GET /api/1.2/patches/2223426/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2223426,
    "url": "http://patchwork.ozlabs.org/api/1.2/patches/2223426/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/ovn/patch/20260415102733.1044923-1-dceara@redhat.com/",
    "project": {
        "id": 68,
        "url": "http://patchwork.ozlabs.org/api/1.2/projects/68/?format=api",
        "name": "Open Virtual Network development",
        "link_name": "ovn",
        "list_id": "ovs-dev.openvswitch.org",
        "list_email": "ovs-dev@openvswitch.org",
        "web_url": "http://openvswitch.org/",
        "scm_url": "",
        "webscm_url": "",
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260415102733.1044923-1-dceara@redhat.com>",
    "list_archive_url": null,
    "date": "2026-04-15T10:27:33",
    "name": "[ovs-dev,v2] northd: Skip conntrack for EVPN remote VTEP traffic.",
    "commit_ref": null,
    "pull_url": null,
    "state": "accepted",
    "archived": false,
    "hash": "4b1df57bce48af165a95477c79c871b276ead80e",
    "submitter": {
        "id": 76591,
        "url": "http://patchwork.ozlabs.org/api/1.2/people/76591/?format=api",
        "name": "Dumitru Ceara",
        "email": "dceara@redhat.com"
    },
    "delegate": {
        "id": 132642,
        "url": "http://patchwork.ozlabs.org/api/1.2/users/132642/?format=api",
        "username": "amusil",
        "first_name": "Ales",
        "last_name": "Musil",
        "email": "amusil@redhat.com"
    },
    "mbox": "http://patchwork.ozlabs.org/project/ovn/patch/20260415102733.1044923-1-dceara@redhat.com/mbox/",
    "series": [
        {
            "id": 499961,
            "url": "http://patchwork.ozlabs.org/api/1.2/series/499961/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/ovn/list/?series=499961",
            "date": "2026-04-15T10:27:33",
            "name": "[ovs-dev,v2] northd: Skip conntrack for EVPN remote VTEP traffic.",
            "version": 2,
            "mbox": "http://patchwork.ozlabs.org/series/499961/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2223426/comments/",
    "check": "success",
    "checks": "http://patchwork.ozlabs.org/api/patches/2223426/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<ovs-dev-bounces@openvswitch.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "ovs-dev@openvswitch.org"
        ],
        "Delivered-To": [
            "patchwork-incoming@legolas.ozlabs.org",
            "ovs-dev@lists.linuxfoundation.org"
        ],
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=ia++9Vd2;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=140.211.166.137; helo=smtp4.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)",
            "smtp4.osuosl.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key)\n header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=ia++9Vd2",
            "smtp4.osuosl.org; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com"
        ],
        "Received": [
            "from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwcm36mlxz1yHM\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 20:27:47 +1000 (AEST)",
            "from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id EA4A44B3D5;\n\tWed, 15 Apr 2026 10:27:45 +0000 (UTC)",
            "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id jBfnDX1_wawg; Wed, 15 Apr 2026 10:27:44 +0000 (UTC)",
            "from lists.linuxfoundation.org (lf-lists.osuosl.org\n [IPv6:2605:bc80:3010:104::8cd3:938])\n\tby smtp4.osuosl.org (Postfix) with ESMTPS id ACD6F4B126;\n\tWed, 15 Apr 2026 10:27:44 +0000 (UTC)",
            "from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id 8B365C054A;\n\tWed, 15 Apr 2026 10:27:44 +0000 (UTC)",
            "from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 65228C0549\n for <ovs-dev@openvswitch.org>; Wed, 15 Apr 2026 10:27:43 +0000 (UTC)",
            "from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 91F0B4ADA3\n for <ovs-dev@openvswitch.org>; Wed, 15 Apr 2026 10:27:42 +0000 (UTC)",
            "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id yOl6ZLEVX8lk for <ovs-dev@openvswitch.org>;\n Wed, 15 Apr 2026 10:27:41 +0000 (UTC)",
            "from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.129.124])\n by smtp4.osuosl.org (Postfix) with ESMTPS id 392954B0ED\n for <ovs-dev@openvswitch.org>; Wed, 15 Apr 2026 10:27:40 +0000 (UTC)",
            "from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-683-zGZtqNXQNDaxy2GJ3-f2oA-1; Wed,\n 15 Apr 2026 06:27:38 -0400",
            "from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id B49601956062\n for <ovs-dev@openvswitch.org>; Wed, 15 Apr 2026 10:27:37 +0000 (UTC)",
            "from cecil-rh.redhat.com (unknown [10.44.49.133])\n by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id 7733B30001A4; Wed, 15 Apr 2026 10:27:36 +0000 (UTC)"
        ],
        "X-Virus-Scanned": [
            "amavis at osuosl.org",
            "amavis at osuosl.org"
        ],
        "X-Comment": "SPF check N/A for local connections -\n client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ",
        "DKIM-Filter": [
            "OpenDKIM Filter v2.11.0 smtp4.osuosl.org ACD6F4B126",
            "OpenDKIM Filter v2.11.0 smtp4.osuosl.org 392954B0ED"
        ],
        "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=170.10.129.124;\n helo=us-smtp-delivery-124.mimecast.com; envelope-from=dceara@redhat.com;\n receiver=<UNKNOWN>",
        "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp4.osuosl.org 392954B0ED",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1776248859;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding;\n bh=dMiUDHgP3kwL93GZ2JDOIyZNJazqvuaDNy8W2IfhxDA=;\n b=ia++9Vd2cF9TKv6dSW/ejNw4/X0BYfqUREhdKDSnsx7jDR/e1KlAoFjyc6rJr2I9najaf0\n R37cYRY1X3O9KbOZXZULTwjeg1KGsmdgTty0FQFTRvKjsOMAhwnw7ybUjQHX0qrVlAQX1y\n e9X4TGH70AvEF0yepXwpTN/qhguU0Pg=",
        "X-MC-Unique": "zGZtqNXQNDaxy2GJ3-f2oA-1",
        "X-Mimecast-MFC-AGG-ID": "zGZtqNXQNDaxy2GJ3-f2oA_1776248857",
        "To": "ovs-dev@openvswitch.org",
        "Date": "Wed, 15 Apr 2026 12:27:33 +0200",
        "Message-ID": "<20260415102733.1044923-1-dceara@redhat.com>",
        "MIME-Version": "1.0",
        "X-Scanned-By": "MIMEDefang 3.4.1 on 10.30.177.4",
        "X-Mimecast-Spam-Score": "0",
        "X-Mimecast-MFC-PROC-ID": "fcBGgJCAVIkkwd4bz7Qfn3HbTuhd_GbKJVVSVf84mLU_1776248857",
        "X-Mimecast-Originator": "redhat.com",
        "Subject": "[ovs-dev] [PATCH ovn v2] northd: Skip conntrack for EVPN remote\n VTEP traffic.",
        "X-BeenThere": "ovs-dev@openvswitch.org",
        "X-Mailman-Version": "2.1.30",
        "Precedence": "list",
        "List-Id": "<ovs-dev.openvswitch.org>",
        "List-Unsubscribe": "<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>",
        "List-Archive": "<http://mail.openvswitch.org/pipermail/ovs-dev/>",
        "List-Post": "<mailto:ovs-dev@openvswitch.org>",
        "List-Help": "<mailto:ovs-dev-request@openvswitch.org?subject=help>",
        "List-Subscribe": "<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>",
        "From": "Dumitru Ceara via dev <ovs-dev@openvswitch.org>",
        "Reply-To": "Dumitru Ceara <dceara@redhat.com>",
        "Content-Type": "text/plain; charset=\"us-ascii\"",
        "Content-Transfer-Encoding": "7bit",
        "Errors-To": "ovs-dev-bounces@openvswitch.org",
        "Sender": "\"dev\" <ovs-dev-bounces@openvswitch.org>"
    },
    "content": "When a logical switch has stateful ACLs (allow-related) or load\nbalancers configured, all IP traffic is sent to conntrack in the\nPRE_ACL and PRE_LB pipeline stages.  Traffic from/to remote VTEPs\nhas no conntrack zone assigned, so conntrack lookups return\nct_state=+trk+inv, causing the traffic to be dropped.\n\nFix this by adding priority-110 flows that bypass conntrack for\nEVPN remote VTEP traffic, identified by the from_evpn_vtep and\nto_evpn_vtep predicates.  These predicates check bit 31 of the\nlogical inport/outport registers, which is always set for EVPN\nbinding keys (OVN_MIN_EVPN_KEY = 1 << 31).\n\nThe EVPN skip in PRE_ACL is only added when stateful ACLs are\npresent (matching the existing pattern for localnet/router/switch\nports).  The EVPN skip in PRE_LB is unconditional, unlike localnet\nports which are gated on !has_lb_vip -- remote VTEPs have no\nconntrack zones so conntrack would always fail regardless of LB\nconfiguration.\n\nFixes: 9081afcf8698 (\"controller: Create physical flows based on EVPN structures.\")\nReported-at: https://redhat.atlassian.net/browse/FDP-3462\nSuggested-by: Ales Musil <amusil@redhat.com>\nAssisted-by: Claude, with model: claude-opus-4-6\nSigned-off-by: Dumitru Ceara <dceara@redhat.com>\n---\nV2:\n- Addressed Ales' comments:\n  - Register inport/outport backing fields as \"__inport\"/\"__outport\"\n    instead of dynamically computing \"reg14\"/\"reg15\" names.\n  - Use bit-index predicates (__inport[31]/__outport[31]) instead of\n    mask-based predicates (reg14 == 0x80000000/0x80000000).\n  - Extract the EVPN key bit position into OVN_EVPN_KEY_FLAG (31) in\n    ovn-util.h; redefine OVN_MIN_EVPN_KEY in terms of it.\n  - Fix \"action parsing\" test: reg15 is no longer a registered symbol,\n    so \"reg15 = get_fdb(eth.dst)\" must expect a syntax error again.\n  - Restore \"registers\" test to its pre-patch expected output (no\n    reg14/reg15 entries since they are no longer registered as 
symbols).\n---\n lib/logical-fields.c | 15 +++++++\n lib/ovn-util.c       |  2 +-\n lib/ovn-util.h       |  3 +-\n northd/northd.c      | 37 ++++++++++++++++++\n tests/multinode.at   | 30 ++++++++++++++\n tests/ovn-northd.at  | 93 ++++++++++++++++++++++++++++++++++++++++++++\n tests/ovn.at         |  8 ++++\n 7 files changed, 186 insertions(+), 2 deletions(-)",
    "diff": "diff --git a/lib/logical-fields.c b/lib/logical-fields.c\nindex 9b04762a17..807bb4db48 100644\n--- a/lib/logical-fields.c\n+++ b/lib/logical-fields.c\n@@ -16,6 +16,7 @@\n #include <config.h>\n \n #include \"openvswitch/shash.h\"\n+#include \"ovn-util.h\"\n #include \"ovn/expr.h\"\n #include \"ovn/logical-fields.h\"\n #include \"ovs-thread.h\"\n@@ -72,6 +73,20 @@ ovn_init_symtab(struct shash *symtab)\n     expr_symtab_add_string(symtab, \"inport\", MFF_LOG_INPORT, NULL);\n     expr_symtab_add_string(symtab, \"outport\", MFF_LOG_OUTPORT, NULL);\n \n+    /* Also register the inport/outport backing registers as numeric fields\n+     * so that predicates can reference specific bits (e.g., the EVPN key\n+     * indicator at bit 31). */\n+    expr_symtab_add_field(symtab, \"__inport\", MFF_LOG_INPORT, NULL, false);\n+    expr_symtab_add_field(symtab, \"__outport\", MFF_LOG_OUTPORT, NULL, false);\n+\n+    /* Define predicates to identify traffic from/to remote VTEPs so that\n+     * northd can skip conntrack without hard-coding register indices. */\n+    char vtep_pred[16];\n+    snprintf(vtep_pred, sizeof vtep_pred, \"__inport[%d]\", OVN_EVPN_KEY_FLAG);\n+    expr_symtab_add_predicate(symtab, \"from_evpn_vtep\", vtep_pred);\n+    snprintf(vtep_pred, sizeof vtep_pred, \"__outport[%d]\", OVN_EVPN_KEY_FLAG);\n+    expr_symtab_add_predicate(symtab, \"to_evpn_vtep\", vtep_pred);\n+\n     /* The port isn't reserved along the pipeline it's just defined as symbol\n      * to support matching on string and moving between string registers. */\n     expr_symtab_add_string(symtab, \"remote_outport\",\ndiff --git a/lib/ovn-util.c b/lib/ovn-util.c\nindex 65fdb3a59c..fb02825ac4 100644\n--- a/lib/ovn-util.c\n+++ b/lib/ovn-util.c\n@@ -1027,7 +1027,7 @@ ip_address_and_port_from_lb_key(const char *key, char **ip_address,\n  * NOTE: If OVN_NORTHD_PIPELINE_CSUM is updated make sure to double check\n  * whether an update of OVN_INTERNAL_MINOR_VER is required. 
*/\n #define OVN_NORTHD_PIPELINE_CSUM \"3760014456 11249\"\n-#define OVN_INTERNAL_MINOR_VER 13\n+#define OVN_INTERNAL_MINOR_VER 14\n \n /* Returns the OVN version. The caller must free the returned value. */\n char *\ndiff --git a/lib/ovn-util.h b/lib/ovn-util.h\nindex 4ccf6dc2db..bcb344de44 100644\n--- a/lib/ovn-util.h\n+++ b/lib/ovn-util.h\n@@ -183,7 +183,8 @@ struct ovsdb_idl_txn *run_idl_loop(struct ovsdb_idl_loop *idl_loop,\n #define OVN_MIN_DP_VXLAN_KEY_GLOBAL (OVN_MAX_DP_VXLAN_KEY_LOCAL + 1)\n #define OVN_MAX_DP_VXLAN_KEY_GLOBAL ((1u << 12) - 1)\n \n-#define OVN_MIN_EVPN_KEY (1u << 31)\n+#define OVN_EVPN_KEY_FLAG 31\n+#define OVN_MIN_EVPN_KEY (1u << OVN_EVPN_KEY_FLAG)\n #define OVN_MAX_EVPN_KEY (OVN_MAX_DP_GLOBAL_NUM | OVN_MIN_EVPN_KEY)\n \n struct hmap;\ndiff --git a/northd/northd.c b/northd/northd.c\nindex bc817073e2..0b52db6cf6 100644\n--- a/northd/northd.c\n+++ b/northd/northd.c\n@@ -6418,6 +6418,31 @@ skip_port_from_conntrack(const struct ovn_datapath *od, struct ovn_port *op,\n     free(egress_match);\n }\n \n+/* Skip conntrack for traffic from/to EVPN remote VTEPs.\n+ * Remote VTEPs do not have conntrack zones assigned, so\n+ * conntrack lookups would return +trk+inv and cause drops. */\n+static void\n+skip_evpn_from_conntrack(const struct ovn_datapath *od,\n+                         bool has_stateful_acl,\n+                         const struct ovn_stage *in_stage,\n+                         const struct ovn_stage *out_stage, uint16_t priority,\n+                         struct lflow_table *lflows,\n+                         struct lflow_ref *lflow_ref)\n+{\n+    if (!od->has_evpn_vni) {\n+        return;\n+    }\n+\n+    const char *egress_action = has_stateful_acl\n+                                ? 
\"next;\"\n+                                : \"flags.pkt_sampled = 0; ct_clear; next;\";\n+\n+    ovn_lflow_add(lflows, od, in_stage, priority,\n+                  \"from_evpn_vtep\", \"next;\", lflow_ref);\n+    ovn_lflow_add(lflows, od, out_stage, priority,\n+                  \"to_evpn_vtep\", egress_action, lflow_ref);\n+}\n+\n static void\n build_stateless_filter(const struct ovn_datapath *od,\n                        const struct nbrec_acl *acl,\n@@ -6520,6 +6545,10 @@ build_ls_stateful_rec_pre_acls(\n                                      lflow_ref);\n         }\n \n+        skip_evpn_from_conntrack(od, true,\n+                                 S_SWITCH_IN_PRE_ACL, S_SWITCH_OUT_PRE_ACL,\n+                                 110, lflows, lflow_ref);\n+\n         /* stateless filters always take precedence over stateful ACLs. */\n         build_stateless_filters(od, ls_port_groups, lflows, lflow_ref);\n \n@@ -6751,6 +6780,14 @@ build_ls_stateful_rec_pre_lb(const struct ls_stateful_record *ls_stateful_rec,\n         }\n     }\n \n+    /* EVPN remote VTEPs do not have conntrack zones, so their traffic\n+     * must always skip conntrack regardless of whether LB VIPs are\n+     * configured.  This differs from localnet ports which DO have\n+     * conntrack zones and can participate in load balancing. 
*/\n+    skip_evpn_from_conntrack(od, ls_stateful_rec->has_stateful_acl,\n+                             S_SWITCH_IN_PRE_LB, S_SWITCH_OUT_PRE_LB,\n+                             110, lflows, lflow_ref);\n+\n     /* 'REGBIT_CONNTRACK_NAT' is set to let the pre-stateful table send\n      * packet to conntrack for defragmentation and possibly for unNATting.\n      *\ndiff --git a/tests/multinode.at b/tests/multinode.at\nindex c2587b68ae..d07660797c 100644\n--- a/tests/multinode.at\n+++ b/tests/multinode.at\n@@ -3829,6 +3829,36 @@ OVS_WAIT_UNTIL([m_as ovn-gw-1 ip netns exec fabric_workload ping -6 -W 1 -c 1 10\n OVS_WAIT_UNTIL([m_as ovn-gw-2 ip netns exec fabric_workload ping    -W 1 -c 1 10.0.0.12])\n OVS_WAIT_UNTIL([m_as ovn-gw-2 ip netns exec fabric_workload ping -6 -W 1 -c 1 10::12])\n \n+AS_BOX([Check EVPN traffic with stateful ACLs])\n+dnl Adding a stateful ACL should not break traffic from/to remote VTEPs.\n+dnl Without the conntrack skip flows (from_evpn_vtep / to_evpn_vtep),\n+dnl conntrack would return +trk+inv for VXLAN traffic and drop it.\n+check multinode_nbctl --wait=hv \\\n+    -- acl-add ls from-lport 100 \"ip\" allow-related \\\n+    -- acl-add ls to-lport 100 \"ip\" allow-related\n+\n+dnl Verify fabric-to-workload pings still work with stateful ACL.\n+OVS_WAIT_UNTIL([m_as ovn-gw-1 ip netns exec fabric_workload ping    -W 1 -c 1 10.0.0.11])\n+OVS_WAIT_UNTIL([m_as ovn-gw-1 ip netns exec fabric_workload ping -6 -W 1 -c 1 10::11])\n+OVS_WAIT_UNTIL([m_as ovn-gw-2 ip netns exec fabric_workload ping    -W 1 -c 1 10.0.0.12])\n+OVS_WAIT_UNTIL([m_as ovn-gw-2 ip netns exec fabric_workload ping -6 -W 1 -c 1 10::12])\n+\n+dnl Also add a load balancer and verify pings still work.\n+check multinode_nbctl --wait=hv \\\n+    -- lb-add lb1 10.0.0.100:80 10.0.0.11:80 \\\n+    -- ls-lb-add ls lb1\n+\n+OVS_WAIT_UNTIL([m_as ovn-gw-1 ip netns exec fabric_workload ping    -W 1 -c 1 10.0.0.11])\n+OVS_WAIT_UNTIL([m_as ovn-gw-1 ip netns exec fabric_workload ping -6 -W 1 -c 1 
10::11])\n+OVS_WAIT_UNTIL([m_as ovn-gw-2 ip netns exec fabric_workload ping    -W 1 -c 1 10.0.0.12])\n+OVS_WAIT_UNTIL([m_as ovn-gw-2 ip netns exec fabric_workload ping -6 -W 1 -c 1 10::12])\n+\n+dnl Cleanup ACL and LB.\n+check multinode_nbctl --wait=hv \\\n+    -- acl-del ls \\\n+    -- ls-lb-del ls lb1 \\\n+    -- lb-del lb1\n+\n AS_BOX([Check type-2 MAC+IP EVPN route advertisements])\n # Ping from the frr-ns to the fabric workload so that its IP is learned on\n # the fabric EVPN peer (and advertised to OVN).\ndiff --git a/tests/ovn-northd.at b/tests/ovn-northd.at\nindex 796c30daf7..1d7bd6c288 100644\n--- a/tests/ovn-northd.at\n+++ b/tests/ovn-northd.at\n@@ -19026,6 +19026,99 @@ OVN_CLEANUP_NORTHD\n AT_CLEANUP\n ])\n \n+OVN_FOR_EACH_NORTHD_NO_HV([\n+AT_SETUP([LS EVPN conntrack skip with stateful ACLs and LBs])\n+AT_KEYWORDS([dynamic-routing])\n+ovn_start\n+\n+AS_BOX([EVPN switch, no ACLs or LBs])\n+check ovn-nbctl --wait=sb \\\n+    -- ls-add ls-evpn \\\n+    -- set logical_switch ls-evpn other_config:dynamic-routing-vni=10 \\\n+    -- lsp-add ls-evpn lsp0 \\\n+    -- lsp-set-addresses lsp0 \"00:00:00:00:00:01 10.0.0.1\"\n+\n+ovn-sbctl dump-flows ls-evpn > lflows\n+\n+dnl No stateful ACL, so no EVPN skip flows in pre_acl.\n+AT_CHECK([grep 'pre_acl' lflows | grep 'from_evpn_vtep'], [1])\n+AT_CHECK([grep 'pre_acl' lflows | grep 'to_evpn_vtep'], [1])\n+\n+dnl pre_lb EVPN skip flows are always present for EVPN switches.\n+AT_CHECK([grep 'pre_lb' lflows | grep 'from_evpn_vtep\\|to_evpn_vtep' | ovn_strip_lflows], [0], [dnl\n+  table=??(ls_in_pre_lb       ), priority=110  , match=(from_evpn_vtep), action=(next;)\n+  table=??(ls_out_pre_lb      ), priority=110  , match=(to_evpn_vtep), action=(flags.pkt_sampled = 0; ct_clear; next;)\n+])\n+\n+AS_BOX([EVPN switch + stateful ACL])\n+check ovn-nbctl --wait=sb acl-add ls-evpn from-lport 100 \"ip\" allow-related\n+\n+ovn-sbctl dump-flows ls-evpn > lflows\n+\n+dnl Stateful ACL present, so EVPN skip flows appear in 
pre_acl.\n+AT_CHECK([grep 'pre_acl' lflows | grep 'from_evpn_vtep\\|to_evpn_vtep' | ovn_strip_lflows], [0], [dnl\n+  table=??(ls_in_pre_acl      ), priority=110  , match=(from_evpn_vtep), action=(next;)\n+  table=??(ls_out_pre_acl     ), priority=110  , match=(to_evpn_vtep), action=(next;)\n+])\n+\n+dnl pre_lb EVPN skip flows with next; action (has_stateful_acl is true).\n+AT_CHECK([grep 'pre_lb' lflows | grep 'from_evpn_vtep\\|to_evpn_vtep' | ovn_strip_lflows], [0], [dnl\n+  table=??(ls_in_pre_lb       ), priority=110  , match=(from_evpn_vtep), action=(next;)\n+  table=??(ls_out_pre_lb      ), priority=110  , match=(to_evpn_vtep), action=(next;)\n+])\n+\n+AS_BOX([EVPN switch + LB only])\n+check ovn-nbctl --wait=sb \\\n+    -- acl-del ls-evpn \\\n+    -- lb-add lb1 10.0.0.100:80 10.0.0.1:80 \\\n+    -- ls-lb-add ls-evpn lb1\n+\n+ovn-sbctl dump-flows ls-evpn > lflows\n+\n+dnl No stateful ACL, so no EVPN skip flows in pre_acl.\n+AT_CHECK([grep 'pre_acl' lflows | grep 'from_evpn_vtep'], [1])\n+AT_CHECK([grep 'pre_acl' lflows | grep 'to_evpn_vtep'], [1])\n+\n+dnl pre_lb EVPN skip flows with ct_clear egress (no stateful ACL).\n+AT_CHECK([grep 'pre_lb' lflows | grep 'from_evpn_vtep\\|to_evpn_vtep' | ovn_strip_lflows], [0], [dnl\n+  table=??(ls_in_pre_lb       ), priority=110  , match=(from_evpn_vtep), action=(next;)\n+  table=??(ls_out_pre_lb      ), priority=110  , match=(to_evpn_vtep), action=(flags.pkt_sampled = 0; ct_clear; next;)\n+])\n+\n+AS_BOX([EVPN switch + ACL + LB])\n+check ovn-nbctl --wait=sb acl-add ls-evpn from-lport 100 \"ip\" allow-related\n+\n+ovn-sbctl dump-flows ls-evpn > lflows\n+\n+dnl Stateful ACL present again, so EVPN skip flows appear in pre_acl.\n+AT_CHECK([grep 'pre_acl' lflows | grep 'from_evpn_vtep\\|to_evpn_vtep' | ovn_strip_lflows], [0], [dnl\n+  table=??(ls_in_pre_acl      ), priority=110  , match=(from_evpn_vtep), action=(next;)\n+  table=??(ls_out_pre_acl     ), priority=110  , match=(to_evpn_vtep), action=(next;)\n+])\n+\n+dnl pre_lb 
egress action is next; because has_stateful_acl is true.\n+AT_CHECK([grep 'pre_lb' lflows | grep 'from_evpn_vtep\\|to_evpn_vtep' | ovn_strip_lflows], [0], [dnl\n+  table=??(ls_in_pre_lb       ), priority=110  , match=(from_evpn_vtep), action=(next;)\n+  table=??(ls_out_pre_lb      ), priority=110  , match=(to_evpn_vtep), action=(next;)\n+])\n+\n+AS_BOX([Non-EVPN switch + ACL])\n+check ovn-nbctl --wait=sb \\\n+    -- ls-add ls-plain \\\n+    -- lsp-add ls-plain lsp1 \\\n+    -- lsp-set-addresses lsp1 \"00:00:00:00:00:02 10.0.0.2\" \\\n+    -- acl-add ls-plain from-lport 100 \"ip\" allow-related\n+\n+ovn-sbctl dump-flows ls-plain > lflows\n+\n+dnl Non-EVPN switch must not have any EVPN skip flows.\n+AT_CHECK([grep 'from_evpn_vtep' lflows], [1])\n+AT_CHECK([grep 'to_evpn_vtep' lflows], [1])\n+\n+OVN_CLEANUP_NORTHD\n+AT_CLEANUP\n+])\n+\n OVN_FOR_EACH_NORTHD_NO_HV([\n AT_SETUP([Check network function])\n ovn_start\ndiff --git a/tests/ovn.at b/tests/ovn.at\nindex cec3bb9a73..0d8c223cc8 100644\n--- a/tests/ovn.at\n+++ b/tests/ovn.at\n@@ -128,6 +128,14 @@ xxreg1 = NXM_NX_XXREG1\n ]])\n AT_CLEANUP\n \n+dnl Check EVPN VTEP predicate definitions.\n+AT_SETUP([EVPN VTEP fields])\n+AT_CHECK([ovstest test-ovn dump-symtab | grep evpn_vtep | sort], [0],\n+[[from_evpn_vtep = __inport[31]\n+to_evpn_vtep = __outport[31]\n+]])\n+AT_CLEANUP\n+\n dnl Check that the OVN conntrack field definitions are correct.\n AT_SETUP([conntrack fields])\n AT_CHECK([ovstest test-ovn dump-symtab | grep ^ct | sort], [0],\n",
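Review bot: In the `ovn_init_symtab` hunk of lib/logical-fields.c, the comment above the `from_evpn_vtep`/`to_evpn_vtep` predicates does not state the invariant they rely on: bit `OVN_EVPN_KEY_FLAG` must never be set in the key of an ordinary logical port, otherwise the predicates would match non-EVPN traffic and the northd flows built on them would take it out of conntrack. The commit message only says the bit is always set for EVPN binding keys, which is the other direction. I would add `/* Bit OVN_EVPN_KEY_FLAG is reserved for EVPN binding keys; no regular port key may set it, because from_evpn_vtep/to_evpn_vtep gate a conntrack bypass. */` next to the predicates. The new `__inport`/`__outport` fields go into the same symbol table as `inport`/`outport`, so the comment should also say whether they are meant to be usable in user-written ACL matches or are internal only. The body of `ovn_init_symtab` starts and ends outside the hunk.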
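Review bot: The header comment of `skip_evpn_from_conntrack()` in northd/northd.c explains why conntrack is skipped but leaves the `has_stateful_acl` parameter undocumented, and the PRE_ACL call site passes it as a bare `true`. From the body it only selects the egress action (`next;` versus `flags.pkt_sampled = 0; ct_clear; next;`), not whether the flows are added, which the name does not suggest. I would extend the comment with `* 'has_stateful_acl' only selects the egress action; the skip flows are added whenever od->has_evpn_vni is set.` The comment should also spell out the policy consequence: on such a switch, remote-VTEP traffic reaches the later ACL stages untracked, so `allow-related` presumably cannot admit replies by connection state. Those stages are not visible in this diff, so that behaviour needs confirming there.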
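Review bot: The new `Check EVPN traffic with stateful ACLs` section in tests/multinode.at only asserts that pings keep working under two `allow-related` ACLs, so nothing guards against the conntrack skip turning into an ACL skip for remote-VTEP traffic. A negative case is missing: add a higher-priority `drop` ACL on `ls`, check that the same `fabric_workload` ping now fails, and remove the ACL before the later steps. The same gap applies to the `LS EVPN conntrack skip with stateful ACLs and LBs` test in tests/ovn-northd.at, which checks only that the priority-110 flows are present or absent. The lines below are a sketch built from the commands already used in this section; adjust the expected-failure idiom to whatever the suite normally uses.

```m4
dnl … unchanged: allow-related ACLs added, positive ping checks …

dnl A drop ACL must still apply to traffic arriving from a remote VTEP.
check multinode_nbctl --wait=hv \
    -- acl-add ls to-lport 200 "ip4.dst == 10.0.0.11" drop
OVS_WAIT_UNTIL([! m_as ovn-gw-1 ip netns exec fabric_workload ping -W 1 -c 1 10.0.0.11])
check multinode_nbctl --wait=hv \
    -- acl-del ls to-lport 200 "ip4.dst == 10.0.0.11"

dnl … unchanged: load balancer checks and cleanup …
```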
    "prefixes": [
        "ovs-dev",
        "v2"
    ]
}