
[ovs-dev] northd: Remove redundant ct state matches.

Message ID 20250507145900.317243-1-dceara@redhat.com
State Accepted
Series [ovs-dev] northd: Remove redundant ct state matches. | expand

Checks

Context Check Description
ovsrobot/apply-robot success apply and check: success
ovsrobot/github-robot-_Build_and_Test success github build: passed
ovsrobot/github-robot-_ovn-kubernetes fail github build: failed

Commit Message

Dumitru Ceara May 7, 2025, 2:59 p.m. UTC
There were at least three types of redundant matches in northd generated
logical flows:
a. ct.est && !ct.new -> this can be simplified to ct.est because
                        "established" implies "not new"
b. ct.est && !ct.inv -> this can be simplified to ct.est because
                        "established" implies "not invalid" (*)
c. ct.rel && !ct.inv -> this can be simplified to ct.rel because
                        "related" implies "not invalid".

(*) There's a single case in the OVS userspace conntrack in which we
could end up with some malformed FTP control packets that have
ct_state=+trk+est+inv but, after a private discussion with Ilya Maximets,
that's probably just a minor bug in the userspace conntrack
implementation.

Spotted during code review.

Signed-off-by: Dumitru Ceara <dceara@redhat.com>
---
 northd/northd.c     |  22 ++++----
 tests/ovn-northd.at | 122 ++++++++++++++++++++++----------------------
 2 files changed, 70 insertions(+), 74 deletions(-)

Comments

Ales Musil May 16, 2025, 10:12 a.m. UTC | #1
On Wed, May 7, 2025 at 4:59 PM Dumitru Ceara via dev <
ovs-dev@openvswitch.org> wrote:

> There were at least three types of redundant matches in northd generated
> logical flows:
> a. ct.est && !ct.new -> this can be simplified to ct.est because
>                         "established" implies "not new"
> b. ct.est && !ct.inv -> this can be simplified to ct.est because
>                         "established" implies "not invalid" (*)
> c. ct.rel && !ct.inv -> this can be simplified to ct.rel because
>                         "related" implies "not invalid".
>
> (*) There's a single case in the OVS userspace conntrack in which we
> could end up with some malformed FTP control packets that have
> ct_state=+trk+est+inv but after a private discussion with Ilya Maximets
> that's probably just a minor bug in the userspace conntrack
> implementation.
>
> Spotted during code review.
>
> Signed-off-by: Dumitru Ceara <dceara@redhat.com>
> ---
>  northd/northd.c     |  22 ++++----
>  tests/ovn-northd.at | 122 ++++++++++++++++++++++----------------------
>  2 files changed, 70 insertions(+), 74 deletions(-)
>
> diff --git a/northd/northd.c b/northd/northd.c
> index 7b05147b41..2ab49fc27e 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -7646,10 +7646,9 @@ build_acl_log_related_flows(const struct
> ovn_datapath *od,
>          S_SWITCH_OUT_ACL_EVAL :
>          S_SWITCH_IN_ACL_EVAL;
>      ds_clear(match);
> -    ds_put_format(match, "ct.est && !ct.rel && !ct.new%s && "
> -                  "ct.rpl && ct_mark.blocked == 0 && "
> -                  "ct_label.label == %" PRId64,
> -                  use_ct_inv_match ? " && !ct.inv" : "",
> +    ds_put_format(match, "ct.est && !ct.rel && ct.rpl && "
> +                         "ct_mark.blocked == 0 && "
> +                         "ct_label.label == %" PRId64,
>                    acl->label);
>      ovn_lflow_add_with_hint(lflows, od, log_related_stage,
>                              UINT16_MAX - 2,
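Review bot: With `!ct.inv` dropped from the `ct.est` match here, a reply packet that conntrack marks `+est+inv` now matches this `UINT16_MAX - 2` flow, which outranks the `ct.inv || (...)` flow shown at priority 65532 in the expected output in tests/ovn-northd.at; the commit message itself says OVS userspace conntrack can emit `ct_state=+trk+est+inv` for malformed FTP control packets. The same applies to the `ct.est && !ct.rel && ct.rpl` match in the build_acls hunk at -7799, which sits at `UINT16_MAX - 3`, the same priority as that `ct.inv` flow, so for such a packet two flows with different actions would overlap at equal priority. Until the conntrack behaviour is fixed, consider keeping the `use_ct_inv_match` guard on the `ct.est` matches only, or at least record the assumption next to each match, e.g. `/* Assumes conntrack never reports +est together with +inv. */`. build_acl_log_related_flows starts and ends outside this hunk, so its actions string is not visible here.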
> @@ -7657,11 +7656,10 @@ build_acl_log_related_flows(const struct
> ovn_datapath *od,
>                              &acl->header_, lflow_ref);
>
>      ds_clear(match);
> -    ds_put_format(match, "!ct.est && ct.rel && !ct.new%s && "
> +    ds_put_format(match, "!ct.est && ct.rel && !ct.new && "
>                           "ct_mark.blocked == 0 && "
>                           "ct_label.label == %" PRId64,
> -                         use_ct_inv_match ? " && !ct.inv" : "",
> -                         acl->label);
> +                  acl->label);
>      ovn_lflow_add_with_hint(lflows, od, log_related_stage,
>                              UINT16_MAX - 2,
>                              ds_cstr(match), ds_cstr(actions),
> @@ -7799,9 +7797,8 @@ build_acls(const struct ls_stateful_record
> *ls_stateful_rec,
>           *
>           * This is enforced at a higher priority than ACLs can be
> defined. */
>          ds_clear(&match);
> -        ds_put_format(&match, "ct.est && !ct.rel && !ct.new%s && "
> -                      "ct.rpl && ct_mark.blocked == 0",
> -                      use_ct_inv_match ? " && !ct.inv" : "");
> +        ds_put_cstr(&match, "ct.est && !ct.rel && ct.rpl && "
> +                            "ct_mark.blocked == 0");
>          ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3,
>                        ds_cstr(&match), REGBIT_ACL_HINT_DROP" = 0; "
>                        REGBIT_ACL_HINT_BLOCK" = 0; "
> @@ -7831,9 +7828,8 @@ build_acls(const struct ls_stateful_record
> *ls_stateful_rec,
>          const char *ct_out_acl_action =
>              REGBIT_ACL_VERDICT_ALLOW" = 1; ct_commit_nat;";
>          ds_clear(&match);
> -        ds_put_format(&match, "!ct.est && ct.rel && !ct.new%s "
> -                              "&& ct_mark.blocked == 0",
> -                      use_ct_inv_match ? " && !ct.inv" : "");
> +        ds_put_cstr(&match, "!ct.est && ct.rel && !ct.new && "
> +                            "ct_mark.blocked == 0");
>          ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3,
>                        ds_cstr(&match), ct_in_acl_action, lflow_ref);
>          ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX - 3,
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index 69b75fe9de..756e11faab 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -2717,8 +2717,8 @@ check ovn-nbctl --wait=sb \
>  AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e
> ls_out_acl_hint -e ls_in_acl -e ls_out_acl | grep 'ct\.' |
> ovn_strip_lflows], [0], [dnl
>    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(next;)
>    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1;
> reg8[[16]] = 1; ct_commit_nat;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] =
> 1; ct_commit_nat;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0;
> reg0[[17]] = 1; reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1;
> next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_in_acl_hint     ), priority=1    , match=(ct.est &&
> ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;)
> @@ -2730,8 +2730,8 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
> ls_in_acl_hint -e ls_out_acl_hint -e
>    table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new &&
> !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est),
> action=(next;)
>    table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg8[[16]] = 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_out_acl_hint    ), priority=1    , match=(ct.est &&
> ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;)
> @@ -2761,8 +2761,8 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
> ls_in_acl_hint -e ls_out_acl_hint -e
>    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 &&
> (ip)), action=(reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 &&
> (ip)), action=(reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1;
> reg8[[16]] = 1; ct_commit_nat;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] =
> 1; ct_commit_nat;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0;
> reg0[[17]] = 1; reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1;
> next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> @@ -2780,8 +2780,8 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
> ls_in_acl_hint -e ls_out_acl_hint -e
>    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 &&
> (ip)), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 &&
> (ip)), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg8[[16]] = 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> @@ -5049,16 +5049,16 @@ ovn-sbctl dump-flows sw0 > sw0flows
>  AT_CAPTURE_FILE([sw0flows])
>
>  AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 |
> ovn_strip_lflows], [0], [dnl
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1;
> reg8[[16]] = 1; ct_commit_nat;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] =
> 1; ct_commit_nat;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0;
> reg0[[17]] = 1; reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1;
> next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
>  ])
>
>  AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 |
> ovn_strip_lflows], [0], [dnl
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg8[[16]] = 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> @@ -5073,7 +5073,7 @@ AT_CAPTURE_FILE([sw0flows])
>  AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 |
> ovn_strip_lflows], [0], [dnl
>    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] =
> 1; ct_commit_nat;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=((ct.est && ct.rpl
> && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0;
> reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0;
> reg0[[17]] = 1; reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1;
> next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
>  ])
> @@ -5081,7 +5081,7 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep
> 6553 | ovn_strip_lflows], [0]
>  AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 |
> ovn_strip_lflows], [0], [dnl
>    table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=((ct.est && ct.rpl
> && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> next;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
>  ])
> @@ -5097,23 +5097,23 @@ ovn-sbctl dump-flows sw0 > sw0flows
>  AT_CAPTURE_FILE([sw0flows])
>
>  AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 |
> ovn_strip_lflows], [0], [dnl
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1;
> reg8[[16]] = 1; ct_commit_nat;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] =
> 1; ct_commit_nat;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0;
> reg0[[17]] = 1; reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1;
> next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
>  ])
>
>  AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 |
> ovn_strip_lflows], [0], [dnl
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg8[[16]] = 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
>  ])
>
>  AT_CHECK([grep -c "ct.inv" sw0flows], [0], [dnl
> -6
> +2
>  ])
>
>  AT_CLEANUP
> @@ -7857,10 +7857,10 @@ check_log_flows_count 0 in
>
>  # Now ensure the flows are what we expect them to be for the ACLs we
> created
>  AT_CHECK([cat log_flows], [0], [dnl
> -  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2),
> action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label
> == 1), action=(log(name="allow_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label
> == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2),
> action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2),
> action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
>  ])
>
>  rm log_flows
> @@ -7878,10 +7878,10 @@ check_log_flows_count 0 in
>
>  # And the log flows will remain the same since the stateless ACL will not
> be represented.
>  AT_CHECK([cat log_flows], [0], [dnl
> -  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2),
> action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label
> == 1), action=(log(name="allow_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label
> == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2),
> action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2),
> action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
>  ])
>
>  rm log_flows
> @@ -7900,8 +7900,8 @@ check_log_flows_count 0 in
>
>  # And make sure only the allow ACL has the log flows installed
>  AT_CHECK([cat log_flows], [0], [dnl
> -  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label
> == 1), action=(log(name="allow_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
>  ])
>
>  rm log_flows
> @@ -7917,8 +7917,8 @@ check_log_flows_count 0 in
>
>  # And make sure only the allow ACL has the log flows installed
>  AT_CHECK([cat log_flows], [0], [dnl
> -  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label
> == 1), action=(log(name="allow_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
>  ])
>
>  rm log_flows
> @@ -7962,10 +7962,10 @@ check_log_flows_count 0 out
>
>  # Now ensure the flows are what we expect them to be for the ACLs we
> created
>  AT_CHECK([cat log_flows], [0], [dnl
> -  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2),
> action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label
> == 1), action=(log(name="allow_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label
> == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> +  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> +  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2),
> action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> +  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> +  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2),
> action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
>  ])
>
>  rm log_flows
> @@ -7983,10 +7983,10 @@ check_log_flows_count 0 out
>
>  # And the log flows will remain the same since the stateless ACL will not
> be represented.
>  AT_CHECK([cat log_flows], [0], [dnl
> -  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2),
> action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label
> == 1), action=(log(name="allow_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label
> == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> +  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> +  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2),
> action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> +  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> +  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2),
> action=(log(name="allow_related_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
>  ])
>
>  rm log_flows
> @@ -8005,8 +8005,8 @@ check_log_flows_count 0 out
>
>  # And make sure only the allow ACL has the log flows installed
>  AT_CHECK([cat log_flows], [0], [dnl
> -  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label
> == 1), action=(log(name="allow_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> +  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> +  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
>  ])
>
>  rm log_flows
> @@ -8022,8 +8022,8 @@ check_log_flows_count 0 out
>
>  # And make sure only the allow ACL has the log flows installed
>  AT_CHECK([cat log_flows], [0], [dnl
> -  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label
> == 1), action=(log(name="allow_acl", severity=info, verdict=allow);
> reg8[[16]] = 1; next;)
> +  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
> +  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1),
> action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] =
> 1; next;)
>  ])
>
>  rm log_flows
> @@ -8123,8 +8123,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
> "ls_in_acl_hint" lsflows | ovn_strip_lflo
>    table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[10]] == 1
> && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit {
> ct_mark.blocked = 1; ct_label.obs_point_id = 0; }; next;)
>    table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[9]] == 1 &&
> (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1;
> reg8[[16]] = 1; ct_commit_nat;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] =
> 1; ct_commit_nat;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0;
> reg0[[17]] = 1; reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1;
> next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> @@ -8182,8 +8182,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
> "ls_in_acl_hint" lsflows | ovn_strip_lflo
>    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(next;)
>    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1;
> reg8[[16]] = 1; ct_commit_nat;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] =
> 1; ct_commit_nat;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0;
> reg0[[17]] = 1; reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1;
> next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> @@ -8241,8 +8241,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e
> "ls_in_acl_hint" lsflows | ovn_strip_lflo
>    table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] == 1 &&
> (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[8]] == 1 &&
> (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1;
> reg8[[16]] = 1; ct_commit_nat;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] =
> 1; ct_commit_nat;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0;
> reg0[[17]] = 1; reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1;
> next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> @@ -8786,8 +8786,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl"
> | ovn_strip_lflows], [0], [
>    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 &&
> (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 &&
> (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1;
> reg8[[16]] = 1; ct_commit_nat;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] =
> 1; ct_commit_nat;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0;
> reg0[[17]] = 1; reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1;
> next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> @@ -8814,8 +8814,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl"
> | ovn_strip_lflows], [0], [
>    table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est),
> action=(next;)
>    table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg8[[16]] = 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> @@ -8986,8 +8986,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl"
> | ovn_strip_lflows], [0], [
>    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(next;)
>    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1;
> reg8[[16]] = 1; ct_commit_nat;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] =
> 1; ct_commit_nat;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0;
> reg0[[17]] = 1; reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1;
> next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> @@ -9014,8 +9014,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl"
> | ovn_strip_lflows], [0], [
>    table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est),
> action=(next;)
>    table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg8[[16]] = 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> @@ -9184,8 +9184,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl"
> | ovn_strip_lflows], [0], [
>    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est),
> action=(next;)
>    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est &&
> ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1;
> reg8[[16]] = 1; ct_commit_nat;)
> -  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1;
> next;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] =
> 1; ct_commit_nat;)
> +  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0;
> reg0[[17]] = 1; reg8[[16]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1;
> next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> @@ -9214,8 +9214,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl"
> | ovn_strip_lflows], [0], [
>    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 &&
> (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 &&
> (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> -  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0),
> action=(reg8[[16]] = 1; next;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel
> && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1;
> ct_commit_nat;)
> +  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel
> && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est &&
> ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est
> && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
>    table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra ||
> nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
> --
> 2.49.0
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
Thank you Dumitru,

I went ahead and merged this into main.

Regards,
Ales
Dumitru Ceara May 16, 2025, 11:03 a.m. UTC | #2
On 5/16/25 12:12 PM, Ales Musil wrote:
> I went ahead and merged this into main.

Thanks a lot Ales!

Regards,
Dumitru

Patch

diff --git a/northd/northd.c b/northd/northd.c
index 7b05147b41..2ab49fc27e 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -7646,10 +7646,9 @@  build_acl_log_related_flows(const struct ovn_datapath *od,
         S_SWITCH_OUT_ACL_EVAL :
         S_SWITCH_IN_ACL_EVAL;
     ds_clear(match);
-    ds_put_format(match, "ct.est && !ct.rel && !ct.new%s && "
-                  "ct.rpl && ct_mark.blocked == 0 && "
-                  "ct_label.label == %" PRId64,
-                  use_ct_inv_match ? " && !ct.inv" : "",
+    ds_put_format(match, "ct.est && !ct.rel && ct.rpl && "
+                         "ct_mark.blocked == 0 && "
+                         "ct_label.label == %" PRId64,
                   acl->label);
     ovn_lflow_add_with_hint(lflows, od, log_related_stage,
                             UINT16_MAX - 2,
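Review bot: With `!ct.inv` removed from the `ct.est && !ct.rel && ct.rpl` match, this allow-and-log flow at `UINT16_MAX - 2` sits above the `ct.inv || ...` flow that the updated test expectations show at priority 65532, so a reply packet tagged both established and invalid would now take the allow path. The commit message itself notes that OVS userspace conntrack can produce `ct_state=+trk+est+inv` for malformed FTP control packets, so "established implies not invalid" is not guaranteed on every datapath. The same applies to the `ct.est` match in the third hunk (`build_acls`), where the allow flow and the `ct.inv` flow appear to share priority `UINT16_MAX - 3` and would overlap. I would keep the conditional term on the two `ct.est` matches until that conntrack behaviour is fixed, e.g. `"ct.est && !ct.rel%s && ct.rpl && "` with `use_ct_inv_match ? " && !ct.inv" : ""`, or at least record the assumption in a comment above the `ds_put_format` call. `build_acl_log_related_flows` starts and ends outside this hunk.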
@@ -7657,11 +7656,10 @@  build_acl_log_related_flows(const struct ovn_datapath *od,
                             &acl->header_, lflow_ref);
 
     ds_clear(match);
-    ds_put_format(match, "!ct.est && ct.rel && !ct.new%s && "
+    ds_put_format(match, "!ct.est && ct.rel && !ct.new && "
                          "ct_mark.blocked == 0 && "
                          "ct_label.label == %" PRId64,
-                         use_ct_inv_match ? " && !ct.inv" : "",
-                         acl->label);
+                  acl->label);
     ovn_lflow_add_with_hint(lflows, od, log_related_stage,
                             UINT16_MAX - 2,
                             ds_cstr(match), ds_cstr(actions),
@@ -7799,9 +7797,8 @@  build_acls(const struct ls_stateful_record *ls_stateful_rec,
          *
          * This is enforced at a higher priority than ACLs can be defined. */
         ds_clear(&match);
-        ds_put_format(&match, "ct.est && !ct.rel && !ct.new%s && "
-                      "ct.rpl && ct_mark.blocked == 0",
-                      use_ct_inv_match ? " && !ct.inv" : "");
+        ds_put_cstr(&match, "ct.est && !ct.rel && ct.rpl && "
+                            "ct_mark.blocked == 0");
         ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3,
                       ds_cstr(&match), REGBIT_ACL_HINT_DROP" = 0; "
                       REGBIT_ACL_HINT_BLOCK" = 0; "
@@ -7831,9 +7828,8 @@  build_acls(const struct ls_stateful_record *ls_stateful_rec,
         const char *ct_out_acl_action =
             REGBIT_ACL_VERDICT_ALLOW" = 1; ct_commit_nat;";
         ds_clear(&match);
-        ds_put_format(&match, "!ct.est && ct.rel && !ct.new%s "
-                              "&& ct_mark.blocked == 0",
-                      use_ct_inv_match ? " && !ct.inv" : "");
+        ds_put_cstr(&match, "!ct.est && ct.rel && !ct.new && "
+                            "ct_mark.blocked == 0");
         ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3,
                       ds_cstr(&match), ct_in_acl_action, lflow_ref);
         ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX - 3,
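Review bot: The `!ct.new` term is kept on the `ct.rel` match here (and in the second hunk, in `build_acl_log_related_flows`) while it is dropped from the `ct.est` matches, and nothing in the code says why. The commit message only claims that related implies not invalid, so presumably a related packet can still be new. A short comment above the `ds_put_cstr` call would keep a later cleanup from removing the term by analogy, for example `/* ct.rel does not imply !ct.new, so that term must stay. */`. `build_acls` starts and ends outside this hunk.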
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 69b75fe9de..756e11faab 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -2717,8 +2717,8 @@  check ovn-nbctl --wait=sb \
 AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl -e ls_out_acl | grep 'ct\.' | ovn_strip_lflows], [0], [dnl
   table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), action=(next;)
   table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_in_acl_hint     ), priority=1    , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;)
@@ -2730,8 +2730,8 @@  AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e
   table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est), action=(next;)
   table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_out_acl_hint    ), priority=1    , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;)
@@ -2761,8 +2761,8 @@  AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e
   table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
@@ -2780,8 +2780,8 @@  AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e
   table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
@@ -5049,16 +5049,16 @@  ovn-sbctl dump-flows sw0 > sw0flows
 AT_CAPTURE_FILE([sw0flows])
 
 AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
 ])
 
 AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
@@ -5073,7 +5073,7 @@  AT_CAPTURE_FILE([sw0flows])
 AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl
   table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
   table=??(ls_in_acl_eval     ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
 ])
@@ -5081,7 +5081,7 @@  AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0]
 AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl
   table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
   table=??(ls_out_acl_eval    ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
 ])
@@ -5097,23 +5097,23 @@  ovn-sbctl dump-flows sw0 > sw0flows
 AT_CAPTURE_FILE([sw0flows])
 
 AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
 ])
 
 AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
 ])
 
 AT_CHECK([grep -c "ct.inv" sw0flows], [0], [dnl
-6
+2
 ])
 
 AT_CLEANUP
@@ -7857,10 +7857,10 @@  check_log_flows_count 0 in
 
 # Now ensure the flows are what we expect them to be for the ACLs we created
 AT_CHECK([cat log_flows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
 ])
 
 rm log_flows
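Review bot: The priority-65533 reply log flows (`ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == N`) no longer exclude `ct.inv`, and they outrank the priority-65532 `ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)` flow that sets `reg8[[17]]` in the ls_out_acl_eval expectations earlier in this file. The commit message concedes that userspace conntrack can report `+trk+est+inv`; a packet in that state with a logged label would now hit the allow-and-log flow first, where before it fell through to the `ct.inv` flow. Whether that flow is installed in this test's datapath is not visible here, because log_flows is filtered. If it is, I would keep the guard on the established flows only, `match=(ct.est && !ct.rel && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1)`, or add a test that pins the verdict for est+inv. The same applies to the log_flows hunks at 7878, 7900, 7917, 7962, 7983, 8005 and 8022; the code that generates these matches is in northd/northd.c, outside this hunk.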
@@ -7878,10 +7878,10 @@  check_log_flows_count 0 in
 
 # And the log flows will remain the same since the stateless ACL will not be represented.
 AT_CHECK([cat log_flows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
 ])
 
 rm log_flows
@@ -7900,8 +7900,8 @@  check_log_flows_count 0 in
 
 # And make sure only the allow ACL has the log flows installed
 AT_CHECK([cat log_flows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
 ])
 
 rm log_flows
@@ -7917,8 +7917,8 @@  check_log_flows_count 0 in
 
 # And make sure only the allow ACL has the log flows installed
 AT_CHECK([cat log_flows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
 ])
 
 rm log_flows
@@ -7962,10 +7962,10 @@  check_log_flows_count 0 out
 
 # Now ensure the flows are what we expect them to be for the ACLs we created
 AT_CHECK([cat log_flows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
 ])
 
 rm log_flows
@@ -7983,10 +7983,10 @@  check_log_flows_count 0 out
 
 # And the log flows will remain the same since the stateless ACL will not be represented.
 AT_CHECK([cat log_flows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
 ])
 
 rm log_flows
@@ -8005,8 +8005,8 @@  check_log_flows_count 0 out
 
 # And make sure only the allow ACL has the log flows installed
 AT_CHECK([cat log_flows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
 ])
 
 rm log_flows
@@ -8022,8 +8022,8 @@  check_log_flows_count 0 out
 
 # And make sure only the allow ACL has the log flows installed
 AT_CHECK([cat log_flows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65533, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65533, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;)
 ])
 
 rm log_flows
@@ -8123,8 +8123,8 @@  AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo
   table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; ct_label.obs_point_id = 0; }; next;)
   table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
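Review bot: The reply-allow flow `ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0` and the `ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)` flow now share priority 65532 without being mutually exclusive by construction. OVN does not define which of two matching equal-priority logical flows is applied, so the verdict for a packet matching both rests on conntrack never setting est and inv together. The `ct.est && ct_mark.allow_established == 1` context line already overlapped this way, so the risk is not new in kind, but the expected table should record the assumption, e.g. `# Relies on ct.est implying !ct.inv; the 65532 allow and ct.inv flows overlap otherwise.` placed above the AT_CHECK. That AT_CHECK block starts and ends outside the hunk; the hunks at 8182, 8241, 8786, 8814, 8986, 9014, 9184 and 9214 show the same pair of flows.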
@@ -8182,8 +8182,8 @@  AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo
   table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), action=(next;)
   table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
@@ -8241,8 +8241,8 @@  AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo
   table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
@@ -8786,8 +8786,8 @@  AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [
   table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
@@ -8814,8 +8814,8 @@  AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [
   table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est), action=(next;)
   table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
@@ -8986,8 +8986,8 @@  AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [
   table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), action=(next;)
   table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
@@ -9014,8 +9014,8 @@  AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [
   table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est), action=(next;)
   table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
@@ -9184,8 +9184,8 @@  AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [
   table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), action=(next;)
   table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_in_acl_eval     ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
@@ -9214,8 +9214,8 @@  AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [
   table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
-  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
+  table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;)
   table=??(ls_out_acl_eval    ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)