Patch Detail
GET /api/patches/2223121/?format=api
{ "id": 2223121, "url": "http://patchwork.ozlabs.org/api/patches/2223121/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ovn/patch/20260414134043.924997-5-dceara@redhat.com/", "project": { "id": 68, "url": "http://patchwork.ozlabs.org/api/projects/68/?format=api", "name": "Open Virtual Network development", "link_name": "ovn", "list_id": "ovs-dev.openvswitch.org", "list_email": "ovs-dev@openvswitch.org", "web_url": "http://openvswitch.org/", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260414134043.924997-5-dceara@redhat.com>", "list_archive_url": null, "date": "2026-04-14T13:40:43", "name": "[ovs-dev,4/4] northd: Skip conntrack for EVPN remote VTEP traffic.", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "f5488110d21b5653a0120a10644c8b030806a94a", "submitter": { "id": 76591, "url": "http://patchwork.ozlabs.org/api/people/76591/?format=api", "name": "Dumitru Ceara", "email": "dceara@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/ovn/patch/20260414134043.924997-5-dceara@redhat.com/mbox/", "series": [ { "id": 499847, "url": "http://patchwork.ozlabs.org/api/series/499847/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ovn/list/?series=499847", "date": "2026-04-14T13:40:39", "name": "Fix conntrack handling for traffic to/from EVPN vteps.", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/499847/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2223121/comments/", "check": "success", "checks": "http://patchwork.ozlabs.org/api/patches/2223121/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<ovs-dev-bounces@openvswitch.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "ovs-dev@openvswitch.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "ovs-dev@lists.linuxfoundation.org" ], "Authentication-Results": [ 
"legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=XJPxt/Vf;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)", "smtp1.osuosl.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key)\n header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=XJPxt/Vf", "smtp3.osuosl.org; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com", "smtp3.osuosl.org;\n dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com\n header.a=rsa-sha256 header.s=mimecast20190719 header.b=XJPxt/Vf" ], "Received": [ "from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fw56V6thmz1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 14 Apr 2026 23:41:54 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 6922184CB1;\n\tTue, 14 Apr 2026 13:41:53 +0000 (UTC)", "from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id yJFZBNM4oQ-v; Tue, 14 Apr 2026 13:41:52 +0000 (UTC)", "from lists.linuxfoundation.org (lf-lists.osuosl.org\n [IPv6:2605:bc80:3010:104::8cd3:938])\n\tby smtp1.osuosl.org (Postfix) with ESMTPS id 1A53784CA5;\n\tTue, 14 Apr 2026 13:41:52 +0000 (UTC)", "from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id 02905C054A;\n\tTue, 14 Apr 2026 13:41:52 +0000 (UTC)", "from 
smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 3CADCC0549\n for <ovs-dev@openvswitch.org>; Tue, 14 Apr 2026 13:41:50 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 40D946EB93\n for <ovs-dev@openvswitch.org>; Tue, 14 Apr 2026 13:41:30 +0000 (UTC)", "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id jaDKZt1BGf7f for <ovs-dev@openvswitch.org>;\n Tue, 14 Apr 2026 13:41:28 +0000 (UTC)", "from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.129.124])\n by smtp3.osuosl.org (Postfix) with ESMTPS id F0DE661CD4\n for <ovs-dev@openvswitch.org>; Tue, 14 Apr 2026 13:41:27 +0000 (UTC)", "from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-399-Gyoks1dfPdCriQMzfTqWOA-1; Tue,\n 14 Apr 2026 09:41:24 -0400", "from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id D893519560AB\n for <ovs-dev@openvswitch.org>; Tue, 14 Apr 2026 13:41:23 +0000 (UTC)", "from cecil-rh.redhat.com (unknown [10.44.33.229])\n by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id 97C4819560AB; Tue, 14 Apr 2026 13:41:22 +0000 (UTC)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections -\n client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org;\n 
envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp1.osuosl.org 1A53784CA5", "OpenDKIM Filter v2.11.0 smtp3.osuosl.org F0DE661CD4" ], "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=170.10.129.124;\n helo=us-smtp-delivery-124.mimecast.com; envelope-from=dceara@redhat.com;\n receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp3.osuosl.org F0DE661CD4", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1776174086;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding:\n in-reply-to:in-reply-to:references:references;\n bh=bqXYITYIrh9gO+h1BVuDdumd2+WdBgA+krRl6JbJ3/c=;\n b=XJPxt/VfgvS/vTJ6XoGAgwN1EuWZfTjD4s2ikq4NijJ5HHG24s7Y4Ljyos5riqk7OL5JNt\n 1NiUDZUCgTjI7BXqvOr7M6HCXOD710xNr83LgPcmzhY9VjxLiS0ATnP0lcvFLLQ2cw9Hjt\n 5kjlnXOIKY8FNrB28UE2YAFwtedP3l4=", "X-MC-Unique": "Gyoks1dfPdCriQMzfTqWOA-1", "X-Mimecast-MFC-AGG-ID": "Gyoks1dfPdCriQMzfTqWOA_1776174084", "To": "ovs-dev@openvswitch.org", "Date": "Tue, 14 Apr 2026 15:40:43 +0200", "Message-ID": "<20260414134043.924997-5-dceara@redhat.com>", "In-Reply-To": "<20260414134043.924997-1-dceara@redhat.com>", "References": "<20260414134043.924997-1-dceara@redhat.com>", "MIME-Version": "1.0", "X-Scanned-By": "MIMEDefang 3.0 on 10.30.177.12", "X-Mimecast-Spam-Score": "0", "X-Mimecast-MFC-PROC-ID": "kZ8w49OzIVrWWY7VkxSRMAYXRk4eOFQnEI9WaoRANFY_1776174084", "X-Mimecast-Originator": "redhat.com", "Subject": "[ovs-dev] [PATCH ovn 4/4] northd: Skip conntrack for EVPN remote\n VTEP traffic.", "X-BeenThere": "ovs-dev@openvswitch.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "<ovs-dev.openvswitch.org>", "List-Unsubscribe": "<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>", 
"List-Archive": "<http://mail.openvswitch.org/pipermail/ovs-dev/>", "List-Post": "<mailto:ovs-dev@openvswitch.org>", "List-Help": "<mailto:ovs-dev-request@openvswitch.org?subject=help>", "List-Subscribe": "<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>", "From": "Dumitru Ceara via dev <ovs-dev@openvswitch.org>", "Reply-To": "Dumitru Ceara <dceara@redhat.com>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "ovs-dev-bounces@openvswitch.org", "Sender": "\"dev\" <ovs-dev-bounces@openvswitch.org>" }, "content": "When a logical switch has stateful ACLs (allow-related) or load\nbalancers configured, all IP traffic is sent to conntrack in the\nPRE_ACL and PRE_LB pipeline stages. Traffic from/to remote VTEPs\nhas no conntrack zone assigned, so conntrack lookups return\nct_state=+trk+inv, causing the traffic to be dropped.\n\nFix this by adding priority-110 flows that bypass conntrack for\nEVPN remote VTEP traffic, identified by the from_evpn_vtep and\nto_evpn_vtep predicates. These predicates check bit 31 of the\nlogical inport/outport registers, which is always set for EVPN\nbinding keys (OVN_MIN_EVPN_KEY = 1 << 31).\n\nThe EVPN skip in PRE_ACL is only added when stateful ACLs are\npresent (matching the existing pattern for localnet/router/switch\nports). 
The EVPN skip in PRE_LB is unconditional, unlike localnet\nports which are gated on !has_lb_vip -- remote VTEPs have no\nconntrack zones so conntrack would always fail regardless of LB\nconfiguration.\n\nFixes: 9081afcf8698 (\"controller: Create physical flows based on EVPN structures.\")\nReported-at: https://redhat.atlassian.net/browse/FDP-3462\nSuggested-by: Ales Musil <amusil@redhat.com>\nAssisted-by: Claude, with model: claude-opus-4-6\nSigned-off-by: Dumitru Ceara <dceara@redhat.com>\n---\n lib/logical-fields.c | 22 +++++++++++\n lib/ovn-util.c | 2 +-\n northd/northd.c | 37 ++++++++++++++++++\n tests/multinode.at | 30 ++++++++++++++\n tests/ovn-northd.at | 93 ++++++++++++++++++++++++++++++++++++++++++++\n tests/ovn.at | 16 +++++++-\n 6 files changed, 197 insertions(+), 3 deletions(-)", "diff": "diff --git a/lib/logical-fields.c b/lib/logical-fields.c\nindex 9b04762a17..4b8bcfdc6f 100644\n--- a/lib/logical-fields.c\n+++ b/lib/logical-fields.c\n@@ -72,6 +72,28 @@ ovn_init_symtab(struct shash *symtab)\n expr_symtab_add_string(symtab, \"inport\", MFF_LOG_INPORT, NULL);\n expr_symtab_add_string(symtab, \"outport\", MFF_LOG_OUTPORT, NULL);\n \n+ /* Also register the inport/outport backing registers as numeric fields\n+ * so that predicates can reference specific bits (e.g., the EVPN key\n+ * indicator at bit 31). */\n+ char inport_reg[8], outport_reg[8];\n+ snprintf(inport_reg, sizeof inport_reg, \"reg%d\",\n+ MFF_LOG_INPORT - MFF_REG0);\n+ expr_symtab_add_field(symtab, inport_reg, MFF_LOG_INPORT, NULL, false);\n+ snprintf(outport_reg, sizeof outport_reg, \"reg%d\",\n+ MFF_LOG_OUTPORT - MFF_REG0);\n+ expr_symtab_add_field(symtab, outport_reg, MFF_LOG_OUTPORT, NULL, false);\n+\n+ /* EVPN binding keys have bit 31 set (OVN_MIN_EVPN_KEY = 1 << 31).\n+ * Define predicates to identify traffic from/to remote VTEPs so that\n+ * northd can skip conntrack without hard-coding register indices. 
*/\n+ char vtep_pred[64];\n+ snprintf(vtep_pred, sizeof vtep_pred,\n+ \"%s == 0x80000000/0x80000000\", inport_reg);\n+ expr_symtab_add_predicate(symtab, \"from_evpn_vtep\", vtep_pred);\n+ snprintf(vtep_pred, sizeof vtep_pred,\n+ \"%s == 0x80000000/0x80000000\", outport_reg);\n+ expr_symtab_add_predicate(symtab, \"to_evpn_vtep\", vtep_pred);\n+\n /* The port isn't reserved along the pipeline it's just defined as symbol\n * to support matching on string and moving between string registers. */\n expr_symtab_add_string(symtab, \"remote_outport\",\ndiff --git a/lib/ovn-util.c b/lib/ovn-util.c\nindex 65fdb3a59c..fb02825ac4 100644\n--- a/lib/ovn-util.c\n+++ b/lib/ovn-util.c\n@@ -1027,7 +1027,7 @@ ip_address_and_port_from_lb_key(const char *key, char **ip_address,\n * NOTE: If OVN_NORTHD_PIPELINE_CSUM is updated make sure to double check\n * whether an update of OVN_INTERNAL_MINOR_VER is required. */\n #define OVN_NORTHD_PIPELINE_CSUM \"3760014456 11249\"\n-#define OVN_INTERNAL_MINOR_VER 13\n+#define OVN_INTERNAL_MINOR_VER 14\n \n /* Returns the OVN version. The caller must free the returned value. */\n char *\ndiff --git a/northd/northd.c b/northd/northd.c\nindex bc817073e2..0b52db6cf6 100644\n--- a/northd/northd.c\n+++ b/northd/northd.c\n@@ -6418,6 +6418,31 @@ skip_port_from_conntrack(const struct ovn_datapath *od, struct ovn_port *op,\n free(egress_match);\n }\n \n+/* Skip conntrack for traffic from/to EVPN remote VTEPs.\n+ * Remote VTEPs do not have conntrack zones assigned, so\n+ * conntrack lookups would return +trk+inv and cause drops. */\n+static void\n+skip_evpn_from_conntrack(const struct ovn_datapath *od,\n+ bool has_stateful_acl,\n+ const struct ovn_stage *in_stage,\n+ const struct ovn_stage *out_stage, uint16_t priority,\n+ struct lflow_table *lflows,\n+ struct lflow_ref *lflow_ref)\n+{\n+ if (!od->has_evpn_vni) {\n+ return;\n+ }\n+\n+ const char *egress_action = has_stateful_acl\n+ ? 
\"next;\"\n+ : \"flags.pkt_sampled = 0; ct_clear; next;\";\n+\n+ ovn_lflow_add(lflows, od, in_stage, priority,\n+ \"from_evpn_vtep\", \"next;\", lflow_ref);\n+ ovn_lflow_add(lflows, od, out_stage, priority,\n+ \"to_evpn_vtep\", egress_action, lflow_ref);\n+}\n+\n static void\n build_stateless_filter(const struct ovn_datapath *od,\n const struct nbrec_acl *acl,\n@@ -6520,6 +6545,10 @@ build_ls_stateful_rec_pre_acls(\n lflow_ref);\n }\n \n+ skip_evpn_from_conntrack(od, true,\n+ S_SWITCH_IN_PRE_ACL, S_SWITCH_OUT_PRE_ACL,\n+ 110, lflows, lflow_ref);\n+\n /* stateless filters always take precedence over stateful ACLs. */\n build_stateless_filters(od, ls_port_groups, lflows, lflow_ref);\n \n@@ -6751,6 +6780,14 @@ build_ls_stateful_rec_pre_lb(const struct ls_stateful_record *ls_stateful_rec,\n }\n }\n \n+ /* EVPN remote VTEPs do not have conntrack zones, so their traffic\n+ * must always skip conntrack regardless of whether LB VIPs are\n+ * configured. This differs from localnet ports which DO have\n+ * conntrack zones and can participate in load balancing. 
*/\n+ skip_evpn_from_conntrack(od, ls_stateful_rec->has_stateful_acl,\n+ S_SWITCH_IN_PRE_LB, S_SWITCH_OUT_PRE_LB,\n+ 110, lflows, lflow_ref);\n+\n /* 'REGBIT_CONNTRACK_NAT' is set to let the pre-stateful table send\n * packet to conntrack for defragmentation and possibly for unNATting.\n *\ndiff --git a/tests/multinode.at b/tests/multinode.at\nindex c2587b68ae..d07660797c 100644\n--- a/tests/multinode.at\n+++ b/tests/multinode.at\n@@ -3829,6 +3829,36 @@ OVS_WAIT_UNTIL([m_as ovn-gw-1 ip netns exec fabric_workload ping -6 -W 1 -c 1 10\n OVS_WAIT_UNTIL([m_as ovn-gw-2 ip netns exec fabric_workload ping -W 1 -c 1 10.0.0.12])\n OVS_WAIT_UNTIL([m_as ovn-gw-2 ip netns exec fabric_workload ping -6 -W 1 -c 1 10::12])\n \n+AS_BOX([Check EVPN traffic with stateful ACLs])\n+dnl Adding a stateful ACL should not break traffic from/to remote VTEPs.\n+dnl Without the conntrack skip flows (from_evpn_vtep / to_evpn_vtep),\n+dnl conntrack would return +trk+inv for VXLAN traffic and drop it.\n+check multinode_nbctl --wait=hv \\\n+ -- acl-add ls from-lport 100 \"ip\" allow-related \\\n+ -- acl-add ls to-lport 100 \"ip\" allow-related\n+\n+dnl Verify fabric-to-workload pings still work with stateful ACL.\n+OVS_WAIT_UNTIL([m_as ovn-gw-1 ip netns exec fabric_workload ping -W 1 -c 1 10.0.0.11])\n+OVS_WAIT_UNTIL([m_as ovn-gw-1 ip netns exec fabric_workload ping -6 -W 1 -c 1 10::11])\n+OVS_WAIT_UNTIL([m_as ovn-gw-2 ip netns exec fabric_workload ping -W 1 -c 1 10.0.0.12])\n+OVS_WAIT_UNTIL([m_as ovn-gw-2 ip netns exec fabric_workload ping -6 -W 1 -c 1 10::12])\n+\n+dnl Also add a load balancer and verify pings still work.\n+check multinode_nbctl --wait=hv \\\n+ -- lb-add lb1 10.0.0.100:80 10.0.0.11:80 \\\n+ -- ls-lb-add ls lb1\n+\n+OVS_WAIT_UNTIL([m_as ovn-gw-1 ip netns exec fabric_workload ping -W 1 -c 1 10.0.0.11])\n+OVS_WAIT_UNTIL([m_as ovn-gw-1 ip netns exec fabric_workload ping -6 -W 1 -c 1 10::11])\n+OVS_WAIT_UNTIL([m_as ovn-gw-2 ip netns exec fabric_workload ping -W 1 -c 1 
10.0.0.12])\n+OVS_WAIT_UNTIL([m_as ovn-gw-2 ip netns exec fabric_workload ping -6 -W 1 -c 1 10::12])\n+\n+dnl Cleanup ACL and LB.\n+check multinode_nbctl --wait=hv \\\n+ -- acl-del ls \\\n+ -- ls-lb-del ls lb1 \\\n+ -- lb-del lb1\n+\n AS_BOX([Check type-2 MAC+IP EVPN route advertisements])\n # Ping from the frr-ns to the fabric workload so that its IP is learned on\n # the fabric EVPN peer (and advertised to OVN).\ndiff --git a/tests/ovn-northd.at b/tests/ovn-northd.at\nindex 796c30daf7..1d7bd6c288 100644\n--- a/tests/ovn-northd.at\n+++ b/tests/ovn-northd.at\n@@ -19026,6 +19026,99 @@ OVN_CLEANUP_NORTHD\n AT_CLEANUP\n ])\n \n+OVN_FOR_EACH_NORTHD_NO_HV([\n+AT_SETUP([LS EVPN conntrack skip with stateful ACLs and LBs])\n+AT_KEYWORDS([dynamic-routing])\n+ovn_start\n+\n+AS_BOX([EVPN switch, no ACLs or LBs])\n+check ovn-nbctl --wait=sb \\\n+ -- ls-add ls-evpn \\\n+ -- set logical_switch ls-evpn other_config:dynamic-routing-vni=10 \\\n+ -- lsp-add ls-evpn lsp0 \\\n+ -- lsp-set-addresses lsp0 \"00:00:00:00:00:01 10.0.0.1\"\n+\n+ovn-sbctl dump-flows ls-evpn > lflows\n+\n+dnl No stateful ACL, so no EVPN skip flows in pre_acl.\n+AT_CHECK([grep 'pre_acl' lflows | grep 'from_evpn_vtep'], [1])\n+AT_CHECK([grep 'pre_acl' lflows | grep 'to_evpn_vtep'], [1])\n+\n+dnl pre_lb EVPN skip flows are always present for EVPN switches.\n+AT_CHECK([grep 'pre_lb' lflows | grep 'from_evpn_vtep\\|to_evpn_vtep' | ovn_strip_lflows], [0], [dnl\n+ table=??(ls_in_pre_lb ), priority=110 , match=(from_evpn_vtep), action=(next;)\n+ table=??(ls_out_pre_lb ), priority=110 , match=(to_evpn_vtep), action=(flags.pkt_sampled = 0; ct_clear; next;)\n+])\n+\n+AS_BOX([EVPN switch + stateful ACL])\n+check ovn-nbctl --wait=sb acl-add ls-evpn from-lport 100 \"ip\" allow-related\n+\n+ovn-sbctl dump-flows ls-evpn > lflows\n+\n+dnl Stateful ACL present, so EVPN skip flows appear in pre_acl.\n+AT_CHECK([grep 'pre_acl' lflows | grep 'from_evpn_vtep\\|to_evpn_vtep' | ovn_strip_lflows], [0], [dnl\n+ table=??(ls_in_pre_acl 
), priority=110 , match=(from_evpn_vtep), action=(next;)\n+ table=??(ls_out_pre_acl ), priority=110 , match=(to_evpn_vtep), action=(next;)\n+])\n+\n+dnl pre_lb EVPN skip flows with next; action (has_stateful_acl is true).\n+AT_CHECK([grep 'pre_lb' lflows | grep 'from_evpn_vtep\\|to_evpn_vtep' | ovn_strip_lflows], [0], [dnl\n+ table=??(ls_in_pre_lb ), priority=110 , match=(from_evpn_vtep), action=(next;)\n+ table=??(ls_out_pre_lb ), priority=110 , match=(to_evpn_vtep), action=(next;)\n+])\n+\n+AS_BOX([EVPN switch + LB only])\n+check ovn-nbctl --wait=sb \\\n+ -- acl-del ls-evpn \\\n+ -- lb-add lb1 10.0.0.100:80 10.0.0.1:80 \\\n+ -- ls-lb-add ls-evpn lb1\n+\n+ovn-sbctl dump-flows ls-evpn > lflows\n+\n+dnl No stateful ACL, so no EVPN skip flows in pre_acl.\n+AT_CHECK([grep 'pre_acl' lflows | grep 'from_evpn_vtep'], [1])\n+AT_CHECK([grep 'pre_acl' lflows | grep 'to_evpn_vtep'], [1])\n+\n+dnl pre_lb EVPN skip flows with ct_clear egress (no stateful ACL).\n+AT_CHECK([grep 'pre_lb' lflows | grep 'from_evpn_vtep\\|to_evpn_vtep' | ovn_strip_lflows], [0], [dnl\n+ table=??(ls_in_pre_lb ), priority=110 , match=(from_evpn_vtep), action=(next;)\n+ table=??(ls_out_pre_lb ), priority=110 , match=(to_evpn_vtep), action=(flags.pkt_sampled = 0; ct_clear; next;)\n+])\n+\n+AS_BOX([EVPN switch + ACL + LB])\n+check ovn-nbctl --wait=sb acl-add ls-evpn from-lport 100 \"ip\" allow-related\n+\n+ovn-sbctl dump-flows ls-evpn > lflows\n+\n+dnl Stateful ACL present again, so EVPN skip flows appear in pre_acl.\n+AT_CHECK([grep 'pre_acl' lflows | grep 'from_evpn_vtep\\|to_evpn_vtep' | ovn_strip_lflows], [0], [dnl\n+ table=??(ls_in_pre_acl ), priority=110 , match=(from_evpn_vtep), action=(next;)\n+ table=??(ls_out_pre_acl ), priority=110 , match=(to_evpn_vtep), action=(next;)\n+])\n+\n+dnl pre_lb egress action is next; because has_stateful_acl is true.\n+AT_CHECK([grep 'pre_lb' lflows | grep 'from_evpn_vtep\\|to_evpn_vtep' | ovn_strip_lflows], [0], [dnl\n+ table=??(ls_in_pre_lb ), priority=110 , 
match=(from_evpn_vtep), action=(next;)\n+ table=??(ls_out_pre_lb ), priority=110 , match=(to_evpn_vtep), action=(next;)\n+])\n+\n+AS_BOX([Non-EVPN switch + ACL])\n+check ovn-nbctl --wait=sb \\\n+ -- ls-add ls-plain \\\n+ -- lsp-add ls-plain lsp1 \\\n+ -- lsp-set-addresses lsp1 \"00:00:00:00:00:02 10.0.0.2\" \\\n+ -- acl-add ls-plain from-lport 100 \"ip\" allow-related\n+\n+ovn-sbctl dump-flows ls-plain > lflows\n+\n+dnl Non-EVPN switch must not have any EVPN skip flows.\n+AT_CHECK([grep 'from_evpn_vtep' lflows], [1])\n+AT_CHECK([grep 'to_evpn_vtep' lflows], [1])\n+\n+OVN_CLEANUP_NORTHD\n+AT_CLEANUP\n+])\n+\n OVN_FOR_EACH_NORTHD_NO_HV([\n AT_SETUP([Check network function])\n ovn_start\ndiff --git a/tests/ovn.at b/tests/ovn.at\nindex cec3bb9a73..939dffc761 100644\n--- a/tests/ovn.at\n+++ b/tests/ovn.at\n@@ -108,8 +108,11 @@ dnl\n dnl When we add or remove registers this test needs to be updated, of course.\n AT_SETUP([registers])\n AT_CHECK([ovstest test-ovn dump-symtab | grep reg | sort], [0],\n-[[reg0 = xxreg0[96..127]\n+[[from_evpn_vtep = reg14 == 0x80000000/0x80000000\n+reg0 = xxreg0[96..127]\n reg1 = xxreg0[64..95]\n+reg14 = NXM_NX_REG14\n+reg15 = NXM_NX_REG15\n reg2 = xxreg0[32..63]\n reg3 = xxreg0[0..31]\n reg4 = xxreg1[96..127]\n@@ -118,6 +121,7 @@ reg6 = xxreg1[32..63]\n reg7 = xxreg1[0..31]\n reg8 = xreg4[32..63]\n reg9 = xreg4[0..31]\n+to_evpn_vtep = reg15 == 0x80000000/0x80000000\n xreg0 = xxreg0[64..127]\n xreg1 = xxreg0[0..63]\n xreg2 = xxreg1[64..127]\n@@ -128,6 +132,14 @@ xxreg1 = NXM_NX_XXREG1\n ]])\n AT_CLEANUP\n \n+dnl Check EVPN VTEP predicate definitions.\n+AT_SETUP([EVPN VTEP fields])\n+AT_CHECK([ovstest test-ovn dump-symtab | grep evpn_vtep | sort], [0],\n+[[from_evpn_vtep = reg14 == 0x80000000/0x80000000\n+to_evpn_vtep = reg15 == 0x80000000/0x80000000\n+]])\n+AT_CLEANUP\n+\n dnl Check that the OVN conntrack field definitions are correct.\n AT_SETUP([conntrack fields])\n AT_CHECK([ovstest test-ovn dump-symtab | grep ^ct | sort], [0],\n@@ 
-2108,7 +2120,7 @@ reg0[[1..3]] = get_fdb(eth.src);\n Cannot use 3-bit field reg0[[1..3]] where 32-bit field is required.\n \n reg15 = get_fdb(eth.dst);\n- Syntax error at `reg15' expecting field name.\n+ encodes as set_field:0->reg15,resubmit(,OFTABLE_GET_FDB)\n \n outport = get_fdb(ip4.dst);\n Cannot use 32-bit field ip4.dst[[0..31]] where 48-bit field is required.\n", "prefixes": [ "ovs-dev", "4/4" ] }
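
Review bot: In the lib/logical-fields.c hunk, the two snprintf() calls that build vtep_pred spell the bit-31 mask as the string literal "0x80000000/0x80000000", while the comment directly above ties that value to OVN_MIN_EVPN_KEY. If the constant ever changes, the predicates stop matching without any build error and EVPN traffic goes back into conntrack. Consider formatting the mask from OVN_MIN_EVPN_KEY itself so the predicate and the key range cannot drift apart. The first comment block should also say whether exposing the inport/outport backing registers as numeric fields to every expression parsed against this symtab is intended, or only a means to define the two predicates.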
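
Review bot: In the lib/ovn-util.c hunk, OVN_INTERNAL_MINOR_VER goes from 13 to 14 but the commit message never mentions the bump or its reason. Please state why it is needed (presumably because northd now emits matches using from_evpn_vtep/to_evpn_vtep, which the parsing side must know) and what is expected during an upgrade when the two sides disagree. The NOTE in the context lines asks for a double check whenever the pipeline changes, and OVN_NORTHD_PIPELINE_CSUM is left untouched here, so a sentence confirming that was deliberate would help.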
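
Review bot: In skip_evpn_from_conntrack() in northd/northd.c, egress_action switches between "next;" and "flags.pkt_sampled = 0; ct_clear; next;" on has_stateful_acl, but the function comment only explains why conntrack is skipped, not why the egress side needs ct_clear and the pkt_sampled reset when no stateful ACL exists. Please document that choice next to egress_action. The comment should also spell out the policy consequence: every packet matching from_evpn_vtep or to_evpn_vtep leaves the stage at priority 110 untracked, so does an allow-related ACL on an EVPN switch get applied to remote VTEP traffic without connection state? The diffstat lists no documentation file, so this behaviour is currently recorded only in the commit message.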
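
Review bot: In the build_ls_stateful_rec_pre_acls() hunk of northd/northd.c, the call passes a bare `true` for has_stateful_acl, whereas the PRE_LB call site passes ls_stateful_rec->has_stateful_acl. The literal only holds if this point is reached solely when stateful ACLs exist, and that guard is not visible in the hunk. Add a one-line comment saying so, or pass the record's flag here as well so both call sites read the same way. The priority 110 is also repeated as a literal at both call sites; if it must stay equal to the existing localnet/router/switch skip flows, a shared constant would make that dependency explicit.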
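
Review bot: In the tests/multinode.at hunk, after `lb-add lb1 10.0.0.100:80 10.0.0.11:80` the test only repeats the ICMP pings to 10.0.0.11, 10.0.0.12 and their IPv6 counterparts; nothing is ever sent to the VIP 10.0.0.100:80. The PRE_LB skip is unconditional for remote VTEP traffic, so the test should show what happens when fabric_workload targets the VIP, even if the expected result is that it is not load balanced. Note also that the cleanup uses `acl-del ls`, which removes every ACL on the switch rather than only the two added here; that is fine today but fragile if earlier parts of the test start adding ACLs.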
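
Review bot: In the tests/ovn-northd.at hunk, the new test sets other_config:dynamic-routing-vni=10 on ls-evpn and never removes it, so there is no check that the from_evpn_vtep/to_evpn_vtep flows disappear again once the switch stops being an EVPN switch. Since skip_evpn_from_conntrack() returns early on !od->has_evpn_vni, a final step that removes the option and asserts that both greps return 1 would cover that path. The stateful cases also only use a from-lport ACL; a to-lport allow-related ACL on its own would confirm that the PRE_ACL skip flows appear for either direction.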
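
Review bot: In the last tests/ovn.at hunk, the expected result for `reg15 = get_fdb(eth.dst);` changes from "Syntax error at `reg15' expecting field name." to a successful encoding as set_field:0->reg15, which the commit message does not mention. It shows the change does more than add two predicates: reg15, and by the same registration reg14, is now an accepted field name in parsed expressions. These registers back the logical inport/outport and the new conntrack bypass keys on bit 31 of them, so please confirm whether match or action strings that originate from the northbound database (ACL matches, for instance) can now reference reg14/reg15 directly. If they must not, add a negative test showing such input is rejected.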