Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2195729/?format=api
{ "id": 2195729, "url": "http://patchwork.ozlabs.org/api/patches/2195729/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ovn/patch/20260211175841.3756146-3-aditya.mehakare@nutanix.com/", "project": { "id": 68, "url": "http://patchwork.ozlabs.org/api/projects/68/?format=api", "name": "Open Virtual Network development", "link_name": "ovn", "list_id": "ovs-dev.openvswitch.org", "list_email": "ovs-dev@openvswitch.org", "web_url": "http://openvswitch.org/", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260211175841.3756146-3-aditya.mehakare@nutanix.com>", "list_archive_url": null, "date": "2026-02-11T17:58:41", "name": "[ovs-dev,v4,2/2] northd, controller, lib: Add Pre-NF stage and store NF ID in ct_label.", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "707a6a08028d981c243a8927b73662bc50682eee", "submitter": { "id": 90537, "url": "http://patchwork.ozlabs.org/api/people/90537/?format=api", "name": "Aditya Mehakare", "email": "aditya.mehakare@nutanix.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/ovn/patch/20260211175841.3756146-3-aditya.mehakare@nutanix.com/mbox/", "series": [ { "id": 491889, "url": "http://patchwork.ozlabs.org/api/series/491889/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ovn/list/?series=491889", "date": "2026-02-11T17:58:39", "name": "Network Function: Commit NF ID instead of NFG ID in CT.", "version": 4, "mbox": "http://patchwork.ozlabs.org/series/491889/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2195729/comments/", "check": "warning", "checks": "http://patchwork.ozlabs.org/api/patches/2195729/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<ovs-dev-bounces@openvswitch.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "dev@openvswitch.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "ovs-dev@lists.linuxfoundation.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=nutanix.com header.i=@nutanix.com header.a=rsa-sha256\n header.s=proofpoint20171006 header.b=qOMbUjqp;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=nutanix.com header.i=@nutanix.com header.a=rsa-sha256\n header.s=selector1 header.b=FPWb2BLK;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)", "smtp4.osuosl.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key)\n header.d=nutanix.com header.i=@nutanix.com header.a=rsa-sha256\n header.s=proofpoint20171006 header.b=qOMbUjqp;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key,\n unprotected) header.d=nutanix.com header.i=@nutanix.com header.a=rsa-sha256\n header.s=selector1 header.b=FPWb2BLK", "smtp4.osuosl.org;\n dmarc=pass (p=none dis=none) header.from=nutanix.com" ], "Received": [ "from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fB5m10yT5z1xpY\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 12 Feb 2026 04:59:12 +1100 (AEDT)", "from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 6D36541C97;\n\tWed, 11 Feb 2026 17:59:11 +0000 (UTC)", "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id pfESx-wLzSBo; Wed, 11 Feb 2026 17:59:06 +0000 (UTC)", "from lists.linuxfoundation.org (lf-lists.osuosl.org\n [IPv6:2605:bc80:3010:104::8cd3:938])\n\tby smtp4.osuosl.org (Postfix) with ESMTPS id EC12841CA5;\n\tWed, 11 Feb 2026 17:59:05 +0000 (UTC)", "from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id C2E3AC077F;\n\tWed, 11 Feb 2026 17:59:05 +0000 (UTC)", "from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 1250CC077F\n for <dev@openvswitch.org>; Wed, 11 Feb 2026 17:59:05 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 4E24C41C97\n for <dev@openvswitch.org>; Wed, 11 Feb 2026 17:59:03 +0000 (UTC)", "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id yju-UVsAOmGW for <dev@openvswitch.org>;\n Wed, 11 Feb 2026 17:59:00 +0000 (UTC)", "from mx0b-002c1b01.pphosted.com (mx0b-002c1b01.pphosted.com\n [148.163.155.12])\n by smtp4.osuosl.org (Postfix) with ESMTPS id 74BA441A7D\n for <dev@openvswitch.org>; Wed, 11 Feb 2026 17:59:00 +0000 (UTC)", "from pps.filterd (m0127844.ppops.net [127.0.0.1])\n by mx0b-002c1b01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id\n 61BAk53C909551; Wed, 11 Feb 2026 09:58:59 -0800", "from sn4pr2101cu001.outbound.protection.outlook.com\n (mail-southcentralusazon11022102.outbound.protection.outlook.com\n [40.93.195.102])\n by mx0b-002c1b01.pphosted.com (PPS) with ESMTPS id 4c87tubxxh-1\n (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT);\n Wed, 11 Feb 2026 09:58:58 -0800 (PST)", "from CY5PR02MB9038.namprd02.prod.outlook.com (2603:10b6:930:32::5)\n by CY8PR02MB9179.namprd02.prod.outlook.com (2603:10b6:930:9a::5) with\n Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9611.10; Wed, 11 Feb\n 2026 17:58:56 +0000", "from CY5PR02MB9038.namprd02.prod.outlook.com\n ([fe80::88d2:46ce:c264:17ec]) by CY5PR02MB9038.namprd02.prod.outlook.com\n ([fe80::88d2:46ce:c264:17ec%4]) with mapi id 15.20.9611.008; Wed, 11 Feb 2026\n 17:58:56 +0000" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections -\n client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp4.osuosl.org EC12841CA5", "OpenDKIM Filter v2.11.0 smtp4.osuosl.org 74BA441A7D" ], "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=148.163.155.12;\n helo=mx0b-002c1b01.pphosted.com; envelope-from=aditya.mehakare@nutanix.com;\n receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp4.osuosl.org 74BA441A7D", "DKIM-Signature": [ "v=1; a=rsa-sha256; c=relaxed/relaxed; d=nutanix.com; h=\n cc:content-transfer-encoding:content-type:date:from:in-reply-to\n :message-id:mime-version:references:subject:to; s=\n proofpoint20171006; bh=3myJxx0K2Ba0hiS06swtpSEOeJGRzvfcn2sDO/i82\n E8=; b=qOMbUjqpnrEri/Pk6DlwuhbgawFgM++lRH5FnVS7wXuEl2nkdbz1CsXPR\n XDwBbuySlPBBpDMCdXlBLPwExzTvKNYThWW3PfnjnOnJLB8bsBerwqljkdl8L45p\n 1K3mzD37RnuthO/p6CxPnf5QTx2sj5OaI03UHXKDn/LTDwgr6PlhMk9V6ATKTkkb\n ONr3H8yGS8IEuwroh68WHbqxt9b/DbiBHeeH4ULjP6X6A3K9qtnJ3heH8YFESA33\n ONPm4iildvJNomk2L2S3aYaIm+VO95zX7vchkzzeT0WwfenBYnKW495KmMoH5b2e\n +RmXMIkaj+DUi0pNMnJf3/+3tAZLg==", "v=1; a=rsa-sha256; c=relaxed/relaxed; d=nutanix.com;\n s=selector1;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;\n bh=3myJxx0K2Ba0hiS06swtpSEOeJGRzvfcn2sDO/i82E8=;\n b=FPWb2BLKABsAc2hQK+bWGduiE4JvNIRbMiGrkoHPpBuu+Q5eqzUmRLjrgbcTAYDqX4k1JmLHT+9Rn31Y+/tpbmXHm4zfGRSuBsFxcwfuRXgO7pby3dQsOXu67a1rb+tI7UpJYXQyoVM4WO32z/nJzqggAI8/QB4PizVcVFp0ya+UA8Yy2l+MQ5bNn8Lb8GZLz22oCw4H1vxwYL0SKxms41T2vYqXffGHZCGr8kJ3TUdrPoDLm0dXyVamtmDdjHPmC/EBSh/zhd27WHGGcU2T+VC8iIGGv4CzA2APtU9gRGaYhvJax64YQmgeiUg4vtGqjRwh2HSPk6ldqYzZJgyXOQ==" ], "ARC-Seal": "i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;\n b=ox5mAo7KKygtdHMXTC9v5804GTQfsPmpz7T7TpgMR14s0m1jCsTH8H6aZDN1aBR9TKyMlBS4Bp4ih8mGqXB5v0V5YurRo+FcNRipARG0pjZ3cKq7uVBPMEJLsQh4z4XBp/PEDuVtWqOpzYw3kwBmer5Qq63h6vKD9pmb7wiMvBMP8WfcZM6em/3nA6UdqK3PPMfvMVhnxdcoIWXP5KYTL4dQBlLTIsKJIU6S8zwiajpHOL10VwOMCugzKnPn1cSTo060pa6k5dMlSL/QEGB2kJZ8dIpXPcRKa+btvhw7ny/8rSKOHePbtGng/YXaJiXvhESIpSx7VnPRQ06n5fB+HQ==", "ARC-Message-Signature": "i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;\n s=arcselector10001;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;\n bh=3myJxx0K2Ba0hiS06swtpSEOeJGRzvfcn2sDO/i82E8=;\n b=xh2QR5laybzaVY+bjFgfhMbQKiH1VvCIFGXLUqvM63bTb+5CFrs4gLuxJSbpaqaTZVD3yGUNJ3XFHkldsTqhyVzhCcoSGeeOK+PPZ53W0fjuzDo6TVjB5GPaxDzWG3NmniKTZBeGd4a1OzBaB6mgRTSy99GuAeitm8VTKlHJnRsk/rlnFRmNOMHP4GPyLc5tJtl2TuHZkmo4v6E0LLY2RtPr4POhoF3kht3XZBTmiYA0FIVVEIU7nnEbSDhHmfuOEu1FIH5agcFPt1ObQsdxp9vse1yHKNdgzP74/bSxC6MyBQTMV1PE14thvo1XV1jrv/hIxnKeMVwB4eWMoA/RHw==", "ARC-Authentication-Results": "i=1; mx.microsoft.com 1; spf=pass\n smtp.mailfrom=nutanix.com; dmarc=pass action=none header.from=nutanix.com;\n dkim=pass header.d=nutanix.com; arc=none", "From": "Aditya Mehakare <aditya.mehakare@nutanix.com>", "To": "dev@openvswitch.org", "Date": "Wed, 11 Feb 2026 17:58:41 +0000", "Message-ID": "<20260211175841.3756146-3-aditya.mehakare@nutanix.com>", "X-Mailer": "git-send-email 2.43.5", "In-Reply-To": "<20260211175841.3756146-1-aditya.mehakare@nutanix.com>", "References": "<20260211175841.3756146-1-aditya.mehakare@nutanix.com>", "X-ClientProxiedBy": "PH7P220CA0075.NAMP220.PROD.OUTLOOK.COM\n (2603:10b6:510:32c::11) To CY5PR02MB9038.namprd02.prod.outlook.com\n (2603:10b6:930:32::5)", "MIME-Version": "1.0", "X-MS-PublicTrafficType": "Email", "X-MS-TrafficTypeDiagnostic": "CY5PR02MB9038:EE_|CY8PR02MB9179:EE_", "X-MS-Office365-Filtering-Correlation-Id": "36e7ca16-72e0-410e-999d-08de6997393b", "x-proofpoint-crosstenant": "true", "X-MS-Exchange-SenderADCheck": "1", "X-MS-Exchange-AntiSpam-Relay": "0", "X-Microsoft-Antispam": "BCL:0;\n ARA:13230040|376014|52116014|366016|1800799024|38350700014|7142099003;", "X-Microsoft-Antispam-Message-Info": "=?utf-8?q?aKPiVWYJ4PkbXgo4DkWDgRp0LljAWaJ?=\n\t=?utf-8?q?fTI0xtXQKNU4fPQ5a2oCY7oHbAiMqYKzHPYJJ96iOQLQ9FDwCvO45iadD2gvvVSvq?=\n\t=?utf-8?q?wOwq3+Rc0HrSP0mQm68w4wwiz63wQio7iUUdZJepdd6QC3ehwzFUPXVpnS2IK4MY2?=\n\t=?utf-8?q?7cNyOwCLFgfos9T0c2OSmAlgA0AvVaAh2voZiMfPmt1g5bWPJ0QgpEFDgZiBF62GF?=\n\t=?utf-8?q?KvpQYuGI7HSd11cv6HxQQ1Rcmz8nCjNfziHXZgt9LNToXQW49tpswew9td3kA0Rvg?=\n\t=?utf-8?q?sVw2XlSxzr+xb2ev6eXiDxSF0/Bha2hwF2IprWiuxulA66EqHsSL5DpoIUzbrgVye?=\n\t=?utf-8?q?MFHbdDGFNhYRUfPz873wjXB0rcshyRjRzn6J/svfLw/9oXGLOZ2Ul1B7apoY1yVNN?=\n\t=?utf-8?q?jZhjVjGZwtuAOlYIjQuCzgyOZIEwFOr/Nh5fJuLCxPM4Sa/m2EPbjdkhTGzMlhu3C?=\n\t=?utf-8?q?NU907svegFHEl+HhZDRAIXq20kDuKRjI/haAoXuMZunGwf8oJFhzKSDfIclxN6eiN?=\n\t=?utf-8?q?Y+tWIyK4wLoCx4fwaHsNjjcHGaOo9/1v4/uSgIyAv5fCNrLVsOAWt2WVXOzS8q1Vg?=\n\t=?utf-8?q?A1LyS8qI2Rvb0c3XmUmL7sb/gbZ5vA+HsZ0/7W+JsiDGluLDrPES3gdQT950kyGiY?=\n\t=?utf-8?q?6G9vkioOrIKD8fbEK2pPMokU3J3HrOSx/42N0KqoXzGllwMVVsM+xjjFz6rcnDl4Y?=\n\t=?utf-8?q?qZJpr93ybDpFs6XZALUjkj0eqO5QpMgvDEmwPlYhpyzqkUcrasx6i36vJOrXQm0XN?=\n\t=?utf-8?q?B+C8U8OhIhwDMo64Q6dTjlOFh5djOmMKonB/tCLW+nauVhEaQ5KhMVACAiZaTFGhl?=\n\t=?utf-8?q?vHjuxhA9IikfplMeHg6Jo5AZKcqAm3FrtGgRWA7S8bbs3FQyb3YhFuOtLLXeaermH?=\n\t=?utf-8?q?NykScIth/oxci4cp9HXVxXO/8wr+efXclCvQKGHZ484AAePDhrIRQEIu/aBzp1Xw3?=\n\t=?utf-8?q?elA1/4HH5tvIMk1fnX6I43xXROzny297s57xU7GLIkSlUrN6tFdnRrfx3J4fMZJ2t?=\n\t=?utf-8?q?/i8LXMX8JAvMDbTeQamIQKSn+NELlawjJQZts5LaO7nGBsKz2KWbsyCmolPVzhSS5?=\n\t=?utf-8?q?SOUS2xfIcqtwXw9DpcbnzLvmrGUayG8vMlH+/9Zk7gRuXOJKx8KXjGWTg8IS4yPsB?=\n\t=?utf-8?q?22SRAKrDmR09iMjtxRT4JFJhTymnlyIoO9j+wxObMdBUvUyfRlz6bMQ5tYIlgn6KB?=\n\t=?utf-8?q?boDo4PtrSACr+XOSmtKf+Bk27jMwspmWmiHby14RM2wgjJ/Z8fQczZGvYggtAnAwL?=\n\t=?utf-8?q?rL/vLRsW3AHwUxDcLnXDoaTa1B7mEjahHcoZmv2ChWc17Km1QA74P+whxVs3CVh81?=\n\t=?utf-8?q?RXUZh7bhFjXchKYZDC+QGDZjTs0JOxUTftzZN1Gffk59qDf/kbXxXG4Nj52JnE5+O?=\n\t=?utf-8?q?1w+/rnfVWQ8So4IkuoDDIa73SNyiWklIU4b91TszxT6fTiJHUo8Dt3x6yZWADSfgo?=\n\t=?utf-8?q?ilAgT59mwWrXgx/fbOa6uYOAJtlMkX1vlroIfjb7JdPYulj8g9Boe7mmgMrwrMtp/?=\n\t=?utf-8?q?Um4PvhrULYxYyXEh6mOtg8RMR8bK/IVH70044v5DjWoVM4D25wL8=3D?=", "X-Forefront-Antispam-Report": "CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;\n IPV:NLI; SFV:NSPM; H:CY5PR02MB9038.namprd02.prod.outlook.com; PTR:; CAT:NONE;\n SFS:(13230040)(376014)(52116014)(366016)(1800799024)(38350700014)(7142099003);\n DIR:OUT; SFP:1102;", "X-MS-Exchange-AntiSpam-MessageData-ChunkCount": "1", "X-MS-Exchange-AntiSpam-MessageData-0": "=?utf-8?q?8MGNezPDYPEvIjz0wzwLSlpPgcSw?=\n\t=?utf-8?q?l1/HQ3h9MuHqR0dULYGqd3U7LV+KAdRp3X7OzKGQzgu9TWAxdZNpqhuvthaz6sVdC?=\n\t=?utf-8?q?wX3XaY3rPDdanUiFa4ORwpWyJsoa+mJUQvNy7tofQDncyNJSPirZnplbIVxc/bcm4?=\n\t=?utf-8?q?7wNnitd6kEiGoZLWMA/yqzojcRHc081Z+Bl9ldQSmr8dL8i9BkaXLd6E+pTe9dbUn?=\n\t=?utf-8?q?z9k+qhVgMfMi9i9ksCIOGjegNal0H2tl3be2bx5CT4TesLNjx45sOQDMAyhTwi9dx?=\n\t=?utf-8?q?P6b3jP8VYlErf4HT0vWX03u056hmnkek4EaSmwsxygS5GjxldzrdFUuQ8xZZm8MaD?=\n\t=?utf-8?q?gOy/Ubdn2CVj+GFpgxefINcjLk7bZTH4eO95VK647hlwklFloTWImU6k8ZNgNYUdT?=\n\t=?utf-8?q?U3Xgd6E9+rqWMf4vRjXu+WHnLOYWgeCqv0ygeFDN++uzGkO0OVWpIPRmWw1QTzetU?=\n\t=?utf-8?q?ri67I8kID7HqHJFubINZvWOYOj9UVQvoMGVZnd328xEON6h19ygXy1qfn2dpySKnr?=\n\t=?utf-8?q?9k1jXskbC7i+0VUn+YynMZ4NXGZ3Vs4mVoB6eV6JRlqgM0f1qxsuq7Y0wJ7Urh0xw?=\n\t=?utf-8?q?9gw8AyCYFpQxHtoLyMMNPh16myySN/OT9GfX+oGvXugdcF7HtGChIsdjIekxcUNDA?=\n\t=?utf-8?q?Ycaszm44k701tqxo2PGR9nmdCC5Hq0YMiWx3fz7baSI/a5GWhJeIil3iE46yX0j9M?=\n\t=?utf-8?q?5gq4pdKQUE3X2iwbp/PCp6K1bE+ky1NVCUXd238PBPGHrgZ9yIhkqe3gwR1+yMF3l?=\n\t=?utf-8?q?EhuyfBeFAeVDv7wUrJrGo2tm8FnCEBzUBD4O8U9c02Gq8C3adWO/kBHCI9rYpYw60?=\n\t=?utf-8?q?ozicQe+QMeJoL9J6CK46uqEr5OradKkT8GHspzajHgsc+clKf2ll2RUqgVQe7aZhC?=\n\t=?utf-8?q?wdMz+DrvXE5ALcSDGIN97+2BXZkAlLGyWZGbSD+4oUsytGgbsP7Lba0KqaDaIqPIW?=\n\t=?utf-8?q?adhwhnqO3ti9IsG6WyDSlQ2vdgdzn4kuq/GQRSzvHATqhUYFAn56v+DC4HgnuowQR?=\n\t=?utf-8?q?D+hCD7nrfurqmhszS8TWulFoQ1sCWVP8oSlCLJ0wj+A4OXZ/CXJAd5fnRuuMWHMuI?=\n\t=?utf-8?q?roBpTDq+ftlX/B9FlEQdNHRjbXrZ3g3yoCTEPKU/mGR2oHUn7mAC93R4zn5Gn4g/B?=\n\t=?utf-8?q?j1mCwSI5Gj8bYZelCxeRplu1ewHFFYObYSzsrcreDAUj98ZlFrDB7UX4reGSODIJD?=\n\t=?utf-8?q?BJVN6aUxa7S0VfDNM6G9nSGHvMglZEI8xfCMoTzSLLkXkRATpXqeEVkqoifxciVFi?=\n\t=?utf-8?q?99q5y9ByO0zYS4hr7+th7IquLAYQj5/VjgeW0rMZLG+W0As3fN0FX1OnDd+hOfp0s?=\n\t=?utf-8?q?aYjea+cKcQ4flIEEwNstgzLwVLmmhuDrsZDaMWAaIcgVCPnM1S+BnaP3MiY0l2esu?=\n\t=?utf-8?q?4ziwoAZ+CZY9xt2JOsrEvTNB9u6cDHmL3gzLpYqLtoX90LIFNfeuhW3dOgvUS0Wpf?=\n\t=?utf-8?q?VMaPQd14oWBY+HNEC2idoDs14PRYNZMokZx9O5KiqMpgabGlr2OFU8C1L+GVStysV?=\n\t=?utf-8?q?5lJ7Fr4VP0X/QsxYODXwfPvXXGiQkczFwbN9SrSFF6nu3vb/QsGVPh/VpdhYaWMt6?=\n\t=?utf-8?q?N1yxJAjqhq3gPE3G17swx7PHPlsX88kjpL1fUaJKfrGSgzPZwn8um1G0qTiNFzxW7?=\n\t=?utf-8?q?8OTwbn4+lZ0TL+RkX4I4nT1ypJ82mcUoWoYGk6l152oVvgEnxgm1Q=3D?=", "X-OriginatorOrg": "nutanix.com", "X-MS-Exchange-CrossTenant-Network-Message-Id": "\n 36e7ca16-72e0-410e-999d-08de6997393b", "X-MS-Exchange-CrossTenant-AuthSource": "CY5PR02MB9038.namprd02.prod.outlook.com", "X-MS-Exchange-CrossTenant-AuthAs": "Internal", "X-MS-Exchange-CrossTenant-OriginalArrivalTime": "11 Feb 2026 17:58:55.7990 (UTC)", "X-MS-Exchange-CrossTenant-FromEntityHeader": "Hosted", "X-MS-Exchange-CrossTenant-Id": "bb047546-786f-4de1-bd75-24e5b6f79043", "X-MS-Exchange-CrossTenant-MailboxType": "HOSTED", "X-MS-Exchange-CrossTenant-UserPrincipalName": "\n xAi15EevJrpwnOYvJUulmJ4Jmq5WnSuKD1HwGnz9gaC72C81YlOMTxF1MC1C6wRpgsILpF4Ea7cRnaP2+fDayNIqDnp/6a6a2DUFht/JEzI=", "X-MS-Exchange-Transport-CrossTenantHeadersStamped": "CY8PR02MB9179", "X-Proofpoint-GUID": "1uvBpd-Tig1TaZjSznV5gEXQB-Gkps4z", "X-Proofpoint-ORIG-GUID": "1uvBpd-Tig1TaZjSznV5gEXQB-Gkps4z", "X-Proofpoint-Spam-Details-Enc": "AW1haW4tMjYwMjExMDEzOSBTYWx0ZWRfX5S0q16QFQYXR\n J/plvcfV9sKx6q4PMPRS7Cy7aWS+EBu/AeR8QY2Mx62GnfCm7WYXW7clKxj5hV7ugJcebGVffRA\n Q7AQr47ll7qIPZ4gJ3dXjjnEBxlKX+ywKR842+mR4NFJ+is+KDx4PESSG55ZEUeRvvADIwK5b6M\n AUN6/MAEGhDk4Td222E61jREHN8JzCRGoKDKVSxrntFAhU/3pEwbiJHZFnbkooV/uyNbNQ7rpop\n s8afeT987+pHiiKvgCM4YptopXZDQUwA2dvq9K7ytovQ+5alJPqeTfUunNjwpkBCPUISXmlcRCn\n B4R6XGHFNbrktXIC91jdgBsa7ABzTgxcohHpOcszS8h4gshj6+IoLFSBgeE3My3s1W+NlTjkn25\n moDIFPLS3RDl5D5yczBbOrVJNz9+M9ZtozqR7tXMO7vhzO/9lCSBpixV7TQeL6r343gbU82ht2j\n AffGzc/LV/i2kio6OGg==", "X-Authority-Analysis": "v=2.4 cv=bpRBxUai c=1 sm=1 tr=0 ts=698cc363 cx=c_pps\n a=wVfAXNSrx9oslCtdZ7LgKA==:117 a=6eWqkTHjU83fiwn7nKZWdM+Sl24=:19\n a=z/mQ4Ysz8XfWz/Q5cLBRGdckG28=:19 a=lCpzRmAYbLLaTzLvsPZ7Mbvzbb8=:19\n a=xqWC_Br6kY4A:10 a=IkcTkHD0fZMA:10 a=HzLeVaNsDn8A:10 a=0kUYKlekyDsA:10\n a=VkNPw1HP01LnGYTKEx00:22 a=Mpw57Om8IfrbqaoTuvik:22 a=GgsMoib0sEa3-_RKJdDe:22\n a=64Cc0HZtAAAA:8 a=20KFwNOVAAAA:8 a=xwn4GZUUBMGuZaFU1q8A:9\n a=oPfjL4XfXK4vm7rN:21 a=3ZKOabzyN94A:10 a=QEXdDO2ut3YA:10", "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.51,FMLib:17.12.100.49\n definitions=2026-02-11_02,2026-02-11_04,2025-10-01_01", "X-Proofpoint-Spam-Reason": "safe", "Subject": "[ovs-dev] [PATCH ovn v4 2/2] northd, controller,\n lib: Add Pre-NF stage and store NF ID in ct_label.", "X-BeenThere": "ovs-dev@openvswitch.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "<ovs-dev.openvswitch.org>", "List-Unsubscribe": "<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>", "List-Archive": "<http://mail.openvswitch.org/pipermail/ovs-dev/>", "List-Post": "<mailto:ovs-dev@openvswitch.org>", "List-Help": "<mailto:ovs-dev-request@openvswitch.org?subject=help>", "List-Subscribe": "<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "base64", "Errors-To": "ovs-dev-bounces@openvswitch.org", "Sender": "\"dev\" <ovs-dev-bounces@openvswitch.org>" }, "content": "This commit introduces a new Pre Network Function (PRE_NF)\npipeline stage and changes the connection tracking label to\nstore the individual network function ID instead of the network\nfunction group ID.\n\nPreviously, when a packet matched an ACL with a\nnetwork_function_group, the network function group ID was stored\nin ct_label.nf_group_id. This approach had limitations for\nimplementing network function load balancing and active-active\nsupport, as it didn't track which specific network function\ninstance handled the connection.\n\nWith this change:\n\n1. A new PRE_NF stage (table 23 for ingress, table 11 for\n egress) is added before the STATEFUL stage. This stage is\n responsible for selecting the active network function from a\n network function group and setting the specific NF ID in\n reg0[22..29].\n\n2. The STATEFUL stage now stores the individual network\n function ID (instead of the group ID) in ct_label.nf_id.\n This allows response and related packets to be redirected to\n the same network function instance that handled the request.\n\n3. The PRE_NF stage implements fail-open behavior: when no\n active network function exists in a group, it resets the\n nf_enabled bit and clears the nf_id register, allowing\n packets to continue processing without network function\n redirection.\n\n4. Pipeline stage numbers are adjusted:\n - Ingress: STATEFUL moves from 23 to 24, NF from 24 to 25\n - Egress: STATEFUL moves from 11 to 12, NF from 12 to 13\n - Controller OpenFlow tables updated accordingly\n\n5. Connection tracking label fields renamed for clarity:\n - ct_label.nf_group → ct_label.nf\n - ct_label.nf_group_id → ct_label.nf_id\n\nSigned-off-by: Aditya Mehakare <aditya.mehakare@nutanix.com>\nAcked-by: Naveen Yerramneni <naveen.yerramneni@nutanix.com>\nAcked-by: Mark Michelson <mmichels@redhat.com>\n---\n controller/lflow.h | 14 +-\n include/ovn/logical-fields.h | 8 +-\n lib/logical-fields.c | 10 +-\n lib/ovn-util.c | 4 +-\n lib/ovn-util.h | 4 +-\n northd/northd.c | 118 +++++---\n northd/northd.h | 34 ++-\n northd/ovn-northd.8.xml | 305 +++++++++++++++-----\n ovn-sb.ovsschema | 6 +-\n tests/ovn-macros.at | 12 +-\n tests/ovn-northd.at | 519 ++++++++++++++++++++---------------\n tests/ovn.at | 8 +-\n 12 files changed, 669 insertions(+), 373 deletions(-)", "diff": "diff --git a/controller/lflow.h b/controller/lflow.h\nindex cd714ffef..4bae1dfab 100644\n--- a/controller/lflow.h\n+++ b/controller/lflow.h\n@@ -67,18 +67,18 @@ struct uuid;\n \n /* Start of LOG_PIPELINE_LEN tables. */\n #define OFTABLE_LOG_INGRESS_PIPELINE 8\n-#define OFTABLE_OUTPUT_LARGE_PKT_DETECT 41\n-#define OFTABLE_OUTPUT_LARGE_PKT_PROCESS 42\n-#define OFTABLE_REMOTE_OUTPUT 43\n-#define OFTABLE_REMOTE_VTEP_OUTPUT 44\n-#define OFTABLE_LOCAL_OUTPUT 45\n-#define OFTABLE_CHECK_LOOPBACK 46\n+#define OFTABLE_OUTPUT_LARGE_PKT_DETECT 42\n+#define OFTABLE_OUTPUT_LARGE_PKT_PROCESS 43\n+#define OFTABLE_REMOTE_OUTPUT 44\n+#define OFTABLE_REMOTE_VTEP_OUTPUT 45\n+#define OFTABLE_LOCAL_OUTPUT 46\n+#define OFTABLE_CHECK_LOOPBACK 47\n \n /* Start of the OUTPUT section of the pipeline. */\n #define OFTABLE_OUTPUT_INIT OFTABLE_OUTPUT_LARGE_PKT_DETECT\n \n /* Start of LOG_PIPELINE_LEN tables. */\n-#define OFTABLE_LOG_EGRESS_PIPELINE 47\n+#define OFTABLE_LOG_EGRESS_PIPELINE 48\n #define OFTABLE_SAVE_INPORT 64\n #define OFTABLE_LOG_TO_PHY 65\n #define OFTABLE_MAC_BINDING 66\ndiff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h\nindex 028f5aef7..a22e4cfb7 100644\n--- a/include/ovn/logical-fields.h\n+++ b/include/ovn/logical-fields.h\n@@ -291,18 +291,18 @@ const struct ovn_field *ovn_field_from_name(const char *name);\n #define OVN_CT_OBS_STAGE_1ST_BIT 4\n #define OVN_CT_OBS_STAGE_END_BIT 5\n #define OVN_CT_ALLOW_ESTABLISHED_BIT 6\n-#define OVN_CT_NF_GROUP_BIT 7\n+#define OVN_CT_NF_BIT 7\n #define OVN_CT_TUN_IF_BIT 8\n \n #define OVN_CT_BLOCKED 1\n #define OVN_CT_NATTED 2\n #define OVN_CT_LB_SKIP_SNAT 4\n #define OVN_CT_LB_FORCE_SNAT 8\n-#define OVN_CT_NF_GROUP 128\n+#define OVN_CT_NF 128\n #define OVN_CT_TUN_IF 256\n \n-#define OVN_CT_NF_GROUP_ID_1ST_BIT 17\n-#define OVN_CT_NF_GROUP_ID_END_BIT 24\n+#define OVN_CT_NF_ID_1ST_BIT 17\n+#define OVN_CT_NF_ID_END_BIT 24\n #define OVN_CT_TUN_IF_1ST_BIT 80\n #define OVN_CT_TUN_IF_END_BIT 95\n \ndiff --git a/lib/logical-fields.c b/lib/logical-fields.c\nindex c8bddcdc5..601208cb9 100644\n--- a/lib/logical-fields.c\n+++ b/lib/logical-fields.c\n@@ -220,17 +220,17 @@ ovn_init_symtab(struct shash *symtab)\n \"ct_label[0..95]\", WR_CT_COMMIT);\n expr_symtab_add_subfield_scoped(symtab, \"ct_label.acl_id\", NULL,\n \"ct_label[80..95]\", WR_CT_COMMIT);\n- expr_symtab_add_subfield_scoped(symtab, \"ct_label.nf_group\",\n+ expr_symtab_add_subfield_scoped(symtab, \"ct_label.nf\",\n NULL, \"ct_label[\"\n- OVN_CT_STR(OVN_CT_NF_GROUP_BIT)\n+ OVN_CT_STR(OVN_CT_NF_BIT)\n \"]\",\n WR_CT_COMMIT);\n expr_symtab_add_subfield_scoped(symtab,\n- \"ct_label.nf_group_id\", NULL,\n+ \"ct_label.nf_id\", NULL,\n \"ct_label[\"\n- OVN_CT_STR(OVN_CT_NF_GROUP_ID_1ST_BIT)\n+ OVN_CT_STR(OVN_CT_NF_ID_1ST_BIT)\n \"..\"\n- OVN_CT_STR(OVN_CT_NF_GROUP_ID_END_BIT)\n+ OVN_CT_STR(OVN_CT_NF_ID_END_BIT)\n \"]\",\n WR_CT_COMMIT);\n expr_symtab_add_subfield_scoped(symtab, \"ct_label.tun_if\", NULL,\ndiff --git a/lib/ovn-util.c b/lib/ovn-util.c\nindex 2df51dc7e..aae603c88 100644\n--- a/lib/ovn-util.c\n+++ b/lib/ovn-util.c\n@@ -968,8 +968,8 @@ ip_address_and_port_from_lb_key(const char *key, char **ip_address,\n *\n * NOTE: If OVN_NORTHD_PIPELINE_CSUM is updated make sure to double check\n * whether an update of OVN_INTERNAL_MINOR_VER is required. */\n-#define OVN_NORTHD_PIPELINE_CSUM \"45472499 11094\"\n-#define OVN_INTERNAL_MINOR_VER 12\n+#define OVN_NORTHD_PIPELINE_CSUM \"3760014456 11249\"\n+#define OVN_INTERNAL_MINOR_VER 13\n \n /* Returns the OVN version. The caller must free the returned value. */\n char *\ndiff --git a/lib/ovn-util.h b/lib/ovn-util.h\nindex 0ba0d1c26..fbd2cc620 100644\n--- a/lib/ovn-util.h\n+++ b/lib/ovn-util.h\n@@ -330,8 +330,8 @@ BUILD_ASSERT_DECL(\n #define SCTP_ABORT_CHUNK_FLAG_T (1 << 0)\n \n /* The number of tables for the ingress and egress pipelines. */\n-#define LOG_PIPELINE_INGRESS_LEN 33\n-#define LOG_PIPELINE_EGRESS_LEN 15\n+#define LOG_PIPELINE_INGRESS_LEN 34\n+#define LOG_PIPELINE_EGRESS_LEN 16\n \n static inline uint32_t\n hash_add_in6_addr(uint32_t hash, const struct in6_addr *addr)\ndiff --git a/northd/northd.c b/northd/northd.c\nindex 6d9c67821..4ecdd9c2d 100644\n--- a/northd/northd.c\n+++ b/northd/northd.c\n@@ -172,7 +172,10 @@ static bool vxlan_mode;\n #define REGBIT_NF_ENABLED \"reg8[21]\"\n #define REGBIT_NF_ORIG_DIR \"reg8[22]\"\n #define REGBIT_NF_EGRESS_LOOPBACK \"reg8[23]\"\n+/* Register to store the network function group id */\n #define REG_NF_GROUP_ID \"reg0[22..29]\"\n+/* REG_NF_ID overrides REG_NF_GROUP_ID in the pre_network_function stage. */\n+#define REG_NF_ID \"reg0[22..29]\"\n \n enum acl_observation_stage {\n ACL_OBS_FROM_LPORT = 0,\n@@ -273,7 +276,9 @@ static const char *reg_ct_state[] = {\n * | | REGBIT_ACL_HINT_{ALLOW_NEW/ALLOW/DROP/BLOCK} | | |\n * | | REGBIT_ACL_{LABEL/STATELESS} | | |\n * | | REG_NF_GROUP_ID (22..29) | | |\n- * | | (>= ACL_EVAL* && <= NF*) | | |\n+ * | | (>= ACL_EVAL* && <= PRE_NF*) | | |\n+ * | | REG_NF_ID (22..29) | | |\n+ * | | (> PRE_NF* && <= NF*) | | |\n * +----+----------------------------------------------+ | |\n * | R1 | REG_CT_TP_DST (0..15) | | |\n * | | REG_CT_PROTO (16..23) | | |\n@@ -7662,7 +7667,7 @@ build_acl_log_related_flows(const struct ovn_datapath *od,\n \n ds_clear(actions);\n build_acl_log(actions, acl, meter_groups);\n- ds_put_cstr(actions, REGBIT_NF_ENABLED\" = ct_label.nf_group; \");\n+ ds_put_cstr(actions, REGBIT_NF_ENABLED\" = ct_label.nf; \");\n ds_put_cstr(actions, REGBIT_ACL_VERDICT_ALLOW\" = 1; next;\");\n /* Related/reply flows need to be set on the opposite pipeline\n * from where the ACL itself is set.\n@@ -7832,12 +7837,12 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec,\n ds_cstr(&match), REGBIT_ACL_HINT_DROP\" = 0; \"\n REGBIT_ACL_HINT_BLOCK\" = 0; \"\n REGBIT_ACL_HINT_ALLOW_REL\" = 1; \"\n- REGBIT_NF_ENABLED\" = ct_label.nf_group; \"\n+ REGBIT_NF_ENABLED\" = ct_label.nf; \"\n REGBIT_ACL_VERDICT_ALLOW\" = 1; next;\",\n lflow_ref);\n ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX - 3,\n ds_cstr(&match),\n- REGBIT_NF_ENABLED\" = ct_label.nf_group; \"\n+ REGBIT_NF_ENABLED\" = ct_label.nf; \"\n REGBIT_ACL_VERDICT_ALLOW \" = 1; next;\",\n lflow_ref);\n \n@@ -7855,10 +7860,10 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec,\n * that's generated from a non-listening UDP port. */\n const char *ct_in_acl_action =\n REGBIT_ACL_HINT_ALLOW_REL\" = 1; \"\n- REGBIT_NF_ENABLED\" = ct_label.nf_group; \"\n+ REGBIT_NF_ENABLED\" = ct_label.nf; \"\n REGBIT_ACL_VERDICT_ALLOW\" = 1; ct_commit_nat;\";\n const char *ct_out_acl_action =\n- REGBIT_NF_ENABLED\" = ct_label.nf_group; \"\n+ REGBIT_NF_ENABLED\" = ct_label.nf; \"\n REGBIT_ACL_VERDICT_ALLOW\" = 1; ct_commit_nat;\";\n ds_clear(&match);\n ds_put_cstr(&match, \"!ct.est && ct.rel && !ct.new && \"\n@@ -7883,12 +7888,12 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec,\n ds_clear(&match);\n const char *pre_lb_persisted_acl_action =\n REGBIT_ACL_HINT_ALLOW_PERSISTED\" = 1; \"\n- REGBIT_NF_ENABLED\" = ct_label.nf_group; \"\n+ REGBIT_NF_ENABLED\" = ct_label.nf; \"\n REGBIT_ACL_VERDICT_ALLOW\" = 1; next;\";\n const char *post_lb_persisted_acl_action =\n REGBIT_ACL_VERDICT_ALLOW\" = 1; next;\";\n const char *persisted_acl_action =\n- REGBIT_NF_ENABLED\" = ct_label.nf_group; \"\n+ REGBIT_NF_ENABLED\" = ct_label.nf; \"\n REGBIT_ACL_VERDICT_ALLOW\" = 1; next;\";\n ds_put_format(&match, \"ct.est && ct_mark.allow_established == 1\");\n ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3,\n@@ -8770,8 +8775,8 @@ build_stateful(struct ovn_datapath *od, struct lflow_table *lflows,\n \"ct_mark.obs_collector_id = \" REG_OBS_COLLECTOR_ID_EST \"; \"\n \"ct_label.obs_point_id = \" REG_OBS_POINT_ID_EST \"; \"\n \"ct_label.acl_id = \" REG_ACL_ID \"; \"\n- \"ct_label.nf_group = 0; \"\n- \"ct_label.nf_group_id = 0; \"\n+ \"ct_label.nf = 0; \"\n+ \"ct_label.nf_id = 0; \"\n \"}; next;\");\n ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100,\n REGBIT_CONNTRACK_COMMIT\" == 1 && \"\n@@ -8794,8 +8799,8 @@ build_stateful(struct ovn_datapath *od, struct lflow_table *lflows,\n \"ct_mark.blocked = 0; \"\n \"ct_mark.allow_established = \" REGBIT_ACL_PERSIST_ID \"; \"\n \"ct_label.acl_id = \" REG_ACL_ID \"; \"\n- \"ct_label.nf_group = 0; \"\n- \"ct_label.nf_group_id = 0; \"\n+ \"ct_label.nf = 0; \"\n+ \"ct_label.nf_id = 0; \"\n \"}; next;\");\n ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100,\n REGBIT_CONNTRACK_COMMIT\" == 1 && \"\n@@ -8817,8 +8822,8 @@ build_stateful(struct ovn_datapath *od, struct lflow_table *lflows,\n \"ct_mark.blocked = 0; \"\n \"ct_mark.allow_established = \" REGBIT_ACL_PERSIST_ID \"; \"\n \"ct_label.acl_id = \" REG_ACL_ID \"; \"\n- \"ct_label.nf_group = 1; \"\n- \"ct_label.nf_group_id = \" REG_NF_GROUP_ID \"; }; next;\");\n+ \"ct_label.nf = 1; \"\n+ \"ct_label.nf_id = \" REG_NF_ID \"; }; next;\");\n ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 110,\n REGBIT_CONNTRACK_COMMIT\" == 1 && \"\n REGBIT_ACL_LABEL\" == 0 && \"\n@@ -8845,8 +8850,8 @@ build_stateful(struct ovn_datapath *od, struct lflow_table *lflows,\n \"ct_mark.obs_collector_id = \" REG_OBS_COLLECTOR_ID_EST \"; \"\n \"ct_label.obs_point_id = \" REG_OBS_POINT_ID_EST \"; \"\n \"ct_label.acl_id = \" REG_ACL_ID \"; \"\n- \"ct_label.nf_group = 1; \"\n- \"ct_label.nf_group_id = \" REG_NF_GROUP_ID \"; }; next;\");\n+ \"ct_label.nf = 1; \"\n+ \"ct_label.nf_id = \" REG_NF_ID \"; }; next;\");\n ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 110,\n REGBIT_CONNTRACK_COMMIT\" == 1 && \"\n REGBIT_ACL_LABEL\" == 1 && \"\n@@ -18682,17 +18687,28 @@ static void build_network_function_active(\n static void\n network_function_configure_fail_open_flows(struct lflow_table *lflows,\n const struct ovn_datapath *od, struct lflow_ref *lflow_ref,\n- uint64_t nfg_id)\n+ uint64_t nfg_id, bool ingress)\n {\n struct ds match = DS_EMPTY_INITIALIZER;\n- ds_put_format(&match,\n- REG_NF_GROUP_ID \" == %\"PRIu8\" || \"\n- \"(ct.trk && ct_label.nf_group_id == %\"PRIu8\")\",\n- (uint8_t) nfg_id, (uint8_t) nfg_id);\n- ovn_lflow_add(lflows, od, S_SWITCH_IN_NF, 10,\n- ds_cstr(&match), \"next;\", lflow_ref);\n- ovn_lflow_add(lflows, od, S_SWITCH_OUT_NF, 10,\n- ds_cstr(&match), \"next;\", lflow_ref);\n+ struct ds action = DS_EMPTY_INITIALIZER;\n+\n+ /* Pre NF Table (Priority 10):\n+ *\n+ * When no active network function exists in the network function group,\n+ * this flow resets the nf_enabled bit and clears the nf_group_id register\n+ * to allow packets to continue processing through the pipeline without\n+ * network function redirection (fail-open behavior).\n+ */\n+ ds_put_format(&match, REGBIT_NF_ENABLED\" == 1 && \"\n+ REGBIT_NF_ORIG_DIR\" == 1 && \"\n+ REG_NF_GROUP_ID\" == %\"PRIu8,\n+ (uint8_t) nfg_id);\n+ ds_put_format(&action, REGBIT_NF_ENABLED\" = 0; \"\n+ REG_NF_ID\" = 0; next;\");\n+ ovn_lflow_add(lflows, od, ingress ? S_SWITCH_IN_PRE_NF\n+ : S_SWITCH_OUT_PRE_NF,\n+ 10, ds_cstr(&match), ds_cstr(&action), lflow_ref);\n+ ds_destroy(&action);\n ds_destroy(&match);\n }\n \n@@ -18712,7 +18728,7 @@ consider_network_function(struct lflow_table *lflows,\n */\n if (network_function_group_is_fallback_fail_open(nfg)) {\n network_function_configure_fail_open_flows(lflows, od, lflow_ref,\n- nfg->id);\n+ nfg->id, ingress);\n }\n \n /* Currently we support only one active port-pair in a group.\n@@ -18751,16 +18767,36 @@ consider_network_function(struct lflow_table *lflows,\n reverse_redirect_port = input_port;\n }\n \n+ /* Pre NF Table (Priority 99):\n+ *\n+ * Currently, this stage simply writes the active network function ID into\n+ * the nf_id register.\n+ *\n+ * In the future, this stage will be extended to support network function\n+ * load balancing.\n+ */\n+ ds_put_format(&match, REGBIT_NF_ENABLED\" == 1 && \"\n+ REGBIT_NF_ORIG_DIR\" == 1 && \"\n+ REG_NF_GROUP_ID \" == %\"PRIu8,\n+ (uint8_t) nfg->id);\n+ ds_put_format(&action, REG_NF_ID\" = %\"PRIu8\"; next;\", (uint8_t) nf->id);\n+ ovn_lflow_add(lflows, od, ingress ? S_SWITCH_IN_PRE_NF\n+ : S_SWITCH_OUT_PRE_NF,\n+ 99, ds_cstr(&match), ds_cstr(&action), lflow_ref);\n+ ds_clear(&match);\n+ ds_clear(&action);\n+\n /* Add forward flows for redirection:\n * Flows to handle request packets for new or existing connections.\n *\n * from-lport ACL in_nf priority 99:\n * in_acl_eval has already categorized it and populated nf_enabled,\n- * direction and nfg_id registers. Here this rule sets the outport to the\n+ * direction and nfg_id registers. in_pre_nf sets the active network\n+ * function id in nf_id register. Here this rule sets the outport to the\n * NF port and does output action to skip the rest of the ingress pipeline.\n *\n * to-lport ACL out_nf priority 99:\n- * out_acl_eval does the setting of nf related registers. Then the\n+ * out_acl_eval, and out_pre_nf set the nf related registers. Then the\n * out_nf stage sets the outport to NF port and submits the\n * packet back to ingress pipeline l2_lkup table. The l2_lkup would skip\n * mac based lookup as the NF_EGRESS_LOOPBACK is set.\n@@ -18777,8 +18813,8 @@ consider_network_function(struct lflow_table *lflows,\n }\n ds_put_format(&match, REGBIT_NF_ENABLED\" == 1 && \"\n REGBIT_NF_ORIG_DIR\" == 1 && \"\n- REG_NF_GROUP_ID \" == %\"PRIu8,\n- (uint8_t) nfg->id);\n+ REG_NF_ID \" == %\"PRIu8,\n+ (uint8_t) nf->id);\n ovn_lflow_add(lflows, od, fwd_stage, 99, ds_cstr(&match),\n ds_cstr(&action), lflow_ref);\n ds_clear(&match);\n@@ -18811,8 +18847,8 @@ consider_network_function(struct lflow_table *lflows,\n }\n ds_put_format(&match, REGBIT_NF_ENABLED\" == 1 && \"\n REGBIT_NF_ORIG_DIR\" == 0 && \"\n- \"ct_label.nf_group_id == %\"PRIu8,\n- (uint8_t) nfg->id);\n+ \"ct_label.nf_id == %\"PRIu8,\n+ (uint8_t) nf->id);\n ovn_lflow_add(lflows, od, rev_stage, 99, ds_cstr(&match), ds_cstr(&action),\n lflow_ref);\n ds_clear(&match);\n@@ -18894,6 +18930,24 @@ build_network_function(const struct ovn_datapath *od,\n REGBIT_NF_EGRESS_LOOPBACK\" == 1\",\n \"output;\", lflow_ref);\n \n+ /* Ingress and Egress PRE NF Table (Priority 0): Packets are forwarded to\n+ * next table by default. */\n+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_NF, 0, \"1\", \"next;\", lflow_ref);\n+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_NF, 0, \"1\", \"next;\",\n+ lflow_ref);\n+\n+ /* Ingress and Egress PRE NF Table (Priority 1): ACL stage determined these\n+ * packets should be redirected, but there is no active NF in NFG.\n+ * Reset the nf_id register to 0. This will drop the packet by the\n+ * default drop rule in the subsequent NF table.\n+ */\n+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_NF, 1,\n+ REGBIT_NF_ENABLED\" == 1 && \" REGBIT_NF_ORIG_DIR\" == 1\",\n+ REG_NF_ID\" = 0; next;\", lflow_ref);\n+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_NF, 1,\n+ REGBIT_NF_ENABLED\" == 1 && \" REGBIT_NF_ORIG_DIR\" == 1\",\n+ REG_NF_ID\" = 0; next;\", lflow_ref);\n+\n /* Ingress and Egress NF Table (Priority 100): ACL stage determined these\n * packets should be redirected, but these are multicast/broadcast\n * packets which can cause L2 loop if redirected to NF. */\ndiff --git a/northd/northd.h b/northd/northd.h\nindex 9158f3d53..25c8a909a 100644\n--- a/northd/northd.h\n+++ b/northd/northd.h\n@@ -542,16 +542,18 @@ ovn_datapath_is_stale(const struct ovn_datapath *od)\n \"ls_in_acl_after_lb_sample\") \\\n PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_ACTION, 22, \\\n \"ls_in_acl_after_lb_action\") \\\n- PIPELINE_STAGE(SWITCH, IN, STATEFUL, 23, \"ls_in_stateful\") \\\n- PIPELINE_STAGE(SWITCH, IN, NF, 24, \"ls_in_network_function\") \\\n- PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 25, \"ls_in_arp_rsp\") \\\n- PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 26, \"ls_in_dhcp_options\") \\\n- PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 27, \"ls_in_dhcp_response\") \\\n- PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 28, \"ls_in_dns_lookup\") \\\n- PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 29, \"ls_in_dns_response\") \\\n- PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 30, \"ls_in_external_port\") \\\n- PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 31, \"ls_in_l2_lkup\") \\\n- PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 32, \"ls_in_l2_unknown\") \\\n+ PIPELINE_STAGE(SWITCH, IN, PRE_NF, 23, \\\n+ \"ls_in_pre_network_function\") \\\n+ PIPELINE_STAGE(SWITCH, IN, STATEFUL, 24, \"ls_in_stateful\") \\\n+ PIPELINE_STAGE(SWITCH, IN, NF, 25, \"ls_in_network_function\") \\\n+ PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 26, \"ls_in_arp_rsp\") \\\n+ PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 27, \"ls_in_dhcp_options\") \\\n+ PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 28, \"ls_in_dhcp_response\") \\\n+ PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 29, \"ls_in_dns_lookup\") \\\n+ PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 30, \"ls_in_dns_response\") \\\n+ PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 31, \"ls_in_external_port\") \\\n+ PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 32, \"ls_in_l2_lkup\") \\\n+ PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 33, \"ls_in_l2_unknown\") \\\n \\\n /* Logical switch egress stages. */ \\\n PIPELINE_STAGE(SWITCH, OUT, LOOKUP_FDB, 0, \"ls_out_lookup_fdb\") \\\n@@ -565,11 +567,13 @@ ovn_datapath_is_stale(const struct ovn_datapath *od)\n PIPELINE_STAGE(SWITCH, OUT, ACL_ACTION, 8, \"ls_out_acl_action\") \\\n PIPELINE_STAGE(SWITCH, OUT, MIRROR, 9, \"ls_out_mirror\") \\\n PIPELINE_STAGE(SWITCH, OUT, QOS, 10, \"ls_out_qos\") \\\n- PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 11, \"ls_out_stateful\") \\\n- PIPELINE_STAGE(SWITCH, OUT, NF, 12, \\\n- \"ls_out_network_function\") \\\n- PIPELINE_STAGE(SWITCH, OUT, CHECK_PORT_SEC, 13, \"ls_out_check_port_sec\") \\\n- PIPELINE_STAGE(SWITCH, OUT, APPLY_PORT_SEC, 14, \"ls_out_apply_port_sec\") \\\n+ PIPELINE_STAGE(SWITCH, OUT, PRE_NF, 11, \\\n+ \"ls_out_pre_network_function\") \\\n+ PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 12, \"ls_out_stateful\") \\\n+ PIPELINE_STAGE(SWITCH, OUT, NF, 13, \\\n+ \"ls_out_network_function\") \\\n+ PIPELINE_STAGE(SWITCH, OUT, CHECK_PORT_SEC, 14, \"ls_out_check_port_sec\") \\\n+ PIPELINE_STAGE(SWITCH, OUT, APPLY_PORT_SEC, 15, \"ls_out_apply_port_sec\") \\\n \\\n /* Logical router ingress stages. */ \\\n PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, \"lr_in_admission\") \\\ndiff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml\nindex 8e8d7a7cb..a17bc5f22 100644\n--- a/northd/ovn-northd.8.xml\n+++ b/northd/ovn-northd.8.xml\n@@ -917,7 +917,7 @@\n \n <li>\n The priority-65532 flows that allow response and related traffic, also\n- set <code>reg8[21] = ct_label.nf_group</code>, which gets checked in\n+ set <code>reg8[21] = ct_label.nf</code>, which gets checked in\n the <code>Network Function</code> table.\n </li>\n \n@@ -1487,7 +1487,79 @@\n </li>\n </ul>\n \n- <h3>Ingress Table 23: Stateful</h3>\n+ <h3>Ingress Table 23: Pre Network Function</h3>\n+ <p>\n+ This stage selects the active network function from a\n+ <code>Network_Function_Group</code> based on the network function group\n+ ID set by the ACL eval stage earlier. This stage is applicable for\n+ request packets of <code>from-lport</code> ACLs\n+ (<code>reg8[22] == 1</code>). Response packets for\n+ <code>to-lport</code> ACLs bypass this stage and use\n+ <code>ct_label.nf_id</code> directly in the Network Function table.\n+ </p>\n+\n+ <p>\n+ A network function group can contain one or more network functions.\n+ Health monitoring is performed by sending datapath probes as per\n+ parameters defined in <code>Network_Function_Health_Check</code>. This\n+ stage selects one of the healthy network functions. If none are healthy,\n+ the behavior follows the <code>fallback</code> column configured in the\n+ <code>Network_Function_Group</code> table. If health monitoring is not\n+ configured, any one from the group is selected.\n+ </p>\n+\n+ <p>\n+ When a request packet matches a <code>from-lport</code> ACL with\n+ <code>network_function_group</code> set, the ACL eval stage sets\n+ <code>reg8[21] = 1</code> (NF enabled), <code>reg8[22] = 1</code>\n+ (request direction), and <code>reg0[22..29]</code> to the network\n+ function group ID. This table then selects the active network function\n+ from the group and overwrites <code>reg0[22..29]</code> with the\n+ specific <code>id</code> of a <code>Network_Function</code> table entry.\n+ The subsequent Network Function table uses this NF ID to redirect packets\n+ to the appropriate network function port. In the future, this stage will\n+ be extended to support network function load balancing.\n+ </p>\n+\n+ <ul>\n+ <li>\n+ For each network_function_group <var>id</var> with an active network\n+ function, a priority-99 flow matches <code>reg8[21] == 1 &&\n+ reg8[22] == 1 && reg0[22..29] == <var>id</var></code> and\n+ sets <code>reg0[22..29] = <var>nf_id</var>; next;</code> where\n+ <var>nf_id</var> is the ID of the active network function. This\n+ prepares request packets that matched a <code>from-lport</code> ACL\n+ with network_function_group for redirection in the subsequent Network\n+ Function table.\n+ </li>\n+\n+ <li>\n+ For each network function group with <var>id</var> that has\n+ <code>fallback</code> set to <code>fail-open</code>, a priority-10 flow\n+ matches <code>reg8[21] == 1 && reg8[22] == 1 &&\n+ reg0[22..29] == <var>id</var></code> and sets <code>reg8[21] = 0;\n+ reg0[22..29] = 0; next;</code>. This clears both the NF enabled bit and\n+ the NF group ID, allowing packets to continue processing through the\n+ pipeline without network function redirection when no active network\n+ function is available (fail-open behavior).\n+ </li>\n+\n+ <li>\n+ A priority-1 flow matches <code>reg8[21] == 1 && reg8[22] == 1\n+ </code> and sets <code>reg0[22..29] = 0; next;</code>. This is a\n+ catch-all flow for network function groups with <code>fallback</code>\n+ set to <code>fail-close</code> (or default) when no active network\n+ function is available. It clears only the NF group ID, leaving the NF\n+ enabled bit set. These packets will be dropped by the priority-1 drop\n+ rule in the subsequent Network Function table (fail-close behavior).\n+ </li>\n+\n+ <li>\n+ A priority-0 flow that simply moves traffic to the next table.\n+ </li>\n+ </ul>\n+\n+ <h3>Ingress Table 24: Stateful</h3>\n \n <ul>\n <li>\n@@ -1512,8 +1584,8 @@\n action, but otherwise identical to the priority 100 flow.\n Match: <code>reg8[21] == 1</code> (packet matched an ACL with\n <code>network_function_group</code> set)\n- Action: <code>ct_label.nf_group = 1;\n- ct_label.nf_group_id = reg0[22..29];</code>\n+ Action: <code>ct_label.nf = 1;\n+ ct_label.nf_id = reg0[22..29];</code>\n This is to commit the network_function information in conntrack so that\n the response and related packets can be redirected to it as well.\n </li>\n@@ -1525,29 +1597,36 @@\n \n <h3>Ingress Table 25: Network Function</h3>\n <p>\n- This table implements the packet redirection rules for network function.\n- If <code>network_function_group</code> column in <code>from-lport</code>\n- ACL is set to <var>id</var> of a <code>Network_Function_Group</code>\n- entity, the ingress ACL eval stage sets a set of registers as described\n- before. Those registers get used here. In case of <code>to-lport</code>\n- ACLs, the request packet is redirected in egress pipeline as described\n- later. The response is handled here using the network_function_group id\n- committed in ct_label during request processing.\n+ This table implements packet redirection to network functions. When a\n+ packet matches an ACL with <code>network_function_group</code> column\n+ set to the <code>id</code> of a <code>Network_Function_Group</code>\n+ table entry, the ACL eval stage sets <code>reg8[21] = 1</code> (NF\n+ enabled), <code>reg8[22] = 1</code> (request direction), and\n+ <code>reg0[22..29]</code> to the network function group ID. The Pre\n+ Network Function stage then selects the active network function from the\n+ group and overwrites <code>reg0[22..29]</code> with the specific\n+ <code>id</code> of a <code>Network_Function</code> table entry. This\n+ table uses that NF ID to redirect packets to the appropriate network\n+ function port.\n </p>\n \n <p>\n- There can be one or more network_functions in a group. Health monitoring\n- is done by sending datapath probes as par parameters defined in\n- <code>Network_Function_Health_Check</code>. One of the healthy\n- network_functions is selected for each network_function_group.\n- If none are healthy, or if health monitoring is not configured, any one\n- from the group is selected. The rules in this table redirects request\n- packets for <code>from-lport</code> ACLs and response packets for\n- <code>to-lport</code> ACLs to the selected network_function's\n- <code>inport</code>. If the network_function ports are not present on\n- this logical switch, their child ports if any, are used. In the below\n- statements when network function ports are referred it implies the parent\n- or child ports as applicable to this logical switch.\n+ This table handles request packets for <code>from-lport</code> ACLs\n+ and response packets for <code>to-lport</code> ACLs. For\n+ <code>from-lport</code> ACLs, request packets are redirected to the\n+ network function's <code>inport</code>, and corresponding\n+ response/related packets are handled in the egress pipeline. For\n+ <code>to-lport</code> ACLs, request packets are handled in the egress\n+ pipeline, but corresponding response/related packets for those flows\n+ are redirected here using the network function ID stored in\n+ <code>ct_label.nf_id</code> during request processing.\n+ </p>\n+\n+ <p>\n+ If the network function ports are not present on this logical switch,\n+ their child ports (if any) are used. In the statements below, network\n+ function ports refer to either the parent or child ports as applicable to\n+ this logical switch.\n </p>\n \n <ul>\n@@ -1564,22 +1643,25 @@\n </li>\n \n <li>\n- For each network_function_group <var>id</var>, a priority-99 flow\n- matches <code>reg8[21] == 1 && reg8[22] == 1 &&\n+ For each active network function with <var>id</var> that is referenced\n+ in a network function group, a priority-99 flow matches\n+ <code>reg8[21] == 1 && reg8[22] == 1 &&\n reg0[22..29] == <var>id</var></code> and sets\n <code>outport=<var>P</var>; output;</code> where <var>P</var> is the\n- <code>inport</code> of the selected network function. This ensures\n- redirection of request packets for flows matching\n- <code>from-lport</code> ACLs with network_function.\n+ <code>inport</code> of that network function. This redirects request\n+ packets for flows matching <code>from-lport</code> ACLs with\n+ network_function_group to the specific network function selected by\n+ the Pre Network Function stage.\n </li>\n \n <li>\n- For each network_function_group <var>id</var>, a priority-99 rule\n- matches <code>reg8[21] == 1 && reg8[22] == 0 &&\n- ct_label.nf_group_id == <var>id</var></code> and takes\n- identical action as above. This ensures redirection of response and\n- related packets matching <code>to-lport</code> ACLs with\n- network_function.\n+ For each active network function with <var>id</var> that is referenced\n+ in a network function group, a priority-99 rule matches\n+ <code>reg8[21] == 1 && reg8[22] == 0 &&\n+ ct_label.nf_id == <var>id</var></code> and takes identical action as\n+ above. This redirects response and related packets for\n+ <code>to-lport</code> ACLs to the same network function that handled\n+ the request, using the NF ID stored in the connection tracking label.\n </li>\n \n <li>\n@@ -1590,12 +1672,12 @@\n \n <li>\n One priority-100 rule to skip redirection of multicast packets that hit\n- a network_function ACL. Match on <code>8[21] == 1 &&\n+ a network_function ACL. Match on <code>reg8[21] == 1 &&\n eth.mcast</code> and action is to advance to the next table.\n </li>\n \n <li>\n- One priority-1 rule that checks <code>reg8[[21]] == 1</code>, and drops\n+ One priority-1 rule that checks <code>reg8[21] == 1</code>, and drops\n such packets. This is to address the case where a packet hit an ACL\n with network function but the network function does not have ports or\n child ports on this logical switch.\n@@ -1607,7 +1689,7 @@\n </li>\n </ul>\n \n- <h3>Ingress Table 25: ARP/ND responder</h3>\n+ <h3>Ingress Table 26: ARP/ND responder</h3>\n \n <p>\n This table implements ARP/ND responder in a logical switch for known\n@@ -1942,7 +2024,7 @@ output;\n </li>\n </ul>\n \n- <h3>Ingress Table 26: DHCP option processing</h3>\n+ <h3>Ingress Table 27: DHCP option processing</h3>\n \n <p>\n This table adds the DHCPv4 options to a DHCPv4 packet from the\n@@ -2003,7 +2085,7 @@ next;\n </li>\n </ul>\n \n- <h3>Ingress Table 27: DHCP responses</h3>\n+ <h3>Ingress Table 28: DHCP responses</h3>\n \n <p>\n This table implements DHCP responder for the DHCP replies generated by\n@@ -2084,7 +2166,7 @@ output;\n </li>\n </ul>\n \n- <h3>Ingress Table 28 DNS Lookup</h3>\n+ <h3>Ingress Table 29 DNS Lookup</h3>\n \n <p>\n This table looks up and resolves the DNS names to the corresponding\n@@ -2113,7 +2195,7 @@ reg0[4] = dns_lookup(); next;\n </li>\n </ul>\n \n- <h3>Ingress Table 29 DNS Responses</h3>\n+ <h3>Ingress Table 30 DNS Responses</h3>\n \n <p>\n This table implements DNS responder for the DNS replies generated by\n@@ -2148,7 +2230,7 @@ output;\n </li>\n </ul>\n \n- <h3>Ingress table 30 External ports</h3>\n+ <h3>Ingress table 31 External ports</h3>\n \n <p>\n Traffic from the <code>external</code> logical ports enter the ingress\n@@ -2191,7 +2273,7 @@ output;\n </li>\n </ul>\n \n- <h3>Ingress Table 31 Destination Lookup</h3>\n+ <h3>Ingress Table 32 Destination Lookup</h3>\n \n <p>\n This table implements switching behavior. It contains these logical\n@@ -2425,7 +2507,7 @@ output;\n </li>\n </ul>\n \n- <h3>Ingress Table 32 Destination unknown</h3>\n+ <h3>Ingress Table 33 Destination unknown</h3>\n \n <p>\n This table handles the packets whose destination was not found or\n@@ -2720,7 +2802,81 @@ output;\n they apply to <code>to-lport</code> QoS rules.\n </p>\n \n- <h3>Egress Table 11: Stateful</h3>\n+ <h3>Egress Table 11: Pre Network Function</h3>\n+\n+ <p>\n+ This stage selects the active network function from a\n+ <code>Network_Function_Group</code> based on the network function group\n+ ID set by the ACL eval stage earlier. This stage is applicable for\n+ request packets of <code>to-lport</code> ACLs\n+ (<code>reg8[22] == 1</code>). Response packets for\n+ <code>from-lport</code> ACLs bypass this stage and use\n+ <code>ct_label.nf_id</code> directly in the Network Function table.\n+ </p>\n+\n+ <p>\n+ A network function group can contain one or more network functions.\n+ Health monitoring is performed by sending datapath probes as per\n+ parameters defined in <code>Network_Function_Health_Check</code>. This\n+ stage selects one of the healthy network functions. If none are healthy,\n+ the behavior follows the <code>fallback</code> column configured in the\n+ <code>Network_Function_Group</code> table. If health monitoring is not\n+ configured, any one from the group is selected.\n+ </p>\n+\n+ <p>\n+ When a request packet matches a <code>to-lport</code> ACL with\n+ <code>network_function_group</code> set, the ACL eval stage sets\n+ <code>reg8[21] = 1</code> (NF enabled), <code>reg8[22] = 1</code>\n+ (request direction), and <code>reg0[22..29]</code> to the network\n+ function group ID. This table then selects the active network function\n+ from the group and overwrites <code>reg0[22..29]</code> with the\n+ specific <code>id</code> of a <code>Network_Function</code> table entry.\n+ The subsequent Network Function table uses this NF ID to redirect packets\n+ to the appropriate network function port. In the future, this stage will\n+ be extended to support network function load balancing.\n+ </p>\n+\n+ <ul>\n+ <li>\n+ For each network function group with <var>id</var> that has an active\n+ network function, a priority-99 flow matches <code>reg8[21] == 1\n+ && reg8[22] == 1 && reg0[22..29] == <var>id</var></code>\n+ and sets <code>reg0[22..29] = <var>nf_id</var>; next;</code> where\n+ <var>nf_id</var> is the <code>id</code> of the active\n+ <code>Network_Function</code> selected from the group. This prepares\n+ request packets that matched a <code>to-lport</code> ACL with\n+ network_function_group for redirection in the subsequent Network\n+ Function table.\n+ </li>\n+\n+ <li>\n+ For each network function group with <var>id</var> that has\n+ <code>fallback</code> set to <code>fail-open</code>, a priority-10 flow\n+ matches <code>reg8[21] == 1 && reg8[22] == 1 &&\n+ reg0[22..29] == <var>id</var></code> and sets <code>reg8[21] = 0;\n+ reg0[22..29] = 0; next;</code>. This clears both the NF enabled bit and\n+ the NF group ID, allowing packets to continue processing through the\n+ pipeline without network function redirection when no active network\n+ function is available (fail-open behavior).\n+ </li>\n+\n+ <li>\n+ A priority-1 flow matches <code>reg8[21] == 1 && reg8[22] == 1\n+ </code> and sets <code>reg0[22..29] = 0; next;</code>. This is a\n+ catch-all flow for network function groups with <code>fallback</code>\n+ set to <code>fail-close</code> (or default) when no active network\n+ function is available. It clears only the NF group ID, leaving the NF\n+ enabled bit set. These packets will be dropped by the priority-1 drop\n+ rule in the subsequent Network Function table (fail-close behavior).\n+ </li>\n+\n+ <li>\n+ A priority-0 flow that simply moves traffic to the next table.\n+ </li>\n+ </ul>\n+\n+ <h3>Egress Table 12: Stateful</h3>\n \n <p>\n This is similar to ingress table <code>Stateful</code> except that\n@@ -2746,15 +2902,18 @@ output;\n </li>\n </ul>\n \n- <h3>Egress Table 12: Network Function</h3>\n+ <h3>Egress Table 13: Network Function</h3>\n \n <p>\n- This table is similar to ingress table <code>Network Function</code>\n- except for the role of <code>from-lport</code> and <code>to-lport</code>\n- ACLs reversed, and the packet redirection happening to the selected\n- network function's <code>outport</code> rather than to its\n- <code>inport</code>. Another difference is that the action injects the\n- packets back into the ingress pipeline.\n+ This table handles request packets for <code>to-lport</code> ACLs\n+ and response packets for <code>from-lport</code> ACLs. For\n+ <code>to-lport</code> ACLs, request packets are redirected to the\n+ network function's <code>outport</code>, and corresponding\n+ response/related packets are handled in the ingress pipeline. For\n+ <code>from-lport</code> ACLs, request packets are handled in the\n+ ingress pipeline, but corresponding response/related packets for those\n+ flows are redirected here using the network function ID stored in\n+ <code>ct_label.nf_id</code> during request processing.\n </p>\n \n <ul>\n@@ -2765,25 +2924,29 @@ output;\n </li>\n \n <li>\n- For each network_function_group <var>id</var>, a priority-99 flow\n- matches <code>reg8[21] == 1 && reg8[22] == 1 &&\n- reg0[22..29] == <var>id</var></code> and sets <code>outport=<var>P</var>;\n- reg8[23] = 1; next(pipeline=ingress, table=<var>T</var>)</code> where\n- <var>P</var> is the <code>outport</code> of the selected\n- network_function and <var>T</var> is the ingress table\n- <code>Destination Lookup</code>. This ensures redirection of request\n- packets matching <code>to-lport</code> ACL with network_function. The\n- packets are injected back to the ingress pipeline from where they get\n- sent out skipping any further lookup because of <code>reg8[23]</code>.\n+ For each active network function with <var>id</var> that is\n+ referenced in a network function group, a priority-99 flow matches\n+ <code>reg8[21] == 1 && reg8[22] == 1 &&\n+ reg0[22..29] == <var>id</var></code> and sets\n+ <code>outport=<var>P</var>; reg8[23] = 1; next(pipeline=ingress,\n+ table=<var>T</var>)</code> where <var>P</var> is the\n+ <code>outport</code> of that network function and <var>T</var> is\n+ the ingress table <code>Destination Lookup</code>. This redirects\n+ request packets matching <code>to-lport</code> ACLs with\n+ network_function_group to the specific network function selected by\n+ the Pre Network Function stage. The packets are injected back to the\n+ ingress pipeline from where they get sent out, skipping any further\n+ lookup because of <code>reg8[23]</code>.\n </li>\n \n <li>\n- For each network_function_group <var>id</var>, a priority-99 rule\n- matches <code>reg8[21] == 1 && reg8[22] == 0 &&\n- ct_label.nf_group_id == <var>id</var></code> and takes\n- identical action as above. This ensures redirection if response and\n- related packets for flows matching <code>from-lport</code> ACLs with\n- network_function.\n+ For each active network function with <var>id</var> that is referenced\n+ in a network function group, a priority-99 rule matches\n+ <code>reg8[21] == 1 && reg8[22] == 0 &&\n+ ct_label.nf_id == <var>id</var></code> and takes identical action as\n+ above. This redirects response and related packets for\n+ <code>from-lport</code> ACLs to the same network function that handled\n+ the request, using the NF ID stored in the connection tracking label.\n </li>\n \n <li>\n@@ -2806,7 +2969,7 @@ output;\n </li>\n </ul>\n \n- <h3>Egress Table 13: Egress Port Security - check</h3>\n+ <h3>Egress Table 14: Egress Port Security - check</h3>\n \n <p>\n This is similar to the port security logic in table\n@@ -2835,7 +2998,7 @@ output;\n </li>\n </ul>\n \n- <h3>Egress Table 14: Egress Port Security - Apply</h3>\n+ <h3>Egress Table 15: Egress Port Security - Apply</h3>\n \n <p>\n This is similar to the ingress port security logic in ingress table\ndiff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema\nindex cf33933da..237330df3 100644\n--- a/ovn-sb.ovsschema\n+++ b/ovn-sb.ovsschema\n@@ -1,7 +1,7 @@\n {\n \"name\": \"OVN_Southbound\",\n- \"version\": \"21.7.0\",\n- \"cksum\": \"1383351379 36646\",\n+ \"version\": \"21.7.1\",\n+ \"cksum\": \"3096184714 36646\",\n \"tables\": {\n \"SB_Global\": {\n \"columns\": {\n@@ -103,7 +103,7 @@\n \"egress\"]]}}},\n \"table_id\": {\"type\": {\"key\": {\"type\": \"integer\",\n \"minInteger\": 0,\n- \"maxInteger\": 32}}},\n+ \"maxInteger\": 33}}},\n \"priority\": {\"type\": {\"key\": {\"type\": \"integer\",\n \"minInteger\": 0,\n \"maxInteger\": 65535}}},\ndiff --git a/tests/ovn-macros.at b/tests/ovn-macros.at\nindex de5385620..8e77be3af 100644\n--- a/tests/ovn-macros.at\n+++ b/tests/ovn-macros.at\n@@ -1558,12 +1558,12 @@ m4_define([OVN_SKIP_MEM_LEAK],[\n \n m4_define([OFTABLE_PHY_TO_LOG], [0])\n m4_define([OFTABLE_LOG_INGRESS_PIPELINE], [8])\n-m4_define([OFTABLE_OUTPUT_LARGE_PKT_DETECT], [41])\n-m4_define([OFTABLE_OUTPUT_LARGE_PKT_PROCESS], [42])\n-m4_define([OFTABLE_REMOTE_OUTPUT], [43])\n-m4_define([OFTABLE_REMOTE_VTEP_OUTPUT], [44])\n-m4_define([OFTABLE_LOCAL_OUTPUT], [45])\n-m4_define([OFTABLE_LOG_EGRESS_PIPELINE], [47])\n+m4_define([OFTABLE_OUTPUT_LARGE_PKT_DETECT], [42])\n+m4_define([OFTABLE_OUTPUT_LARGE_PKT_PROCESS], [43])\n+m4_define([OFTABLE_REMOTE_OUTPUT], [44])\n+m4_define([OFTABLE_REMOTE_VTEP_OUTPUT], [45])\n+m4_define([OFTABLE_LOCAL_OUTPUT], [46])\n+m4_define([OFTABLE_LOG_EGRESS_PIPELINE], [48])\n m4_define([OFTABLE_SAVE_INPORT], [64])\n m4_define([OFTABLE_LOG_TO_PHY], [65])\n m4_define([OFTABLE_MAC_BINDING], [66])\ndiff --git a/tests/ovn-northd.at b/tests/ovn-northd.at\nindex 4cbd89e92..36b3db6f6 100644\n--- a/tests/ovn-northd.at\n+++ b/tests/ovn-northd.at\n@@ -2730,9 +2730,9 @@ check ovn-nbctl --wait=sb \\\n AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl -e ls_out_acl | grep 'ct\\.' | ovn_strip_lflows], [0], [dnl\n table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;)\n table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;)\n table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;)\n@@ -2743,9 +2743,9 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e\n table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;)\n table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;)\n table=??(ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;)\n@@ -2774,9 +2774,9 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e\n table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;)\n@@ -2793,9 +2793,9 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e\n table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;)\n@@ -4917,10 +4917,10 @@ check_stateful_flows() {\n \n AT_CHECK([grep \"ls_in_stateful\" sw0flows | ovn_strip_lflows], [0], [dnl\n table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n \n AT_CHECK_UNQUOTED([grep \"ls_out_pre_lb\" sw0flows | ovn_strip_lflows], [0], [dnl\n@@ -4943,10 +4943,10 @@ check_stateful_flows() {\n \n AT_CHECK([grep \"ls_out_stateful\" sw0flows | ovn_strip_lflows], [0], [dnl\n table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n }\n \n@@ -4989,10 +4989,10 @@ AT_CHECK([grep \"ls_in_lb \" sw0flows | ovn_strip_lflows], [0], [dnl\n \n AT_CHECK([grep \"ls_in_stateful\" sw0flows | ovn_strip_lflows], [0], [dnl\n table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n \n AT_CHECK([grep \"ls_out_pre_lb\" sw0flows | ovn_strip_lflows], [0], [dnl\n@@ -5012,10 +5012,10 @@ AT_CHECK([grep \"ls_out_pre_stateful\" sw0flows | ovn_strip_lflows], [0], [dnl\n \n AT_CHECK([grep \"ls_out_stateful\" sw0flows | ovn_strip_lflows], [0], [dnl\n table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n \n # LB with event=false and reject=false\n@@ -5052,10 +5052,10 @@ AT_CHECK([grep -w \"ls_in_acl_eval\" sw0flows | grep 2002 | ovn_strip_lflows], [0]\n ])\n AT_CHECK([grep \"ls_in_stateful\" sw0flows | ovn_strip_lflows], [0], [dnl\n table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n \n AT_CHECK([grep -w \"ls_out_acl_eval\" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl\n@@ -5064,10 +5064,10 @@ AT_CHECK([grep -w \"ls_out_acl_eval\" sw0flows | grep 2002 | ovn_strip_lflows], [0\n ])\n AT_CHECK([grep \"ls_out_stateful\" sw0flows | ovn_strip_lflows], [0], [dnl\n table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n \n # Add new ACL without label\n@@ -5085,10 +5085,10 @@ AT_CHECK([grep -w \"ls_in_acl_eval\" sw0flows | grep 2002 | ovn_strip_lflows], [0]\n ])\n AT_CHECK([grep \"ls_in_stateful\" sw0flows | ovn_strip_lflows], [0], [dnl\n table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n \n AT_CHECK([grep -w \"ls_out_acl_eval\" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl\n@@ -5099,10 +5099,10 @@ AT_CHECK([grep -w \"ls_out_acl_eval\" sw0flows | grep 2002 | ovn_strip_lflows], [0\n ])\n AT_CHECK([grep \"ls_out_stateful\" sw0flows | ovn_strip_lflows], [0], [dnl\n table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n \n # Delete new ACL with label\n@@ -5118,10 +5118,10 @@ AT_CHECK([grep -w \"ls_in_acl_eval\" sw0flows | grep 2002 | ovn_strip_lflows], [0]\n ])\n AT_CHECK([grep \"ls_in_stateful\" sw0flows | ovn_strip_lflows], [0], [dnl\n table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n \n AT_CHECK([grep -w \"ls_out_acl_eval\" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl\n@@ -5130,10 +5130,10 @@ AT_CHECK([grep -w \"ls_out_acl_eval\" sw0flows | grep 2002 | ovn_strip_lflows], [0\n ])\n AT_CHECK([grep \"ls_out_stateful\" sw0flows | ovn_strip_lflows], [0], [dnl\n table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n OVN_CLEANUP_NORTHD\n AT_CLEANUP\n@@ -5162,7 +5162,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls from-lport 1\n \n dnl Check that the label is committed to conntrack in the ingress pipeline\n AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls \"$flow\" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n ])\n \n AS_BOX([from-lport --apply-after-lb allow-related ACL])\n@@ -5170,7 +5170,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --apply-after-lb --label=1234 acl-add\n \n dnl Check that the label is committed to conntrack in the ingress pipeline\n AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls \"$flow\" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n ])\n \n AS_BOX([to-lport allow-related ACL])\n@@ -5178,7 +5178,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls to-lport 1 ip\n \n dnl Check that the label is committed to conntrack in the ingress pipeline\n AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls \"$flow\" | grep -e ls_out_stateful -A 2 | grep commit], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n ])\n \n OVN_CLEANUP_NORTHD\n@@ -5198,17 +5198,17 @@ ovn-sbctl dump-flows sw0 > sw0flows\n AT_CAPTURE_FILE([sw0flows])\n \n AT_CHECK([grep -w \"ls_in_acl_eval\" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl\n- table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n ])\n \n AT_CHECK([grep -w \"ls_out_acl_eval\" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl\n- table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n ])\n@@ -5220,18 +5220,18 @@ ovn-sbctl dump-flows sw0 > sw0flows\n AT_CAPTURE_FILE([sw0flows])\n \n AT_CHECK([grep -w \"ls_in_acl_eval\" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl\n- table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n table=??(ls_in_acl_eval ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n ])\n \n AT_CHECK([grep -w \"ls_out_acl_eval\" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl\n- table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n table=??(ls_out_acl_eval ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n ])\n \n@@ -5246,17 +5246,17 @@ ovn-sbctl dump-flows sw0 > sw0flows\n AT_CAPTURE_FILE([sw0flows])\n \n AT_CHECK([grep -w \"ls_in_acl_eval\" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl\n- table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n ])\n \n AT_CHECK([grep -w \"ls_out_acl_eval\" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl\n- table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n ])\n@@ -7993,10 +7993,10 @@ check_log_flows_count 0 in\n \n # Now ensure the flows are what we expect them to be for the ACLs we created\n AT_CHECK([cat log_flows], [0], [dnl\n- table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n ])\n \n rm log_flows\n@@ -8014,10 +8014,10 @@ check_log_flows_count 0 in\n \n # And the log flows will remain the same since the stateless ACL will not be represented.\n AT_CHECK([cat log_flows], [0], [dnl\n- table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n ])\n \n rm log_flows\n@@ -8036,8 +8036,8 @@ check_log_flows_count 0 in\n \n # And make sure only the allow ACL has the log flows installed\n AT_CHECK([cat log_flows], [0], [dnl\n- table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n ])\n \n rm log_flows\n@@ -8053,8 +8053,8 @@ check_log_flows_count 0 in\n \n # And make sure only the allow ACL has the log flows installed\n AT_CHECK([cat log_flows], [0], [dnl\n- table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n ])\n \n rm log_flows\n@@ -8098,10 +8098,10 @@ check_log_flows_count 0 out\n \n # Now ensure the flows are what we expect them to be for the ACLs we created\n AT_CHECK([cat log_flows], [0], [dnl\n- table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n ])\n \n rm log_flows\n@@ -8119,10 +8119,10 @@ check_log_flows_count 0 out\n \n # And the log flows will remain the same since the stateless ACL will not be represented.\n AT_CHECK([cat log_flows], [0], [dnl\n- table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name=\"allow_related_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n ])\n \n rm log_flows\n@@ -8141,8 +8141,8 @@ check_log_flows_count 0 out\n \n # And make sure only the allow ACL has the log flows installed\n AT_CHECK([cat log_flows], [0], [dnl\n- table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n ])\n \n rm log_flows\n@@ -8158,8 +8158,8 @@ check_log_flows_count 0 out\n \n # And make sure only the allow ACL has the log flows installed\n AT_CHECK([cat log_flows], [0], [dnl\n- table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name=\"allow_acl\", severity=info, verdict=allow); reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n ])\n \n rm log_flows\n@@ -8265,9 +8265,9 @@ AT_CHECK([grep -e \"ls_in_acl.*eval\" -e \"ls_in_acl_hint\" lsflows | ovn_strip_lflo\n table=??(ls_in_acl_eval ), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; ct_label.obs_point_id = 0; }; next;)\n table=??(ls_in_acl_eval ), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;)\n@@ -8289,10 +8289,10 @@ AT_CHECK([grep -e \"ls_in_lb \" lsflows | ovn_strip_lflows], [0], [dnl\n \n AT_CHECK([grep -e \"ls_in_stateful\" lsflows | ovn_strip_lflows], [0], [dnl\n table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n \n AS_BOX([Remove and add the ACLs back with the apply-after-lb option])\n@@ -8326,9 +8326,9 @@ AT_CHECK([grep -e \"ls_in_acl.*eval\" -e \"ls_in_acl_hint\" lsflows | ovn_strip_lflo\n table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;)\n table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;)\n@@ -8350,10 +8350,10 @@ AT_CHECK([grep -e \"ls_in_lb \" lsflows | ovn_strip_lflows], [0], [dnl\n \n AT_CHECK([grep -e \"ls_in_stateful\" lsflows | ovn_strip_lflows], [0], [dnl\n table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n \n AS_BOX([Remove and add the ACLs back with a few ACLs with apply-after-lb option])\n@@ -8387,9 +8387,9 @@ AT_CHECK([grep -e \"ls_in_acl.*eval\" -e \"ls_in_acl_hint\" lsflows | ovn_strip_lflo\n table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;)\n@@ -8411,10 +8411,10 @@ AT_CHECK([grep -e \"ls_in_lb \" lsflows | ovn_strip_lflows], [0], [dnl\n \n AT_CHECK([grep -e \"ls_in_stateful\" lsflows | ovn_strip_lflows], [0], [dnl\n table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n \n OVN_CLEANUP_NORTHD\n@@ -8944,9 +8944,9 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E \"ls_.*_acl\" | ovn_strip_lflows], [0], [\n table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;)\n@@ -8972,9 +8972,9 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E \"ls_.*_acl\" | ovn_strip_lflows], [0], [\n table=??(ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;)\n table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;)\n@@ -9144,9 +9144,9 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E \"ls_.*_acl\" | ovn_strip_lflows], [0], [\n table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;)\n table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;)\n@@ -9172,9 +9172,9 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E \"ls_.*_acl\" | ovn_strip_lflows], [0], [\n table=??(ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;)\n table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;)\n@@ -9342,9 +9342,9 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E \"ls_.*_acl\" | ovn_strip_lflows], [0], [\n table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;)\n table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;)\n@@ -9372,9 +9372,9 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E \"ls_.*_acl\" | ovn_strip_lflows], [0], [\n table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)\n table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)\n table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;)\n@@ -10957,8 +10957,8 @@ dnl commits to happen:\n dnl - in the egress pipeline of S1, when sending the packet out on s1_r1\n dnl - in the ingress pipeline of S2, when processing the packet on s2_r1\n AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new s1 \"$flow\" | grep -e ls_in_stateful -e ls_out_stateful -A 2 | grep commit], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n ])\n \n OVN_CLEANUP_NORTHD\n@@ -13315,7 +13315,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l\n dnl Trace new connections.\n flow=\"$base_flow\"\n AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg9 = 4302;\n sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301);\n sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301);\n@@ -13324,7 +13324,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n dnl Trace estasblished connections.\n flow=\"$base_flow && ct_label.obs_point_id == 4302\"\n AT_CHECK_UNQUOTED([ovn_trace --ct est ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg9 = 4302;\n sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302);\n sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302);\n@@ -13346,7 +13346,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l\n dnl Trace new connections.\n flow=\"$base_flow\"\n AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg9 = 0;\n sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301);\n sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301);\n@@ -13378,7 +13378,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_\n dnl Trace new connections.\n flow=\"$base_flow\"\n AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg9 = 4302;\n sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301);\n sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301);\n@@ -13387,7 +13387,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n dnl Trace estasblished connections.\n flow=\"$base_flow && ct_label.obs_point_id == 4302\"\n AT_CHECK_UNQUOTED([ovn_trace --ct est ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg9 = 4302;\n sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302);\n sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302);\n@@ -13409,7 +13409,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_\n dnl Trace new connections.\n flow=\"$base_flow\"\n AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg9 = 0;\n sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301);\n sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301);\n@@ -13441,8 +13441,8 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e\n dnl Trace new connections.\n flow=\"$base_flow\"\n AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg9 = 4302;\n sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301);\n sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301);\n@@ -13451,7 +13451,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls \"$flow\" | TRACE_FILTER], [0],\n dnl Trace estasblished connections.\n flow=\"$base_flow && ct_label.obs_point_id == 4302\"\n AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg9 = 4302;\n sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302);\n sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302);\n@@ -13473,8 +13473,8 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e\n dnl Trace new connections.\n flow=\"$base_flow\"\n AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg9 = 0;\n sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301);\n sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301);\n@@ -13537,7 +13537,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l\n dnl Trace new connections.\n flow=\"$base_flow\"\n AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg8[[0..7]] = 1;\n reg8[[8..15]] = 1;\n reg9 = 4302;\n@@ -13547,7 +13547,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n dnl Trace estasblished connections.\n flow=\"$base_flow && ct_label.obs_point_id == 4302\"\n AT_CHECK_UNQUOTED([ovn_trace --ct est ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg8[[0..7]] = 1;\n reg8[[8..15]] = 1;\n reg9 = 4302;\n@@ -13575,7 +13575,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l\n dnl Trace new connections.\n flow=\"$base_flow\"\n AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg8[[0..7]] = 1;\n reg8[[8..15]] = 1;\n reg9 = 4302;\n@@ -13585,7 +13585,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n dnl Trace estasblished connections.\n flow=\"$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 1\"\n AT_CHECK_UNQUOTED([ovn_trace --ct est ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg8[[0..7]] = 1;\n reg8[[8..15]] = 1;\n reg9 = 4302;\n@@ -13608,7 +13608,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l\n dnl Trace new connections.\n flow=\"$base_flow\"\n AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg8[[0..7]] = 1;\n reg8[[8..15]] = 0;\n reg9 = 0;\n@@ -13643,7 +13643,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_\n dnl Trace new connections.\n flow=\"$base_flow\"\n AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg8[[0..7]] = 1;\n reg8[[8..15]] = 1;\n reg9 = 4302;\n@@ -13653,7 +13653,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n dnl Trace estasblished connections.\n flow=\"$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 1 && ct_mark.obs_collector_id == 1\"\n AT_CHECK_UNQUOTED([ovn_trace --ct est ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg8[[0..7]] = 1;\n reg8[[8..15]] = 1;\n reg9 = 4302;\n@@ -13676,7 +13676,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_\n dnl Trace new connections.\n flow=\"$base_flow\"\n AT_CHECK_UNQUOTED([ovn_trace --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg8[[0..7]] = 1;\n reg8[[8..15]] = 0;\n reg9 = 0;\n@@ -13711,8 +13711,8 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e\n dnl Trace new connections.\n flow=\"$base_flow\"\n AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg8[[0..7]] = 1;\n reg8[[8..15]] = 1;\n reg9 = 4302;\n@@ -13722,7 +13722,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls \"$flow\" | TRACE_FILTER], [0],\n dnl Trace estasblished connections.\n flow=\"$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 2 && ct_mark.obs_collector_id == 1\"\n AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg8[[0..7]] = 1;\n reg8[[8..15]] = 1;\n reg9 = 4302;\n@@ -13745,8 +13745,8 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e\n dnl Trace new connections.\n flow=\"$base_flow\"\n AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls \"$flow\" | TRACE_FILTER], [0], [dnl\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n- ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n+ ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; };\n reg8[[0..7]] = 1;\n reg8[[8..15]] = 0;\n reg9 = 0;\n@@ -17906,10 +17906,10 @@ AT_CHECK([grep -E 'ls_out_pre_lb' sw0flows | ovn_strip_lflows], [0], [dnl\n \n AT_CHECK([grep -E 'ls_out_stateful' sw0flows | ovn_strip_lflows], [0], [dnl\n table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n \n AS_BOX([Enable enable-stateless-acl-with-lb option.])\n@@ -17918,11 +17918,11 @@ ovn-sbctl dump-flows sw0 > sw0flows\n \n AT_CHECK([grep -E 'ls_out_stateful' sw0flows | ovn_strip_lflows], [0], [dnl\n table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n table=??(ls_out_stateful ), priority=110 , match=(reg0[[16]] == 1 && ct.new), action=(next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n ])\n \n AT_CHECK([grep -E 'ls_out_pre_lb' sw0flows | ovn_strip_lflows], [0], [dnl\n@@ -18609,8 +18609,8 @@ check ovn-nbctl set logical_switch_port sw0-nf-p1 \\\n check ovn-nbctl set logical_switch_port sw0-nf-p2 \\\n options:receive_multicast=false options:lsp_learn_mac=false \\\n options:is-nf=true options:nf-linked-port=sw0-nf-p1\n-check ovn-nbctl nf-add nf0 1 sw0-nf-p1 sw0-nf-p2\n-check ovn-nbctl nfg-add nfg0 1 inline nf0\n+check ovn-nbctl nf-add nf0 101 sw0-nf-p1 sw0-nf-p2\n+check ovn-nbctl nfg-add nfg0 201 inline nf0\n \n check ovn-nbctl lsp-add sw0 sw0-p1 -- lsp-set-addresses sw0-p1 \"00:00:00:00:00:01 10.0.0.2\"\n check ovn-nbctl lsp-add sw0 sw0-p2 -- lsp-set-addresses sw0-p2 \"00:00:00:00:00:02 10.0.0.3\"\n@@ -18631,15 +18631,24 @@ AT_CAPTURE_FILE([sw0flows])\n \n AT_CHECK(\n [grep -E 'ls_(in|out)_acl_eval' sw0flows | ovn_strip_lflows | grep pg0 | sort], [0], [dnl\n- table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (inport == @pg0 && ip4.dst == 10.0.0.3)), action=(reg8[[16]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (inport == @pg0 && ip4.dst == 10.0.0.3)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (inport == @pg0 && ip4.dst == 10.0.0.3)), action=(reg8[[16]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 201; next;)\n+ table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (inport == @pg0 && ip4.dst == 10.0.0.3)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 201; next;)\n ])\n \n-AT_CHECK([grep \"ls_in_stateful\" sw0flows | ovn_strip_lflows | grep nf_group], [0], [dnl\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+AT_CHECK([grep \"ls_in_stateful\" sw0flows | ovn_strip_lflows | grep nf | sort], [0], [dnl\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_in_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+])\n+\n+AT_CHECK(\n+ [grep -E 'ls_(in|out)_pre_network_function' sw0flows | ovn_strip_lflows | sort], [0], [dnl\n+ table=??(ls_in_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_in_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_in_pre_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 201), action=(reg0[[22..29]] = 101; next;)\n+ table=??(ls_out_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_out_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n ])\n \n AT_CHECK(\n@@ -18649,13 +18658,13 @@ AT_CHECK(\n table=??(ls_in_network_function), priority=100 , match=(inport == \"sw0-nf-p1\"), action=(reg5[[16..31]] = ct_label.tun_if_id; next;)\n table=??(ls_in_network_function), priority=100 , match=(inport == \"sw0-nf-p2\"), action=(reg5[[16..31]] = ct_label.tun_if_id; next;)\n table=??(ls_in_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n- table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(outport = \"sw0-nf-p1\"; output;)\n+ table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 101), action=(outport = \"sw0-nf-p1\"; output;)\n table=??(ls_out_network_function), priority=0 , match=(1), action=(next;)\n table=??(ls_out_network_function), priority=1 , match=(reg8[[21]] == 1), action=(drop;)\n table=??(ls_out_network_function), priority=100 , match=(outport == \"sw0-nf-p1\"), action=(next;)\n table=??(ls_out_network_function), priority=100 , match=(outport == \"sw0-nf-p2\"), action=(next;)\n table=??(ls_out_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n- table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_group_id == 1), action=(outport = \"sw0-nf-p2\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n+ table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_id == 101), action=(outport = \"sw0-nf-p2\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n ])\n \n AT_CHECK([grep \"ls_in_l2_lkup\" sw0flows | ovn_strip_lflows | grep 'priority=100'], [0], [dnl\n@@ -18667,21 +18676,21 @@ AT_CHECK([grep \"ls_out_pre_acl\" sw0flows | ovn_strip_lflows | grep 'sw0-nf-p1'],\n ])\n \n AT_CHECK(\n- [grep -E 'ls_(in|out)_acl_eval' sw0flows | ovn_strip_lflows | grep nf_group | sort], [0], [dnl\n- table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; ct_commit_nat;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf_group; reg8[[16]] = 1; next;)\n+ [grep -E 'ls_(in|out)_acl_eval' sw0flows | ovn_strip_lflows | grep nf | sort], [0], [dnl\n+ table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; ct_commit_nat;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n+ table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[21]] = ct_label.nf; reg8[[16]] = 1; next;)\n ])\n \n- AT_CHECK([grep \"ls_out_stateful\" sw0flows | ovn_strip_lflows], [0], [dnl\n+AT_CHECK([grep \"ls_out_stateful\" sw0flows | ovn_strip_lflows], [0], [dnl\n table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 0; ct_label.nf_group_id = 0; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n- table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf_group = 1; ct_label.nf_group_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 0; ct_label.nf_id = 0; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 0 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n+ table=??(ls_out_stateful ), priority=110 , match=(reg0[[1]] == 1 && reg0[[13]] == 1 && reg8[[21]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.acl_id = reg2[[16..31]]; ct_label.nf = 1; ct_label.nf_id = reg0[[22..29]]; }; next;)\n table=??(ls_out_stateful ), priority=120 , match=(outport == \"sw0-nf-p1\" && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.tun_if_id = reg5[[16..31]]; }; next;)\n table=??(ls_out_stateful ), priority=120 , match=(outport == \"sw0-nf-p1\" && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; ct_label.tun_if_id = reg5[[16..31]]; }; next;)\n table=??(ls_out_stateful ), priority=120 , match=(outport == \"sw0-nf-p2\" && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_label.acl_id = reg2[[16..31]]; ct_label.tun_if_id = reg5[[16..31]]; }; next;)\n@@ -18722,8 +18731,8 @@ check ovn-nbctl set logical_switch_port sw0-nf-p3 \\\n check ovn-nbctl set logical_switch_port sw0-nf-p4 \\\n options:receive_multicast=false options:lsp_learn_mac=false \\\n options:is-nf=true options:nf-linked-port=sw0-nf-p3\n-check ovn-nbctl nf-add nf1 2 sw0-nf-p3 sw0-nf-p4\n-check ovn-nbctl nfg-add nfg1 2 inline nf1\n+check ovn-nbctl nf-add nf1 102 sw0-nf-p3 sw0-nf-p4\n+check ovn-nbctl nfg-add nfg1 202 inline nf1\n check ovn-nbctl acl-add pg0 to-lport 1003 \"outport == @pg0 && ip4.src == 10.0.0.4\" allow-related nfg1\n check ovn-sbctl lsp-bind sw0-nf-p3 hv1\n check ovn-sbctl lsp-bind sw0-nf-p4 hv1\n@@ -18734,10 +18743,20 @@ AT_CAPTURE_FILE([sw0flows])\n \n AT_CHECK(\n [grep -E 'ls_(in|out)_acl_eval' sw0flows | ovn_strip_lflows | grep pg0 | sort], [0], [dnl\n- table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (inport == @pg0 && ip4.dst == 10.0.0.3)), action=(reg8[[16]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (inport == @pg0 && ip4.dst == 10.0.0.3)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=2003 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip4.src == 10.0.0.4)), action=(reg8[[16]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 2; next;)\n- table=??(ls_out_acl_eval ), priority=2003 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip4.src == 10.0.0.4)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 2; next;)\n+ table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (inport == @pg0 && ip4.dst == 10.0.0.3)), action=(reg8[[16]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 201; next;)\n+ table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (inport == @pg0 && ip4.dst == 10.0.0.3)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 201; next;)\n+ table=??(ls_out_acl_eval ), priority=2003 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip4.src == 10.0.0.4)), action=(reg8[[16]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 202; next;)\n+ table=??(ls_out_acl_eval ), priority=2003 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip4.src == 10.0.0.4)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 202; next;)\n+])\n+\n+AT_CHECK(\n+ [grep -E 'ls_(in|out)_pre_network_function' sw0flows | ovn_strip_lflows | sort], [0], [dnl\n+ table=??(ls_in_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_in_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_in_pre_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 201), action=(reg0[[22..29]] = 101; next;)\n+ table=??(ls_out_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_out_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_out_pre_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 202), action=(reg0[[22..29]] = 102; next;)\n ])\n \n AT_CHECK(\n@@ -18749,8 +18768,8 @@ AT_CHECK(\n table=??(ls_in_network_function), priority=100 , match=(inport == \"sw0-nf-p3\"), action=(reg5[[16..31]] = ct_label.tun_if_id; next;)\n table=??(ls_in_network_function), priority=100 , match=(inport == \"sw0-nf-p4\"), action=(reg5[[16..31]] = ct_label.tun_if_id; next;)\n table=??(ls_in_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n- table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_group_id == 2), action=(outport = \"sw0-nf-p3\"; output;)\n- table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(outport = \"sw0-nf-p1\"; output;)\n+ table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_id == 102), action=(outport = \"sw0-nf-p3\"; output;)\n+ table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 101), action=(outport = \"sw0-nf-p1\"; output;)\n table=??(ls_out_network_function), priority=0 , match=(1), action=(next;)\n table=??(ls_out_network_function), priority=1 , match=(reg8[[21]] == 1), action=(drop;)\n table=??(ls_out_network_function), priority=100 , match=(outport == \"sw0-nf-p1\"), action=(next;)\n@@ -18758,8 +18777,8 @@ AT_CHECK(\n table=??(ls_out_network_function), priority=100 , match=(outport == \"sw0-nf-p3\"), action=(next;)\n table=??(ls_out_network_function), priority=100 , match=(outport == \"sw0-nf-p4\"), action=(next;)\n table=??(ls_out_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n- table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_group_id == 1), action=(outport = \"sw0-nf-p2\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n- table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 2), action=(outport = \"sw0-nf-p4\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n+ table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_id == 101), action=(outport = \"sw0-nf-p2\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n+ table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 102), action=(outport = \"sw0-nf-p4\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n ])\n \n # ICMP packets to sw0-p1 should be redirected to sw0-nf-p4.\n@@ -18806,10 +18825,20 @@ AT_CAPTURE_FILE([sw1flows])\n \n AT_CHECK(\n [grep -E 'ls_(in|out)_acl_eval' sw0flows | ovn_strip_lflows | grep pg0 | sort], [0], [dnl\n- table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (inport == @pg0 && ip4.dst == 10.0.0.3)), action=(reg8[[16]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 1; next;)\n- table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (inport == @pg0 && ip4.dst == 10.0.0.3)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 1; next;)\n- table=??(ls_out_acl_eval ), priority=2003 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip4.src == 10.0.0.4)), action=(reg8[[16]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 2; next;)\n- table=??(ls_out_acl_eval ), priority=2003 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip4.src == 10.0.0.4)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 2; next;)\n+ table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (inport == @pg0 && ip4.dst == 10.0.0.3)), action=(reg8[[16]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 201; next;)\n+ table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (inport == @pg0 && ip4.dst == 10.0.0.3)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 201; next;)\n+ table=??(ls_out_acl_eval ), priority=2003 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip4.src == 10.0.0.4)), action=(reg8[[16]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 202; next;)\n+ table=??(ls_out_acl_eval ), priority=2003 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip4.src == 10.0.0.4)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 202; next;)\n+])\n+\n+AT_CHECK(\n+ [grep -E 'ls_(in|out)_pre_network_function' sw1flows | ovn_strip_lflows | sort], [0], [dnl\n+ table=??(ls_in_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_in_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_in_pre_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 201), action=(reg0[[22..29]] = 101; next;)\n+ table=??(ls_out_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_out_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_out_pre_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 202), action=(reg0[[22..29]] = 102; next;)\n ])\n \n AT_CHECK(\n@@ -18821,8 +18850,8 @@ AT_CHECK(\n table=??(ls_in_network_function), priority=100 , match=(inport == \"sw1-nf-p3\"), action=(reg5[[16..31]] = ct_label.tun_if_id; next;)\n table=??(ls_in_network_function), priority=100 , match=(inport == \"sw1-nf-p4\"), action=(reg5[[16..31]] = ct_label.tun_if_id; next;)\n table=??(ls_in_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n- table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_group_id == 2), action=(outport = \"sw1-nf-p3\"; output;)\n- table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(outport = \"sw1-nf-p1\"; output;)\n+ table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_id == 102), action=(outport = \"sw1-nf-p3\"; output;)\n+ table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 101), action=(outport = \"sw1-nf-p1\"; output;)\n table=??(ls_out_network_function), priority=0 , match=(1), action=(next;)\n table=??(ls_out_network_function), priority=1 , match=(reg8[[21]] == 1), action=(drop;)\n table=??(ls_out_network_function), priority=100 , match=(outport == \"sw1-nf-p1\"), action=(next;)\n@@ -18830,8 +18859,8 @@ AT_CHECK(\n table=??(ls_out_network_function), priority=100 , match=(outport == \"sw1-nf-p3\"), action=(next;)\n table=??(ls_out_network_function), priority=100 , match=(outport == \"sw1-nf-p4\"), action=(next;)\n table=??(ls_out_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n- table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_group_id == 1), action=(outport = \"sw1-nf-p2\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n- table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 2), action=(outport = \"sw1-nf-p4\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n+ table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_id == 101), action=(outport = \"sw1-nf-p2\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n+ table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 102), action=(outport = \"sw1-nf-p4\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n ])\n \n # ICMP packets from sw1-p1 should be redirected to sw1-nf-p1.\n@@ -18919,7 +18948,7 @@ check ovn-nbctl acl-add pg0 from-lport 1001 \"inport == @pg0 && ip4.dst == 192.16\n check ovn-nbctl acl-add pg0 to-lport 1002 \"outport == @pg0 && ip4.src == 192.168.1.10\" allow-related nfg0\n check ovn-nbctl --wait=sb sync\n \n-# Set the service monitor for nf0 to online and nf1 to online\n+# Set the service monitor for nf0 to online and nf1 to offline\n # and verify nf0 is considered active.\n \n AS_BOX([Set the service monitor for nf0 to online and nf1 to offline])\n@@ -18940,6 +18969,16 @@ AT_CHECK(\n table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip4.src == 192.168.1.10)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg8[[21]] = 1; reg8[[22]] = 1; reg0[[22..29]] = 1; next;)\n ])\n \n+AT_CHECK(\n+ [grep -E 'ls_(in|out)_pre_network_function' lflows | ovn_strip_lflows | sort], [0], [dnl\n+ table=??(ls_in_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_in_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_in_pre_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(reg0[[22..29]] = 1; next;)\n+ table=??(ls_out_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_out_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_out_pre_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(reg0[[22..29]] = 1; next;)\n+])\n+\n AT_CHECK(\n [grep -E 'ls_(in|out)_network_function' lflows | ovn_strip_lflows | sort], [0], [dnl\n table=??(ls_in_network_function), priority=0 , match=(1), action=(next;)\n@@ -18947,14 +18986,14 @@ AT_CHECK(\n table=??(ls_in_network_function), priority=100 , match=(inport == \"child-1\"), action=(reg5[[16..31]] = ct_label.tun_if_id; next;)\n table=??(ls_in_network_function), priority=100 , match=(inport == \"child-2\"), action=(reg5[[16..31]] = ct_label.tun_if_id; next;)\n table=??(ls_in_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n- table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_group_id == 1), action=(outport = \"child-1\"; output;)\n+ table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_id == 1), action=(outport = \"child-1\"; output;)\n table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(outport = \"child-1\"; output;)\n table=??(ls_out_network_function), priority=0 , match=(1), action=(next;)\n table=??(ls_out_network_function), priority=1 , match=(reg8[[21]] == 1), action=(drop;)\n table=??(ls_out_network_function), priority=100 , match=(outport == \"child-1\"), action=(next;)\n table=??(ls_out_network_function), priority=100 , match=(outport == \"child-2\"), action=(next;)\n table=??(ls_out_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n- table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_group_id == 1), action=(outport = \"child-2\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n+ table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_id == 1), action=(outport = \"child-2\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(outport = \"child-2\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n ])\n \n@@ -18971,6 +19010,16 @@ check ovn-nbctl --wait=sb sync\n ovn-sbctl dump-flows $sw > lflows\n AT_CAPTURE_FILE([lflows])\n \n+AT_CHECK(\n+ [grep -E 'ls_(in|out)_pre_network_function' lflows | ovn_strip_lflows | sort], [0], [dnl\n+ table=??(ls_in_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_in_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_in_pre_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(reg0[[22..29]] = 1; next;)\n+ table=??(ls_out_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_out_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_out_pre_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(reg0[[22..29]] = 1; next;)\n+])\n+\n AT_CHECK(\n [grep -E 'ls_(in|out)_network_function' lflows | ovn_strip_lflows | sort], [0], [dnl\n table=??(ls_in_network_function), priority=0 , match=(1), action=(next;)\n@@ -18978,14 +19027,14 @@ AT_CHECK(\n table=??(ls_in_network_function), priority=100 , match=(inport == \"child-1\"), action=(reg5[[16..31]] = ct_label.tun_if_id; next;)\n table=??(ls_in_network_function), priority=100 , match=(inport == \"child-2\"), action=(reg5[[16..31]] = ct_label.tun_if_id; next;)\n table=??(ls_in_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n- table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_group_id == 1), action=(outport = \"child-1\"; output;)\n+ table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_id == 1), action=(outport = \"child-1\"; output;)\n table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(outport = \"child-1\"; output;)\n table=??(ls_out_network_function), priority=0 , match=(1), action=(next;)\n table=??(ls_out_network_function), priority=1 , match=(reg8[[21]] == 1), action=(drop;)\n table=??(ls_out_network_function), priority=100 , match=(outport == \"child-1\"), action=(next;)\n table=??(ls_out_network_function), priority=100 , match=(outport == \"child-2\"), action=(next;)\n table=??(ls_out_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n- table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_group_id == 1), action=(outport = \"child-2\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n+ table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_id == 1), action=(outport = \"child-2\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(outport = \"child-2\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n ])\n \n@@ -19002,6 +19051,16 @@ check ovn-nbctl --wait=sb sync\n ovn-sbctl dump-flows $sw > lflows\n AT_CAPTURE_FILE([lflows])\n \n+AT_CHECK(\n+ [grep -E 'ls_(in|out)_pre_network_function' lflows | ovn_strip_lflows | sort], [0], [dnl\n+ table=??(ls_in_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_in_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_in_pre_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(reg0[[22..29]] = 2; next;)\n+ table=??(ls_out_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_out_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_out_pre_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(reg0[[22..29]] = 2; next;)\n+])\n+\n AT_CHECK(\n [grep -E 'ls_(in|out)_network_function' lflows | ovn_strip_lflows | sort], [0], [dnl\n table=??(ls_in_network_function), priority=0 , match=(1), action=(next;)\n@@ -19009,15 +19068,15 @@ AT_CHECK(\n table=??(ls_in_network_function), priority=100 , match=(inport == \"child-3\"), action=(reg5[[16..31]] = ct_label.tun_if_id; next;)\n table=??(ls_in_network_function), priority=100 , match=(inport == \"child-4\"), action=(reg5[[16..31]] = ct_label.tun_if_id; next;)\n table=??(ls_in_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n- table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_group_id == 1), action=(outport = \"child-3\"; output;)\n- table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(outport = \"child-3\"; output;)\n+ table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_id == 2), action=(outport = \"child-3\"; output;)\n+ table=??(ls_in_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 2), action=(outport = \"child-3\"; output;)\n table=??(ls_out_network_function), priority=0 , match=(1), action=(next;)\n table=??(ls_out_network_function), priority=1 , match=(reg8[[21]] == 1), action=(drop;)\n table=??(ls_out_network_function), priority=100 , match=(outport == \"child-3\"), action=(next;)\n table=??(ls_out_network_function), priority=100 , match=(outport == \"child-4\"), action=(next;)\n table=??(ls_out_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n- table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_group_id == 1), action=(outport = \"child-4\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n- table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(outport = \"child-4\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n+ table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 0 && ct_label.nf_id == 2), action=(outport = \"child-4\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n+ table=??(ls_out_network_function), priority=99 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 2), action=(outport = \"child-4\"; reg8[[23]] = 1; next(pipeline=ingress, table=??);)\n ])\n \n # Set the service monitor for nf0 to offline and nf1 to offline\n@@ -19033,6 +19092,14 @@ check ovn-nbctl --wait=sb sync\n ovn-sbctl dump-flows $sw > lflows\n AT_CAPTURE_FILE([lflows])\n \n+AT_CHECK(\n+ [grep -E 'ls_(in|out)_pre_network_function' lflows | ovn_strip_lflows | sort], [0], [dnl\n+ table=??(ls_in_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_in_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_out_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_out_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+])\n+\n AT_CHECK(\n [grep -E 'ls_(in|out)_network_function' lflows | ovn_strip_lflows | sort], [0], [dnl\n table=??(ls_in_network_function), priority=0 , match=(1), action=(next;)\n@@ -19054,15 +19121,23 @@ check ovn-nbctl --wait=sb sync\n ovn-sbctl dump-flows $sw > lflows\n AT_CAPTURE_FILE([lflows])\n \n+AT_CHECK(\n+ [grep -E 'ls_(in|out)_pre_network_function' lflows | ovn_strip_lflows | sort], [0], [dnl\n+ table=??(ls_in_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_in_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_in_pre_network_function), priority=10 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(reg8[[21]] = 0; reg0[[22..29]] = 0; next;)\n+ table=??(ls_out_pre_network_function), priority=0 , match=(1), action=(next;)\n+ table=??(ls_out_pre_network_function), priority=1 , match=(reg8[[21]] == 1 && reg8[[22]] == 1), action=(reg0[[22..29]] = 0; next;)\n+ table=??(ls_out_pre_network_function), priority=10 , match=(reg8[[21]] == 1 && reg8[[22]] == 1 && reg0[[22..29]] == 1), action=(reg8[[21]] = 0; reg0[[22..29]] = 0; next;)\n+])\n+\n AT_CHECK(\n [grep -E 'ls_(in|out)_network_function' lflows | ovn_strip_lflows | sort], [0], [dnl\n table=??(ls_in_network_function), priority=0 , match=(1), action=(next;)\n table=??(ls_in_network_function), priority=1 , match=(reg8[[21]] == 1), action=(drop;)\n- table=??(ls_in_network_function), priority=10 , match=(reg0[[22..29]] == 1 || (ct.trk && ct_label.nf_group_id == 1)), action=(next;)\n table=??(ls_in_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n table=??(ls_out_network_function), priority=0 , match=(1), action=(next;)\n table=??(ls_out_network_function), priority=1 , match=(reg8[[21]] == 1), action=(drop;)\n- table=??(ls_out_network_function), priority=10 , match=(reg0[[22..29]] == 1 || (ct.trk && ct_label.nf_group_id == 1)), action=(next;)\n table=??(ls_out_network_function), priority=100 , match=(reg8[[21]] == 1 && eth.mcast), action=(next;)\n ])\n \ndiff --git a/tests/ovn.at b/tests/ovn.at\nindex 941081f9a..f0257b1c1 100644\n--- a/tests/ovn.at\n+++ b/tests/ovn.at\n@@ -143,8 +143,8 @@ ct_label = NXM_NX_CT_LABEL\n ct_label.acl_id = ct_label[80..95]\n ct_label.ecmp_reply_eth = ct_label[32..79]\n ct_label.label = ct_label[96..127]\n-ct_label.nf_group = ct_label[7]\n-ct_label.nf_group_id = ct_label[17..24]\n+ct_label.nf = ct_label[7]\n+ct_label.nf_id = ct_label[17..24]\n ct_label.obs_point_id = ct_label[96..127]\n ct_label.obs_unused = ct_label[0..95]\n ct_label.tun_if = ct_label[8]\n@@ -859,8 +859,8 @@ next();\n Syntax error at `)' expecting \"pipeline\" or \"table\".\n next(10;\n Syntax error at `;' expecting `)'.\n-next(33);\n- \"next\" action cannot advance beyond table 33.\n+next(34);\n+ \"next\" action cannot advance beyond table 34.\n \n next(table=lflow_table);\n formats as next;\n", "prefixes": [ "ovs-dev", "v4", "2/2" ] }