimecast-Spam-Score": "0", "X-Mimecast-MFC-PROC-ID": "Fj4DXScW5xCCJEgZz9KKqUH3Y0T7YpMwnQRp-y6pbzc_1776174081", "X-Mimecast-Originator": "redhat.com", "Subject": "[ovs-dev] [PATCH ovn 3/4] northd: Fix ls_stateful_record_set_acls()\n not called in I-P handlers.", "X-BeenThere": "ovs-dev@openvswitch.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "<ovs-dev.openvswitch.org>", "List-Unsubscribe": "<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>", "List-Archive": "<http://mail.openvswitch.org/pipermail/ovs-dev/>", "List-Post": "<mailto:ovs-dev@openvswitch.org>", "List-Help": "<mailto:ovs-dev-request@openvswitch.org?subject=help>", "List-Subscribe": "<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>", "From": "Dumitru Ceara via dev <ovs-dev@openvswitch.org>", "Reply-To": "Dumitru Ceara <dceara@redhat.com>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "ovs-dev-bounces@openvswitch.org", "Sender": "\"dev\" <ovs-dev-bounces@openvswitch.org>" }, "content": "Every first-time addition of an existing ls_stateful_record to the\ncrupdated tracking set must call ls_stateful_record_set_acls() to\nrefresh has_stateful_acl and related ACL state. Two places were\nmissing this call:\n\n1. The LB loop in ls_stateful_northd_handler() added to crupdated\n without calling set_acls(). When a switch had both changed LBs\n and changed ACLs, the LB loop added the record first (without\n refreshing ACL state), then the ACL loop's hmapx_add() returned\n false and skipped the refresh.\n\n2. ls_stateful_acl_handler() added to crupdated without calling\n set_acls(). When an existing ACL's action changed (e.g., allow\n to allow-related), has_stateful_acl was never updated.\n\nFixes: fb477aff9286 (\"northd: Process ACL changes incrementally.\")\nAssisted-by: Claude, with model: claude-opus-4-6\nSigned-off-by: Dumitru Ceara <dceara@redhat.com>\n---\n northd/en-ls-stateful.c | 21 +++++++++++--\n tests/ovn-northd.at | 69 +++++++++++++++++++++++++++++++++++++++++\n 2 files changed, 87 insertions(+), 3 deletions(-)", "diff": "diff --git a/northd/en-ls-stateful.c b/northd/en-ls-stateful.c\nindex 4daeab20d7..84e58b5deb 100644\n--- a/northd/en-ls-stateful.c\n+++ b/northd/en-ls-stateful.c\n@@ -171,8 +171,14 @@ ls_stateful_northd_handler(struct engine_node *node, void *data_)\n ovs_assert(ls_stateful_rec);\n ls_stateful_rec->has_lb_vip = ls_has_lb_vip(od);\n \n- /* Add the ls_stateful_rec to the tracking data. */\n- hmapx_add(&data->trk_data.crupdated, ls_stateful_rec);\n+ /* Add the ls_stateful_rec to the tracking data. Refresh ACL\n+ * state when first added so that a switch with both changed LBs\n+ * and changed ACLs gets its ACL state updated regardless of\n+ * which loop runs first. */\n+ if (hmapx_add(&data->trk_data.crupdated, ls_stateful_rec)) {\n+ ls_stateful_record_set_acls(ls_stateful_rec, od->nbs,\n+ input_data.ls_port_groups);\n+ }\n }\n \n HMAPX_FOR_EACH (hmapx_node, &nd_changes->ls_with_changed_acls) {\n@@ -243,6 +249,7 @@ ls_stateful_port_group_handler(struct engine_node *node, void *data_)\n enum engine_input_handler_result\n ls_stateful_acl_handler(struct engine_node *node, void *data_)\n {\n+ struct ls_stateful_input input_data = ls_stateful_get_input_data(node);\n struct ed_type_ls_stateful *data = data_;\n const struct nbrec_acl_table *nbrec_acl_table =\n EN_OVSDB_GET(engine_get_input(\"NB_acl\", node));\n@@ -259,7 +266,15 @@ ls_stateful_acl_handler(struct engine_node *node, void *data_)\n LS_STATEFUL_TABLE_FOR_EACH (ls_stateful_rec, &data->table) {\n if (uuidset_contains(&ls_stateful_rec->related_acls,\n &acl->header_.uuid)) {\n- hmapx_add(&data->trk_data.crupdated, ls_stateful_rec);\n+ if (hmapx_add(&data->trk_data.crupdated, ls_stateful_rec)) {\n+ const struct ovn_datapath *od = ovn_datapath_find(\n+ &input_data.ls_datapaths->datapaths,\n+ &ls_stateful_rec->nbs_uuid);\n+ if (od) {\n+ ls_stateful_record_set_acls(ls_stateful_rec, od->nbs,\n+ input_data.ls_port_groups);\n+ }\n+ }\n }\n }\n }\ndiff --git a/tests/ovn-northd.at b/tests/ovn-northd.at\nindex 624e08c1df..796c30daf7 100644\n--- a/tests/ovn-northd.at\n+++ b/tests/ovn-northd.at\n@@ -18957,6 +18957,75 @@ OVN_CLEANUP_NORTHD\n AT_CLEANUP\n ])\n \n+OVN_FOR_EACH_NORTHD_NO_HV([\n+AT_SETUP([LS ls_stateful incremental processing])\n+AT_KEYWORDS([incremental processing])\n+ovn_start\n+\n+AS_BOX([LB and ACL added in same transaction])\n+\n+dnl Create a switch with a port.\n+check ovn-nbctl --wait=sb \\\n+ -- ls-add ls0 \\\n+ -- lsp-add ls0 lsp0 \\\n+ -- lsp-set-addresses lsp0 \"00:00:00:00:00:01 10.0.0.1\"\n+\n+dnl Clear engine stats before the combined transaction.\n+check as northd ovn-appctl -t ovn-northd inc-engine/clear-stats\n+\n+dnl In a single transaction, add both a stateful ACL and a load balancer.\n+dnl This exercises the ls_stateful_northd_handler() LB loop path where\n+dnl the switch is added to crupdated tracking and must also refresh ACL\n+dnl state via ls_stateful_record_set_acls().\n+check ovn-nbctl --wait=sb \\\n+ -- acl-add ls0 from-lport 100 \"ip\" allow-related \\\n+ -- lb-add lb1 10.0.0.100:80 10.0.0.1:80 \\\n+ -- ls-lb-add ls0 lb1\n+\n+dnl Verify incremental processing was used (no recompute).\n+check_engine_stats ls_stateful norecompute compute\n+\n+dnl Verify the conntrack defrag flow exists in pre_acl at priority 100.\n+dnl REGBIT_CONNTRACK_DEFRAG (reg0[0] = 1) is only set when\n+dnl has_stateful_acl is true, proving ls_stateful_record_set_acls()\n+dnl was called during the combined LB+ACL transaction.\n+ovn-sbctl dump-flows ls0 > lflows\n+AT_CHECK([grep 'ls_in_pre_acl' lflows | grep 'priority=100' | grep -q 'reg0\\[[0\\]] = 1'])\n+\n+AS_BOX([ACL action change from allow to allow-related])\n+\n+dnl Create a switch with a non-stateful ACL (allow) and a port.\n+check ovn-nbctl --wait=sb \\\n+ -- ls-add ls1 \\\n+ -- lsp-add ls1 lsp1 \\\n+ -- lsp-set-addresses lsp1 \"00:00:00:00:00:02 10.0.0.2\" \\\n+ -- acl-add ls1 from-lport 100 \"ip\" allow\n+\n+dnl Verify NO conntrack defrag flow (non-stateful ACL).\n+ovn-sbctl dump-flows ls1 > lflows\n+AT_CHECK([grep 'ls_in_pre_acl' lflows | grep 'priority=100' | grep -q 'reg0\\[[0\\]] = 1'], [1])\n+\n+dnl Clear engine stats before modifying the ACL.\n+check as northd ovn-appctl -t ovn-northd inc-engine/clear-stats\n+\n+dnl Change the ACL action from allow to allow-related.\n+dnl This exercises ls_stateful_acl_handler() where a changed ACL must\n+dnl trigger ls_stateful_record_set_acls() to update has_stateful_acl.\n+acl_uuid=$(fetch_column nb:Acl _uuid action=allow)\n+check ovn-nbctl --wait=sb set acl $acl_uuid action=allow-related\n+\n+dnl Verify incremental processing was used (no recompute).\n+check_engine_stats ls_stateful norecompute compute\n+\n+dnl Verify the conntrack defrag flow now appears, proving\n+dnl has_stateful_acl was correctly updated.\n+ovn-sbctl dump-flows ls1 > lflows\n+AT_CHECK([grep 'ls_in_pre_acl' lflows | grep 'priority=100' | grep -q 'reg0\\[[0\\]] = 1'])\n+\n+OVN_CLEANUP_NORTHD\n+AT_CLEANUP\n+])\n+\n OVN_FOR_EACH_NORTHD_NO_HV([\n AT_SETUP([Check network function])\n ovn_start\n", "prefixes": [ "ovs-dev", "3/4" ] }