From patchwork Tue Dec 6 23:53:50 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Lorenzo Bianconi
X-Patchwork-Id: 1712971
From: Lorenzo Bianconi
To: ovs-dev@openvswitch.org
Date: Wed, 7 Dec 2022 00:53:50 +0100
Message-Id:
<804194d4ee223edb50f094ddb8793a07035d44d9.1670370365.git.lorenzo.bianconi@redhat.com>
X-Mailer: git-send-email 2.38.1
Subject: [ovs-dev] [PATCH v2 ovn] actions: introduce ct_commit_continue
action

In the current codebase the ct_commit {} action clears the ct_state metadata of
the incoming packet. This behaviour introduces an issue if we need to
check the connection tracking state in the subsequent pipeline stages,
e.g. for hairpin traffic:

table=14(ls_in_pre_hairpin ), priority=100 , match=(ip && ct.trk), action=(reg0[6] = chk_lb_hairpin(); reg0[12] = chk_lb_hairpin_reply(); next;)

Fix the issue by introducing the ct_commit_continue action, which allows the ct
packet to proceed in the pipeline instead of the original one.
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2103086
Signed-off-by: Lorenzo Bianconi
---
Changes since v1:
- introduce new nested action ct_commit_continue instead of modifying
ct_commit_v2
---
controller/chassis.c | 7 +++++
include/ovn/actions.h | 2 ++
include/ovn/features.h | 1 +
lib/actions.c | 61 ++++++++++++++++++++++++++++++++++++++---
northd/northd.c | 40 +++++++++++++++++++++++----
northd/northd.h | 2 ++
northd/ovn-northd.8.xml | 7 +++++
ovn-sb.xml | 15 ++++++++++
tests/ovn-controller.at | 42 ++++++++++++++++++++++++++++
tests/ovn-northd.at | 8 +++---
tests/ovn.at | 4 +++
utilities/ovn-trace.c | 2 ++
12 files changed, 177 insertions(+), 14 deletions(-)
diff --git a/controller/chassis.c b/controller/chassis.c
index 685d9b2ae..8dc7ecc07 100644
--- a/controller/chassis.c
+++ b/controller/chassis.c
@@ -352,6 +352,7 @@ chassis_build_other_config(const struct ovs_chassis_cfg *ovs_cfg,
smap_replace(config, OVN_FEATURE_PORT_UP_NOTIF, "true");
smap_replace(config, OVN_FEATURE_CT_NO_MASKED_LABEL, "true");
smap_replace(config, OVN_FEATURE_MAC_BINDING_TIMESTAMP, "true");
+ smap_replace(config, OVN_FEATURE_CT_COMMIT_CONTINUE, "true");
}
/*
@@ -469,6 +470,12 @@ chassis_other_config_changed(const struct ovs_chassis_cfg *ovs_cfg,
return true;
}
+ if (!smap_get_bool(&chassis_rec->other_config,
+ OVN_FEATURE_CT_COMMIT_CONTINUE,
+ false)) {
+ return true;
+ }
+
return false;
}
diff --git a/include/ovn/actions.h b/include/ovn/actions.h
index a56351081..927818976 100644
--- a/include/ovn/actions.h
+++ b/include/ovn/actions.h
@@ -66,6 +66,7 @@ struct ovn_extend_table;
OVNACT(CT_NEXT, ovnact_ct_next) \
OVNACT(CT_COMMIT_V1, ovnact_ct_commit_v1) \
OVNACT(CT_COMMIT_V2, ovnact_nest) \
+ OVNACT(CT_COMMIT_CONTINUE, ovnact_nest) \
OVNACT(CT_DNAT, ovnact_ct_nat) \
OVNACT(CT_SNAT, ovnact_ct_nat) \
OVNACT(CT_DNAT_IN_CZONE, ovnact_ct_nat) \
@@ -321,6 +322,7 @@ struct ovnact_nest {
struct ovnact ovnact;
struct ovnact *nested;
size_t nested_len;
+ uint8_t ltable; /* Logical table ID of next table. */
};
/* OVNACT_GET_ARP, OVNACT_GET_ND. */
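Review bot: the comment on the new ltable member of struct ovnact_nest ("Logical table ID of next table") does not say that the field is only meaningful for CT_COMMIT_CONTINUE, although the struct is shared (CT_COMMIT_V2 is declared with ovnact_nest in this same header). Please document which actions use it and what value the others carry. parse_CT_COMMIT sets it to 0 explicitly, but 0 is also a valid logical table ID and is the wrap-around target in parse_CT_COMMIT_CONTINUE, so "unused" and "table 0" cannot be told apart.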
diff --git a/include/ovn/features.h b/include/ovn/features.h
index 679f67457..0ad8a27b9 100644
--- a/include/ovn/features.h
+++ b/include/ovn/features.h
@@ -24,6 +24,7 @@
#define OVN_FEATURE_PORT_UP_NOTIF "port-up-notif"
#define OVN_FEATURE_CT_NO_MASKED_LABEL "ct-no-masked-label"
#define OVN_FEATURE_MAC_BINDING_TIMESTAMP "mac-binding-timestamp"
+#define OVN_FEATURE_CT_COMMIT_CONTINUE "ct-commit-continue"
/* OVS datapath supported features. Based on availability OVN might generate
* different types of openflows.
diff --git a/lib/actions.c b/lib/actions.c
index 47ec654e1..807b84127 100644
--- a/lib/actions.c
+++ b/lib/actions.c
@@ -766,6 +766,13 @@ parse_CT_COMMIT(struct action_context *ctx)
if (ctx->lexer->token.type == LEX_T_LCURLY) {
parse_nested_action(ctx, OVNACT_CT_COMMIT_V2, "ip",
WR_CT_COMMIT);
+
+ if (ctx->lexer->error) {
+ return;
+ }
+
+ struct ovnact_nest *on = ctx->ovnacts->header;
+ on->ltable = 0;
} else if (ctx->lexer->token.type == LEX_T_LPAREN) {
parse_CT_COMMIT_V1(ctx);
} else {
@@ -775,6 +782,7 @@ parse_CT_COMMIT(struct action_context *ctx)
OVNACT_ALIGN(sizeof *on));
on->nested_len = 0;
on->nested = NULL;
+ on->ltable = 0;
}
}
@@ -871,13 +879,13 @@ format_CT_COMMIT_V2(const struct ovnact_nest *on, struct ds *s)
}
static void
-encode_CT_COMMIT_V2(const struct ovnact_nest *on,
- const struct ovnact_encode_params *ep OVS_UNUSED,
- struct ofpbuf *ofpacts)
+encode_ct_commit_nested(const struct ovnact_nest *on,
+ const struct ovnact_encode_params *ep,
+ uint8_t recirc_table, struct ofpbuf *ofpacts)
{
struct ofpact_conntrack *ct = ofpact_put_CT(ofpacts);
ct->flags = NX_CT_F_COMMIT;
- ct->recirc_table = NX_CT_RECIRC_NONE;
+ ct->recirc_table = recirc_table;
ct->zone_src.field = ep->is_switch
? mf_from_id(MFF_LOG_CT_ZONE)
: mf_from_id(MFF_LOG_DNAT_ZONE);
@@ -907,6 +915,49 @@ encode_CT_COMMIT_V2(const struct ovnact_nest *on,
ct = ofpacts->header;
ofpact_finish(ofpacts, &ct->ofpact);
}
+
+static void
+encode_CT_COMMIT_V2(const struct ovnact_nest *on,
+ const struct ovnact_encode_params *ep,
+ struct ofpbuf *ofpacts)
+{
+ encode_ct_commit_nested(on, ep, NX_CT_RECIRC_NONE, ofpacts);
+}
+
+static void
+parse_CT_COMMIT_CONTINUE(struct action_context *ctx)
+{
+ int table = ctx->pp->cur_ltable + 1;
+ if (table >= ctx->pp->n_tables) {
+ table = 0;
+ }
+ parse_nested_action(ctx, OVNACT_CT_COMMIT_CONTINUE, "ip",
+ WR_CT_COMMIT);
+
+ struct ovnact_nest *on = ctx->ovnacts->header;
+ on->ltable = table;
+}
+
+static void
+format_CT_COMMIT_CONTINUE(const struct ovnact_nest *on, struct ds *s)
+{
+ if (on->nested_len) {
+ format_nested_action(on, "ct_commit_continue", s);
+ } else {
+ ds_put_cstr(s, "ct_commit_continue;");
+ }
+}
+
+static void
+encode_CT_COMMIT_CONTINUE(const struct ovnact_nest *on,
+ const struct ovnact_encode_params *ep,
+ struct ofpbuf *ofpacts)
+{
+ uint8_t recirc_table = first_ptable(ep, ep->pipeline) + on->ltable;
+
+ encode_ct_commit_nested(on, ep, recirc_table, ofpacts);
+}
+
static void
parse_ct_nat(struct action_context *ctx, const char *name,
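Review bot: parse_CT_COMMIT_CONTINUE casts ctx->ovnacts->header to struct ovnact_nest right after parse_nested_action() without checking ctx->lexer->error, while the CT_COMMIT_V2 branch added to parse_CT_COMMIT earlier in this file returns on error before doing the same cast; add the same check here. Two smaller points in the same function: when cur_ltable + 1 >= n_tables the target silently wraps to table 0, which sends the committed packet back to the start of the pipeline instead of rejecting the action, and format_CT_COMMIT_CONTINUE emits "ct_commit_continue;" for an empty body although the parser always goes through parse_nested_action and ovn-sb.xml documents only the braced forms.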
@@ -5288,6 +5339,8 @@ parse_action(struct action_context *ctx)
parse_DEC_TTL(ctx);
} else if (lexer_match_id(ctx->lexer, "ct_next")) {
parse_CT_NEXT(ctx);
+ } else if (lexer_match_id(ctx->lexer, "ct_commit_continue")) {
+ parse_CT_COMMIT_CONTINUE(ctx);
} else if (lexer_match_id(ctx->lexer, "ct_commit")) {
parse_CT_COMMIT(ctx);
} else if (lexer_match_id(ctx->lexer, "ct_dnat")) {
diff --git a/northd/northd.c b/northd/northd.c
index 74facce7a..5170e20e2 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -446,6 +446,14 @@ build_chassis_features(const struct northd_input *input_data,
chassis_features->mac_binding_timestamp) {
chassis_features->mac_binding_timestamp = false;
}
+
+ bool ct_commit_continue =
+ smap_get_bool(&chassis->other_config,
+ OVN_FEATURE_CT_COMMIT_CONTINUE,
+ false);
+ if (!ct_commit_continue && chassis_features->ct_commit_continue) {
+ chassis_features->ct_commit_continue = false;
+ }
}
}
@@ -5494,6 +5502,7 @@ ls_get_acl_flags(struct ovn_datapath *od)
{
od->has_acls = false;
od->has_stateful_acl = false;
+ od->has_apply_after_lb_acls = false;
if (od->nbs->n_acls) {
od->has_acls = true;
@@ -5502,7 +5511,9 @@ ls_get_acl_flags(struct ovn_datapath *od)
struct nbrec_acl *acl = od->nbs->acls[i];
if (!strcmp(acl->action, "allow-related")) {
od->has_stateful_acl = true;
- return;
+ }
+ if (smap_get_bool(&acl->options, "apply-after-lb", false)) {
+ od->has_apply_after_lb_acls = true;
}
}
}
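Review bot: with the early return dropped, this loop now walks every ACL even after both has_stateful_acl and has_apply_after_lb_acls are true. Consider leaving the loop once both flags are set (the port-group loop in the next hunk has the same shape), so datapaths with large ACL sets do not pay a full scan for the new flag.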
@@ -5516,7 +5527,9 @@ ls_get_acl_flags(struct ovn_datapath *od)
struct nbrec_acl *acl = ls_pg->nb_pg->acls[i];
if (!strcmp(acl->action, "allow-related")) {
od->has_stateful_acl = true;
- return;
+ }
+ if (smap_get_bool(&acl->options, "apply-after-lb", false)) {
+ od->has_apply_after_lb_acls = true;
}
}
}
@@ -7447,9 +7460,17 @@ build_stateful(struct ovn_datapath *od,
* We always set ct_mark.blocked to 0 here as
* any packet that makes it this far is part of a connection we
* want to allow to continue. */
- ds_put_format(&actions, "ct_commit { %s = 0; "
- "ct_label.label = " REG_LABEL "; }; next;",
- ct_block_action);
+ if (features->ct_commit_continue && od->has_apply_after_lb_acls) {
+ ds_put_format(&actions,
+ "ct_commit_continue { %s = 0; "
+ "ct_label.label = " REG_LABEL "; };",
+ ct_block_action);
+ } else {
+ ds_put_format(&actions,
+ "ct_commit { %s = 0; "
+ "ct_label.label = " REG_LABEL "; }; next;",
+ ct_block_action);
+ }
ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100,
REGBIT_CONNTRACK_COMMIT" == 1 && "
REGBIT_ACL_LABEL" == 1",
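Review bot: the switch to ct_commit_continue is gated on od->has_apply_after_lb_acls, but the commit message motivates the change with the ls_in_pre_hairpin flow matching ct.trk, which does not depend on apply-after-lb ACLs. Please explain in a comment why datapaths without such ACLs can keep ct_commit, or widen the condition. A comment that the ct_commit_continue branch deliberately omits "next;" because the action itself resumes at the next table would also help the next reader.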
@@ -7464,7 +7485,13 @@ build_stateful(struct ovn_datapath *od,
* any packet that makes it this far is part of a connection we
* want to allow to continue. */
ds_clear(&actions);
- ds_put_format(&actions, "ct_commit { %s = 0; }; next;", ct_block_action);
+ if (features->ct_commit_continue && od->has_apply_after_lb_acls) {
+ ds_put_format(&actions, "ct_commit_continue { %s = 0; };",
+ ct_block_action);
+ } else {
+ ds_put_format(&actions, "ct_commit { %s = 0; }; next;",
+ ct_block_action);
+ }
ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100,
REGBIT_CONNTRACK_COMMIT" == 1 && "
REGBIT_ACL_LABEL" == 0",
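Review bot: the condition features->ct_commit_continue && od->has_apply_after_lb_acls is repeated here from the previous hunk. Compute it once into a local bool at the top of build_stateful so the two priority-100 flows cannot diverge if the gate changes later.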
@@ -15875,6 +15902,7 @@ northd_init(struct northd_data *data)
data->features = (struct chassis_features) {
.ct_no_masked_label = true,
.mac_binding_timestamp = true,
+ .ct_commit_continue = true,
};
data->ovn_internal_version_changed = false;
}
diff --git a/northd/northd.h b/northd/northd.h
index 7942c0a34..fee68d1e7 100644
--- a/northd/northd.h
+++ b/northd/northd.h
@@ -69,6 +69,7 @@ struct northd_input {
struct chassis_features {
bool ct_no_masked_label;
bool mac_binding_timestamp;
+ bool ct_commit_continue;
};
struct northd_data {
@@ -211,6 +212,7 @@ struct ovn_datapath {
bool has_unknown;
bool has_acls;
bool has_vtep_lports;
+ bool has_apply_after_lb_acls;
/* IPAM data. */
struct ipam_info ipam_info;
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index dffbba96d..6a6425dd4 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -1108,6 +1108,13 @@
action based on a hint provided by the previous tables (with a match
for reg0[1] == 1 && reg0[13] == 0
).
+
+
+ If the ACL is configured with apply-after-lb
option,
+ ct_commit_continue
action will be used instead of
+ ct_commit
in order to preserve ct_state metadata.
+
+
A priority-0 flow that simply moves traffic to the next table.
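Review bot: the added paragraph says ct_commit_continue is used when the ACL has the apply-after-lb option, but build_stateful also requires features->ct_commit_continue, which build_chassis_features clears as soon as one chassis does not advertise ct-commit-continue. Mention that fallback to ct_commit so the documented flows match what is installed in that case.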
diff --git a/ovn-sb.xml b/ovn-sb.xml
index 4f485b860..6f759b428 100644
--- a/ovn-sb.xml
+++ b/ovn-sb.xml
@@ -1408,6 +1408,21 @@
+ ct_commit_continue { };
+ ct_commit_continue { ct_mark=value[/mask]; };
+ ct_commit_continue { ct_label=value[/mask]; };
+ ct_commit_continue { ct_mark=value[/mask]; ct_label=value[/mask]; };
+
+
+
+ ct_commit_continue
action exports the same features
+ supported by ct_commit
but allow the packet committed
+ to the ct table to continue the processing in the next pipeline
+ stage. This is useful to maintain ct metadata of the processed
+ packet.
+
+
+
ct_dnat;
ct_dnat(IP);
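Review bot: the description does not state that ct_commit_continue itself moves the packet to the next table and that northd emits it without a trailing "next;", which is the one behavioural difference a flow author needs to know. Also, "but allow the packet" should read "but allows the packet".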
diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
index 6bc9ba75d..67c74f9cd 100644
--- a/tests/ovn-controller.at
+++ b/tests/ovn-controller.at
@@ -2499,3 +2499,45 @@ AT_CHECK([GET_LOCAL_TEMPLATE_VARS], [1], [])
AT_CLEANUP
])
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([ovn-controller - ct_commit_continue])
+AT_KEYWORDS([ct_commit_continue])
+
+ovn_start
+
+net_add n1
+sim_add hv1
+ovs-vsctl add-br br-phys
+ovn_attach n1 br-phys 192.168.0.1
+
+check ovn-nbctl ls-add sw0 \
+ -- lsp-add sw0 sw0-p0 \
+ -- lsp-set-addresses sw0-p0 "00:00:00:00:00:01 192.168.1.1"
+
+as hv1
+ovs-vsctl \
+ -- add-port br-int vif0 \
+ -- set Interface vif0 external_ids:iface-id=sw0-p0
+
+check ovn-nbctl pg-add pg0 sw0-p0
+check ovn-nbctl --apply-after-lb acl-add pg0 from-lport 1004 "ip4 && ip4.dst == 192.168.1.2" drop
+check ovn-nbctl --apply-after-lb acl-add pg0 from-lport 1002 "ip4 && tcp" allow-related
+check ovn-nbctl --apply-after-lb acl-add pg0 from-lport 1003 "ip4 && icmp" allow-related
+check ovn-nbctl --apply-after-lb acl-add pg0 from-lport 1001 "ip4" drop
+
+check ovn-nbctl lb-add lb0 192.168.1.10 192.168.1.2
+check ovn-nbctl ls-lb-add sw0 lb0
+
+check ovn-nbctl --wait=hv sync
+wait_for_ports_up
+
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=23 | grep table=24 | sed -e 's/cookie=0x[[a-z,0-9]]*/cookie=0x0/; s/duration=[[0-9]]*.[[0-9]]*s/duration=/' |sort], [0], [dnl
+ cookie=0x0 duration=, table=23, n_packets=0, n_bytes=0, idle_age=0, priority=100,ip,reg0=0x2/0x2002,metadata=0x1 actions=ct(commit,table=24,zone=NXM_NX_REG13[[0..15]],nat(src),exec(load:0->NXM_NX_CT_MARK[[0]]))
+ cookie=0x0 duration=, table=23, n_packets=0, n_bytes=0, idle_age=0, priority=100,ip,reg0=0x2002/0x2002,metadata=0x1 actions=ct(commit,table=24,zone=NXM_NX_REG13[[0..15]],nat(src),exec(load:0->NXM_NX_CT_MARK[[0]],move:NXM_NX_XXREG0[[0..31]]->NXM_NX_CT_LABEL[[96..127]]))
+ cookie=0x0 duration=, table=23, n_packets=0, n_bytes=0, idle_age=0, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x1 actions=ct(commit,table=24,zone=NXM_NX_REG13[[0..15]],nat(src),exec(load:0->NXM_NX_CT_MARK[[0]]))
+ cookie=0x0 duration=, table=23, n_packets=0, n_bytes=0, idle_age=0, priority=100,ipv6,reg0=0x2002/0x2002,metadata=0x1 actions=ct(commit,table=24,zone=NXM_NX_REG13[[0..15]],nat(src),exec(load:0->NXM_NX_CT_MARK[[0]],move:NXM_NX_XXREG0[[0..31]]->NXM_NX_CT_LABEL[[96..127]]))
+])
+
+AT_CLEANUP
+])
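Review bot: the check greps OpenFlow table=23 and table=24 as literals, so it breaks whenever a stage is inserted ahead of ls_in_stateful; mask or derive the table numbers the way tests/ovn-northd.at does with sed 's/table=../table=??/'. The test also only inspects installed flows with the feature enabled; a variant where the chassis does not advertise ct-commit-continue would cover the ct_commit fallback branch in build_stateful.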
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 9a76ca340..7eb965ce8 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -6623,8 +6623,8 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | sed 's/table=../table=??/' | sort], [0],
AT_CHECK([grep -e "ls_in_stateful" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl
table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;)
- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;)
+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit_continue { ct_mark.blocked = 0; };)
+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit_continue { ct_mark.blocked = 0; ct_label.label = reg3; };)
])
AS_BOX([Remove and add the ACLs back with a few ACLs with apply-after-lb option])
@@ -6676,8 +6676,8 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | sed 's/table=../table=??/' | sort], [0],
AT_CHECK([grep -e "ls_in_stateful" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl
table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;)
- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
- table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;)
+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit_continue { ct_mark.blocked = 0; };)
+ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit_continue { ct_mark.blocked = 0; ct_label.label = reg3; };)
])
AT_CLEANUP
diff --git a/tests/ovn.at b/tests/ovn.at
index f3bd53242..ed4a2f50d 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -1187,6 +1187,10 @@ ct_commit { ct_mark=1; };
formats as ct_commit { ct_mark = 1; };
encodes as ct(commit,zone=NXM_NX_REG13[0..15],exec(set_field:0x1->ct_mark))
has prereqs ip
+ct_commit_continue { ct_mark=1; };
+ formats as ct_commit_continue { ct_mark = 1; };
+ encodes as ct(commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:0x1->ct_mark))
+ has prereqs ip
ct_commit { ct_mark=1/1; };
formats as ct_commit { ct_mark = 1/1; };
encodes as ct(commit,zone=NXM_NX_REG13[0..15],exec(set_field:0x1/0x1->ct_mark))
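Review bot: only the form with a non-empty body is exercised. Add cases for "ct_commit_continue { };", which ovn-sb.xml documents, and for the bare "ct_commit_continue;" string that format_CT_COMMIT_CONTINUE produces when nested_len is 0, so the parse/format round trip is pinned down. The expected table=19 is a literal derived from the test's current logical table and will need updating whenever that changes.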
diff --git a/utilities/ovn-trace.c b/utilities/ovn-trace.c
index 79ed5a9af..e1def9eea 100644
--- a/utilities/ovn-trace.c
+++ b/utilities/ovn-trace.c
@@ -3098,6 +3098,8 @@ trace_actions(const struct ovnact *ovnacts, size_t ovnacts_len,
case OVNACT_CT_COMMIT_V2:
/* Nothing to do. */
break;
+ case OVNACT_CT_COMMIT_CONTINUE:
+ break;
case OVNACT_CT_DNAT:
execute_ct_nat(ovnact_get_CT_DNAT(a), dp, uflow, pipeline, super);
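Review bot: ovn-trace treats OVNACT_CT_COMMIT_CONTINUE as a no-op, but northd now emits the action without a trailing "next;" (see the build_stateful hunks), so a trace through ls_in_stateful would stop at this action instead of continuing to the next table. The case should resume the trace at the table recorded in ltable rather than just break; as written it also lacks the "Nothing to do." comment of the case above, and "nothing" is not the intended behaviour here.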