- This table prepares flows for all possible stateful processing
- in next tables. It contains a priority-0 flow that simply moves
-- traffic to the next table. A priority-100 flow sends the packets to
-- connection tracker based on a hint provided by the previous tables
-- (with a match for reg0[0] == 1) by using the
-- ct_next; action.
-+ traffic to the next table.
-
-+
-+ If the logical datapath has a stateful ACL or a load balancer with VIP
- configured, the following flows will also be added:
-
-
-@@ -615,7 +653,7 @@
-
-
-
-+ If the logical datapath has any ACL or a load balancer with VIP
-+ configured, the following flow will also be added:
-+
-+
-+
-- It contains a priority-0 flow that simply moves traffic to the next
-- table.
--
--
--
- This table implements ARP/ND responder in a logical switch for known
-@@ -1164,7 +1172,7 @@ output;
-
-
-
--
- This table adds the DHCPv4 options to a DHCPv4 packet from the
-@@ -1225,7 +1233,7 @@ next;
-
-
-
--
- This table implements DHCP responder for the DHCP replies generated by
-@@ -1306,7 +1314,7 @@ output;
-
-
-
--
- This table looks up and resolves the DNS names to the corresponding
-@@ -1335,7 +1343,7 @@ reg0[4] = dns_lookup(); next;
-
-
-
--
- This table implements DNS responder for the DNS replies generated by
-@@ -1370,7 +1378,7 @@ output;
-
-
-
--
- This table implements switching behavior. It contains these logical
-@@ -1639,9 +1647,11 @@ output;
- Moreover it contains a priority-110 flow to move IPv6 Neighbor Discovery
- traffic to the next table. If any load balancing rules exist for the
- datapath, a priority-100 flow is added with a match of ip
-- and action of reg0[0] = 1; next; to act as a hint for
-+ and action of reg0[2] = 1; next; to act as a hint for
- table Pre-stateful to send IP packets to the connection
-- tracker for packet de-fragmentation.
-+ tracker for packet de-fragmentation and possibly DNAT the destination
-+ VIP to one of the selected backend for already commited load balanced
-+ traffic.
-
-
-
- This is similar to the port security logic in table
-@@ -1764,7 +1793,7 @@ output;
- ip4.src and ip6.src
-
-
--
- This is similar to the ingress port security logic in ingress table
-@@ -2720,7 +2749,11 @@ icmp6 {
- (and optional port numbers) to load balance to. If the router is
- configured to force SNAT any load-balanced packets, the above action
- will be replaced by flags.force_snat_for_lb = 1;
-- ct_lb(args);. If health check is enabled, then
-+ ct_lb(args);.
-+ If the load balancing rule is configured with skip_snat
-+ set to true, the above action will be replaced by
-+ flags.skip_snat_for_lb = 1; ct_lb(args);.
-+ If health check is enabled, then
- args will only contain those endpoints whose service
- monitor status entry in OVN_Southbound db is
- either online or empty.
-@@ -2737,6 +2770,9 @@ icmp6 {
- with an action of ct_dnat;. If the router is
- configured to force SNAT any load-balanced packets, the above action
- will be replaced by flags.force_snat_for_lb = 1; ct_dnat;.
-+ If the load balancing rule is configured with skip_snat
-+ set to true, the above action will be replaced by
-+ flags.skip_snat_for_lb = 1; ct_dnat;.
-
-
-
-
- If the Gateway router in the OVN Northbound database has been
-diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
-index 5a2018c2e..ae58fda16 100644
---- a/northd/ovn-northd.c
-+++ b/northd/ovn-northd.c
-@@ -97,6 +97,10 @@ static bool check_lsp_is_up;
- static char svc_monitor_mac[ETH_ADDR_STRLEN + 1];
- static struct eth_addr svc_monitor_mac_ea;
-
-+/* If this option is 'true' northd will make use of ct.inv match fields.
-+ * Otherwise, it will avoid using it. The default is true. */
-+static bool use_ct_inv_match = true;
-+
- /* Default probe interval for NB and SB DB connections. */
- #define DEFAULT_PROBE_INTERVAL_MSEC 5000
- static int northd_probe_interval_nb = 0;
-@@ -147,32 +151,30 @@ enum ovn_stage {
- PIPELINE_STAGE(SWITCH, IN, ACL, 9, "ls_in_acl") \
- PIPELINE_STAGE(SWITCH, IN, QOS_MARK, 10, "ls_in_qos_mark") \
- PIPELINE_STAGE(SWITCH, IN, QOS_METER, 11, "ls_in_qos_meter") \
-- PIPELINE_STAGE(SWITCH, IN, LB, 12, "ls_in_lb") \
-- PIPELINE_STAGE(SWITCH, IN, STATEFUL, 13, "ls_in_stateful") \
-- PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 14, "ls_in_pre_hairpin") \
-- PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 15, "ls_in_nat_hairpin") \
-- PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 16, "ls_in_hairpin") \
-- PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 17, "ls_in_arp_rsp") \
-- PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 18, "ls_in_dhcp_options") \
-- PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 19, "ls_in_dhcp_response") \
-- PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 20, "ls_in_dns_lookup") \
-- PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 21, "ls_in_dns_response") \
-- PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 22, "ls_in_external_port") \
-- PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 23, "ls_in_l2_lkup") \
-- PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 24, "ls_in_l2_unknown") \
-+ PIPELINE_STAGE(SWITCH, IN, STATEFUL, 12, "ls_in_stateful") \
-+ PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 13, "ls_in_pre_hairpin") \
-+ PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 14, "ls_in_nat_hairpin") \
-+ PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 15, "ls_in_hairpin") \
-+ PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 16, "ls_in_arp_rsp") \
-+ PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 17, "ls_in_dhcp_options") \
-+ PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 18, "ls_in_dhcp_response") \
-+ PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 19, "ls_in_dns_lookup") \
-+ PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 20, "ls_in_dns_response") \
-+ PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 21, "ls_in_external_port") \
-+ PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 22, "ls_in_l2_lkup") \
-+ PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 23, "ls_in_l2_unknown") \
- \
- /* Logical switch egress stages. */ \
- PIPELINE_STAGE(SWITCH, OUT, PRE_LB, 0, "ls_out_pre_lb") \
- PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 1, "ls_out_pre_acl") \
- PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful") \
-- PIPELINE_STAGE(SWITCH, OUT, LB, 3, "ls_out_lb") \
-- PIPELINE_STAGE(SWITCH, OUT, ACL_HINT, 4, "ls_out_acl_hint") \
-- PIPELINE_STAGE(SWITCH, OUT, ACL, 5, "ls_out_acl") \
-- PIPELINE_STAGE(SWITCH, OUT, QOS_MARK, 6, "ls_out_qos_mark") \
-- PIPELINE_STAGE(SWITCH, OUT, QOS_METER, 7, "ls_out_qos_meter") \
-- PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 8, "ls_out_stateful") \
-- PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP, 9, "ls_out_port_sec_ip") \
-- PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2, 10, "ls_out_port_sec_l2") \
-+ PIPELINE_STAGE(SWITCH, OUT, ACL_HINT, 3, "ls_out_acl_hint") \
-+ PIPELINE_STAGE(SWITCH, OUT, ACL, 4, "ls_out_acl") \
-+ PIPELINE_STAGE(SWITCH, OUT, QOS_MARK, 5, "ls_out_qos_mark") \
-+ PIPELINE_STAGE(SWITCH, OUT, QOS_METER, 6, "ls_out_qos_meter") \
-+ PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 7, "ls_out_stateful") \
-+ PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP, 8, "ls_out_port_sec_ip") \
-+ PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2, 9, "ls_out_port_sec_l2") \
- \
- /* Logical router ingress stages. */ \
- PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, "lr_in_admission") \
-@@ -626,6 +628,7 @@ struct ovn_datapath {
- bool has_stateful_acl;
- bool has_lb_vip;
- bool has_unknown;
-+ bool has_acls;
-
- /* IPAM data. */
- struct ipam_info ipam_info;
-@@ -664,9 +667,6 @@ struct ovn_datapath {
- struct hmap nb_pgs;
- };
-
--static bool ls_has_stateful_acl(struct ovn_datapath *od);
--static bool ls_has_lb_vip(struct ovn_datapath *od);
--
- /* Contains a NAT entry with the external addresses pre-parsed. */
- struct ovn_nat {
- const struct nbrec_nat *nb;
-@@ -4729,27 +4729,38 @@ ovn_ls_port_group_destroy(struct hmap *nb_pgs)
- hmap_destroy(nb_pgs);
- }
-
--static bool
--ls_has_stateful_acl(struct ovn_datapath *od)
-+static void
-+ls_get_acl_flags(struct ovn_datapath *od)
- {
-- for (size_t i = 0; i < od->nbs->n_acls; i++) {
-- struct nbrec_acl *acl = od->nbs->acls[i];
-- if (!strcmp(acl->action, "allow-related")) {
-- return true;
-+ od->has_acls = false;
-+ od->has_stateful_acl = false;
-+
-+ if (od->nbs->n_acls) {
-+ od->has_acls = true;
-+
-+ for (size_t i = 0; i < od->nbs->n_acls; i++) {
-+ struct nbrec_acl *acl = od->nbs->acls[i];
-+ if (!strcmp(acl->action, "allow-related")) {
-+ od->has_stateful_acl = true;
-+ return;
-+ }
- }
- }
-
- struct ovn_ls_port_group *ls_pg;
- HMAP_FOR_EACH (ls_pg, key_node, &od->nb_pgs) {
-- for (size_t i = 0; i < ls_pg->nb_pg->n_acls; i++) {
-- struct nbrec_acl *acl = ls_pg->nb_pg->acls[i];
-- if (!strcmp(acl->action, "allow-related")) {
-- return true;
-+ if (ls_pg->nb_pg->n_acls) {
-+ od->has_acls = true;
-+
-+ for (size_t i = 0; i < ls_pg->nb_pg->n_acls; i++) {
-+ struct nbrec_acl *acl = ls_pg->nb_pg->acls[i];
-+ if (!strcmp(acl->action, "allow-related")) {
-+ od->has_stateful_acl = true;
-+ return;
-+ }
- }
- }
- }
--
-- return false;
- }
-
- /* Logical switch ingress table 0: Ingress port security - L2
-@@ -5128,8 +5139,8 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows,
- vip_configured = (vip_configured || lb->n_vips);
- }
-
-- /* 'REGBIT_CONNTRACK_DEFRAG' is set to let the pre-stateful table send
-- * packet to conntrack for defragmentation.
-+ /* 'REGBIT_CONNTRACK_NAT' is set to let the pre-stateful table send
-+ * packet to conntrack for defragmentation and possibly for unNATting.
- *
- * Send all the packets to conntrack in the ingress pipeline if the
- * logical switch has a load balancer with VIP configured. Earlier
-@@ -5159,9 +5170,9 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows,
- */
- if (vip_configured) {
- ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB,
-- 100, "ip", REGBIT_CONNTRACK_DEFRAG" = 1; next;");
-+ 100, "ip", REGBIT_CONNTRACK_NAT" = 1; next;");
- ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB,
-- 100, "ip", REGBIT_CONNTRACK_DEFRAG" = 1; next;");
-+ 100, "ip", REGBIT_CONNTRACK_NAT" = 1; next;");
- }
- }
-
-@@ -5173,10 +5184,46 @@ build_pre_stateful(struct ovn_datapath *od, struct hmap *lflows)
- ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 0, "1", "next;");
- ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 0, "1", "next;");
-
-+ const char *lb_protocols[] = {"tcp", "udp", "sctp"};
-+ struct ds actions = DS_EMPTY_INITIALIZER;
-+ struct ds match = DS_EMPTY_INITIALIZER;
-+
-+ for (size_t i = 0; i < ARRAY_SIZE(lb_protocols); i++) {
-+ ds_clear(&match);
-+ ds_clear(&actions);
-+ ds_put_format(&match, REGBIT_CONNTRACK_NAT" == 1 && ip4 && %s",
-+ lb_protocols[i]);
-+ ds_put_format(&actions, REG_ORIG_DIP_IPV4 " = ip4.dst; "
-+ REG_ORIG_TP_DPORT " = %s.dst; ct_lb;",
-+ lb_protocols[i]);
-+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 120,
-+ ds_cstr(&match), ds_cstr(&actions));
-+
-+ ds_clear(&match);
-+ ds_clear(&actions);
-+ ds_put_format(&match, REGBIT_CONNTRACK_NAT" == 1 && ip6 && %s",
-+ lb_protocols[i]);
-+ ds_put_format(&actions, REG_ORIG_DIP_IPV6 " = ip6.dst; "
-+ REG_ORIG_TP_DPORT " = %s.dst; ct_lb;",
-+ lb_protocols[i]);
-+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 120,
-+ ds_cstr(&match), ds_cstr(&actions));
-+ }
-+
-+ ds_destroy(&actions);
-+ ds_destroy(&match);
-+
-+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 110,
-+ REGBIT_CONNTRACK_NAT" == 1", "ct_lb;");
-+
-+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 110,
-+ REGBIT_CONNTRACK_NAT" == 1", "ct_lb;");
-+
- /* If REGBIT_CONNTRACK_DEFRAG is set as 1, then the packets should be
- * sent to conntrack for tracking and defragmentation. */
- ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 100,
- REGBIT_CONNTRACK_DEFRAG" == 1", "ct_next;");
-+
- ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 100,
- REGBIT_CONNTRACK_DEFRAG" == 1", "ct_next;");
- }
-@@ -5206,7 +5253,11 @@ build_acl_hints(struct ovn_datapath *od, struct hmap *lflows)
- enum ovn_stage stage = stages[i];
-
- /* In any case, advance to the next stage. */
-- ovn_lflow_add(lflows, od, stage, 0, "1", "next;");
-+ if (!od->has_acls && !od->has_lb_vip) {
-+ ovn_lflow_add(lflows, od, stage, UINT16_MAX, "1", "next;");
-+ } else {
-+ ovn_lflow_add(lflows, od, stage, 0, "1", "next;");
-+ }
-
- if (!od->has_stateful_acl && !od->has_lb_vip) {
- continue;
-@@ -5606,10 +5657,19 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
- bool has_stateful = od->has_stateful_acl || od->has_lb_vip;
-
- /* Ingress and Egress ACL Table (Priority 0): Packets are allowed by
-- * default. A related rule at priority 1 is added below if there
-+ * default. If the logical switch has no ACLs or no load balancers,
-+ * then add 65535-priority flow to advance the packet to next
-+ * stage.
-+ *
-+ * A related rule at priority 1 is added below if there
- * are any stateful ACLs in this datapath. */
-- ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", "next;");
-- ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", "next;");
-+ if (!od->has_acls && !od->has_lb_vip) {
-+ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "1", "next;");
-+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "1", "next;");
-+ } else {
-+ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", "next;");
-+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", "next;");
-+ }
-
- if (has_stateful) {
- /* Ingress and Egress ACL Table (Priority 1).
-@@ -5640,21 +5700,23 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
- "ip && (!ct.est || (ct.est && ct_label.blocked == 1))",
- REGBIT_CONNTRACK_COMMIT" = 1; next;");
-
-- /* Ingress and Egress ACL Table (Priority 65535).
-+ /* Ingress and Egress ACL Table (Priority 65532).
- *
- * Always drop traffic that's in an invalid state. Also drop
- * reply direction packets for connections that have been marked
- * for deletion (bit 0 of ct_label is set).
- *
- * This is enforced at a higher priority than ACLs can be defined. */
-- ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
-- "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)",
-- "drop;");
-- ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
-- "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)",
-- "drop;");
-+ char *match =
-+ xasprintf("%s(ct.est && ct.rpl && ct_label.blocked == 1)",
-+ use_ct_inv_match ? "ct.inv || " : "");
-+ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3,
-+ match, "drop;");
-+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3,
-+ match, "drop;");
-+ free(match);
-
-- /* Ingress and Egress ACL Table (Priority 65535).
-+ /* Ingress and Egress ACL Table (Priority 65535 - 3).
- *
- * Allow reply traffic that is part of an established
- * conntrack entry that has not been marked for deletion
-@@ -5663,14 +5725,15 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
- * direction to hit the currently defined policy from ACLs.
- *
- * This is enforced at a higher priority than ACLs can be defined. */
-- ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
-- "ct.est && !ct.rel && !ct.new && !ct.inv "
-- "&& ct.rpl && ct_label.blocked == 0",
-- "next;");
-- ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
-- "ct.est && !ct.rel && !ct.new && !ct.inv "
-- "&& ct.rpl && ct_label.blocked == 0",
-- "next;");
-+ match = xasprintf("ct.est && !ct.rel && !ct.new%s && "
-+ "ct.rpl && ct_label.blocked == 0",
-+ use_ct_inv_match ? " && !ct.inv" : "");
-+
-+ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3,
-+ match, "next;");
-+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3,
-+ match, "next;");
-+ free(match);
-
- /* Ingress and Egress ACL Table (Priority 65535).
- *
-@@ -5683,21 +5746,21 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
- * a dynamically negotiated FTP data channel), but will allow
- * related traffic such as an ICMP Port Unreachable through
- * that's generated from a non-listening UDP port. */
-- ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
-- "!ct.est && ct.rel && !ct.new && !ct.inv "
-- "&& ct_label.blocked == 0",
-- "next;");
-- ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
-- "!ct.est && ct.rel && !ct.new && !ct.inv "
-- "&& ct_label.blocked == 0",
-- "next;");
-+ match = xasprintf("!ct.est && ct.rel && !ct.new%s && "
-+ "ct_label.blocked == 0",
-+ use_ct_inv_match ? " && !ct.inv" : "");
-+ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3,
-+ match, "next;");
-+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3,
-+ match, "next;");
-+ free(match);
-
-- /* Ingress and Egress ACL Table (Priority 65535).
-+ /* Ingress and Egress ACL Table (Priority 65532).
- *
- * Not to do conntrack on ND packets. */
-- ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
-+ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3,
- "nd || nd_ra || nd_rs || mldv1 || mldv2", "next;");
-- ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
-+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3,
- "nd || nd_ra || nd_rs || mldv1 || mldv2", "next;");
- }
-
-@@ -5784,15 +5847,18 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
- actions);
- }
-
-- /* Add a 34000 priority flow to advance the service monitor reply
-- * packets to skip applying ingress ACLs. */
-- ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 34000,
-- "eth.dst == $svc_monitor_mac", "next;");
-
-- /* Add a 34000 priority flow to advance the service monitor packets
-- * generated by ovn-controller to skip applying egress ACLs. */
-- ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 34000,
-- "eth.src == $svc_monitor_mac", "next;");
-+ if (od->has_acls || od->has_lb_vip) {
-+ /* Add a 34000 priority flow to advance the service monitor reply
-+ * packets to skip applying ingress ACLs. */
-+ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 34000,
-+ "eth.dst == $svc_monitor_mac", "next;");
-+
-+ /* Add a 34000 priority flow to advance the service monitor packets
-+ * generated by ovn-controller to skip applying egress ACLs. */
-+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 34000,
-+ "eth.src == $svc_monitor_mac", "next;");
-+ }
- }
-
- static void
-@@ -5856,37 +5922,6 @@ build_qos(struct ovn_datapath *od, struct hmap *lflows) {
- }
- }
-
--static void
--build_lb(struct ovn_datapath *od, struct hmap *lflows)
--{
-- /* Ingress and Egress LB Table (Priority 0): Packets are allowed by
-- * default. */
-- ovn_lflow_add(lflows, od, S_SWITCH_IN_LB, 0, "1", "next;");
-- ovn_lflow_add(lflows, od, S_SWITCH_OUT_LB, 0, "1", "next;");
--
-- if (od->nbs->n_load_balancer) {
-- for (size_t i = 0; i < od->n_router_ports; i++) {
-- skip_port_from_conntrack(od, od->router_ports[i],
-- S_SWITCH_IN_LB, S_SWITCH_OUT_LB,
-- UINT16_MAX, lflows);
-- }
-- }
--
-- if (od->has_lb_vip) {
-- /* Ingress and Egress LB Table (Priority 65534).
-- *
-- * Send established traffic through conntrack for just NAT. */
-- ovn_lflow_add(lflows, od, S_SWITCH_IN_LB, UINT16_MAX - 1,
-- "ct.est && !ct.rel && !ct.new && !ct.inv && "
-- "ct_label.natted == 1",
-- REGBIT_CONNTRACK_NAT" = 1; next;");
-- ovn_lflow_add(lflows, od, S_SWITCH_OUT_LB, UINT16_MAX - 1,
-- "ct.est && !ct.rel && !ct.new && !ct.inv && "
-- "ct_label.natted == 1",
-- REGBIT_CONNTRACK_NAT" = 1; next;");
-- }
--}
--
- static void
- build_lb_rules(struct ovn_datapath *od, struct hmap *lflows,
- struct ovn_northd_lb *lb)
-@@ -5971,48 +6006,6 @@ build_stateful(struct ovn_datapath *od, struct hmap *lflows, struct hmap *lbs)
- REGBIT_CONNTRACK_COMMIT" == 1",
- "ct_commit { ct_label.blocked = 0; }; next;");
-
-- /* If REGBIT_CONNTRACK_NAT is set as 1, then packets should just be sent
-- * through nat (without committing).
-- *
-- * REGBIT_CONNTRACK_COMMIT is set for new connections and
-- * REGBIT_CONNTRACK_NAT is set for established connections. So they
-- * don't overlap.
-- *
-- * In the ingress pipeline, also store the original destination IP and
-- * transport port to be used when detecting hairpin packets.
-- */
-- const char *lb_protocols[] = {"tcp", "udp", "sctp"};
-- struct ds actions = DS_EMPTY_INITIALIZER;
-- struct ds match = DS_EMPTY_INITIALIZER;
--
-- for (size_t i = 0; i < ARRAY_SIZE(lb_protocols); i++) {
-- ds_clear(&match);
-- ds_clear(&actions);
-- ds_put_format(&match, REGBIT_CONNTRACK_NAT" == 1 && ip4 && %s",
-- lb_protocols[i]);
-- ds_put_format(&actions, REG_ORIG_DIP_IPV4 " = ip4.dst; "
-- REG_ORIG_TP_DPORT " = %s.dst; ct_lb;",
-- lb_protocols[i]);
-- ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100,
-- ds_cstr(&match), ds_cstr(&actions));
--
-- ds_clear(&match);
-- ds_clear(&actions);
-- ds_put_format(&match, REGBIT_CONNTRACK_NAT" == 1 && ip6 && %s",
-- lb_protocols[i]);
-- ds_put_format(&actions, REG_ORIG_DIP_IPV6 " = ip6.dst; "
-- REG_ORIG_TP_DPORT " = %s.dst; ct_lb;",
-- lb_protocols[i]);
-- ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100,
-- ds_cstr(&match), ds_cstr(&actions));
-- }
--
-- ds_destroy(&actions);
-- ds_destroy(&match);
--
-- ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 100,
-- REGBIT_CONNTRACK_NAT" == 1", "ct_lb;");
--
- /* Load balancing rules for new connections get committed to conntrack
- * table. So even if REGBIT_CONNTRACK_COMMIT is set in a previous table
- * a higher priority rule for load balancing below also commits the
-@@ -6759,7 +6752,7 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *lflows)
- struct ds actions = DS_EMPTY_INITIALIZER;
- struct ovn_datapath *od;
-
-- /* Ingress table 24: Destination lookup for unknown MACs (priority 0). */
-+ /* Ingress table 23: Destination lookup for unknown MACs (priority 0). */
- HMAP_FOR_EACH (od, key_node, datapaths) {
- if (!od->nbs) {
- continue;
-@@ -6794,8 +6787,8 @@ build_lswitch_lflows_pre_acl_and_acl(struct ovn_datapath *od,
- struct hmap *lbs)
- {
- if (od->nbs) {
-- od->has_stateful_acl = ls_has_stateful_acl(od);
- od->has_lb_vip = ls_has_lb_vip(od);
-+ ls_get_acl_flags(od);
-
- build_pre_acls(od, lflows);
- build_pre_lb(od, lflows, meter_groups, lbs);
-@@ -6803,7 +6796,6 @@ build_lswitch_lflows_pre_acl_and_acl(struct ovn_datapath *od,
- build_acl_hints(od, lflows);
- build_acls(od, lflows, port_groups, meter_groups);
- build_qos(od, lflows);
-- build_lb(od, lflows);
- build_stateful(od, lflows, lbs);
- build_lb_hairpin(od, lflows);
- }
-@@ -8573,10 +8565,16 @@ get_force_snat_ip(struct ovn_datapath *od, const char *key_type,
- return true;
- }
-
-+enum lb_snat_type {
-+ NO_FORCE_SNAT,
-+ FORCE_SNAT,
-+ SKIP_SNAT,
-+};
-+
- static void
- add_router_lb_flow(struct hmap *lflows, struct ovn_datapath *od,
- struct ds *match, struct ds *actions, int priority,
-- bool force_snat_for_lb, struct ovn_lb_vip *lb_vip,
-+ enum lb_snat_type snat_type, struct ovn_lb_vip *lb_vip,
- const char *proto, struct nbrec_load_balancer *lb,
- struct shash *meter_groups, struct sset *nat_entries)
- {
-@@ -8585,9 +8583,10 @@ add_router_lb_flow(struct hmap *lflows, struct ovn_datapath *od,
-
- /* A match and actions for new connections. */
- char *new_match = xasprintf("ct.new && %s", ds_cstr(match));
-- if (force_snat_for_lb) {
-- char *new_actions = xasprintf("flags.force_snat_for_lb = 1; %s",
-- ds_cstr(actions));
-+ if (snat_type == FORCE_SNAT || snat_type == SKIP_SNAT) {
-+ char *new_actions = xasprintf("flags.%s_snat_for_lb = 1; %s",
-+ snat_type == SKIP_SNAT ? "skip" : "force",
-+ ds_cstr(actions));
- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, priority,
- new_match, new_actions, &lb->header_);
- free(new_actions);
-@@ -8598,11 +8597,12 @@ add_router_lb_flow(struct hmap *lflows, struct ovn_datapath *od,
-
- /* A match and actions for established connections. */
- char *est_match = xasprintf("ct.est && %s", ds_cstr(match));
-- if (force_snat_for_lb) {
-+ if (snat_type == FORCE_SNAT || snat_type == SKIP_SNAT) {
-+ char *est_actions = xasprintf("flags.%s_snat_for_lb = 1; ct_dnat;",
-+ snat_type == SKIP_SNAT ? "skip" : "force");
- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, priority,
-- est_match,
-- "flags.force_snat_for_lb = 1; ct_dnat;",
-- &lb->header_);
-+ est_match, est_actions, &lb->header_);
-+ free(est_actions);
- } else {
- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, priority,
- est_match, "ct_dnat;", &lb->header_);
-@@ -8675,11 +8675,13 @@ add_router_lb_flow(struct hmap *lflows, struct ovn_datapath *od,
- ds_put_format(&undnat_match, ") && outport == %s && "
- "is_chassis_resident(%s)", od->l3dgw_port->json_key,
- od->l3redirect_port->json_key);
-- if (force_snat_for_lb) {
-+ if (snat_type == FORCE_SNAT || snat_type == SKIP_SNAT) {
-+ char *action = xasprintf("flags.%s_snat_for_lb = 1; ct_dnat;",
-+ snat_type == SKIP_SNAT ? "skip" : "force");
- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_UNDNAT, 120,
-- ds_cstr(&undnat_match),
-- "flags.force_snat_for_lb = 1; ct_dnat;",
-+ ds_cstr(&undnat_match), action,
- &lb->header_);
-+ free(action);
- } else {
- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_UNDNAT, 120,
- ds_cstr(&undnat_match), "ct_dnat;",
-@@ -8689,6 +8691,105 @@ add_router_lb_flow(struct hmap *lflows, struct ovn_datapath *od,
- ds_destroy(&undnat_match);
- }
-
-+static void
-+build_lrouter_lb_flows(struct hmap *lflows, struct ovn_datapath *od,
-+ struct hmap *lbs, struct shash *meter_groups,
-+ struct sset *nat_entries, struct ds *match,
-+ struct ds *actions)
-+{
-+ /* A set to hold all ips that need defragmentation and tracking. */
-+ struct sset all_ips = SSET_INITIALIZER(&all_ips);
-+ bool lb_force_snat_ip =
-+ !lport_addresses_is_empty(&od->lb_force_snat_addrs);
-+
-+ for (int i = 0; i < od->nbr->n_load_balancer; i++) {
-+ struct nbrec_load_balancer *nb_lb = od->nbr->load_balancer[i];
-+ struct ovn_northd_lb *lb =
-+ ovn_northd_lb_find(lbs, &nb_lb->header_.uuid);
-+ ovs_assert(lb);
-+
-+ bool lb_skip_snat = smap_get_bool(&nb_lb->options, "skip_snat", false);
-+ if (lb_skip_snat) {
-+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 120,
-+ "flags.skip_snat_for_lb == 1 && ip", "next;");
-+ }
-+
-+ for (size_t j = 0; j < lb->n_vips; j++) {
-+ struct ovn_lb_vip *lb_vip = &lb->vips[j];
-+ struct ovn_northd_lb_vip *lb_vip_nb = &lb->vips_nb[j];
-+ ds_clear(actions);
-+ build_lb_vip_actions(lb_vip, lb_vip_nb, actions,
-+ lb->selection_fields, false);
-+
-+ if (!sset_contains(&all_ips, lb_vip->vip_str)) {
-+ sset_add(&all_ips, lb_vip->vip_str);
-+ /* If there are any load balancing rules, we should send
-+ * the packet to conntrack for defragmentation and
-+ * tracking. This helps with two things.
-+ *
-+ * 1. With tracking, we can send only new connections to
-+ * pick a DNAT ip address from a group.
-+ * 2. If there are L4 ports in load balancing rules, we
-+ * need the defragmentation to match on L4 ports. */
-+ ds_clear(match);
-+ if (IN6_IS_ADDR_V4MAPPED(&lb_vip->vip)) {
-+ ds_put_format(match, "ip && ip4.dst == %s",
-+ lb_vip->vip_str);
-+ } else {
-+ ds_put_format(match, "ip && ip6.dst == %s",
-+ lb_vip->vip_str);
-+ }
-+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DEFRAG,
-+ 100, ds_cstr(match), "ct_next;",
-+ &nb_lb->header_);
-+ }
-+
-+ /* Higher priority rules are added for load-balancing in DNAT
-+ * table. For every match (on a VIP[:port]), we add two flows
-+ * via add_router_lb_flow(). One flow is for specific matching
-+ * on ct.new with an action of "ct_lb($targets);". The other
-+ * flow is for ct.est with an action of "ct_dnat;". */
-+ ds_clear(match);
-+ if (IN6_IS_ADDR_V4MAPPED(&lb_vip->vip)) {
-+ ds_put_format(match, "ip && ip4.dst == %s",
-+ lb_vip->vip_str);
-+ } else {
-+ ds_put_format(match, "ip && ip6.dst == %s",
-+ lb_vip->vip_str);
-+ }
-+
-+ int prio = 110;
-+ bool is_udp = nullable_string_is_equal(nb_lb->protocol, "udp");
-+ bool is_sctp = nullable_string_is_equal(nb_lb->protocol,
-+ "sctp");
-+ const char *proto = is_udp ? "udp" : is_sctp ? "sctp" : "tcp";
-+
-+ if (lb_vip->vip_port) {
-+ ds_put_format(match, " && %s && %s.dst == %d", proto,
-+ proto, lb_vip->vip_port);
-+ prio = 120;
-+ }
-+
-+ if (od->l3redirect_port &&
-+ (lb_vip->n_backends || !lb_vip->empty_backend_rej)) {
-+ ds_put_format(match, " && is_chassis_resident(%s)",
-+ od->l3redirect_port->json_key);
-+ }
-+
-+ enum lb_snat_type snat_type = NO_FORCE_SNAT;
-+ if (lb_skip_snat) {
-+ snat_type = SKIP_SNAT;
-+ } else if (lb_force_snat_ip || od->lb_force_snat_router_ip) {
-+ snat_type = FORCE_SNAT;
-+ }
-+ add_router_lb_flow(lflows, od, match, actions, prio,
-+ snat_type, lb_vip, proto, nb_lb,
-+ meter_groups, nat_entries);
-+ }
-+ }
-+ sset_destroy(&all_ips);
-+}
-+
- #define ND_RA_MAX_INTERVAL_MAX 1800
- #define ND_RA_MAX_INTERVAL_MIN 4
-
-@@ -11002,668 +11103,643 @@ build_lrouter_ipv4_ip_input(struct ovn_port *op,
- }
- }
-
--/* NAT, Defrag and load balancing. */
- static void
--build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od,
-- struct hmap *lflows,
-- struct shash *meter_groups,
-- struct hmap *lbs,
-- struct ds *match, struct ds *actions)
-+build_lrouter_in_unsnat_flow(struct hmap *lflows, struct ovn_datapath *od,
-+ const struct nbrec_nat *nat, struct ds *match,
-+ struct ds *actions, bool distributed, bool is_v6)
- {
-- if (od->nbr) {
-+ /* Ingress UNSNAT table: It is for already established connections'
-+ * reverse traffic. i.e., SNAT has already been done in egress
-+ * pipeline and now the packet has entered the ingress pipeline as
-+ * part of a reply. We undo the SNAT here.
-+ *
-+ * Undoing SNAT has to happen before DNAT processing. This is
-+ * because when the packet was DNATed in ingress pipeline, it did
-+ * not know about the possibility of eventual additional SNAT in
-+ * egress pipeline. */
-+ if (strcmp(nat->type, "snat") && strcmp(nat->type, "dnat_and_snat")) {
-+ return;
-+ }
-
-- /* Packets are allowed by default. */
-- ovn_lflow_add(lflows, od, S_ROUTER_IN_DEFRAG, 0, "1", "next;");
-- ovn_lflow_add(lflows, od, S_ROUTER_IN_UNSNAT, 0, "1", "next;");
-- ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 0, "1", "next;");
-- ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 0, "1", "next;");
-- ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 0, "1", "next;");
-- ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;");
-- ovn_lflow_add(lflows, od, S_ROUTER_IN_ECMP_STATEFUL, 0, "1", "next;");
--
-- /* Send the IPv6 NS packets to next table. When ovn-controller
-- * generates IPv6 NS (for the action - nd_ns{}), the injected
-- * packet would go through conntrack - which is not required. */
-- ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 120, "nd_ns", "next;");
--
-- /* NAT rules are only valid on Gateway routers and routers with
-- * l3dgw_port (router has a port with gateway chassis
-- * specified). */
-- if (!smap_get(&od->nbr->options, "chassis") && !od->l3dgw_port) {
-- return;
-+ bool stateless = lrouter_nat_is_stateless(nat);
-+ if (!od->l3dgw_port) {
-+ /* Gateway router. */
-+ ds_clear(match);
-+ ds_clear(actions);
-+ ds_put_format(match, "ip && ip%s.dst == %s",
-+ is_v6 ? "6" : "4", nat->external_ip);
-+ if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
-+ ds_put_format(actions, "ip%s.dst=%s; next;",
-+ is_v6 ? "6" : "4", nat->logical_ip);
-+ } else {
-+ ds_put_cstr(actions, "ct_snat;");
- }
-
-- struct sset nat_entries = SSET_INITIALIZER(&nat_entries);
-+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_UNSNAT,
-+ 90, ds_cstr(match), ds_cstr(actions),
-+ &nat->header_);
-+ } else {
-+ /* Distributed router. */
-
-- bool dnat_force_snat_ip =
-- !lport_addresses_is_empty(&od->dnat_force_snat_addrs);
-- bool lb_force_snat_ip =
-- !lport_addresses_is_empty(&od->lb_force_snat_addrs);
-+ /* Traffic received on l3dgw_port is subject to NAT. */
-+ ds_clear(match);
-+ ds_clear(actions);
-+ ds_put_format(match, "ip && ip%s.dst == %s && inport == %s",
-+ is_v6 ? "6" : "4", nat->external_ip,
-+ od->l3dgw_port->json_key);
-+ if (!distributed && od->l3redirect_port) {
-+ /* Flows for NAT rules that are centralized are only
-+ * programmed on the gateway chassis. */
-+ ds_put_format(match, " && is_chassis_resident(%s)",
-+ od->l3redirect_port->json_key);
-+ }
-
-- for (int i = 0; i < od->nbr->n_nat; i++) {
-- const struct nbrec_nat *nat;
-+ if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
-+ ds_put_format(actions, "ip%s.dst=%s; next;",
-+ is_v6 ? "6" : "4", nat->logical_ip);
-+ } else {
-+ ds_put_cstr(actions, "ct_snat;");
-+ }
-
-- nat = od->nbr->nat[i];
-+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_UNSNAT,
-+ 100, ds_cstr(match), ds_cstr(actions),
-+ &nat->header_);
-+ }
-+}
-
-- ovs_be32 ip, mask;
-- struct in6_addr ipv6, mask_v6, v6_exact = IN6ADDR_EXACT_INIT;
-- bool is_v6 = false;
-- bool stateless = lrouter_nat_is_stateless(nat);
-- struct nbrec_address_set *allowed_ext_ips =
-- nat->allowed_ext_ips;
-- struct nbrec_address_set *exempted_ext_ips =
-- nat->exempted_ext_ips;
-+static void
-+build_lrouter_in_dnat_flow(struct hmap *lflows, struct ovn_datapath *od,
-+ const struct nbrec_nat *nat, struct ds *match,
-+ struct ds *actions, bool distributed,
-+ ovs_be32 mask, bool is_v6)
-+{
-+ /* Ingress DNAT table: Packets enter the pipeline with destination
-+ * IP address that needs to be DNATted from a external IP address
-+ * to a logical IP address. */
-+ if (!strcmp(nat->type, "dnat") || !strcmp(nat->type, "dnat_and_snat")) {
-+ bool stateless = lrouter_nat_is_stateless(nat);
-
-- if (allowed_ext_ips && exempted_ext_ips) {
-- static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
-- VLOG_WARN_RL(&rl, "NAT rule: "UUID_FMT" not applied, since "
-- "both allowed and exempt external ips set",
-- UUID_ARGS(&(nat->header_.uuid)));
-- continue;
-+ if (!od->l3dgw_port) {
-+ /* Gateway router. */
-+ /* Packet when it goes from the initiator to destination.
-+ * We need to set flags.loopback because the router can
-+ * send the packet back through the same interface. */
-+ ds_clear(match);
-+ ds_put_format(match, "ip && ip%s.dst == %s",
-+ is_v6 ? "6" : "4", nat->external_ip);
-+ ds_clear(actions);
-+ if (nat->allowed_ext_ips || nat->exempted_ext_ips) {
-+ lrouter_nat_add_ext_ip_match(od, lflows, match, nat,
-+ is_v6, true, mask);
- }
-
-- char *error = ip_parse_masked(nat->external_ip, &ip, &mask);
-- if (error || mask != OVS_BE32_MAX) {
-- free(error);
-- error = ipv6_parse_masked(nat->external_ip, &ipv6, &mask_v6);
-- if (error || memcmp(&mask_v6, &v6_exact, sizeof(mask_v6))) {
-- /* Invalid for both IPv4 and IPv6 */
-- static struct vlog_rate_limit rl =
-- VLOG_RATE_LIMIT_INIT(5, 1);
-- VLOG_WARN_RL(&rl, "bad external ip %s for nat",
-- nat->external_ip);
-- free(error);
-- continue;
-- }
-- /* It was an invalid IPv4 address, but valid IPv6.
-- * Treat the rest of the handling of this NAT rule
-- * as IPv6. */
-- is_v6 = true;
-- }
--
-- /* Check the validity of nat->logical_ip. 'logical_ip' can
-- * be a subnet when the type is "snat". */
-- int cidr_bits;
-- if (is_v6) {
-- error = ipv6_parse_masked(nat->logical_ip, &ipv6, &mask_v6);
-- cidr_bits = ipv6_count_cidr_bits(&mask_v6);
-- } else {
-- error = ip_parse_masked(nat->logical_ip, &ip, &mask);
-- cidr_bits = ip_count_cidr_bits(mask);
-+ if (!lport_addresses_is_empty(&od->dnat_force_snat_addrs)) {
-+ /* Indicate to the future tables that a DNAT has taken
-+ * place and a force SNAT needs to be done in the
-+ * Egress SNAT table. */
-+ ds_put_format(actions, "flags.force_snat_for_dnat = 1; ");
- }
-- if (!strcmp(nat->type, "snat")) {
-- if (error) {
-- /* Invalid for both IPv4 and IPv6 */
-- static struct vlog_rate_limit rl =
-- VLOG_RATE_LIMIT_INIT(5, 1);
-- VLOG_WARN_RL(&rl, "bad ip network or ip %s for snat "
-- "in router "UUID_FMT"",
-- nat->logical_ip, UUID_ARGS(&od->key));
-- free(error);
-- continue;
-- }
-+
-+ if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
-+ ds_put_format(actions, "flags.loopback = 1; "
-+ "ip%s.dst=%s; next;",
-+ is_v6 ? "6" : "4", nat->logical_ip);
- } else {
-- if (error || (!is_v6 && mask != OVS_BE32_MAX)
-- || (is_v6 && memcmp(&mask_v6, &v6_exact,
-- sizeof mask_v6))) {
-- /* Invalid for both IPv4 and IPv6 */
-- static struct vlog_rate_limit rl =
-- VLOG_RATE_LIMIT_INIT(5, 1);
-- VLOG_WARN_RL(&rl, "bad ip %s for dnat in router "
-- ""UUID_FMT"", nat->logical_ip, UUID_ARGS(&od->key));
-- free(error);
-- continue;
-+ ds_put_format(actions, "flags.loopback = 1; ct_dnat(%s",
-+ nat->logical_ip);
-+
-+ if (nat->external_port_range[0]) {
-+ ds_put_format(actions, ",%s", nat->external_port_range);
- }
-+ ds_put_format(actions, ");");
- }
-
-- /* For distributed router NAT, determine whether this NAT rule
-- * satisfies the conditions for distributed NAT processing. */
-- bool distributed = false;
-- struct eth_addr mac;
-- if (od->l3dgw_port && !strcmp(nat->type, "dnat_and_snat") &&
-- nat->logical_port && nat->external_mac) {
-- if (eth_addr_from_string(nat->external_mac, &mac)) {
-- distributed = true;
-- } else {
-- static struct vlog_rate_limit rl =
-- VLOG_RATE_LIMIT_INIT(5, 1);
-- VLOG_WARN_RL(&rl, "bad mac %s for dnat in router "
-- ""UUID_FMT"", nat->external_mac, UUID_ARGS(&od->key));
-- continue;
-+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, 100,
-+ ds_cstr(match), ds_cstr(actions),
-+ &nat->header_);
-+ } else {
-+ /* Distributed router. */
-+
-+ /* Traffic received on l3dgw_port is subject to NAT. */
-+ ds_clear(match);
-+ ds_put_format(match, "ip && ip%s.dst == %s && inport == %s",
-+ is_v6 ? "6" : "4", nat->external_ip,
-+ od->l3dgw_port->json_key);
-+ if (!distributed && od->l3redirect_port) {
-+ /* Flows for NAT rules that are centralized are only
-+ * programmed on the gateway chassis. */
-+ ds_put_format(match, " && is_chassis_resident(%s)",
-+ od->l3redirect_port->json_key);
-+ }
-+ ds_clear(actions);
-+ if (nat->allowed_ext_ips || nat->exempted_ext_ips) {
-+ lrouter_nat_add_ext_ip_match(od, lflows, match, nat,
-+ is_v6, true, mask);
-+ }
-+
-+ if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
-+ ds_put_format(actions, "ip%s.dst=%s; next;",
-+ is_v6 ? "6" : "4", nat->logical_ip);
-+ } else {
-+ ds_put_format(actions, "ct_dnat(%s", nat->logical_ip);
-+ if (nat->external_port_range[0]) {
-+ ds_put_format(actions, ",%s", nat->external_port_range);
- }
-+ ds_put_format(actions, ");");
- }
-
-- /* Ingress UNSNAT table: It is for already established connections'
-- * reverse traffic. i.e., SNAT has already been done in egress
-- * pipeline and now the packet has entered the ingress pipeline as
-- * part of a reply. We undo the SNAT here.
-- *
-- * Undoing SNAT has to happen before DNAT processing. This is
-- * because when the packet was DNATed in ingress pipeline, it did
-- * not know about the possibility of eventual additional SNAT in
-- * egress pipeline. */
-- if (!strcmp(nat->type, "snat")
-- || !strcmp(nat->type, "dnat_and_snat")) {
-- if (!od->l3dgw_port) {
-- /* Gateway router. */
-- ds_clear(match);
-- ds_clear(actions);
-- ds_put_format(match, "ip && ip%s.dst == %s",
-- is_v6 ? "6" : "4",
-- nat->external_ip);
-- if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
-- ds_put_format(actions, "ip%s.dst=%s; next;",
-- is_v6 ? "6" : "4", nat->logical_ip);
-- } else {
-- ds_put_cstr(actions, "ct_snat;");
-- }
-+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, 100,
-+ ds_cstr(match), ds_cstr(actions),
-+ &nat->header_);
-+ }
-+ }
-+}
-
-- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_UNSNAT,
-- 90, ds_cstr(match),
-- ds_cstr(actions),
-- &nat->header_);
-- } else {
-- /* Distributed router. */
-+static void
-+build_lrouter_out_undnat_flow(struct hmap *lflows, struct ovn_datapath *od,
-+ const struct nbrec_nat *nat, struct ds *match,
-+ struct ds *actions, bool distributed,
-+ struct eth_addr mac, bool is_v6)
-+{
-+ /* Egress UNDNAT table: It is for already established connections'
-+ * reverse traffic. i.e., DNAT has already been done in ingress
-+ * pipeline and now the packet has entered the egress pipeline as
-+ * part of a reply. We undo the DNAT here.
-+ *
-+ * Note that this only applies for NAT on a distributed router.
-+ * Undo DNAT on a gateway router is done in the ingress DNAT
-+ * pipeline stage. */
-+ if (!od->l3dgw_port ||
-+ (strcmp(nat->type, "dnat") && strcmp(nat->type, "dnat_and_snat"))) {
-+ return;
-+ }
-
-- /* Traffic received on l3dgw_port is subject to NAT. */
-- ds_clear(match);
-- ds_clear(actions);
-- ds_put_format(match, "ip && ip%s.dst == %s"
-- " && inport == %s",
-- is_v6 ? "6" : "4",
-- nat->external_ip,
-- od->l3dgw_port->json_key);
-- if (!distributed && od->l3redirect_port) {
-- /* Flows for NAT rules that are centralized are only
-- * programmed on the gateway chassis. */
-- ds_put_format(match, " && is_chassis_resident(%s)",
-- od->l3redirect_port->json_key);
-- }
-+ ds_clear(match);
-+ ds_put_format(match, "ip && ip%s.src == %s && outport == %s",
-+ is_v6 ? "6" : "4", nat->logical_ip,
-+ od->l3dgw_port->json_key);
-+ if (!distributed && od->l3redirect_port) {
-+ /* Flows for NAT rules that are centralized are only
-+ * programmed on the gateway chassis. */
-+ ds_put_format(match, " && is_chassis_resident(%s)",
-+ od->l3redirect_port->json_key);
-+ }
-+ ds_clear(actions);
-+ if (distributed) {
-+ ds_put_format(actions, "eth.src = "ETH_ADDR_FMT"; ",
-+ ETH_ADDR_ARGS(mac));
-+ }
-
-- if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
-- ds_put_format(actions, "ip%s.dst=%s; next;",
-- is_v6 ? "6" : "4", nat->logical_ip);
-- } else {
-- ds_put_cstr(actions, "ct_snat;");
-- }
-+ if (!strcmp(nat->type, "dnat_and_snat") &&
-+ lrouter_nat_is_stateless(nat)) {
-+ ds_put_format(actions, "ip%s.src=%s; next;",
-+ is_v6 ? "6" : "4", nat->external_ip);
-+ } else {
-+ ds_put_format(actions, "ct_dnat;");
-+ }
-
-- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_UNSNAT,
-- 100,
-- ds_cstr(match), ds_cstr(actions),
-- &nat->header_);
-- }
-- }
-+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_UNDNAT, 100,
-+ ds_cstr(match), ds_cstr(actions),
-+ &nat->header_);
-+}
-
-- /* Ingress DNAT table: Packets enter the pipeline with destination
-- * IP address that needs to be DNATted from a external IP address
-- * to a logical IP address. */
-- if (!strcmp(nat->type, "dnat")
-- || !strcmp(nat->type, "dnat_and_snat")) {
-- if (!od->l3dgw_port) {
-- /* Gateway router. */
-- /* Packet when it goes from the initiator to destination.
-- * We need to set flags.loopback because the router can
-- * send the packet back through the same interface. */
-- ds_clear(match);
-- ds_put_format(match, "ip && ip%s.dst == %s",
-- is_v6 ? "6" : "4",
-- nat->external_ip);
-- ds_clear(actions);
-- if (allowed_ext_ips || exempted_ext_ips) {
-- lrouter_nat_add_ext_ip_match(od, lflows, match, nat,
-- is_v6, true, mask);
-- }
-+static void
-+build_lrouter_out_snat_flow(struct hmap *lflows, struct ovn_datapath *od,
-+ const struct nbrec_nat *nat, struct ds *match,
-+ struct ds *actions, bool distributed,
-+ struct eth_addr mac, ovs_be32 mask,
-+ int cidr_bits, bool is_v6)
-+{
-+ /* Egress SNAT table: Packets enter the egress pipeline with
-+ * source ip address that needs to be SNATted to a external ip
-+ * address. */
-+ if (strcmp(nat->type, "snat") && strcmp(nat->type, "dnat_and_snat")) {
-+ return;
-+ }
-
-- if (dnat_force_snat_ip) {
-- /* Indicate to the future tables that a DNAT has taken
-- * place and a force SNAT needs to be done in the
-- * Egress SNAT table. */
-- ds_put_format(actions,
-- "flags.force_snat_for_dnat = 1; ");
-- }
-+ bool stateless = lrouter_nat_is_stateless(nat);
-+ if (!od->l3dgw_port) {
-+ /* Gateway router. */
-+ ds_clear(match);
-+ ds_put_format(match, "ip && ip%s.src == %s",
-+ is_v6 ? "6" : "4", nat->logical_ip);
-+ ds_clear(actions);
-
-- if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
-- ds_put_format(actions, "flags.loopback = 1; "
-- "ip%s.dst=%s; next;",
-- is_v6 ? "6" : "4", nat->logical_ip);
-- } else {
-- ds_put_format(actions, "flags.loopback = 1; "
-- "ct_dnat(%s", nat->logical_ip);
-+ if (nat->allowed_ext_ips || nat->exempted_ext_ips) {
-+ lrouter_nat_add_ext_ip_match(od, lflows, match, nat,
-+ is_v6, false, mask);
-+ }
-
-- if (nat->external_port_range[0]) {
-- ds_put_format(actions, ",%s",
-- nat->external_port_range);
-- }
-- ds_put_format(actions, ");");
-- }
-+ if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
-+ ds_put_format(actions, "ip%s.src=%s; next;",
-+ is_v6 ? "6" : "4", nat->external_ip);
-+ } else {
-+ ds_put_format(actions, "ct_snat(%s", nat->external_ip);
-
-- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, 100,
-- ds_cstr(match), ds_cstr(actions),
-- &nat->header_);
-- } else {
-- /* Distributed router. */
-+ if (nat->external_port_range[0]) {
-+ ds_put_format(actions, ",%s",
-+ nat->external_port_range);
-+ }
-+ ds_put_format(actions, ");");
-+ }
-
-- /* Traffic received on l3dgw_port is subject to NAT. */
-- ds_clear(match);
-- ds_put_format(match, "ip && ip%s.dst == %s"
-- " && inport == %s",
-- is_v6 ? "6" : "4",
-- nat->external_ip,
-- od->l3dgw_port->json_key);
-- if (!distributed && od->l3redirect_port) {
-- /* Flows for NAT rules that are centralized are only
-- * programmed on the gateway chassis. */
-- ds_put_format(match, " && is_chassis_resident(%s)",
-- od->l3redirect_port->json_key);
-- }
-- ds_clear(actions);
-- if (allowed_ext_ips || exempted_ext_ips) {
-- lrouter_nat_add_ext_ip_match(od, lflows, match, nat,
-- is_v6, true, mask);
-- }
-+ /* The priority here is calculated such that the
-+ * nat->logical_ip with the longest mask gets a higher
-+ * priority. */
-+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_SNAT,
-+ cidr_bits + 1, ds_cstr(match),
-+ ds_cstr(actions), &nat->header_);
-+ } else {
-+ uint16_t priority = cidr_bits + 1;
-
-- if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
-- ds_put_format(actions, "ip%s.dst=%s; next;",
-- is_v6 ? "6" : "4", nat->logical_ip);
-- } else {
-- ds_put_format(actions, "ct_dnat(%s", nat->logical_ip);
-- if (nat->external_port_range[0]) {
-- ds_put_format(actions, ",%s",
-- nat->external_port_range);
-- }
-- ds_put_format(actions, ");");
-- }
-+ /* Distributed router. */
-+ ds_clear(match);
-+ ds_put_format(match, "ip && ip%s.src == %s && outport == %s",
-+ is_v6 ? "6" : "4", nat->logical_ip,
-+ od->l3dgw_port->json_key);
-+ if (!distributed && od->l3redirect_port) {
-+ /* Flows for NAT rules that are centralized are only
-+ * programmed on the gateway chassis. */
-+ priority += 128;
-+ ds_put_format(match, " && is_chassis_resident(%s)",
-+ od->l3redirect_port->json_key);
-+ }
-+ ds_clear(actions);
-
-- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, 100,
-- ds_cstr(match), ds_cstr(actions),
-- &nat->header_);
-- }
-- }
-+ if (nat->allowed_ext_ips || nat->exempted_ext_ips) {
-+ lrouter_nat_add_ext_ip_match(od, lflows, match, nat,
-+ is_v6, false, mask);
-+ }
-
-- /* ARP resolve for NAT IPs. */
-- if (od->l3dgw_port) {
-- if (!strcmp(nat->type, "snat")) {
-- ds_clear(match);
-- ds_put_format(
-- match, "inport == %s && %s == %s",
-- od->l3dgw_port->json_key,
-- is_v6 ? "ip6.src" : "ip4.src", nat->external_ip);
-- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_IP_INPUT,
-- 120, ds_cstr(match), "next;",
-- &nat->header_);
-- }
-+ if (distributed) {
-+ ds_put_format(actions, "eth.src = "ETH_ADDR_FMT"; ",
-+ ETH_ADDR_ARGS(mac));
-+ }
-
-- if (!sset_contains(&nat_entries, nat->external_ip)) {
-- ds_clear(match);
-- ds_put_format(
-- match, "outport == %s && %s == %s",
-- od->l3dgw_port->json_key,
-- is_v6 ? REG_NEXT_HOP_IPV6 : REG_NEXT_HOP_IPV4,
-+ if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
-+ ds_put_format(actions, "ip%s.src=%s; next;",
-+ is_v6 ? "6" : "4", nat->external_ip);
-+ } else {
-+ ds_put_format(actions, "ct_snat(%s",
- nat->external_ip);
-- ds_clear(actions);
-- ds_put_format(
-- actions, "eth.dst = %s; next;",
-- distributed ? nat->external_mac :
-- od->l3dgw_port->lrp_networks.ea_s);
-- ovn_lflow_add_with_hint(lflows, od,
-- S_ROUTER_IN_ARP_RESOLVE,
-- 100, ds_cstr(match),
-- ds_cstr(actions),
-- &nat->header_);
-- sset_add(&nat_entries, nat->external_ip);
-- }
-- } else {
-- /* Add the NAT external_ip to the nat_entries even for
-- * gateway routers. This is required for adding load balancer
-- * flows.*/
-- sset_add(&nat_entries, nat->external_ip);
-+ if (nat->external_port_range[0]) {
-+ ds_put_format(actions, ",%s", nat->external_port_range);
- }
-+ ds_put_format(actions, ");");
-+ }
-
-- /* Egress UNDNAT table: It is for already established connections'
-- * reverse traffic. i.e., DNAT has already been done in ingress
-- * pipeline and now the packet has entered the egress pipeline as
-- * part of a reply. We undo the DNAT here.
-- *
-- * Note that this only applies for NAT on a distributed router.
-- * Undo DNAT on a gateway router is done in the ingress DNAT
-- * pipeline stage. */
-- if (od->l3dgw_port && (!strcmp(nat->type, "dnat")
-- || !strcmp(nat->type, "dnat_and_snat"))) {
-- ds_clear(match);
-- ds_put_format(match, "ip && ip%s.src == %s"
-- " && outport == %s",
-- is_v6 ? "6" : "4",
-- nat->logical_ip,
-- od->l3dgw_port->json_key);
-- if (!distributed && od->l3redirect_port) {
-- /* Flows for NAT rules that are centralized are only
-- * programmed on the gateway chassis. */
-- ds_put_format(match, " && is_chassis_resident(%s)",
-- od->l3redirect_port->json_key);
-- }
-- ds_clear(actions);
-- if (distributed) {
-- ds_put_format(actions, "eth.src = "ETH_ADDR_FMT"; ",
-- ETH_ADDR_ARGS(mac));
-- }
-+ /* The priority here is calculated such that the
-+ * nat->logical_ip with the longest mask gets a higher
-+ * priority. */
-+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_SNAT,
-+ priority, ds_cstr(match),
-+ ds_cstr(actions), &nat->header_);
-+ }
-+}
-
-- if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
-- ds_put_format(actions, "ip%s.src=%s; next;",
-- is_v6 ? "6" : "4", nat->external_ip);
-- } else {
-- ds_put_format(actions, "ct_dnat;");
-- }
-+static void
-+build_lrouter_ingress_flow(struct hmap *lflows, struct ovn_datapath *od,
-+ const struct nbrec_nat *nat, struct ds *match,
-+ struct ds *actions, struct eth_addr mac,
-+ bool distributed, bool is_v6)
-+{
-+ if (od->l3dgw_port && !strcmp(nat->type, "snat")) {
-+ ds_clear(match);
-+ ds_put_format(
-+ match, "inport == %s && %s == %s",
-+ od->l3dgw_port->json_key,
-+ is_v6 ? "ip6.src" : "ip4.src", nat->external_ip);
-+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_IP_INPUT,
-+ 120, ds_cstr(match), "next;",
-+ &nat->header_);
-+ }
-+ /* Logical router ingress table 0:
-+ * For NAT on a distributed router, add rules allowing
-+ * ingress traffic with eth.dst matching nat->external_mac
-+ * on the l3dgw_port instance where nat->logical_port is
-+ * resident. */
-+ if (distributed) {
-+ /* Store the ethernet address of the port receiving the packet.
-+ * This will save us from having to match on inport further
-+ * down in the pipeline.
-+ */
-+ ds_clear(actions);
-+ ds_put_format(actions, REG_INPORT_ETH_ADDR " = %s; next;",
-+ od->l3dgw_port->lrp_networks.ea_s);
-
-- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_UNDNAT, 100,
-- ds_cstr(match), ds_cstr(actions),
-- &nat->header_);
-- }
-+ ds_clear(match);
-+ ds_put_format(match,
-+ "eth.dst == "ETH_ADDR_FMT" && inport == %s"
-+ " && is_chassis_resident(\"%s\")",
-+ ETH_ADDR_ARGS(mac),
-+ od->l3dgw_port->json_key,
-+ nat->logical_port);
-+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_ADMISSION, 50,
-+ ds_cstr(match), ds_cstr(actions),
-+ &nat->header_);
-+ }
-+}
-
-- /* Egress SNAT table: Packets enter the egress pipeline with
-- * source ip address that needs to be SNATted to a external ip
-- * address. */
-- if (!strcmp(nat->type, "snat")
-- || !strcmp(nat->type, "dnat_and_snat")) {
-- if (!od->l3dgw_port) {
-- /* Gateway router. */
-- ds_clear(match);
-- ds_put_format(match, "ip && ip%s.src == %s",
-- is_v6 ? "6" : "4",
-- nat->logical_ip);
-- ds_clear(actions);
-+static int
-+lrouter_check_nat_entry(struct ovn_datapath *od, const struct nbrec_nat *nat,
-+ ovs_be32 *mask, bool *is_v6, int *cidr_bits,
-+ struct eth_addr *mac, bool *distributed)
-+{
-+ struct in6_addr ipv6, mask_v6, v6_exact = IN6ADDR_EXACT_INIT;
-+ ovs_be32 ip;
-
-- if (allowed_ext_ips || exempted_ext_ips) {
-- lrouter_nat_add_ext_ip_match(od, lflows, match, nat,
-- is_v6, false, mask);
-- }
-+ if (nat->allowed_ext_ips && nat->exempted_ext_ips) {
-+ static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
-+ VLOG_WARN_RL(&rl, "NAT rule: "UUID_FMT" not applied, since "
-+ "both allowed and exempt external ips set",
-+ UUID_ARGS(&(nat->header_.uuid)));
-+ return -EINVAL;
-+ }
-
-- if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
-- ds_put_format(actions, "ip%s.src=%s; next;",
-- is_v6 ? "6" : "4", nat->external_ip);
-- } else {
-- ds_put_format(actions, "ct_snat(%s",
-- nat->external_ip);
-+ char *error = ip_parse_masked(nat->external_ip, &ip, mask);
-+ *is_v6 = false;
-
-- if (nat->external_port_range[0]) {
-- ds_put_format(actions, ",%s",
-- nat->external_port_range);
-- }
-- ds_put_format(actions, ");");
-- }
-+ if (error || *mask != OVS_BE32_MAX) {
-+ free(error);
-+ error = ipv6_parse_masked(nat->external_ip, &ipv6, &mask_v6);
-+ if (error || memcmp(&mask_v6, &v6_exact, sizeof(mask_v6))) {
-+ /* Invalid for both IPv4 and IPv6 */
-+ static struct vlog_rate_limit rl =
-+ VLOG_RATE_LIMIT_INIT(5, 1);
-+ VLOG_WARN_RL(&rl, "bad external ip %s for nat",
-+ nat->external_ip);
-+ free(error);
-+ return -EINVAL;
-+ }
-+ /* It was an invalid IPv4 address, but valid IPv6.
-+ * Treat the rest of the handling of this NAT rule
-+ * as IPv6. */
-+ *is_v6 = true;
-+ }
-
-- /* The priority here is calculated such that the
-- * nat->logical_ip with the longest mask gets a higher
-- * priority. */
-- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_SNAT,
-- cidr_bits + 1,
-- ds_cstr(match), ds_cstr(actions),
-- &nat->header_);
-- } else {
-- uint16_t priority = cidr_bits + 1;
-+ /* Check the validity of nat->logical_ip. 'logical_ip' can
-+ * be a subnet when the type is "snat". */
-+ if (*is_v6) {
-+ error = ipv6_parse_masked(nat->logical_ip, &ipv6, &mask_v6);
-+ *cidr_bits = ipv6_count_cidr_bits(&mask_v6);
-+ } else {
-+ error = ip_parse_masked(nat->logical_ip, &ip, mask);
-+ *cidr_bits = ip_count_cidr_bits(*mask);
-+ }
-+ if (!strcmp(nat->type, "snat")) {
-+ if (error) {
-+ /* Invalid for both IPv4 and IPv6 */
-+ static struct vlog_rate_limit rl =
-+ VLOG_RATE_LIMIT_INIT(5, 1);
-+ VLOG_WARN_RL(&rl, "bad ip network or ip %s for snat "
-+ "in router "UUID_FMT"",
-+ nat->logical_ip, UUID_ARGS(&od->key));
-+ free(error);
-+ return -EINVAL;
-+ }
-+ } else {
-+ if (error || (*is_v6 == false && *mask != OVS_BE32_MAX)
-+ || (*is_v6 && memcmp(&mask_v6, &v6_exact,
-+ sizeof mask_v6))) {
-+ /* Invalid for both IPv4 and IPv6 */
-+ static struct vlog_rate_limit rl =
-+ VLOG_RATE_LIMIT_INIT(5, 1);
-+ VLOG_WARN_RL(&rl, "bad ip %s for dnat in router "
-+ ""UUID_FMT"", nat->logical_ip, UUID_ARGS(&od->key));
-+ free(error);
-+ return -EINVAL;
-+ }
-+ }
-
-- /* Distributed router. */
-- ds_clear(match);
-- ds_put_format(match, "ip && ip%s.src == %s"
-- " && outport == %s",
-- is_v6 ? "6" : "4",
-- nat->logical_ip,
-- od->l3dgw_port->json_key);
-- if (!distributed && od->l3redirect_port) {
-- /* Flows for NAT rules that are centralized are only
-- * programmed on the gateway chassis. */
-- priority += 128;
-- ds_put_format(match, " && is_chassis_resident(%s)",
-- od->l3redirect_port->json_key);
-- }
-- ds_clear(actions);
-+ /* For distributed router NAT, determine whether this NAT rule
-+ * satisfies the conditions for distributed NAT processing. */
-+ *distributed = false;
-+ if (od->l3dgw_port && !strcmp(nat->type, "dnat_and_snat") &&
-+ nat->logical_port && nat->external_mac) {
-+ if (eth_addr_from_string(nat->external_mac, mac)) {
-+ *distributed = true;
-+ } else {
-+ static struct vlog_rate_limit rl =
-+ VLOG_RATE_LIMIT_INIT(5, 1);
-+ VLOG_WARN_RL(&rl, "bad mac %s for dnat in router "
-+ ""UUID_FMT"", nat->external_mac, UUID_ARGS(&od->key));
-+ return -EINVAL;
-+ }
-+ }
-
-- if (allowed_ext_ips || exempted_ext_ips) {
-- lrouter_nat_add_ext_ip_match(od, lflows, match, nat,
-- is_v6, false, mask);
-- }
-+ return 0;
-+}
-
-- if (distributed) {
-- ds_put_format(actions, "eth.src = "ETH_ADDR_FMT"; ",
-- ETH_ADDR_ARGS(mac));
-- }
-+/* NAT, Defrag and load balancing. */
-+static void
-+build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od,
-+ struct hmap *lflows,
-+ struct shash *meter_groups,
-+ struct hmap *lbs,
-+ struct ds *match, struct ds *actions)
-+{
-+ if (!od->nbr) {
-+ return;
-+ }
-
-- if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
-- ds_put_format(actions, "ip%s.src=%s; next;",
-- is_v6 ? "6" : "4", nat->external_ip);
-- } else {
-- ds_put_format(actions, "ct_snat(%s",
-- nat->external_ip);
-- if (nat->external_port_range[0]) {
-- ds_put_format(actions, ",%s",
-- nat->external_port_range);
-- }
-- ds_put_format(actions, ");");
-- }
-+ /* Packets are allowed by default. */
-+ ovn_lflow_add(lflows, od, S_ROUTER_IN_DEFRAG, 0, "1", "next;");
-+ ovn_lflow_add(lflows, od, S_ROUTER_IN_UNSNAT, 0, "1", "next;");
-+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 0, "1", "next;");
-+ ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 0, "1", "next;");
-+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 0, "1", "next;");
-+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;");
-+ ovn_lflow_add(lflows, od, S_ROUTER_IN_ECMP_STATEFUL, 0, "1", "next;");
-+
-+ /* Send the IPv6 NS packets to next table. When ovn-controller
-+ * generates IPv6 NS (for the action - nd_ns{}), the injected
-+ * packet would go through conntrack - which is not required. */
-+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 120, "nd_ns", "next;");
-+
-+ /* NAT rules are only valid on Gateway routers and routers with
-+ * l3dgw_port (router has a port with gateway chassis
-+ * specified). */
-+ if (!smap_get(&od->nbr->options, "chassis") && !od->l3dgw_port) {
-+ return;
-+ }
-
-- /* The priority here is calculated such that the
-- * nat->logical_ip with the longest mask gets a higher
-- * priority. */
-- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_SNAT,
-- priority, ds_cstr(match),
-- ds_cstr(actions),
-- &nat->header_);
-- }
-- }
-+ struct sset nat_entries = SSET_INITIALIZER(&nat_entries);
-
-- /* Logical router ingress table 0:
-- * For NAT on a distributed router, add rules allowing
-- * ingress traffic with eth.dst matching nat->external_mac
-- * on the l3dgw_port instance where nat->logical_port is
-- * resident. */
-- if (distributed) {
-- /* Store the ethernet address of the port receiving the packet.
-- * This will save us from having to match on inport further
-- * down in the pipeline.
-- */
-- ds_clear(actions);
-- ds_put_format(actions, REG_INPORT_ETH_ADDR " = %s; next;",
-- od->l3dgw_port->lrp_networks.ea_s);
-+ bool dnat_force_snat_ip =
-+ !lport_addresses_is_empty(&od->dnat_force_snat_addrs);
-+ bool lb_force_snat_ip =
-+ !lport_addresses_is_empty(&od->lb_force_snat_addrs);
-
-- ds_clear(match);
-- ds_put_format(match,
-- "eth.dst == "ETH_ADDR_FMT" && inport == %s"
-- " && is_chassis_resident(\"%s\")",
-- ETH_ADDR_ARGS(mac),
-- od->l3dgw_port->json_key,
-- nat->logical_port);
-- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_ADMISSION, 50,
-- ds_cstr(match), ds_cstr(actions),
-- &nat->header_);
-- }
-+ for (int i = 0; i < od->nbr->n_nat; i++) {
-+ const struct nbrec_nat *nat = nat = od->nbr->nat[i];
-+ struct eth_addr mac = eth_addr_broadcast;
-+ bool is_v6, distributed;
-+ ovs_be32 mask;
-+ int cidr_bits;
-
-- /* Ingress Gateway Redirect Table: For NAT on a distributed
-- * router, add flows that are specific to a NAT rule. These
-- * flows indicate the presence of an applicable NAT rule that
-- * can be applied in a distributed manner.
-- * In particulr REG_SRC_IPV4/REG_SRC_IPV6 and eth.src are set to
-- * NAT external IP and NAT external mac so the ARP request
-- * generated in the following stage is sent out with proper IP/MAC
-- * src addresses.
-- */
-- if (distributed) {
-- ds_clear(match);
-- ds_clear(actions);
-- ds_put_format(match,
-- "ip%s.src == %s && outport == %s && "
-- "is_chassis_resident(\"%s\")",
-- is_v6 ? "6" : "4", nat->logical_ip,
-- od->l3dgw_port->json_key, nat->logical_port);
-- ds_put_format(actions, "eth.src = %s; %s = %s; next;",
-- nat->external_mac,
-- is_v6 ? REG_SRC_IPV6 : REG_SRC_IPV4,
-- nat->external_ip);
-- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_GW_REDIRECT,
-- 100, ds_cstr(match),
-- ds_cstr(actions), &nat->header_);
-- }
-+ if (lrouter_check_nat_entry(od, nat, &mask, &is_v6, &cidr_bits,
-+ &mac, &distributed) < 0) {
-+ continue;
-+ }
-
-- /* Egress Loopback table: For NAT on a distributed router.
-- * If packets in the egress pipeline on the distributed
-- * gateway port have ip.dst matching a NAT external IP, then
-- * loop a clone of the packet back to the beginning of the
-- * ingress pipeline with inport = outport. */
-- if (od->l3dgw_port) {
-- /* Distributed router. */
-- ds_clear(match);
-- ds_put_format(match, "ip%s.dst == %s && outport == %s",
-- is_v6 ? "6" : "4",
-- nat->external_ip,
-- od->l3dgw_port->json_key);
-- if (!distributed) {
-- ds_put_format(match, " && is_chassis_resident(%s)",
-- od->l3redirect_port->json_key);
-- } else {
-- ds_put_format(match, " && is_chassis_resident(\"%s\")",
-- nat->logical_port);
-- }
-+ /* S_ROUTER_IN_UNSNAT */
-+ build_lrouter_in_unsnat_flow(lflows, od, nat, match, actions, distributed,
-+ is_v6);
-+ /* S_ROUTER_IN_DNAT */
-+ build_lrouter_in_dnat_flow(lflows, od, nat, match, actions, distributed,
-+ mask, is_v6);
-
-+ /* ARP resolve for NAT IPs. */
-+ if (od->l3dgw_port) {
-+ if (!sset_contains(&nat_entries, nat->external_ip)) {
-+ ds_clear(match);
-+ ds_put_format(
-+ match, "outport == %s && %s == %s",
-+ od->l3dgw_port->json_key,
-+ is_v6 ? REG_NEXT_HOP_IPV6 : REG_NEXT_HOP_IPV4,
-+ nat->external_ip);
- ds_clear(actions);
-- ds_put_format(actions,
-- "clone { ct_clear; "
-- "inport = outport; outport = \"\"; "
-- "flags = 0; flags.loopback = 1; ");
-- for (int j = 0; j < MFF_N_LOG_REGS; j++) {
-- ds_put_format(actions, "reg%d = 0; ", j);
-- }
-- ds_put_format(actions, REGBIT_EGRESS_LOOPBACK" = 1; "
-- "next(pipeline=ingress, table=%d); };",
-- ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
-- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_EGR_LOOP, 100,
-- ds_cstr(match), ds_cstr(actions),
-+ ds_put_format(
-+ actions, "eth.dst = %s; next;",
-+ distributed ? nat->external_mac :
-+ od->l3dgw_port->lrp_networks.ea_s);
-+ ovn_lflow_add_with_hint(lflows, od,
-+ S_ROUTER_IN_ARP_RESOLVE,
-+ 100, ds_cstr(match),
-+ ds_cstr(actions),
- &nat->header_);
-+ sset_add(&nat_entries, nat->external_ip);
- }
-- }
--
-- /* Handle force SNAT options set in the gateway router. */
-- if (!od->l3dgw_port) {
-- if (dnat_force_snat_ip) {
-- if (od->dnat_force_snat_addrs.n_ipv4_addrs) {
-- build_lrouter_force_snat_flows(lflows, od, "4",
-- od->dnat_force_snat_addrs.ipv4_addrs[0].addr_s,
-- "dnat");
-- }
-- if (od->dnat_force_snat_addrs.n_ipv6_addrs) {
-- build_lrouter_force_snat_flows(lflows, od, "6",
-- od->dnat_force_snat_addrs.ipv6_addrs[0].addr_s,
-- "dnat");
-- }
-- }
-- if (lb_force_snat_ip) {
-- if (od->lb_force_snat_addrs.n_ipv4_addrs) {
-- build_lrouter_force_snat_flows(lflows, od, "4",
-- od->lb_force_snat_addrs.ipv4_addrs[0].addr_s, "lb");
-- }
-- if (od->lb_force_snat_addrs.n_ipv6_addrs) {
-- build_lrouter_force_snat_flows(lflows, od, "6",
-- od->lb_force_snat_addrs.ipv6_addrs[0].addr_s, "lb");
-- }
-+ } else {
-+ /* Add the NAT external_ip to the nat_entries even for
-+ * gateway routers. This is required for adding load balancer
-+ * flows.*/
-+ sset_add(&nat_entries, nat->external_ip);
-+ }
-+
-+ /* S_ROUTER_OUT_UNDNAT */
-+ build_lrouter_out_undnat_flow(lflows, od, nat, match, actions, distributed,
-+ mac, is_v6);
-+ /* S_ROUTER_OUT_SNAT */
-+ build_lrouter_out_snat_flow(lflows, od, nat, match, actions, distributed,
-+ mac, mask, cidr_bits, is_v6);
-+
-+ /* S_ROUTER_IN_ADMISSION - S_ROUTER_IN_IP_INPUT */
-+ build_lrouter_ingress_flow(lflows, od, nat, match, actions,
-+ mac, distributed, is_v6);
-+
-+ /* Ingress Gateway Redirect Table: For NAT on a distributed
-+ * router, add flows that are specific to a NAT rule. These
-+ * flows indicate the presence of an applicable NAT rule that
-+ * can be applied in a distributed manner.
-+ * In particulr REG_SRC_IPV4/REG_SRC_IPV6 and eth.src are set to
-+ * NAT external IP and NAT external mac so the ARP request
-+ * generated in the following stage is sent out with proper IP/MAC
-+ * src addresses.
-+ */
-+ if (distributed) {
-+ ds_clear(match);
-+ ds_clear(actions);
-+ ds_put_format(match,
-+ "ip%s.src == %s && outport == %s && "
-+ "is_chassis_resident(\"%s\")",
-+ is_v6 ? "6" : "4", nat->logical_ip,
-+ od->l3dgw_port->json_key, nat->logical_port);
-+ ds_put_format(actions, "eth.src = %s; %s = %s; next;",
-+ nat->external_mac,
-+ is_v6 ? REG_SRC_IPV6 : REG_SRC_IPV4,
-+ nat->external_ip);
-+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_GW_REDIRECT,
-+ 100, ds_cstr(match),
-+ ds_cstr(actions), &nat->header_);
-+ }
-+
-+ /* Egress Loopback table: For NAT on a distributed router.
-+ * If packets in the egress pipeline on the distributed
-+ * gateway port have ip.dst matching a NAT external IP, then
-+ * loop a clone of the packet back to the beginning of the
-+ * ingress pipeline with inport = outport. */
-+ if (od->l3dgw_port) {
-+ /* Distributed router. */
-+ ds_clear(match);
-+ ds_put_format(match, "ip%s.dst == %s && outport == %s",
-+ is_v6 ? "6" : "4",
-+ nat->external_ip,
-+ od->l3dgw_port->json_key);
-+ if (!distributed) {
-+ ds_put_format(match, " && is_chassis_resident(%s)",
-+ od->l3redirect_port->json_key);
-+ } else {
-+ ds_put_format(match, " && is_chassis_resident(\"%s\")",
-+ nat->logical_port);
- }
-
-- /* For gateway router, re-circulate every packet through
-- * the DNAT zone. This helps with the following.
-- *
-- * Any packet that needs to be unDNATed in the reverse
-- * direction gets unDNATed. Ideally this could be done in
-- * the egress pipeline. But since the gateway router
-- * does not have any feature that depends on the source
-- * ip address being external IP address for IP routing,
-- * we can do it here, saving a future re-circulation. */
-- ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 50,
-- "ip", "flags.loopback = 1; ct_dnat;");
-+ ds_clear(actions);
-+ ds_put_format(actions,
-+ "clone { ct_clear; "
-+ "inport = outport; outport = \"\"; "
-+ "flags = 0; flags.loopback = 1; ");
-+ for (int j = 0; j < MFF_N_LOG_REGS; j++) {
-+ ds_put_format(actions, "reg%d = 0; ", j);
-+ }
-+ ds_put_format(actions, REGBIT_EGRESS_LOOPBACK" = 1; "
-+ "next(pipeline=ingress, table=%d); };",
-+ ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
-+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_EGR_LOOP, 100,
-+ ds_cstr(match), ds_cstr(actions),
-+ &nat->header_);
- }
-+ }
-
-- /* Load balancing and packet defrag are only valid on
-- * Gateway routers or router with gateway port. */
-- if (!smap_get(&od->nbr->options, "chassis") && !od->l3dgw_port) {
-- sset_destroy(&nat_entries);
-- return;
-+ /* Handle force SNAT options set in the gateway router. */
-+ if (!od->l3dgw_port) {
-+ if (dnat_force_snat_ip) {
-+ if (od->dnat_force_snat_addrs.n_ipv4_addrs) {
-+ build_lrouter_force_snat_flows(lflows, od, "4",
-+ od->dnat_force_snat_addrs.ipv4_addrs[0].addr_s,
-+ "dnat");
-+ }
-+ if (od->dnat_force_snat_addrs.n_ipv6_addrs) {
-+ build_lrouter_force_snat_flows(lflows, od, "6",
-+ od->dnat_force_snat_addrs.ipv6_addrs[0].addr_s,
-+ "dnat");
-+ }
- }
--
-- /* A set to hold all ips that need defragmentation and tracking. */
-- struct sset all_ips = SSET_INITIALIZER(&all_ips);
--
-- for (int i = 0; i < od->nbr->n_load_balancer; i++) {
-- struct nbrec_load_balancer *nb_lb = od->nbr->load_balancer[i];
-- struct ovn_northd_lb *lb =
-- ovn_northd_lb_find(lbs, &nb_lb->header_.uuid);
-- ovs_assert(lb);
--
-- for (size_t j = 0; j < lb->n_vips; j++) {
-- struct ovn_lb_vip *lb_vip = &lb->vips[j];
-- struct ovn_northd_lb_vip *lb_vip_nb = &lb->vips_nb[j];
-- ds_clear(actions);
-- build_lb_vip_actions(lb_vip, lb_vip_nb, actions,
-- lb->selection_fields, false);
--
-- if (!sset_contains(&all_ips, lb_vip->vip_str)) {
-- sset_add(&all_ips, lb_vip->vip_str);
-- /* If there are any load balancing rules, we should send
-- * the packet to conntrack for defragmentation and
-- * tracking. This helps with two things.
-- *
-- * 1. With tracking, we can send only new connections to
-- * pick a DNAT ip address from a group.
-- * 2. If there are L4 ports in load balancing rules, we
-- * need the defragmentation to match on L4 ports. */
-- ds_clear(match);
-- if (IN6_IS_ADDR_V4MAPPED(&lb_vip->vip)) {
-- ds_put_format(match, "ip && ip4.dst == %s",
-- lb_vip->vip_str);
-- } else {
-- ds_put_format(match, "ip && ip6.dst == %s",
-- lb_vip->vip_str);
-- }
-- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DEFRAG,
-- 100, ds_cstr(match), "ct_next;",
-- &nb_lb->header_);
-- }
--
-- /* Higher priority rules are added for load-balancing in DNAT
-- * table. For every match (on a VIP[:port]), we add two flows
-- * via add_router_lb_flow(). One flow is for specific matching
-- * on ct.new with an action of "ct_lb($targets);". The other
-- * flow is for ct.est with an action of "ct_dnat;". */
-- ds_clear(match);
-- if (IN6_IS_ADDR_V4MAPPED(&lb_vip->vip)) {
-- ds_put_format(match, "ip && ip4.dst == %s",
-- lb_vip->vip_str);
-- } else {
-- ds_put_format(match, "ip && ip6.dst == %s",
-- lb_vip->vip_str);
-- }
--
-- int prio = 110;
-- bool is_udp = nullable_string_is_equal(nb_lb->protocol, "udp");
-- bool is_sctp = nullable_string_is_equal(nb_lb->protocol,
-- "sctp");
-- const char *proto = is_udp ? "udp" : is_sctp ? "sctp" : "tcp";
--
-- if (lb_vip->vip_port) {
-- ds_put_format(match, " && %s && %s.dst == %d", proto,
-- proto, lb_vip->vip_port);
-- prio = 120;
-- }
--
-- if (od->l3redirect_port &&
-- (lb_vip->n_backends || !lb_vip->empty_backend_rej)) {
-- ds_put_format(match, " && is_chassis_resident(%s)",
-- od->l3redirect_port->json_key);
-- }
-- bool force_snat_for_lb =
-- lb_force_snat_ip || od->lb_force_snat_router_ip;
-- add_router_lb_flow(lflows, od, match, actions, prio,
-- force_snat_for_lb, lb_vip, proto,
-- nb_lb, meter_groups, &nat_entries);
-+ if (lb_force_snat_ip) {
-+ if (od->lb_force_snat_addrs.n_ipv4_addrs) {
-+ build_lrouter_force_snat_flows(lflows, od, "4",
-+ od->lb_force_snat_addrs.ipv4_addrs[0].addr_s, "lb");
-+ }
-+ if (od->lb_force_snat_addrs.n_ipv6_addrs) {
-+ build_lrouter_force_snat_flows(lflows, od, "6",
-+ od->lb_force_snat_addrs.ipv6_addrs[0].addr_s, "lb");
- }
- }
-- sset_destroy(&all_ips);
-+
-+ /* For gateway router, re-circulate every packet through
-+ * the DNAT zone. This helps with the following.
-+ *
-+ * Any packet that needs to be unDNATed in the reverse
-+ * direction gets unDNATed. Ideally this could be done in
-+ * the egress pipeline. But since the gateway router
-+ * does not have any feature that depends on the source
-+ * ip address being external IP address for IP routing,
-+ * we can do it here, saving a future re-circulation. */
-+ ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 50,
-+ "ip", "flags.loopback = 1; ct_dnat;");
-+ }
-+
-+ /* Load balancing and packet defrag are only valid on
-+ * Gateway routers or router with gateway port. */
-+ if (!smap_get(&od->nbr->options, "chassis") && !od->l3dgw_port) {
- sset_destroy(&nat_entries);
-+ return;
- }
-+
-+ build_lrouter_lb_flows(lflows, od, lbs, meter_groups, &nat_entries,
-+ match, actions);
-+
-+ sset_destroy(&nat_entries);
- }
-
-
-@@ -12909,6 +12985,9 @@ ovnnb_db_run(struct northd_context *ctx,
-
- use_logical_dp_groups = smap_get_bool(&nb->options,
- "use_logical_dp_groups", false);
-+ use_ct_inv_match = smap_get_bool(&nb->options,
-+ "use_ct_inv_match", true);
-+
- /* deprecated, use --event instead */
- controller_event_en = smap_get_bool(&nb->options,
- "controller_event", false);
-diff --git a/ovn-nb.xml b/ovn-nb.xml
-index b0a4adffe..046d053e9 100644
---- a/ovn-nb.xml
-+++ b/ovn-nb.xml
-@@ -227,6 +227,21 @@
-
-
-
-+
-+
-+ If set to false, ovn-northd will not use the
-+ ct.inv field in any of the logical flow matches.
-+ The default value is true. If the NIC supports offloading
-+ OVS datapath flows but doesn't support offloading ct_state
-+ inv flag, then the datapath flows matching on this flag
-+ (either +inv or -inv) will not be
-+ offloaded. CMS should consider setting use_ct_inv_match
-+ to false in such cases. This results in a side effect
-+ of the invalid packets getting delivered to the destination VIF,
-+ which otherwise would have been dropped by OVN.
-+
-+
-+
-
-
- These options control how routes are advertised between OVN
-@@ -1653,6 +1668,12 @@
- exactly one IPv4 and/or one IPv6 address on it, separated by a space
- character.
-
-+
-+
-+ If the load balancing rule is configured with skip_snat
-+ option, the force_snat_for_lb option configured for the router
-+ pipeline will not be applied for this load balancer.
-+
-
-
-
-diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
-index 2cd3e261f..5c64fff12 100644
---- a/tests/ovn-controller.at
-+++ b/tests/ovn-controller.at
-@@ -431,3 +431,83 @@ OVS_WAIT_UNTIL([
-
- OVN_CLEANUP([hv1])
- AT_CLEANUP
-+
-+# Test that changes of a port binding from one type to another doesn'that
-+# result in any ovn-controller asserts or crashes.
-+AT_SETUP([ovn-controller - port binding type change handling])
-+AT_KEYWORDS([ovn])
-+ovn_start
-+
-+net_add n1
-+sim_add hv1
-+ovs-vsctl add-br br-phys
-+ovn_attach n1 br-phys 192.168.0.1
-+
-+check ovn-nbctl ls-add ls1 -- lsp-add ls1 lsp1
-+
-+as hv1
-+check ovs-vsctl \
-+ -- add-port br-int vif1 \
-+ -- set Interface vif1 external_ids:iface-id=lsp1
-+
-+# ovn-controller should bind the interface.
-+wait_for_ports_up
-+hv_uuid=$(fetch_column Chassis _uuid name=hv1)
-+check_column "$hv_uuid" Port_Binding chassis logical_port=lsp1
-+
-+AT_CHECK([as hv1 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[lsp1]], OVS interface name : [[vif1]], num binding lports : [[1]]
-+primary lport : [[lsp1]]
-+----------------------------------------
-+])
-+
-+# pause ovn-northd
-+check as northd ovn-appctl -t ovn-northd pause
-+check as northd-backup ovn-appctl -t ovn-northd pause
-+
-+as northd ovn-appctl -t ovn-northd status
-+as northd-backup ovn-appctl -t ovn-northd status
-+
-+pb_types=(patch chassisredirect l3gateway localnet localport l2gateway
-+ virtual external remote vtep)
-+for type in ${pb_types[[@]]}
-+do
-+ for update_type in ${pb_types[[@]]}
-+ do
-+ check ovn-sbctl set port_binding lsp1 type=$type
-+ check as hv1 ovs-vsctl set open . external_ids:ovn-cms-options=$type
-+ OVS_WAIT_UNTIL([test $type = $(ovn-sbctl get chassis . other_config:ovn-cms-options)])
-+
-+ AT_CHECK([as hv1 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[lsp1]], OVS interface name : [[vif1]], num binding lports : [[0]]
-+----------------------------------------
-+])
-+
-+ echo "Updating to $update_type from $type"
-+ check ovn-sbctl set port_binding lsp1 type=$update_type
-+ check as hv1 ovs-vsctl set open . external_ids:ovn-cms-options=$update_type
-+ OVS_WAIT_UNTIL([test $update_type = $(ovn-sbctl get chassis . other_config:ovn-cms-options)])
-+
-+ AT_CHECK([as hv1 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[lsp1]], OVS interface name : [[vif1]], num binding lports : [[0]]
-+----------------------------------------
-+])
-+ # Set the port binding type back to VIF.
-+ check ovn-sbctl set port_binding lsp1 type=\"\"
-+ check as hv1 ovs-vsctl set open . external_ids:ovn-cms-options=foo
-+ OVS_WAIT_UNTIL([test foo = $(ovn-sbctl get chassis . other_config:ovn-cms-options)])
-+
-+ AT_CHECK([as hv1 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[lsp1]], OVS interface name : [[vif1]], num binding lports : [[1]]
-+primary lport : [[lsp1]]
-+----------------------------------------
-+])
-+ done
-+done
-+
-+OVN_CLEANUP([hv1])
-+AT_CLEANUP
-diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at
-index 2ba29a960..4cf14b1f2 100644
---- a/tests/ovn-macros.at
-+++ b/tests/ovn-macros.at
-@@ -433,6 +433,24 @@ wait_for_ports_up() {
- done
- fi
- }
-+
-+# reset_pcap_file iface pcap_file
-+# Resets the pcap file associates with OVS interface. should be used
-+# with dummy datapath.
-+reset_iface_pcap_file() {
-+ local iface=$1
-+ local pcap_file=$2
-+ check rm -f dummy-*.pcap
-+ check ovs-vsctl -- set Interface $iface options:tx_pcap=dummy-tx.pcap \
-+options:rxq_pcap=dummy-rx.pcap
-+ OVS_WAIT_WHILE([test 24 = $(wc -c dummy-tx.pcap | cut -d " " -f1)])
-+ check rm -f ${pcap_file}*.pcap
-+ check ovs-vsctl -- set Interface $iface options:tx_pcap=${pcap_file}-tx.pcap \
-+options:rxq_pcap=${pcap_file}-rx.pcap
-+
-+ OVS_WAIT_WHILE([test 24 = $(wc -c ${pcap_file}-tx.pcap | cut -d " " -f1)])
-+}
-+
- OVS_END_SHELL_HELPERS
-
- m4_define([OVN_POPULATE_ARP], [AT_CHECK(ovn_populate_arp__, [0], [ignore])])
-diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
-index b78baa708..b941ee86b 100644
---- a/tests/ovn-northd.at
-+++ b/tests/ovn-northd.at
-@@ -1077,7 +1077,7 @@ check ovn-nbctl --wait=sb ls-lb-add sw0 lb1
-
- AT_CAPTURE_FILE([sbflows])
- OVS_WAIT_FOR_OUTPUT(
-- [ovn-sbctl dump-flows sw0 | tee sbflows | grep 'priority=120.*ct_lb' | sed 's/table=..//'], 0, [dnl
-+ [ovn-sbctl dump-flows sw0 | tee sbflows | grep 'priority=120.*backends' | sed 's/table=..//'], 0, [dnl
- (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
- ])
-
-@@ -1087,7 +1087,7 @@ wait_row_count Service_Monitor 0
-
- AT_CAPTURE_FILE([sbflows2])
- OVS_WAIT_FOR_OUTPUT(
-- [ovn-sbctl dump-flows sw0 | tee sbflows2 | grep 'priority=120.*ct_lb' | sed 's/table=..//'], [0],
-+ [ovn-sbctl dump-flows sw0 | tee sbflows2 | grep 'priority=120.*backends' | sed 's/table=..//'], [0],
- [ (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
- ])
-
-@@ -1098,7 +1098,7 @@ health_check @hc
- wait_row_count Service_Monitor 2
- check ovn-nbctl --wait=sb sync
-
--ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
-+ovn-sbctl dump-flows sw0 | grep backends | grep priority=120 > lflows.txt
- AT_CHECK([cat lflows.txt | sed 's/table=..//'], [0], [dnl
- (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
- ])
-@@ -1109,7 +1109,7 @@ sm_sw1_p1=$(fetch_column Service_Monitor _uuid logical_port=sw1-p1)
-
- AT_CAPTURE_FILE([sbflows3])
- OVS_WAIT_FOR_OUTPUT(
-- [ovn-sbctl dump-flows sw0 | tee sbflows 3 | grep 'priority=120.*ct_lb' | sed 's/table=..//'], [0],
-+ [ovn-sbctl dump-flows sw0 | tee sbflows 3 | grep 'priority=120.*backends' | sed 's/table=..//'], [0],
- [ (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
- ])
-
-@@ -1120,7 +1120,7 @@ check ovn-nbctl --wait=sb sync
-
- AT_CAPTURE_FILE([sbflows4])
- OVS_WAIT_FOR_OUTPUT(
-- [ovn-sbctl dump-flows sw0 | tee sbflows4 | grep 'priority=120.*ct_lb' | sed 's/table=..//'], [0],
-+ [ovn-sbctl dump-flows sw0 | tee sbflows4 | grep 'priority=120.*backends' | sed 's/table=..//'], [0],
- [ (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80);)
- ])
-
-@@ -1132,7 +1132,7 @@ check ovn-nbctl --wait=sb sync
-
- AT_CAPTURE_FILE([sbflows5])
- OVS_WAIT_FOR_OUTPUT(
-- [ovn-sbctl dump-flows sw0 | tee sbflows5 | grep 'priority=120.*ct_lb'], 1)
-+ [ovn-sbctl dump-flows sw0 | tee sbflows5 | grep 'priority=120.*backends'], 1)
-
- AT_CAPTURE_FILE([sbflows6])
- OVS_WAIT_FOR_OUTPUT(
-@@ -1149,7 +1149,7 @@ check ovn-nbctl --wait=sb sync
-
- AT_CAPTURE_FILE([sbflows7])
- OVS_WAIT_FOR_OUTPUT(
-- [ovn-sbctl dump-flows sw0 | tee sbflows7 | grep ct_lb | grep priority=120 | sed 's/table=..//'], 0,
-+ [ovn-sbctl dump-flows sw0 | tee sbflows7 | grep backends | grep priority=120 | sed 's/table=..//'], 0,
- [ (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
- ])
-
-@@ -1185,7 +1185,7 @@ wait_row_count Service_Monitor 1 port=1000
-
- AT_CAPTURE_FILE([sbflows9])
- OVS_WAIT_FOR_OUTPUT(
-- [ovn-sbctl dump-flows sw0 | tee sbflows9 | grep ct_lb | grep priority=120 | sed 's/table=..//' | sort],
-+ [ovn-sbctl dump-flows sw0 | tee sbflows9 | grep backends | grep priority=120 | sed 's/table=..//' | sort],
- 0,
- [ (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80);)
- (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(reg1 = 10.0.0.40; reg2[[0..15]] = 1000; ct_lb(backends=10.0.0.3:1000);)
-@@ -1199,7 +1199,7 @@ check ovn-nbctl --wait=sb sync
-
- AT_CAPTURE_FILE([sbflows10])
- OVS_WAIT_FOR_OUTPUT(
-- [ovn-sbctl dump-flows sw0 | tee sbflows10 | grep ct_lb | grep priority=120 | sed 's/table=..//' | sort],
-+ [ovn-sbctl dump-flows sw0 | tee sbflows10 | grep backends | grep priority=120 | sed 's/table=..//' | sort],
- 0,
- [ (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
- (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(reg1 = 10.0.0.40; reg2[[0..15]] = 1000; ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
-@@ -1209,7 +1209,7 @@ AS_BOX([Associate lb1 to sw1])
- check ovn-nbctl --wait=sb ls-lb-add sw1 lb1
- AT_CAPTURE_FILE([sbflows11])
- OVS_WAIT_FOR_OUTPUT(
-- [ovn-sbctl dump-flows sw1 | tee sbflows11 | grep ct_lb | grep priority=120 | sed 's/table=..//' | sort],
-+ [ovn-sbctl dump-flows sw1 | tee sbflows11 | grep backends | grep priority=120 | sed 's/table=..//' | sort],
- 0, [dnl
- (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
- (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(reg1 = 10.0.0.40; reg2[[0..15]] = 1000; ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
-@@ -1269,7 +1269,7 @@ ovn-sbctl set service_monitor $sm_sw1_p1 status=offline
- AT_CAPTURE_FILE([sbflows12])
- OVS_WAIT_FOR_OUTPUT(
- [ovn-sbctl dump-flows sw0 | tee sbflows12 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" | grep priority=120 | sed 's/table=..//'], [0], [dnl
-- (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=6);};)
-+ (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=5);};)
- ])
-
- AT_CLEANUP
-@@ -1671,13 +1671,13 @@ AT_CHECK([ovn-sbctl lflow-list | grep "ls_out_pre_lb.*priority=100" | grep reg0
- ovn-nbctl ls-lb-add sw0 lb1
- ovn-nbctl --wait=sb sync
- AT_CHECK([ovn-sbctl lflow-list | grep "ls_out_pre_lb.*priority=100" | grep reg0 | sort], [0], [dnl
-- table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;)
-+ table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
- ])
-
- ovn-nbctl ls-lb-add sw0 lb2
- ovn-nbctl --wait=sb sync
- AT_CHECK([ovn-sbctl lflow-list | grep "ls_out_pre_lb.*priority=100" | grep reg0 | sort], [0], [dnl
-- table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;)
-+ table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
- ])
-
- lb1_uuid=$(ovn-nbctl --bare --columns _uuid find load_balancer name=lb1)
-@@ -1686,7 +1686,7 @@ lb2_uuid=$(ovn-nbctl --bare --columns _uuid find load_balancer name=lb2)
- ovn-nbctl clear load_balancer $lb1_uuid vips
- ovn-nbctl --wait=sb sync
- AT_CHECK([ovn-sbctl lflow-list | grep "ls_out_pre_lb.*priority=100" | grep reg0 | sort], [0], [dnl
-- table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;)
-+ table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
- ])
-
- ovn-nbctl clear load_balancer $lb2_uuid vips
-@@ -1699,14 +1699,14 @@ ovn-nbctl set load_balancer $lb2_uuid vips:"10.0.0.11"="10.0.0.4"
-
- ovn-nbctl --wait=sb sync
- AT_CHECK([ovn-sbctl lflow-list | grep "ls_out_pre_lb.*priority=100" | grep reg0 | sort], [0], [dnl
-- table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;)
-+ table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
- ])
-
- # Now reverse the order of clearing the vip.
- ovn-nbctl clear load_balancer $lb2_uuid vips
- ovn-nbctl --wait=sb sync
- AT_CHECK([ovn-sbctl lflow-list | grep "ls_out_pre_lb.*priority=100" | grep reg0 | sort], [0], [dnl
-- table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;)
-+ table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
- ])
-
- ovn-nbctl clear load_balancer $lb1_uuid vips
-@@ -1754,10 +1754,10 @@ AT_CAPTURE_FILE([sw1flows])
-
- AT_CHECK(
- [grep -E 'ls_(in|out)_acl' sw0flows sw1flows | grep pg0 | sort], [0], [dnl
--sw0flows: table=5 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
--sw0flows: table=9 (ls_in_acl ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };)
--sw1flows: table=5 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
--sw1flows: table=9 (ls_in_acl ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };)
-+sw0flows: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
-+sw0flows: table=9 (ls_in_acl ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };)
-+sw1flows: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
-+sw1flows: table=9 (ls_in_acl ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };)
- ])
-
- AS_BOX([2])
-@@ -1770,10 +1770,10 @@ ovn-sbctl dump-flows sw1 > sw1flows2
- AT_CAPTURE_FILE([sw1flows2])
-
- AT_CHECK([grep "ls_out_acl" sw0flows2 sw1flows2 | grep pg0 | sort], [0], [dnl
--sw0flows2: table=5 (ls_out_acl ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
--sw0flows2: table=5 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
--sw1flows2: table=5 (ls_out_acl ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
--sw1flows2: table=5 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
-+sw0flows2: table=4 (ls_out_acl ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
-+sw0flows2: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
-+sw1flows2: table=4 (ls_out_acl ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
-+sw1flows2: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
- ])
-
- AS_BOX([3])
-@@ -1786,18 +1786,18 @@ ovn-sbctl dump-flows sw1 > sw1flows3
- AT_CAPTURE_FILE([sw1flows3])
-
- AT_CHECK([grep "ls_out_acl" sw0flows3 sw1flows3 | grep pg0 | sort], [0], [dnl
--sw0flows3: table=5 (ls_out_acl ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;)
--sw0flows3: table=5 (ls_out_acl ), priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;)
--sw0flows3: table=5 (ls_out_acl ), priority=2002 , match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
--sw0flows3: table=5 (ls_out_acl ), priority=2002 , match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
--sw0flows3: table=5 (ls_out_acl ), priority=2003 , match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
--sw0flows3: table=5 (ls_out_acl ), priority=2003 , match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
--sw1flows3: table=5 (ls_out_acl ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;)
--sw1flows3: table=5 (ls_out_acl ), priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;)
--sw1flows3: table=5 (ls_out_acl ), priority=2002 , match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
--sw1flows3: table=5 (ls_out_acl ), priority=2002 , match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
--sw1flows3: table=5 (ls_out_acl ), priority=2003 , match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
--sw1flows3: table=5 (ls_out_acl ), priority=2003 , match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };)
-+sw0flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;)
-+sw0flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;)
-+sw0flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
-+sw0flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
-+sw0flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
-+sw0flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
-+sw1flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;)
-+sw1flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;)
-+sw1flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
-+sw1flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
-+sw1flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
-+sw1flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=22); };)
- ])
-
- AT_CLEANUP
-@@ -1932,17 +1932,17 @@ check ovn-nbctl --wait=sb \
- -- acl-add ls from-lport 2 "udp" allow-related \
- -- acl-add ls to-lport 2 "udp" allow-related
- AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl -e ls_out_acl | grep 'ct\.' | sort], [0], [dnl
-- table=4 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_label.blocked == 0), action=(reg0[[10]] = 1; next;)
-- table=4 (ls_out_acl_hint ), priority=2 , match=(ct.est && ct_label.blocked == 1), action=(reg0[[9]] = 1; next;)
-- table=4 (ls_out_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[[9]] = 1; next;)
-- table=4 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
-- table=4 (ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-- table=4 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-- table=4 (ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-- table=5 (ls_out_acl ), priority=1 , match=(ip && (!ct.est || (ct.est && ct_label.blocked == 1))), action=(reg0[[1]] = 1; next;)
-- table=5 (ls_out_acl ), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
-- table=5 (ls_out_acl ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
-- table=5 (ls_out_acl ), priority=65535, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
-+ table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_label.blocked == 0), action=(reg0[[10]] = 1; next;)
-+ table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est && ct_label.blocked == 1), action=(reg0[[9]] = 1; next;)
-+ table=3 (ls_out_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[[9]] = 1; next;)
-+ table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
-+ table=3 (ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-+ table=3 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-+ table=3 (ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-+ table=4 (ls_out_acl ), priority=1 , match=(ip && (!ct.est || (ct.est && ct_label.blocked == 1))), action=(reg0[[1]] = 1; next;)
-+ table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
-+ table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
-+ table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
- table=8 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_label.blocked == 0), action=(reg0[[10]] = 1; next;)
- table=8 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_label.blocked == 1), action=(reg0[[9]] = 1; next;)
- table=8 (ls_in_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[[9]] = 1; next;)
-@@ -1951,9 +1951,9 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e
- table=8 (ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
- table=8 (ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
- table=9 (ls_in_acl ), priority=1 , match=(ip && (!ct.est || (ct.est && ct_label.blocked == 1))), action=(reg0[[1]] = 1; next;)
-- table=9 (ls_in_acl ), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
-- table=9 (ls_in_acl ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
-- table=9 (ls_in_acl ), priority=65535, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
-+ table=9 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
-+ table=9 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
-+ table=9 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
- ])
-
- AS_BOX([Check match ct_state with load balancer])
-@@ -1963,18 +1963,25 @@ check ovn-nbctl --wait=sb \
- -- lb-add lb "10.0.0.1" "10.0.0.2" \
- -- ls-lb-add ls lb
-
--AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl -e ls_out_acl | grep 'ct\.' | sort], [0], [dnl
-- table=4 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_label.blocked == 0), action=(reg0[[10]] = 1; next;)
-- table=4 (ls_out_acl_hint ), priority=2 , match=(ct.est && ct_label.blocked == 1), action=(reg0[[9]] = 1; next;)
-- table=4 (ls_out_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[[9]] = 1; next;)
-- table=4 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
-- table=4 (ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-- table=4 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-- table=4 (ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-- table=5 (ls_out_acl ), priority=1 , match=(ip && (!ct.est || (ct.est && ct_label.blocked == 1))), action=(reg0[[1]] = 1; next;)
-- table=5 (ls_out_acl ), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
-- table=5 (ls_out_acl ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
-- table=5 (ls_out_acl ), priority=65535, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
-+AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl -e ls_out_acl | sort], [0], [dnl
-+ table=3 (ls_out_acl_hint ), priority=0 , match=(1), action=(next;)
-+ table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_label.blocked == 0), action=(reg0[[10]] = 1; next;)
-+ table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est && ct_label.blocked == 1), action=(reg0[[9]] = 1; next;)
-+ table=3 (ls_out_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[[9]] = 1; next;)
-+ table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
-+ table=3 (ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-+ table=3 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-+ table=3 (ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-+ table=4 (ls_out_acl ), priority=0 , match=(1), action=(next;)
-+ table=4 (ls_out_acl ), priority=1 , match=(ip && (!ct.est || (ct.est && ct_label.blocked == 1))), action=(reg0[[1]] = 1; next;)
-+ table=4 (ls_out_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg0[[1]] = 1; next;)
-+ table=4 (ls_out_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(next;)
-+ table=4 (ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;)
-+ table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
-+ table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
-+ table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
-+ table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;)
-+ table=8 (ls_in_acl_hint ), priority=0 , match=(1), action=(next;)
- table=8 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_label.blocked == 0), action=(reg0[[10]] = 1; next;)
- table=8 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_label.blocked == 1), action=(reg0[[9]] = 1; next;)
- table=8 (ls_in_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[[9]] = 1; next;)
-@@ -1982,12 +1989,28 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e
- table=8 (ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
- table=8 (ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
- table=8 (ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-+ table=9 (ls_in_acl ), priority=0 , match=(1), action=(next;)
- table=9 (ls_in_acl ), priority=1 , match=(ip && (!ct.est || (ct.est && ct_label.blocked == 1))), action=(reg0[[1]] = 1; next;)
-- table=9 (ls_in_acl ), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
-- table=9 (ls_in_acl ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
-- table=9 (ls_in_acl ), priority=65535, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
-+ table=9 (ls_in_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg0[[1]] = 1; next;)
-+ table=9 (ls_in_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(next;)
-+ table=9 (ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;)
-+ table=9 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
-+ table=9 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
-+ table=9 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
-+ table=9 (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;)
-+])
-+
-+ovn-nbctl --wait=sb clear logical_switch ls acls
-+ovn-nbctl --wait=sb clear logical_switch ls load_balancer
-+
-+AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl -e ls_out_acl | sort], [0], [dnl
-+ table=3 (ls_out_acl_hint ), priority=65535, match=(1), action=(next;)
-+ table=4 (ls_out_acl ), priority=65535, match=(1), action=(next;)
-+ table=8 (ls_in_acl_hint ), priority=65535, match=(1), action=(next;)
-+ table=9 (ls_in_acl ), priority=65535, match=(1), action=(next;)
- ])
-
-+
- AT_CLEANUP
-
- AT_SETUP([datapath requested-tnl-key])
-@@ -2197,20 +2220,20 @@ check ovn-nbctl \
- check ovn-nbctl --wait=sb sync
-
- AT_CHECK([ovn-sbctl lflow-list sw0 | grep ls_in_pre_hairpin | sort], [0], [dnl
-- table=14(ls_in_pre_hairpin ), priority=0 , match=(1), action=(next;)
-- table=14(ls_in_pre_hairpin ), priority=100 , match=(ip && ct.trk), action=(reg0[[6]] = chk_lb_hairpin(); reg0[[12]] = chk_lb_hairpin_reply(); next;)
-+ table=13(ls_in_pre_hairpin ), priority=0 , match=(1), action=(next;)
-+ table=13(ls_in_pre_hairpin ), priority=100 , match=(ip && ct.trk), action=(reg0[[6]] = chk_lb_hairpin(); reg0[[12]] = chk_lb_hairpin_reply(); next;)
- ])
-
- AT_CHECK([ovn-sbctl lflow-list sw0 | grep ls_in_nat_hairpin | sort], [0], [dnl
-- table=15(ls_in_nat_hairpin ), priority=0 , match=(1), action=(next;)
-- table=15(ls_in_nat_hairpin ), priority=100 , match=(ip && ct.est && ct.trk && reg0[[6]] == 1), action=(ct_snat;)
-- table=15(ls_in_nat_hairpin ), priority=100 , match=(ip && ct.new && ct.trk && reg0[[6]] == 1), action=(ct_snat_to_vip; next;)
-- table=15(ls_in_nat_hairpin ), priority=90 , match=(ip && reg0[[12]] == 1), action=(ct_snat;)
-+ table=14(ls_in_nat_hairpin ), priority=0 , match=(1), action=(next;)
-+ table=14(ls_in_nat_hairpin ), priority=100 , match=(ip && ct.est && ct.trk && reg0[[6]] == 1), action=(ct_snat;)
-+ table=14(ls_in_nat_hairpin ), priority=100 , match=(ip && ct.new && ct.trk && reg0[[6]] == 1), action=(ct_snat_to_vip; next;)
-+ table=14(ls_in_nat_hairpin ), priority=90 , match=(ip && reg0[[12]] == 1), action=(ct_snat;)
- ])
-
- AT_CHECK([ovn-sbctl lflow-list sw0 | grep ls_in_hairpin | sort], [0], [dnl
-- table=16(ls_in_hairpin ), priority=0 , match=(1), action=(next;)
-- table=16(ls_in_hairpin ), priority=1 , match=((reg0[[6]] == 1 || reg0[[12]] == 1)), action=(eth.dst <-> eth.src; outport = inport; flags.loopback = 1; output;)
-+ table=15(ls_in_hairpin ), priority=0 , match=(1), action=(next;)
-+ table=15(ls_in_hairpin ), priority=1 , match=((reg0[[6]] == 1 || reg0[[12]] == 1)), action=(eth.dst <-> eth.src; outport = inport; flags.loopback = 1; output;)
- ])
-
- AT_CLEANUP
-@@ -2324,6 +2347,13 @@ check ovn-nbctl lsp-set-options public-lr0 router-port=lr0-public
-
- check ovn-nbctl --wait=sb lr-policy-add lr0 10 "ip4.src == 10.0.0.3" reroute 172.168.0.101,172.168.0.102
-
-+ovn-nbctl lr-policy-list lr0 > policy-list
-+AT_CAPTURE_FILE([policy-list])
-+AT_CHECK([cat policy-list], [0], [dnl
-+Routing Policies
-+ 10 ip4.src == 10.0.0.3 reroute 172.168.0.101, 172.168.0.102
-+])
-+
- ovn-sbctl dump-flows lr0 > lr0flows3
- AT_CAPTURE_FILE([lr0flows3])
-
-@@ -2551,7 +2581,7 @@ wait_row_count nb:Logical_Switch_Port 1 up=false name=lsp1
-
- AT_CLEANUP
-
--AT_SETUP([ovn -- lb_force_snat_ip for Gateway Routers])
-+AT_SETUP([ovn -- Load Balancers and lb_force_snat_ip for Gateway Routers])
- ovn_start
-
- check ovn-nbctl ls-add sw0
-@@ -2589,11 +2619,11 @@ AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
- table=5 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
- ])
-
--AT_CHECK([grep "lr_in_dnat" lr0flows | grep force_snat_for_lb | sort], [0], [dnl
--])
--
--
--AT_CHECK([grep "lr_out_snat" lr0flows | grep force_snat_for_lb | sort], [0], [dnl
-+AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
-+ table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
-+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_dnat;)
-+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_lb(backends=10.0.0.4:8080);)
-+ table=6 (lr_in_dnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
- ])
-
- check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="20.0.0.4 aef0::4"
-@@ -2608,14 +2638,18 @@ AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
- table=5 (lr_in_unsnat ), priority=110 , match=(ip6 && ip6.dst == aef0::4), action=(ct_snat;)
- ])
-
--AT_CHECK([grep "lr_in_dnat" lr0flows | grep force_snat_for_lb | sort], [0], [dnl
-+AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
-+ table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_dnat;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.4:8080);)
-+ table=6 (lr_in_dnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
- ])
-
--AT_CHECK([grep "lr_out_snat" lr0flows | grep force_snat_for_lb | sort], [0], [dnl
-+AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
-+ table=1 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_snat ), priority=100 , match=(flags.force_snat_for_lb == 1 && ip4), action=(ct_snat(20.0.0.4);)
- table=1 (lr_out_snat ), priority=100 , match=(flags.force_snat_for_lb == 1 && ip6), action=(ct_snat(aef0::4);)
-+ table=1 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
- ])
-
- check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="router_ip"
-@@ -2633,15 +2667,19 @@ AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
- table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip4.dst == 20.0.0.1), action=(ct_snat;)
- ])
-
--AT_CHECK([grep "lr_in_dnat" lr0flows | grep force_snat_for_lb | sort], [0], [dnl
-+AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
-+ table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_dnat;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.4:8080);)
-+ table=6 (lr_in_dnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
- ])
-
--AT_CHECK([grep "lr_out_snat" lr0flows | grep force_snat_for_lb | sort], [0], [dnl
-+AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
-+ table=1 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.100);)
- table=1 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
- table=1 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw1"), action=(ct_snat(20.0.0.1);)
-+ table=1 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
- ])
-
- check ovn-nbctl --wait=sb remove logical_router lr0 options chassis
-@@ -2653,7 +2691,9 @@ AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
- table=5 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
- ])
-
--AT_CHECK([grep "lr_out_snat" lr0flows | grep force_snat_for_lb | sort], [0], [dnl
-+AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
-+ table=1 (lr_out_snat ), priority=0 , match=(1), action=(next;)
-+ table=1 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
- ])
-
- check ovn-nbctl set logical_router lr0 options:chassis=ch1
-@@ -2670,16 +2710,43 @@ AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
- table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip6.dst == bef0::1), action=(ct_snat;)
- ])
-
--AT_CHECK([grep "lr_in_dnat" lr0flows | grep force_snat_for_lb | sort], [0], [dnl
-+AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
-+ table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_dnat;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.4:8080);)
-+ table=6 (lr_in_dnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
- ])
-
--AT_CHECK([grep "lr_out_snat" lr0flows | grep force_snat_for_lb | sort], [0], [dnl
-+AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
-+ table=1 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.100);)
- table=1 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
- table=1 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw1"), action=(ct_snat(20.0.0.1);)
- table=1 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip6 && outport == "lr0-sw1"), action=(ct_snat(bef0::1);)
-+ table=1 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
-+])
-+
-+check ovn-nbctl --wait=sb lb-add lb2 10.0.0.20:80 10.0.0.40:8080
-+check ovn-nbctl --wait=sb set load_balancer lb2 options:skip_snat=true
-+check ovn-nbctl lr-lb-add lr0 lb2
-+check ovn-nbctl --wait=sb lb-del lb1
-+ovn-sbctl dump-flows lr0 > lr0flows
-+
-+AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
-+ table=5 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
-+ table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-public" && ip4.dst == 172.168.0.100), action=(ct_snat;)
-+ table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw0" && ip4.dst == 10.0.0.1), action=(ct_snat;)
-+ table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip4.dst == 20.0.0.1), action=(ct_snat;)
-+ table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip6.dst == bef0::1), action=(ct_snat;)
-+])
-+
-+AT_CHECK([grep "lr_in_dnat" lr0flows | grep skip_snat_for_lb | sort], [0], [dnl
-+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_dnat;)
-+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb(backends=10.0.0.40:8080);)
-+])
-+
-+AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb | sort], [0], [dnl
-+ table=1 (lr_out_snat ), priority=120 , match=(flags.skip_snat_for_lb == 1 && ip), action=(next;)
- ])
-
- AT_CLEANUP
-@@ -2783,3 +2850,206 @@ wait_row_count FDB 0
- ovn-sbctl list FDB
-
- AT_CLEANUP
-+
-+AT_SETUP([ovn -- LS load balancer logical flows])
-+ovn_start
-+
-+check ovn-nbctl \
-+ -- ls-add sw0 \
-+ -- lb-add lb0 10.0.0.10:80 10.0.0.4:8080 \
-+ -- ls-lb-add sw0 lb0
-+
-+check ovn-nbctl lr-add lr0
-+check ovn-nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01 10.0.0.1/24
-+check ovn-nbctl lsp-add sw0 sw0-lr0
-+check ovn-nbctl lsp-set-type sw0-lr0 router
-+check ovn-nbctl lsp-set-addresses sw0-lr0 00:00:00:00:ff:01
-+check ovn-nbctl lsp-set-options sw0-lr0 router-port=lr0-sw0
-+
-+check ovn-nbctl --wait=sb sync
-+
-+check_stateful_flows() {
-+ ovn-sbctl dump-flows sw0 > sw0flows
-+ AT_CAPTURE_FILE([sw0flows])
-+
-+ AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort], [0], [dnl
-+ table=6 (ls_in_pre_lb ), priority=0 , match=(1), action=(next;)
-+ table=6 (ls_in_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
-+ table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;)
-+ table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;)
-+ table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;)
-+])
-+
-+ AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl
-+ table=7 (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;)
-+ table=7 (ls_in_pre_stateful ), priority=100 , match=(reg0[[0]] == 1), action=(ct_next;)
-+ table=7 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb;)
-+ table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && sctp), action=(reg1 = ip4.dst; reg2[[0..15]] = sctp.dst; ct_lb;)
-+ table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && tcp), action=(reg1 = ip4.dst; reg2[[0..15]] = tcp.dst; ct_lb;)
-+ table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && udp), action=(reg1 = ip4.dst; reg2[[0..15]] = udp.dst; ct_lb;)
-+ table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && sctp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = sctp.dst; ct_lb;)
-+ table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && tcp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = tcp.dst; ct_lb;)
-+ table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && udp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = udp.dst; ct_lb;)
-+])
-+
-+ AT_CHECK([grep "ls_in_stateful" sw0flows | sort], [0], [dnl
-+ table=12(ls_in_stateful ), priority=0 , match=(1), action=(next;)
-+ table=12(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1), action=(ct_commit { ct_label.blocked = 0; }; next;)
-+ table=12(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb(backends=10.0.0.4:8080);)
-+])
-+
-+ AT_CHECK([grep "ls_out_pre_lb" sw0flows | sort], [0], [dnl
-+ table=0 (ls_out_pre_lb ), priority=0 , match=(1), action=(next;)
-+ table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
-+ table=0 (ls_out_pre_lb ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;)
-+ table=0 (ls_out_pre_lb ), priority=110 , match=(ip && outport == "sw0-lr0"), action=(next;)
-+ table=0 (ls_out_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;)
-+])
-+
-+ AT_CHECK([grep "ls_out_pre_stateful" sw0flows | sort], [0], [dnl
-+ table=2 (ls_out_pre_stateful), priority=0 , match=(1), action=(next;)
-+ table=2 (ls_out_pre_stateful), priority=100 , match=(reg0[[0]] == 1), action=(ct_next;)
-+ table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb;)
-+])
-+
-+ AT_CHECK([grep "ls_out_lb" sw0flows | sort], [0], [])
-+
-+ AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl
-+ table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;)
-+ table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1), action=(ct_commit { ct_label.blocked = 0; }; next;)
-+])
-+}
-+
-+check_stateful_flows
-+
-+# Add few ACLs
-+check ovn-nbctl --wait=sb acl-add sw0 from-lport 1002 "ip4 && tcp && tcp.dst == 80" allow-related
-+check ovn-nbctl --wait=sb acl-add sw0 to-lport 1002 "ip4 && tcp && tcp.src == 80" drop
-+
-+check_stateful_flows
-+
-+# Remove load balancer from sw0
-+check ovn-nbctl --wait=sb ls-lb-del sw0 lb0
-+
-+ovn-sbctl dump-flows sw0 > sw0flows
-+AT_CAPTURE_FILE([sw0flows])
-+
-+AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort], [0], [dnl
-+ table=6 (ls_in_pre_lb ), priority=0 , match=(1), action=(next;)
-+ table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;)
-+ table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;)
-+ table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;)
-+])
-+
-+AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl
-+ table=7 (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;)
-+ table=7 (ls_in_pre_stateful ), priority=100 , match=(reg0[[0]] == 1), action=(ct_next;)
-+ table=7 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb;)
-+ table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && sctp), action=(reg1 = ip4.dst; reg2[[0..15]] = sctp.dst; ct_lb;)
-+ table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && tcp), action=(reg1 = ip4.dst; reg2[[0..15]] = tcp.dst; ct_lb;)
-+ table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && udp), action=(reg1 = ip4.dst; reg2[[0..15]] = udp.dst; ct_lb;)
-+ table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && sctp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = sctp.dst; ct_lb;)
-+ table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && tcp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = tcp.dst; ct_lb;)
-+ table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && udp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = udp.dst; ct_lb;)
-+])
-+
-+AT_CHECK([grep "ls_in_stateful" sw0flows | sort], [0], [dnl
-+ table=12(ls_in_stateful ), priority=0 , match=(1), action=(next;)
-+ table=12(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1), action=(ct_commit { ct_label.blocked = 0; }; next;)
-+])
-+
-+AT_CHECK([grep "ls_out_pre_lb" sw0flows | sort], [0], [dnl
-+ table=0 (ls_out_pre_lb ), priority=0 , match=(1), action=(next;)
-+ table=0 (ls_out_pre_lb ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;)
-+ table=0 (ls_out_pre_lb ), priority=110 , match=(ip && outport == "sw0-lr0"), action=(next;)
-+ table=0 (ls_out_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;)
-+])
-+
-+AT_CHECK([grep "ls_out_pre_stateful" sw0flows | sort], [0], [dnl
-+ table=2 (ls_out_pre_stateful), priority=0 , match=(1), action=(next;)
-+ table=2 (ls_out_pre_stateful), priority=100 , match=(reg0[[0]] == 1), action=(ct_next;)
-+ table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb;)
-+])
-+
-+AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl
-+ table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;)
-+ table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1), action=(ct_commit { ct_label.blocked = 0; }; next;)
-+])
-+
-+AT_CLEANUP
-+])
-+
-+AT_SETUP([ovn -- ct.inv usage])
-+ovn_start
-+
-+check ovn-nbctl ls-add sw0
-+check ovn-nbctl lsp-add sw0 sw0p1
-+
-+check ovn-nbctl --wait=sb acl-add sw0 to-lport 1002 ip allow-related
-+
-+ovn-sbctl dump-flows sw0 > sw0flows
-+AT_CAPTURE_FILE([sw0flows])
-+
-+AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort], [0], [dnl
-+ table=9 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
-+ table=9 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
-+ table=9 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
-+ table=9 (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;)
-+])
-+
-+AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort], [0], [dnl
-+ table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
-+ table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
-+ table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
-+ table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;)
-+])
-+
-+# Disable ct.inv usage.
-+check ovn-nbctl --wait=sb set NB_Global . options:use_ct_inv_match=false
-+
-+ovn-sbctl dump-flows sw0 > sw0flows
-+AT_CAPTURE_FILE([sw0flows])
-+
-+AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort], [0], [dnl
-+ table=9 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_label.blocked == 0), action=(next;)
-+ table=9 (ls_in_acl ), priority=65532, match=((ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
-+ table=9 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_label.blocked == 0), action=(next;)
-+ table=9 (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;)
-+])
-+
-+AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort], [0], [dnl
-+ table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_label.blocked == 0), action=(next;)
-+ table=4 (ls_out_acl ), priority=65532, match=((ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
-+ table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_label.blocked == 0), action=(next;)
-+ table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;)
-+])
-+
-+AT_CHECK([grep -c "ct.inv" sw0flows], [1], [dnl
-+0
-+])
-+
-+# Enable ct.inv usage.
-+check ovn-nbctl --wait=sb set NB_Global . options:use_ct_inv_match=true
-+
-+ovn-sbctl dump-flows sw0 > sw0flows
-+AT_CAPTURE_FILE([sw0flows])
-+
-+AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort], [0], [dnl
-+ table=9 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
-+ table=9 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
-+ table=9 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
-+ table=9 (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;)
-+])
-+
-+AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort], [0], [dnl
-+ table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
-+ table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
-+ table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
-+ table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;)
-+])
-+
-+AT_CHECK([grep -c "ct.inv" sw0flows], [0], [dnl
-+6
-+])
-+
-+AT_CLEANUP
-diff --git a/tests/ovn.at b/tests/ovn.at
-index b465784cd..f994088ed 100644
---- a/tests/ovn.at
-+++ b/tests/ovn.at
-@@ -9878,15 +9878,12 @@ AT_CHECK([ovn-nbctl --wait=sb sync], [0], [ignore])
- ovn-sbctl dump-flows > sbflows
- AT_CAPTURE_FILE([sbflows])
-
--reset_pcap_file() {
-- local iface=$1
-- local pcap_file=$2
-- check ovs-vsctl -- set Interface $iface options:tx_pcap=dummy-tx.pcap \
--options:rxq_pcap=dummy-rx.pcap
-- rm -f ${pcap_file}*.pcap
-- check ovs-vsctl -- set Interface $iface options:tx_pcap=${pcap_file}-tx.pcap \
--options:rxq_pcap=${pcap_file}-rx.pcap
--}
-+hv1_gw1_ofport=$(as hv1 ovs-vsctl --bare --columns ofport find Interface name=ovn-gw1-0)
-+hv1_gw2_ofport=$(as hv1 ovs-vsctl --bare --columns ofport find Interface name=ovn-gw2-0)
-+
-+OVS_WAIT_UNTIL([
-+ test 1 = $(as hv1 ovs-ofctl dump-flows br-int table=37 | grep -c "active_backup,ofport,members:$hv1_gw1_ofport,$hv1_gw2_ofport")
-+])
-
- test_ip_packet()
- {
-@@ -9932,13 +9929,13 @@ test_ip_packet()
- echo $expected > ext1-vif1.expected
- exp_gw_ip_garp=ffffffffffff00000201020308060001080006040001000002010203ac100101000000000000ac100101
- echo $exp_gw_ip_garp >> ext1-vif1.expected
-- as $active_gw reset_pcap_file br-phys_n1 $active_gw/br-phys_n1
-+ as $active_gw reset_iface_pcap_file br-phys_n1 $active_gw/br-phys_n1
-
- if test $backup_vswitchd_dead != 1; then
- # Reset the file only if vswitchd in backup gw is alive
-- as $backup_gw reset_pcap_file br-phys_n1 $backup_gw/br-phys_n1
-+ as $backup_gw reset_iface_pcap_file br-phys_n1 $backup_gw/br-phys_n1
- fi
-- as ext1 reset_pcap_file ext1-vif1 ext1/vif1
-+ as ext1 reset_iface_pcap_file ext1-vif1 ext1/vif1
-
- # Resend packet from foo1 to outside1
- check as hv1 ovs-appctl netdev-dummy/receive hv1-vif1 $packet
-@@ -9990,6 +9987,10 @@ AT_CHECK(
- <1>
- ])
-
-+OVS_WAIT_UNTIL([
-+ test 1 = $(as hv1 ovs-ofctl dump-flows br-int table=37 | grep -c "active_backup,ofport,members:$hv1_gw2_ofport,$hv1_gw1_ofport")
-+])
-+
- test_ip_packet gw2 gw1 0
-
- # Get the claim count of both gw1 and gw2.
-@@ -10010,6 +10011,12 @@ OVS_WAIT_UNTIL([test $gw1_claim_ct = `cat gw1/ovn-controller.log \
- AT_CHECK([test $gw2_claim_ct = `cat gw2/ovn-controller.log | \
- grep -c "cr-alice: Claiming"`])
-
-+OVS_WAIT_UNTIL([
-+ bfd_status=$(as hv1 ovs-vsctl get interface ovn-gw2-0 bfd_status:state)
-+ echo "bfd status = $bfd_status"
-+ test "$bfd_status" = "down"
-+])
-+
- test_ip_packet gw1 gw2 1
-
- as gw2
-@@ -11494,6 +11501,59 @@ OVN_CLEANUP([hv1],[hv2])
-
- AT_CLEANUP
-
-+AT_SETUP([ovn -- localport suppress gARP])
-+ovn_start
-+
-+net_add n1
-+sim_add hv1
-+as hv1
-+check ovs-vsctl add-br br-phys
-+ovn_attach n1 br-phys 192.168.0.1
-+
-+check ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
-+
-+check ovn-nbctl ls-add ls \
-+ -- lsp-add ls lp \
-+ -- lsp-set-type lp localport \
-+ -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1" \
-+ -- lsp-add ls ln \
-+ -- lsp-set-type ln localnet \
-+ -- lsp-set-options ln network_name=phys \
-+ -- lsp-add ls lsp \
-+ -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2"
-+
-+dnl First bind the localport.
-+check ovs-vsctl add-port br-int vif1 \
-+ -- set Interface vif1 external-ids:iface-id=lp
-+check ovn-nbctl --wait=hv sync
-+
-+dnl Then bind the regular vif.
-+check ovs-vsctl add-port br-int vif2 \
-+ -- set Interface vif2 external-ids:iface-id=lsp \
-+ options:tx_pcap=hv1/vif2-tx.pcap \
-+ options:rxq_pcap=hv1/vif2-rx.pcap
-+
-+wait_for_ports_up lsp
-+check ovn-nbctl --wait=hv sync
-+
-+dnl Wait for at least two gARPs from lsp (10.0.0.2).
-+lsp_garp=ffffffffffff000000000002080600010800060400010000000000020a0000020000000000000a000002
-+OVS_WAIT_UNTIL([
-+ garps=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep ${lsp_garp} -c`
-+ test $garps -ge 2
-+])
-+
-+dnl At this point it's safe to assume that ovn-controller skipped sending gARP
-+dnl for the localport. Check that there are no other packets than the gARPs
-+dnl for the regular vif.
-+AT_CHECK([
-+ pkts=`$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv1/br-phys-tx.pcap | grep -v ${lsp_garp} -c`
-+ test 0 -eq $pkts
-+])
-+
-+OVN_CLEANUP([hv1])
-+AT_CLEANUP
-+
- AT_SETUP([ovn -- 1 LR with HA distributed router gateway port])
- ovn_start
-
-@@ -13901,16 +13961,16 @@ check ovn-nbctl acl-add ls1 to-lport 3 'ip4.src==10.0.0.1' allow
- check ovn-nbctl --wait=hv sync
-
- # Check OVS flows, the less restrictive flows should have been installed.
--AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=45 | ofctl_strip_all | \
-+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \
- grep "priority=1003" | \
- sed 's/conjunction([[^)]]*)/conjunction()/g' | sort], [0], [dnl
-- table=45, priority=1003,conj_id=2,ip,metadata=0x1 actions=resubmit(,46)
-- table=45, priority=1003,conj_id=3,ip,metadata=0x1 actions=resubmit(,46)
-- table=45, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,46)
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction()
-+ table=44, priority=1003,conj_id=2,ip,metadata=0x1 actions=resubmit(,45)
-+ table=44, priority=1003,conj_id=3,ip,metadata=0x1 actions=resubmit(,45)
-+ table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,45)
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction()
- ])
-
- # Traffic 10.0.0.1, 10.0.0.2 -> 10.0.0.3, 10.0.0.4 should be allowed.
-@@ -13945,16 +14005,16 @@ check ovn-nbctl acl-del ls1 to-lport 3 'ip4.src==10.0.0.1 || ip4.src==10.0.0.1'
- check ovn-nbctl --wait=hv sync
-
- # Check OVS flows, the second less restrictive allow ACL should have been installed.
--AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=45 | ofctl_strip_all | \
-+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \
- grep "priority=1003" | \
- sed 's/conjunction([[^)]]*)/conjunction()/g' | sort], [0], [dnl
-- table=45, priority=1003,conj_id=2,ip,metadata=0x1 actions=resubmit(,46)
-- table=45, priority=1003,conj_id=3,ip,metadata=0x1 actions=resubmit(,46)
-- table=45, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,46)
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction()
-+ table=44, priority=1003,conj_id=2,ip,metadata=0x1 actions=resubmit(,45)
-+ table=44, priority=1003,conj_id=3,ip,metadata=0x1 actions=resubmit(,45)
-+ table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,45)
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction()
- ])
-
- # Remove the less restrictive allow ACL.
-@@ -13962,16 +14022,16 @@ check ovn-nbctl acl-del ls1 to-lport 3 'ip4.src==10.0.0.1'
- check ovn-nbctl --wait=hv sync
-
- # Check OVS flows, the 10.0.0.1 conjunction should have been reinstalled.
--AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=45 | ofctl_strip_all | \
-+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \
- grep "priority=1003" | \
- sed 's/conjunction([[^)]]*)/conjunction()/g' | sort], [0], [dnl
-- table=45, priority=1003,conj_id=2,ip,metadata=0x1 actions=resubmit(,46)
-- table=45, priority=1003,conj_id=3,ip,metadata=0x1 actions=resubmit(,46)
-- table=45, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=conjunction(),conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction()
-+ table=44, priority=1003,conj_id=2,ip,metadata=0x1 actions=resubmit(,45)
-+ table=44, priority=1003,conj_id=3,ip,metadata=0x1 actions=resubmit(,45)
-+ table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=conjunction(),conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction()
- ])
-
- # Traffic 10.0.0.1, 10.0.0.2 -> 10.0.0.3, 10.0.0.4 should be allowed.
-@@ -14001,16 +14061,16 @@ check ovn-nbctl acl-add ls1 to-lport 3 'ip4.src==10.0.0.1' allow
- check ovn-nbctl --wait=hv sync
-
- # Check OVS flows, the less restrictive flows should have been installed.
--AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=45 | ofctl_strip_all | \
-+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \
- grep "priority=1003" | \
- sed 's/conjunction([[^)]]*)/conjunction()/g' | sort], [0], [dnl
-- table=45, priority=1003,conj_id=2,ip,metadata=0x1 actions=resubmit(,46)
-- table=45, priority=1003,conj_id=3,ip,metadata=0x1 actions=resubmit(,46)
-- table=45, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,46)
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction()
-+ table=44, priority=1003,conj_id=2,ip,metadata=0x1 actions=resubmit(,45)
-+ table=44, priority=1003,conj_id=3,ip,metadata=0x1 actions=resubmit(,45)
-+ table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,45)
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction()
- ])
-
- # Add another ACL that overlaps with the existing less restrictive ones.
-@@ -14021,19 +14081,19 @@ check ovn-nbctl --wait=hv sync
- # with an additional conjunction action.
- #
- # New non-conjunctive flows should be added to match on 'udp'.
--AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=45 | ofctl_strip_all | \
-+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \
- grep "priority=1003" | \
- sed 's/conjunction([[^)]]*)/conjunction()/g' | sort], [0], [dnl
-- table=45, priority=1003,conj_id=2,ip,metadata=0x1 actions=resubmit(,46)
-- table=45, priority=1003,conj_id=3,ip,metadata=0x1 actions=resubmit(,46)
-- table=45, priority=1003,conj_id=4,ip,metadata=0x1 actions=resubmit(,46)
-- table=45, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction(),conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction(),conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,46)
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction(),conjunction()
-- table=45, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction()
-- table=45, priority=1003,udp,metadata=0x1 actions=resubmit(,46)
-- table=45, priority=1003,udp6,metadata=0x1 actions=resubmit(,46)
-+ table=44, priority=1003,conj_id=2,ip,metadata=0x1 actions=resubmit(,45)
-+ table=44, priority=1003,conj_id=3,ip,metadata=0x1 actions=resubmit(,45)
-+ table=44, priority=1003,conj_id=4,ip,metadata=0x1 actions=resubmit(,45)
-+ table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction(),conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction(),conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,45)
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction(),conjunction()
-+ table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction()
-+ table=44, priority=1003,udp,metadata=0x1 actions=resubmit(,45)
-+ table=44, priority=1003,udp6,metadata=0x1 actions=resubmit(,45)
- ])
-
- OVN_CLEANUP([hv1])
-@@ -15375,7 +15435,7 @@ wait_for_ports_up ls1-lp_ext1
- # There should be a flow in hv2 to drop traffic from ls1-lp_ext1 destined
- # to router mac.
- AT_CHECK([as hv2 ovs-ofctl dump-flows br-int \
--table=30,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \
-+table=29,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \
- grep -c "actions=drop"], [0], [1
- ])
-
-@@ -16647,56 +16707,67 @@ ovs-vsctl -- add-port br-int hv2-vif2 -- \
-
- ovn-nbctl ls-add sw0
-
--ovn-nbctl lsp-add sw0 sw0-vir
--ovn-nbctl lsp-set-addresses sw0-vir "50:54:00:00:00:10 10.0.0.10"
--ovn-nbctl lsp-set-port-security sw0-vir "50:54:00:00:00:10 10.0.0.10"
--ovn-nbctl lsp-set-type sw0-vir virtual
--ovn-nbctl set logical_switch_port sw0-vir options:virtual-ip=10.0.0.10
--ovn-nbctl set logical_switch_port sw0-vir options:virtual-parents=sw0-p1,sw0-p2,sw0-p3
-+check ovn-nbctl lsp-add sw0 sw0-vir
-+check ovn-nbctl lsp-set-addresses sw0-vir "50:54:00:00:00:10 10.0.0.10"
-+check ovn-nbctl lsp-set-port-security sw0-vir "50:54:00:00:00:10 10.0.0.10"
-+check ovn-nbctl lsp-set-type sw0-vir virtual
-+check ovn-nbctl set logical_switch_port sw0-vir options:virtual-ip=10.0.0.10
-+check ovn-nbctl set logical_switch_port sw0-vir options:virtual-parents=sw0-p1,sw0-p2,sw0-p3
-
--ovn-nbctl lsp-add sw0 sw0-p1
--ovn-nbctl lsp-set-addresses sw0-p1 "50:54:00:00:00:03 10.0.0.3"
--ovn-nbctl lsp-set-port-security sw0-p1 "50:54:00:00:00:03 10.0.0.3 10.0.0.10"
-+check ovn-nbctl lsp-add sw0 sw0-p1
-+check ovn-nbctl lsp-set-addresses sw0-p1 "50:54:00:00:00:03 10.0.0.3"
-+check ovn-nbctl lsp-set-port-security sw0-p1 "50:54:00:00:00:03 10.0.0.3 10.0.0.10"
-
--ovn-nbctl lsp-add sw0 sw0-p2
--ovn-nbctl lsp-set-addresses sw0-p2 "50:54:00:00:00:04 10.0.0.4"
--ovn-nbctl lsp-set-port-security sw0-p2 "50:54:00:00:00:04 10.0.0.4 10.0.0.10"
-+check ovn-nbctl lsp-add sw0 sw0-p2
-+check ovn-nbctl lsp-set-addresses sw0-p2 "50:54:00:00:00:04 10.0.0.4"
-+check ovn-nbctl lsp-set-port-security sw0-p2 "50:54:00:00:00:04 10.0.0.4 10.0.0.10"
-
--ovn-nbctl lsp-add sw0 sw0-p3
--ovn-nbctl lsp-set-addresses sw0-p3 "50:54:00:00:00:05 10.0.0.5"
--ovn-nbctl lsp-set-port-security sw0-p3 "50:54:00:00:00:05 10.0.0.5 10.0.0.10"
-+check ovn-nbctl lsp-add sw0 sw0-p3
-+check ovn-nbctl lsp-set-addresses sw0-p3 "50:54:00:00:00:05 10.0.0.5"
-+check ovn-nbctl lsp-set-port-security sw0-p3 "50:54:00:00:00:05 10.0.0.5 10.0.0.10"
-
- # Create the second logical switch with one port
--ovn-nbctl ls-add sw1
--ovn-nbctl lsp-add sw1 sw1-p1
--ovn-nbctl lsp-set-addresses sw1-p1 "40:54:00:00:00:03 20.0.0.3"
--ovn-nbctl lsp-set-port-security sw1-p1 "40:54:00:00:00:03 20.0.0.3"
-+check ovn-nbctl ls-add sw1
-+check ovn-nbctl lsp-add sw1 sw1-p1
-+check ovn-nbctl lsp-set-addresses sw1-p1 "40:54:00:00:00:03 20.0.0.3"
-+check ovn-nbctl lsp-set-port-security sw1-p1 "40:54:00:00:00:03 20.0.0.3"
-
- # Create a logical router and attach both logical switches
--ovn-nbctl lr-add lr0
--ovn-nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01 10.0.0.1/24
--ovn-nbctl lsp-add sw0 sw0-lr0
--ovn-nbctl lsp-set-type sw0-lr0 router
--ovn-nbctl lsp-set-addresses sw0-lr0 00:00:00:00:ff:01
--ovn-nbctl lsp-set-options sw0-lr0 router-port=lr0-sw0
-+check ovn-nbctl lr-add lr0
-+check ovn-nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01 10.0.0.1/24
-+check ovn-nbctl lsp-add sw0 sw0-lr0
-+check ovn-nbctl lsp-set-type sw0-lr0 router
-+check ovn-nbctl lsp-set-addresses sw0-lr0 00:00:00:00:ff:01
-+check ovn-nbctl lsp-set-options sw0-lr0 router-port=lr0-sw0
-
--ovn-nbctl lrp-add lr0 lr0-sw1 00:00:00:00:ff:02 20.0.0.1/24
--ovn-nbctl lsp-add sw1 sw1-lr0
--ovn-nbctl lsp-set-type sw1-lr0 router
--ovn-nbctl lsp-set-addresses sw1-lr0 00:00:00:00:ff:02
--ovn-nbctl lsp-set-options sw1-lr0 router-port=lr0-sw1
-+check ovn-nbctl lrp-add lr0 lr0-sw1 00:00:00:00:ff:02 20.0.0.1/24
-+check ovn-nbctl lsp-add sw1 sw1-lr0
-+check ovn-nbctl lsp-set-type sw1-lr0 router
-+check ovn-nbctl lsp-set-addresses sw1-lr0 00:00:00:00:ff:02
-+check ovn-nbctl lsp-set-options sw1-lr0 router-port=lr0-sw1
-
--OVN_POPULATE_ARP
-+# Add an ACL that matches on sw0-vir being bound locally.
-+check ovn-nbctl acl-add sw0 to-lport 1000 'is_chassis_resident("sw0-vir") && ip' allow
-
--# Delete sw0-vir and add again.
--ovn-nbctl lsp-del sw0-vir
-+check ovn-nbctl ls-add public
-+check ovn-nbctl lrp-add lr0 lr0-public 00:00:20:20:12:13 172.168.0.100/24
-+check ovn-nbctl lsp-add public public-lr0
-+check ovn-nbctl lsp-set-type public-lr0 router
-+check ovn-nbctl lsp-set-addresses public-lr0 router
-+check ovn-nbctl lsp-set-options public-lr0 router-port=lr0-public
-
--ovn-nbctl lsp-add sw0 sw0-vir
--ovn-nbctl lsp-set-addresses sw0-vir "50:54:00:00:00:10 10.0.0.10"
--ovn-nbctl lsp-set-port-security sw0-vir "50:54:00:00:00:10 10.0.0.10"
--ovn-nbctl lsp-set-type sw0-vir virtual
--ovn-nbctl set logical_switch_port sw0-vir options:virtual-ip=10.0.0.10
--ovn-nbctl set logical_switch_port sw0-vir options:virtual-parents=sw0-p1,sw0-p2,sw0-p3
-+# localnet port
-+check ovn-nbctl lsp-add public ln-public
-+check ovn-nbctl lsp-set-type ln-public localnet
-+check ovn-nbctl lsp-set-addresses ln-public unknown
-+check ovn-nbctl lsp-set-options ln-public network_name=public
-+
-+# schedule the gw router port to a chassis. Change the name of the chassis
-+check ovn-nbctl --wait=hv lrp-set-gateway-chassis lr0-public hv1 20
-+
-+check ovn-nbctl lr-nat-add lr0 dnat_and_snat 172.168.0.50 10.0.0.10 sw0-vir 10:54:00:00:00:10
-+
-+OVN_POPULATE_ARP
-
- wait_for_ports_up
- ovn-nbctl --wait=hv sync
-@@ -16746,6 +16817,30 @@ ovs-vsctl del-port hv1-vif3
- AT_CHECK([test x$(ovn-sbctl --bare --columns chassis find port_binding \
- logical_port=sw0-vir) = x], [0], [])
-
-+check_virtual_offlows_present() {
-+ hv=$1
-+
-+ AT_CHECK([as $hv ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | grep "priority=2000"], [0], [dnl
-+ table=44, priority=2000,ip,metadata=0x1 actions=resubmit(,45)
-+ table=44, priority=2000,ipv6,metadata=0x1 actions=resubmit(,45)
-+])
-+
-+ AT_CHECK([as $hv ovs-ofctl dump-flows br-int table=11 | ofctl_strip_all | \
-+ grep "priority=92" | grep 172.168.0.50], [0], [dnl
-+ table=11, priority=92,arp,reg14=0x3,metadata=0x3,arp_tpa=172.168.0.50,arp_op=1 actions=move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],mod_dl_src:10:54:00:00:00:10,load:0x2->NXM_OF_ARP_OP[[]],move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],load:0x105400000010->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],load:0xaca80032->NXM_OF_ARP_SPA[[]],move:NXM_NX_REG14[[]]->NXM_NX_REG15[[]],load:0x1->NXM_NX_REG10[[0]],resubmit(,37)
-+])
-+}
-+
-+check_virtual_offlows_not_present() {
-+ hv=$1
-+ AT_CHECK([as $hv ovs-ofctl dump-flows br-int table=45 | ofctl_strip_all | grep "priority=2000"], [1], [dnl
-+])
-+
-+ AT_CHECK([as $hv ovs-ofctl dump-flows br-int table=11 | ofctl_strip_all | \
-+ grep "priority=92" | grep 172.168.0.50], [1], [dnl
-+])
-+}
-+
- # From sw0-p0 send GARP for 10.0.0.10. hv1 should claim sw0-vir
- # and sw0-p1 should be its virtual_parent.
- eth_src=505400000003
-@@ -16767,6 +16862,13 @@ AT_CHECK([grep lr_in_arp_resolve lr0-flows2 | grep "reg0 == 10.0.0.10" | sed 's/
- table=??(lr_in_arp_resolve ), priority=100 , match=(outport == "lr0-sw0" && reg0 == 10.0.0.10), action=(eth.dst = 50:54:00:00:00:03; next;)
- ])
-
-+# hv1 should add the flow for the ACL with is_chassis_redirect check for sw0-vir and
-+# arp responder flow in lr0 pipeline.
-+check_virtual_offlows_present hv1
-+
-+# hv2 should not have the above flows.
-+check_virtual_offlows_not_present hv2
-+
- # Forcibly clear virtual_parent. ovn-controller should release the binding
- # gracefully.
- pb_uuid=$(ovn-sbctl --bare --columns _uuid find port_binding logical_port=sw0-vir)
-@@ -16777,6 +16879,13 @@ logical_port=sw0-vir) = x])
-
- wait_row_count nb:Logical_Switch_Port 1 up=false name=sw0-vir
-
-+check ovn-nbctl --wait=hv sync
-+# hv1 should remove the flow for the ACL with is_chassis_redirect check for sw0-vir.
-+check_virtual_offlows_not_present hv1
-+
-+# hv2 should not have the flow for ACL.
-+check_virtual_offlows_not_present hv2
-+
- # From sw0-p0 resend GARP for 10.0.0.10. hv1 should reclaim sw0-vir
- # and sw0-p1 should be its virtual_parent.
- send_garp 1 1 $eth_src $eth_dst $spa $tpa
-@@ -16789,6 +16898,58 @@ logical_port=sw0-vir) = xsw0-p1])
-
- wait_for_ports_up sw0-vir
-
-+check ovn-nbctl --wait=hv sync
-+# hv1 should add the flow for the ACL with is_chassis_redirect check for sw0-vir and
-+# arp responder flow in lr0 pipeline.
-+check_virtual_offlows_present hv1
-+
-+# hv2 should not have the above flows.
-+check_virtual_offlows_not_present hv2
-+
-+# Release sw0-p1.
-+as hv1 ovs-vsctl set interface hv1-vif1 external-ids:iface-id=sw0-px
-+wait_column "false" nb:Logical_Switch_Port up name=sw0-p1
-+wait_column "false" nb:Logical_Switch_Port up name=sw0-vir
-+
-+check ovn-nbctl --wait=hv sync
-+# hv1 should remove the flow for the ACL with is_chassis_redirect check for sw0-vir and
-+# arp responder flow in lr0 pipeline.
-+check_virtual_offlows_not_present hv1
-+
-+# hv2 should not have the above flows.
-+check_virtual_offlows_not_present hv2
-+
-+# Claim sw0-p1 again.
-+as hv1 ovs-vsctl set interface hv1-vif1 external-ids:iface-id=sw0-p1
-+wait_for_ports_up sw0-p1
-+
-+# hv1 should not have the flow for the ACL with is_chassis_redirect check for sw0-vir and
-+# arp responder flow in lr0 pipeline.
-+check_virtual_offlows_not_present hv1
-+
-+# hv2 should not have the above flows.
-+check_virtual_offlows_not_present hv2
-+
-+# From sw0-p0 send GARP for 10.0.0.10. hv1 should claim sw0-vir
-+# and sw0-p1 should be its virtual_parent.
-+eth_src=505400000003
-+eth_dst=ffffffffffff
-+spa=$(ip_to_hex 10 0 0 10)
-+tpa=$(ip_to_hex 10 0 0 10)
-+send_garp 1 1 $eth_src $eth_dst $spa $tpa
-+
-+wait_row_count Port_Binding 1 logical_port=sw0-vir chassis=$hv1_ch_uuid
-+check_row_count Port_Binding 1 logical_port=sw0-vir virtual_parent=sw0-p1
-+wait_for_ports_up sw0-vir
-+check ovn-nbctl --wait=hv sync
-+
-+# hv1 should add the flow for the ACL with is_chassis_redirect check for sw0-vir and
-+# arp responder flow in lr0 pipeline.
-+check_virtual_offlows_present hv1
-+
-+# hv2 should not have the above flows.
-+check_virtual_offlows_not_present hv2
-+
- # From sw0-p3 send GARP for 10.0.0.10. hv1 should claim sw0-vir
- # and sw0-p3 should be its virtual_parent.
- eth_src=505400000005
-@@ -16806,8 +16967,8 @@ logical_port=sw0-vir) = xsw0-p3])
- wait_for_ports_up sw0-vir
-
- # There should be an arp resolve flow to resolve the virtual_ip with the
--# sw0-p2's MAC.
--sleep 1
-+# sw0-p3's MAC.
-+check ovn-nbctl --wait=hv sync
- ovn-sbctl dump-flows lr0 > lr0-flows3
- AT_CAPTURE_FILE([lr0-flows3])
- cp ovn-sb/ovn-sb.db lr0-flows3.db
-@@ -16815,6 +16976,13 @@ AT_CHECK([grep lr_in_arp_resolve lr0-flows3 | grep "reg0 == 10.0.0.10" | sed 's
- table=??(lr_in_arp_resolve ), priority=100 , match=(outport == "lr0-sw0" && reg0 == 10.0.0.10), action=(eth.dst = 50:54:00:00:00:05; next;)
- ])
-
-+# hv1 should add the flow for the ACL with is_chassis_redirect check for sw0-vir and
-+# arp responder flow in lr0 pipeline.
-+check_virtual_offlows_present hv1
-+
-+# hv2 should not have the above flows.
-+check_virtual_offlows_not_present hv2
-+
- # send the garp from sw0-p2 (in hv2). hv2 should claim sw0-vir
- # and sw0-p2 shpuld be its virtual_parent.
- eth_src=505400000004
-@@ -16832,14 +17000,21 @@ logical_port=sw0-vir) = xsw0-p2])
- wait_for_ports_up sw0-vir
-
- # There should be an arp resolve flow to resolve the virtual_ip with the
--# sw0-p3's MAC.
--sleep 1
-+# sw0-p2's MAC.
-+check ovn-nbctl --wait=hv sync
- ovn-sbctl dump-flows lr0 > lr0-flows4
- AT_CAPTURE_FILE([lr0-flows4])
- AT_CHECK([grep lr_in_arp_resolve lr0-flows4 | grep "reg0 == 10.0.0.10" | sed 's/table=../table=??/'], [0], [dnl
- table=??(lr_in_arp_resolve ), priority=100 , match=(outport == "lr0-sw0" && reg0 == 10.0.0.10), action=(eth.dst = 50:54:00:00:00:04; next;)
- ])
-
-+# hv2 should add the flow for the ACL with is_chassis_redirect check for sw0-vir and
-+# arp responder flow in lr0 pipeline.
-+check_virtual_offlows_present hv2
-+
-+# hv1 should not have the above flows.
-+check_virtual_offlows_not_present hv1
-+
- # Now send arp reply from sw0-p1. hv1 should claim sw0-vir
- # and sw0-p1 shpuld be its virtual_parent.
- eth_src=505400000003
-@@ -16863,6 +17038,14 @@ AT_CHECK([grep lr_in_arp_resolve lr0-flows5 | grep "reg0 == 10.0.0.10" | sed 's/
- table=??(lr_in_arp_resolve ), priority=100 , match=(outport == "lr0-sw0" && reg0 == 10.0.0.10), action=(eth.dst = 50:54:00:00:00:03; next;)
- ])
-
-+check ovn-nbctl --wait=hv sync
-+# hv1 should add the flow for the ACL with is_chassis_redirect check for sw0-vir and
-+# arp responder flow in lr0 pipeline.
-+check_virtual_offlows_present hv1
-+
-+# hv2 should not have the above flows.
-+check_virtual_offlows_not_present hv2
-+
- # Delete hv1-vif1 port. hv1 should release sw0-vir
- as hv1 ovs-vsctl del-port hv1-vif1
-
-@@ -16883,6 +17066,15 @@ AT_CHECK([grep lr_in_arp_resolve lr0-flows6 | grep "reg0 == 10.0.0.10" | sed 's/
- table=??(lr_in_arp_resolve ), priority=100 , match=(outport == "lr0-sw0" && reg0 == 10.0.0.10), action=(eth.dst = 00:00:00:00:00:00; next;)
- ])
-
-+check ovn-nbctl --wait=hv sync
-+# hv1 should remove the flow for the ACL with is_chassis_redirect check for sw0-vir and
-+# arp responder flow in lr0 pipeline.
-+check_virtual_offlows_not_present hv1
-+
-+# hv2 should not have the above flows.
-+check_virtual_offlows_not_present hv2
-+
-+
- # Now send arp reply from sw0-p2. hv2 should claim sw0-vir
- # and sw0-p2 should be its virtual_parent.
- eth_src=505400000004
-@@ -16906,6 +17098,14 @@ AT_CHECK([grep lr_in_arp_resolve lr0-flows7 | grep "reg0 == 10.0.0.10" | sed 's/
- table=??(lr_in_arp_resolve ), priority=100 , match=(outport == "lr0-sw0" && reg0 == 10.0.0.10), action=(eth.dst = 50:54:00:00:00:04; next;)
- ])
-
-+check ovn-nbctl --wait=hv sync
-+# hv2 should add the flow for the ACL with is_chassis_redirect check for sw0-vir and
-+# arp responder flow in lr0 pipeline.
-+check_virtual_offlows_present hv2
-+
-+# hv1 should not have the above flows.
-+check_virtual_offlows_not_present hv1
-+
- # Delete sw0-p2 logical port
- ovn-nbctl lsp-del sw0-p2
-
-@@ -16933,6 +17133,14 @@ AT_CHECK([grep ls_in_arp_rsp sw0-flows3 | grep bind_vport | sed 's/table=../tabl
- table=??(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
- ])
-
-+check ovn-nbctl --wait=hv sync
-+# hv2 should remove the flow for the ACL with is_chassis_redirect check for sw0-vir and
-+# arp responder flow in lr0 pipeline.
-+check_virtual_offlows_not_present hv2
-+
-+# hv1 should not have the above flows.
-+check_virtual_offlows_not_present hv2
-+
- ovn-nbctl --wait=hv remove logical_switch_port sw0-vir options virtual-parents
- ovn-sbctl dump-flows sw0 > sw0-flows4
- AT_CAPTURE_FILE([sw0-flows4])
-@@ -16942,6 +17150,38 @@ ovn-sbctl dump-flows lr0 > lr0-flows8
- AT_CAPTURE_FILE([lr0-flows8])
- AT_CHECK([grep lr_in_arp_resolve lr0-flows8 | grep "reg0 == 10.0.0.10"], [1])
-
-+# Delete sw0-vir and add again.
-+ovn-nbctl lsp-del sw0-vir
-+
-+ovn-nbctl lsp-add sw0 sw0-vir
-+ovn-nbctl lsp-set-addresses sw0-vir "50:54:00:00:00:10 10.0.0.10"
-+ovn-nbctl lsp-set-port-security sw0-vir "50:54:00:00:00:10 10.0.0.10"
-+ovn-nbctl lsp-set-type sw0-vir virtual
-+ovn-nbctl set logical_switch_port sw0-vir options:virtual-ip=10.0.0.10
-+ovn-nbctl set logical_switch_port sw0-vir options:virtual-parents=sw0-p1,sw0-p2,sw0-p3
-+
-+ovn-nbctl --wait=hv sync
-+
-+# Check that logical flows are added for sw0-vir in lsp_in_arp_rsp pipeline
-+# with bind_vport action.
-+
-+ovn-sbctl dump-flows sw0 > sw0-flows
-+AT_CAPTURE_FILE([sw0-flows])
-+
-+AT_CHECK([grep ls_in_arp_rsp sw0-flows | grep bind_vport | sed 's/table=../table=??/' | sort], [0], [dnl
-+ table=??(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p1" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
-+ table=??(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
-+])
-+
-+ovn-sbctl dump-flows lr0 > lr0-flows
-+AT_CAPTURE_FILE([lr0-flows])
-+
-+# Since the sw0-vir is not claimed by any chassis, eth.dst should be set to
-+# zero if the ip4.dst is the virtual ip in the router pipeline.
-+AT_CHECK([grep lr_in_arp_resolve lr0-flows | grep "reg0 == 10.0.0.10" | sed 's/table=../table=??/'], [0], [dnl
-+ table=??(lr_in_arp_resolve ), priority=100 , match=(outport == "lr0-sw0" && reg0 == 10.0.0.10), action=(eth.dst = 00:00:00:00:00:00; next;)
-+])
-+
- OVN_CLEANUP([hv1], [hv2])
- AT_CLEANUP
-
-@@ -17321,6 +17561,27 @@ check ovs-vsctl -- add-port br-int hv2-vif4 -- \
- ofport-request=1
- ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
-
-+AT_CAPTURE_FILE([exp])
-+AT_CAPTURE_FILE([rcv])
-+check_packets() {
-+ > exp
-+ > rcv
-+ if test "$1" = --uniq; then
-+ sort="sort -u"; shift
-+ else
-+ sort=sort
-+ fi
-+ for tuple in "$@"; do
-+ set $tuple; pcap=$1 type=$2
-+ echo "--- $pcap" | tee -a exp >> rcv
-+ $sort "$type" >> exp
-+ $PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" $pcap | $sort >> rcv
-+ echo | tee -a exp >> rcv
-+ done
-+
-+ $at_diff exp rcv >/dev/null
-+}
-+
- OVN_POPULATE_ARP
-
- # Enable IGMP snooping on sw1.
-@@ -17337,21 +17598,16 @@ ovn-sbctl dump-flows > sbflows
- AT_CAPTURE_FILE([expected])
- AT_CAPTURE_FILE([received])
- > expected
--> received
--for i in 1 2; do
-- for j in 1 2; do
-- pcap=hv$i/vif$j-tx.pcap
-- echo "--- $pcap" | tee -a expected >> received
-- $PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" $pcap | sort >> received
-- echo | tee -a expected >> received
-- done
--done
--check $at_diff -F'^---' expected received
-+OVS_WAIT_UNTIL(
-+ [check_packets 'hv1/vif1-tx.pcap expected' \
-+ 'hv1/vif2-tx.pcap expected' \
-+ 'hv2/vif1-tx.pcap expected' \
-+ 'hv2/vif2-tx.pcap expected'],
-+ [$at_diff -F'^---' exp rcv])
-
- check ovn-nbctl --wait=hv sync
-
- AT_CAPTURE_FILE([sbflows2])
--cp ovn-sb/ovn-sb.db ovn-sb2.db
- ovn-sbctl dump-flows > sbflows2
-
- # Inject IGMP Join for 239.0.1.68 on sw1-p11.
-@@ -17369,7 +17625,6 @@ wait_row_count IGMP_Group 2 address=239.0.1.68
- check ovn-nbctl --wait=hv sync
-
- AT_CAPTURE_FILE([sbflows3])
--cp ovn-sb/ovn-sb.db ovn-sb3.db
- ovn-sbctl dump-flows > sbflows3
-
- AS_BOX([IGMP traffic test 1])
-@@ -17386,22 +17641,6 @@ store_ip_multicast_pkt \
- $(ip_to_hex 10 0 0 42) $(ip_to_hex 239 0 1 68) 1e 20 ca70 11 \
- e518e518000a3b3a0000 expected
-
--AT_CAPTURE_FILE([exp])
--AT_CAPTURE_FILE([rcv])
--check_packets() {
-- > exp
-- > rcv
-- for tuple in "$@"; do
-- set $tuple; pcap=$1 type=$2
-- echo "--- $pcap" | tee -a exp >> rcv
-- sort "$type" >> exp
-- $PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" $pcap | sort >> rcv
-- echo | tee -a exp >> rcv
-- done
--
-- $at_diff exp rcv >/dev/null
--}
--
- OVS_WAIT_UNTIL(
- [check_packets 'hv1/vif1-tx.pcap expected' \
- 'hv2/vif1-tx.pcap expected' \
-@@ -17492,15 +17731,26 @@ check ovn-nbctl set Logical_Switch sw2 \
- other_config:mcast_ip4_src="20.0.0.254"
-
- AS_BOX([IGMP traffic test 4])
--# Wait for 1 query interval (1 sec) and check that two queries are generated.
-+# Check that multiple queries are generated over time.
- > expected
- store_igmp_v3_query 0000000002fe $(ip_to_hex 20 0 0 254) 84dd expected
- store_igmp_v3_query 0000000002fe $(ip_to_hex 20 0 0 254) 84dd expected
-
--OVS_WAIT_UNTIL(
-- [check_packets 'hv1/vif3-tx.pcap expected' \
-- 'hv2/vif3-tx.pcap expected'],
-- [$at_diff -F'^---' exp rcv])
-+for count in 1 2 3; do
-+ as hv1 reset_pcap_file hv1-vif1 hv1/vif1
-+ as hv1 reset_pcap_file hv1-vif2 hv1/vif2
-+ as hv1 reset_pcap_file hv1-vif3 hv1/vif3
-+ as hv1 reset_pcap_file hv1-vif4 hv1/vif4
-+ as hv2 reset_pcap_file hv2-vif1 hv2/vif1
-+ as hv2 reset_pcap_file hv2-vif2 hv2/vif2
-+ as hv2 reset_pcap_file hv2-vif3 hv2/vif3
-+ as hv2 reset_pcap_file hv2-vif4 hv2/vif4
-+ OVS_WAIT_UNTIL(
-+ [check_packets --uniq \
-+ 'hv1/vif3-tx.pcap expected' \
-+ 'hv2/vif3-tx.pcap expected'],
-+ [$at_diff -F'^---' exp rcv])
-+done
-
- # Disable IGMP querier on sw2.
- check ovn-nbctl set Logical_Switch sw2 \
-@@ -19776,7 +20026,14 @@ AT_CAPTURE_FILE([sbflows])
- OVS_WAIT_FOR_OUTPUT(
- [ovn-sbctl dump-flows > sbflows
- ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 | sed 's/table=..//'], 0,
-- [ (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80,20.0.0.3:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");)
-+ [dnl
-+ (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && sctp), action=(reg1 = ip4.dst; reg2[[0..15]] = sctp.dst; ct_lb;)
-+ (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && tcp), action=(reg1 = ip4.dst; reg2[[0..15]] = tcp.dst; ct_lb;)
-+ (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && udp), action=(reg1 = ip4.dst; reg2[[0..15]] = udp.dst; ct_lb;)
-+ (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && sctp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = sctp.dst; ct_lb;)
-+ (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && tcp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = tcp.dst; ct_lb;)
-+ (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && udp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = udp.dst; ct_lb;)
-+ (ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80,20.0.0.3:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");)
- ])
-
- AT_CAPTURE_FILE([sbflows2])
-@@ -22463,7 +22720,7 @@ check ovn-nbctl --wait=hv sync
- # wait_conj_id_count COUNT ["ID COUNT [MATCH]"]...
- #
- # Waits until COUNT flows matching against conj_id appear in the
--# table 45 on hv1's br-int bridge. Makes the flows available in
-+# table 44 on hv1's br-int bridge. Makes the flows available in
- # "hv1flows", which will be logged on error.
- #
- # In addition, for each quoted "ID COUNT" or "ID COUNT MATCH",
-@@ -22480,7 +22737,7 @@ wait_conj_id_count() {
- echo "waiting for $1 conj_id flows..."
- OVS_WAIT_FOR_OUTPUT_UNQUOTED(
- [ovs-ofctl dump-flows br-int > hv1flows
-- grep table=45 hv1flows | grep -c conj_id],
-+ grep table=44 hv1flows | grep -c conj_id],
- [$retval], [$1
- ])
-
-@@ -22489,7 +22746,7 @@ wait_conj_id_count() {
- set -- $arg; id=$1 count=$2 match=$3
- echo "checking that there are $count ${match:+$match }flows with conj_id=$id..."
- AT_CHECK_UNQUOTED(
-- [grep table=45 hv1flows | grep "$match" | grep -c conj_id=$id],
-+ [grep table=44 hv1flows | grep "$match" | grep -c conj_id=$id],
- [0], [$count
- ])
- done
-@@ -22514,8 +22771,8 @@ wait_conj_id_count 1 "3 1 udp"
- AS_BOX([Add back the tcp ACL.])
- check ovn-nbctl --wait=hv acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && tcp.dst >= 80 && tcp.dst <= 82" allow
- wait_conj_id_count 2 "3 1 udp" "4 1 tcp"
--AT_CHECK([test 1 = $(as hv1 ovs-ofctl dump-flows br-int table=45 | grep udp | grep -c "conj_id=3")])
--AT_CHECK([test 1 = $(as hv1 ovs-ofctl dump-flows br-int table=45 | grep tcp | grep -c "conj_id=4")])
-+AT_CHECK([test 1 = $(as hv1 ovs-ofctl dump-flows br-int table=44 | grep udp | grep -c "conj_id=3")])
-+AT_CHECK([test 1 = $(as hv1 ovs-ofctl dump-flows br-int table=44 | grep tcp | grep -c "conj_id=4")])
-
- AS_BOX([Add another tcp ACL.])
- check ovn-nbctl --wait=hv acl-add pg0 to-lport 1002 "outport == @pg0 && inport == @pg0 && ip4 && tcp.dst >= 84 && tcp.dst <= 86" allow
-@@ -24454,43 +24711,43 @@ AT_CHECK([kill -0 $(cat hv1/ovn-controller.pid)])
- check ovn-nbctl --wait=hv sync
-
- # Check OVS flows are installed properly.
--AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=45 | ofctl_strip_all | \
-+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \
- grep "priority=2002" | grep conjunction | \
- sed 's/conjunction([[^)]]*)/conjunction()/g' | sort], [0], [dnl
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x10/0xfff0 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x100/0xff00 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x1000/0xf000 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x2/0xfffe actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x20/0xffe0 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x200/0xfe00 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x2000/0xe000 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x4/0xfffc actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x40/0xffc0 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x400/0xfc00 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x4000/0xc000 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x8/0xfff8 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x80/0xff80 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x800/0xf800 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x8000/0x8000 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=1 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x100/0x100,reg15=0x3,metadata=0x1,nw_src=192.168.47.3 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x10/0xfff0 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x100/0xff00 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x1000/0xf000 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x2/0xfffe actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x20/0xffe0 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x200/0xfe00 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x2000/0xe000 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x4/0xfffc actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x40/0xffc0 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x400/0xfc00 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x4000/0xc000 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x8/0xfff8 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x80/0xff80 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x800/0xf800 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x8000/0x8000 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=1 actions=conjunction()
-- table=45, priority=2002,udp,reg0=0x80/0x80,reg15=0x3,metadata=0x1,nw_src=192.168.47.3 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x10/0xfff0 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x100/0xff00 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x1000/0xf000 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x2/0xfffe actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x20/0xffe0 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x200/0xfe00 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x2000/0xe000 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x4/0xfffc actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x40/0xffc0 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x400/0xfc00 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x4000/0xc000 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x8/0xfff8 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x80/0xff80 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x800/0xf800 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x8000/0x8000 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.3,tp_dst=1 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x100/0x100,reg15=0x3,metadata=0x1,nw_src=192.168.47.3 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x10/0xfff0 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x100/0xff00 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x1000/0xf000 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x2/0xfffe actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x20/0xffe0 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x200/0xfe00 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x2000/0xe000 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x4/0xfffc actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x40/0xffc0 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x400/0xfc00 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x4000/0xc000 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x8/0xfff8 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x80/0xff80 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x800/0xf800 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=0x8000/0x8000 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.3,tp_dst=1 actions=conjunction()
-+ table=44, priority=2002,udp,reg0=0x80/0x80,reg15=0x3,metadata=0x1,nw_src=192.168.47.3 actions=conjunction()
- ])
-
- OVN_CLEANUP([hv1])
-@@ -24918,3 +25175,633 @@ AT_CHECK([cat hv2_offlows_table72.txt | grep -v NXST], [1], [dnl
-
- OVN_CLEANUP([hv1], [hv2])
- AT_CLEANUP
-+
-+AT_SETUP([ovn -- container port changed to normal port and then deleted])
-+ovn_start
-+
-+net_add n1
-+
-+sim_add hv1
-+as hv1
-+ovs-vsctl add-br br-phys
-+ovn_attach n1 br-phys 192.168.0.1
-+ovs-vsctl -- add-port br-int vm1
-+
-+check ovn-nbctl ls-add ls
-+check ovn-nbctl lsp-add ls vm1
-+check ovn-nbctl lsp-add ls vm-cont vm1 1
-+check as hv1 ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
-+
-+wait_for_ports_up
-+
-+check as hv1 ovn-appctl -t ovn-controller debug/pause
-+check ovn-nbctl clear logical_switch_port vm-cont parent_name
-+check as hv1 ovs-vsctl set Interface vm1 external_ids:iface-id=foo
-+check ovn-nbctl lsp-del vm-cont
-+check as hv1 ovn-appctl -t ovn-controller debug/resume
-+
-+ovn-nbctl --wait=hv sync
-+
-+# Make sure that ovn-controller has not asserted.
-+AT_CHECK([kill -0 $(cat hv1/ovn-controller.pid)])
-+
-+wait_column "false" nb:Logical_Switch_Port up name=vm1
-+
-+check ovn-nbctl lsp-add ls vm-cont1 vm1 1
-+check ovn-nbctl lsp-add ls vm-cont2 vm1 2
-+
-+check ovn-nbctl --wait=sb lsp-del vm1
-+
-+check as hv1 ovn-appctl -t ovn-controller debug/pause
-+check ovn-nbctl clear logical_switch_port vm-cont1 parent_name
-+check ovn-nbctl clear logical_switch_port vm-cont2 parent_name
-+
-+check as hv1 ovn-appctl -t ovn-controller debug/resume
-+
-+check ovn-nbctl --wait=hv sync
-+
-+# Make sure that ovn-controller has not crashed.
-+AT_CHECK([kill -0 $(cat hv1/ovn-controller.pid)])
-+
-+check ovn-nbctl lsp-add ls vm1
-+check ovn-nbctl set logical_switch_port vm-cont1 parent_name=vm1
-+check ovn-nbctl --wait=sb set logical_switch_port vm-cont2 parent_name=vm1
-+check as hv1 ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
-+
-+wait_for_ports_up
-+
-+check as hv1 ovn-appctl -t ovn-controller debug/pause
-+check ovn-nbctl --wait=sb lsp-del vm1
-+check ovn-nbctl clear logical_switch_port vm-cont1 parent_name
-+check ovn-nbctl --wait=sb clear logical_switch_port vm-cont2 parent_name
-+check ovn-nbctl lsp-del vm-cont1
-+check ovn-nbctl --wait=sb lsp-del vm-cont2
-+check as hv1 ovn-appctl -t ovn-controller debug/resume
-+
-+check ovn-nbctl --wait=hv sync
-+
-+# Make sure that ovn-controller has not crashed.
-+AT_CHECK([kill -0 $(cat hv1/ovn-controller.pid)])
-+
-+check ovn-nbctl lsp-add ls vm1
-+check ovn-nbctl lsp-add ls vm-cont1 vm1 1
-+check ovn-nbctl lsp-add ls vm-cont2 vm1 2
-+
-+wait_for_ports_up
-+
-+check as hv1 ovn-appctl -t ovn-controller debug/pause
-+check ovn-nbctl clear logical_switch_port vm-cont1 parent_name
-+check ovn-nbctl --wait=sb clear logical_switch_port vm-cont2 parent_name
-+check ovn-nbctl lsp-del vm-cont1
-+check ovn-nbctl lsp-del vm-cont2
-+check as hv1 ovn-appctl -t ovn-controller debug/resume
-+
-+check ovn-nbctl --wait=hv sync
-+
-+# Make sure that ovn-controller has not crashed.
-+AT_CHECK([kill -0 $(cat hv1/ovn-controller.pid)])
-+
-+check ovn-nbctl lsp-add ls vm-cont1 vm1 1
-+check ovn-nbctl lsp-add ls vm-cont2 vm1 2
-+
-+wait_for_ports_up
-+
-+check as hv1 ovn-appctl -t ovn-controller debug/pause
-+check ovn-nbctl clear logical_switch_port vm-cont1 parent_name
-+check ovn-nbctl --wait=sb clear logical_switch_port vm-cont2 parent_name
-+
-+check as hv1 ovs-vsctl set Interface vm1 external_ids:iface-id=foo
-+
-+check as hv1 ovn-appctl -t ovn-controller debug/resume
-+
-+wait_column "false" nb:Logical_Switch_Port up name=vm1
-+wait_column "false" nb:Logical_Switch_Port up name=vm-cont1
-+wait_column "false" nb:Logical_Switch_Port up name=vm-cont2
-+
-+check ovn-nbctl set logical_switch_port vm-cont1 parent_name=vm1
-+check as hv1 ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
-+check ovn-nbctl --wait=sb set logical_switch_port vm-cont2 parent_name=vm1
-+
-+wait_for_ports_up
-+
-+check as hv1 ovn-appctl -t ovn-controller debug/pause
-+check ovn-nbctl clear logical_switch_port vm-cont1 parent_name
-+check as hv1 ovs-vsctl set Interface vm1 external_ids:iface-id=vm-cont1
-+check as hv1 ovn-appctl -t ovn-controller debug/resume
-+
-+wait_column "false" nb:Logical_Switch_Port up name=vm1
-+wait_column "true" nb:Logical_Switch_Port up name=vm-cont1
-+wait_column "false" nb:Logical_Switch_Port up name=vm-cont2
-+
-+check ovn-nbctl --wait=sb set logical_switch_port vm-cont2 parent_name=vm-cont1
-+check ovn-nbctl --wait=sb set logical_switch_port vm1 parent_name=vm-cont1
-+
-+wait_for_ports_up
-+
-+# Delete vm1, vm-cont1 and vm-cont2 and recreate again.
-+check ovn-nbctl lsp-del vm1
-+check ovn-nbctl lsp-del vm-cont1
-+check ovn-nbctl --wait=hv lsp-del vm-cont2
-+
-+check as hv1 ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
-+check ovn-nbctl lsp-add ls vm1
-+check ovn-nbctl lsp-add ls vm-cont1 vm1 1
-+check ovn-nbctl lsp-add ls vm-cont2 vm1 2
-+
-+wait_for_ports_up
-+
-+# Make vm1 as a child port of some non existent lport - foo. vm1, vm1-cont1 and
-+# vm1-cont2 should be released.
-+check ovn-nbctl --wait=sb set logical_switch_port vm1 parent_name=bar
-+wait_column "false" nb:Logical_Switch_Port up name=vm1
-+wait_column "false" nb:Logical_Switch_Port up name=vm-cont1
-+wait_column "false" nb:Logical_Switch_Port up name=vm-cont2
-+
-+OVN_CLEANUP([hv1])
-+AT_CLEANUP
-+
-+AT_SETUP([ovn -- container port changed from one parent to another])
-+ovn_start
-+
-+net_add n1
-+
-+sim_add hv1
-+as hv1
-+ovs-vsctl add-br br-phys
-+ovn_attach n1 br-phys 192.168.0.1
-+ovs-vsctl -- add-port br-int vm1 -- set interface vm1 ofport-request=1
-+ovs-vsctl -- add-port br-int vm2 -- set interface vm1 ofport-request=2
-+
-+check ovn-nbctl ls-add ls
-+check ovn-nbctl lsp-add ls vm1
-+check ovn-nbctl lsp-add ls vm1-cont vm1 1
-+check ovn-nbctl lsp-add ls vm2
-+check ovn-nbctl lsp-add ls vm2-cont vm2 2
-+
-+check as hv1 ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
-+check as hv1 ovs-vsctl set Interface vm2 external_ids:iface-id=vm2
-+
-+wait_for_ports_up
-+
-+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=0 | grep -c dl_vlan=1], [0], [dnl
-+1
-+])
-+
-+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=0 | grep -c dl_vlan=2], [0], [dnl
-+1
-+])
-+
-+# change the parent of vm1-cont to vm2.
-+as hv1 ovn-appctl -t ovn-controller vlog/set dbg
-+check ovn-nbctl --wait=sb set logical_switch_port vm1-cont parent_name=vm2 \
-+-- set logical_switch_port vm1-cont tag_request=3
-+
-+wait_for_ports_up
-+
-+check ovn-nbctl --wait=hv sync
-+
-+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=0 | grep -c dl_vlan=1], [1], [dnl
-+0
-+])
-+
-+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=0 | grep -c dl_vlan=2], [0], [dnl
-+1
-+])
-+
-+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=0 | grep -c dl_vlan=3], [0], [dnl
-+1
-+])
-+
-+OVN_CLEANUP([hv1])
-+AT_CLEANUP
-+
-+AT_SETUP([ovn -- container port use-after-free test])
-+ovn_start
-+
-+net_add n1
-+
-+sim_add hv1
-+as hv1
-+ovs-vsctl add-br br-phys
-+ovn_attach n1 br-phys 192.168.0.1
-+ovs-vsctl -- add-port br-int vm1
-+
-+check ovn-nbctl ls-add ls
-+check ovn-nbctl lsp-add ls vm1
-+check ovn-nbctl lsp-add ls vm-cont vm1 1
-+check ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
-+check ovn-nbctl clear logical_switch_port vm-cont parent_name
-+check ovs-vsctl set Interface vm1 external_ids:iface-id=foo
-+check ovn-nbctl lsp-del vm-cont
-+check ovn-nbctl ls-del ls
-+check ovn-nbctl ls-add ls
-+check ovn-nbctl lsp-add ls vm1
-+check ovn-nbctl lsp-add ls vm-cont vm1 1
-+check ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
-+check as hv1 ovn-appctl -t ovn-controller debug/pause
-+check ovn-nbctl clear logical_switch_port vm-cont parent_name
-+check ovn-nbctl lsp-del vm-cont
-+check as hv1 ovn-appctl -t ovn-controller debug/resume
-+check as hv1 ovs-vsctl set Interface vm1 external_ids:iface-id=foo
-+
-+ovn-nbctl --wait=hv sync
-+
-+# Make sure that ovn-controller has not asserted.
-+AT_CHECK([kill -0 $(cat hv1/ovn-controller.pid)])
-+
-+wait_column "false" nb:Logical_Switch_Port up name=vm1
-+
-+OVN_CLEANUP([hv1])
-+AT_CLEANUP
-+
-+# Test that OVS.external_ids:iface-id doesn't affect non-VIF port bindings.
-+AT_SETUP([ovn -- Non-VIF ports incremental processing])
-+ovn_start
-+
-+net_add n1
-+sim_add hv1
-+as hv1
-+ovs-vsctl add-br br-phys
-+ovn_attach n1 br-phys 192.168.0.10
-+
-+check ovn-nbctl ls-add ls1 -- lsp-add ls1 lsp1
-+
-+as hv1
-+check ovs-vsctl \
-+ -- add-port br-int vif1 \
-+ -- set Interface vif1 external_ids:iface-id=lsp1
-+
-+# ovn-controller should bind the interface.
-+wait_for_ports_up
-+hv_uuid=$(fetch_column Chassis _uuid name=hv1)
-+check_column "$hv_uuid" Port_Binding chassis logical_port=lsp1
-+
-+# Change the port type to router, ovn-controller should release it.
-+check ovn-nbctl --wait=hv lsp-set-type lsp1 router
-+check_column "" Port_Binding chassis logical_port=lsp1
-+
-+# Clear port type, ovn-controller should rebind it.
-+check ovn-nbctl --wait=hv lsp-set-type lsp1 ''
-+check_column "$hv_uuid" Port_Binding chassis logical_port=lsp1
-+
-+# Change the port type to localnet, ovn-controller should release it.
-+check ovn-nbctl --wait=hv lsp-set-type lsp1 localnet
-+check_column "" Port_Binding chassis logical_port=lsp1
-+
-+# Clear port type, ovn-controller should rebind it.
-+check ovn-nbctl --wait=hv lsp-set-type lsp1 ''
-+check_column "$hv_uuid" Port_Binding chassis logical_port=lsp1
-+
-+# Change the port type to localport, ovn-controller should release it.
-+check ovn-nbctl --wait=hv lsp-set-type lsp1 localport
-+check_column "" Port_Binding chassis logical_port=lsp1
-+
-+# Clear port type, ovn-controller should rebind it.
-+check ovn-nbctl --wait=hv lsp-set-type lsp1 ''
-+check_column "$hv_uuid" Port_Binding chassis logical_port=lsp1
-+
-+# Change the port type to localnet and then delete it.
-+# ovn-controller should handle this properly.
-+check as hv1 ovn-appctl -t ovn-controller debug/pause
-+check ovn-nbctl --wait=sb lsp-set-type lsp1 localport
-+check ovn-nbctl --wait=sb lsp-del lsp1
-+check as hv1 ovn-appctl -t ovn-controller debug/resume
-+
-+check ovn-nbctl --wait=hv sync
-+
-+# Make sure that ovn-controller has not asserted.
-+AT_CHECK([kill -0 $(cat hv1/ovn-controller.pid)])
-+
-+check ovn-nbctl lsp-add ls1 lsp1
-+wait_for_ports_up
-+
-+# Change the port type to virtual and then delete it.
-+# ovn-controller should handle this properly.
-+check as hv1 ovn-appctl -t ovn-controller debug/pause
-+check ovn-nbctl --wait=sb lsp-set-type lsp1 virtual
-+check ovn-nbctl --wait=sb lsp-del lsp1
-+check as hv1 ovn-appctl -t ovn-controller debug/resume
-+
-+check ovn-nbctl --wait=hv sync
-+
-+# Make sure that ovn-controller has not asserted.
-+AT_CHECK([kill -0 $(cat hv1/ovn-controller.pid)])
-+
-+OVN_CLEANUP([hv1])
-+AT_CLEANUP
-+
-+# Tests that ovn-controller creates local bindings correctly by running
-+# ovn-appctl -t ovn-controller debug/dump-local-bindings.
-+# Ideally this test case should have been a unit test case.
-+AT_SETUP([ovn -- ovn-controller local bindings])
-+ovn_start
-+
-+net_add n1
-+
-+sim_add hv1
-+as hv1
-+ovs-vsctl add-br br-phys
-+ovn_attach n1 br-phys 192.168.0.1
-+ovs-vsctl -- add-port br-int hv1-vm1
-+
-+sim_add hv2
-+as hv2
-+ovs-vsctl add-br br-phys
-+ovn_attach n1 br-phys 192.168.0.2
-+ovs-vsctl -- add-port br-int hv2-vm1
-+
-+check ovn-nbctl ls-add sw0
-+check ovn-nbctl lsp-add sw0 sw0p1
-+check ovn-nbctl lsp-add sw0 sw0p2
-+
-+check as hv1 ovs-vsctl set interface hv1-vm1 external_ids:iface-id=sw0p1
-+check as hv2 ovs-vsctl set interface hv2-vm1 external_ids:iface-id=sw0p2
-+
-+wait_for_ports_up
-+
-+AT_CHECK([as hv1 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[sw0p1]], OVS interface name : [[hv1-vm1]], num binding lports : [[1]]
-+primary lport : [[sw0p1]]
-+----------------------------------------
-+])
-+
-+AT_CHECK([as hv2 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[sw0p2]], OVS interface name : [[hv2-vm1]], num binding lports : [[1]]
-+primary lport : [[sw0p2]]
-+----------------------------------------
-+])
-+
-+# Create an ovs interface in hv1
-+check as hv1 ovs-vsctl add-port br-int hv1-vm2 -- set interface hv1-vm2 external_ids:iface-id=sw1p1
-+check ovn-nbctl --wait=hv sync
-+AT_CHECK([as hv1 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[sw0p1]], OVS interface name : [[hv1-vm1]], num binding lports : [[1]]
-+primary lport : [[sw0p1]]
-+----------------------------------------
-+name: [[sw1p1]], OVS interface name : [[hv1-vm2]], num binding lports : [[0]]
-+----------------------------------------
-+])
-+
-+# Create lport sw1p1
-+check ovn-nbctl ls-add sw1 -- lsp-add sw1 sw1p1
-+
-+wait_for_ports_up
-+
-+AT_CHECK([as hv1 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[sw0p1]], OVS interface name : [[hv1-vm1]], num binding lports : [[1]]
-+primary lport : [[sw0p1]]
-+----------------------------------------
-+name: [[sw1p1]], OVS interface name : [[hv1-vm2]], num binding lports : [[1]]
-+primary lport : [[sw1p1]]
-+----------------------------------------
-+])
-+
-+# Swap sw0p1 and sw0p2.
-+check as hv1 ovs-vsctl set interface hv1-vm1 external_ids:iface-id=sw0p2
-+check as hv2 ovs-vsctl set interface hv2-vm1 external_ids:iface-id=sw0p1
-+
-+check ovn-nbctl --wait=hv sync
-+
-+AT_CHECK([as hv1 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[sw0p2]], OVS interface name : [[hv1-vm1]], num binding lports : [[1]]
-+primary lport : [[sw0p2]]
-+----------------------------------------
-+name: [[sw1p1]], OVS interface name : [[hv1-vm2]], num binding lports : [[1]]
-+primary lport : [[sw1p1]]
-+----------------------------------------
-+])
-+
-+AT_CHECK([as hv2 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[sw0p1]], OVS interface name : [[hv2-vm1]], num binding lports : [[1]]
-+primary lport : [[sw0p1]]
-+----------------------------------------
-+])
-+
-+# Create child port for sw0p1
-+check ovn-nbctl --wait=hv lsp-add sw0 sw0p1-c1 sw0p1 1
-+AT_CHECK([as hv1 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[sw0p1]], OVS interface name : [[NULL]], num binding lports : [[2]]
-+primary lport : [[sw0p1]]
-+child lport[[1]] : [[sw0p1-c1]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p2]], OVS interface name : [[hv1-vm1]], num binding lports : [[1]]
-+primary lport : [[sw0p2]]
-+----------------------------------------
-+name: [[sw1p1]], OVS interface name : [[hv1-vm2]], num binding lports : [[1]]
-+primary lport : [[sw1p1]]
-+----------------------------------------
-+])
-+
-+AT_CHECK([as hv2 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[sw0p1]], OVS interface name : [[hv2-vm1]], num binding lports : [[2]]
-+primary lport : [[sw0p1]]
-+child lport[[1]] : [[sw0p1-c1]], type : [[CONTAINER]]
-+----------------------------------------
-+])
-+
-+# Create another child port for sw0p1
-+check ovn-nbctl --wait=hv lsp-add sw0 sw0p1-c2 sw0p1 2
-+
-+wait_for_ports_up
-+
-+AT_CHECK([as hv1 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[sw0p1]], OVS interface name : [[NULL]], num binding lports : [[3]]
-+primary lport : [[sw0p1]]
-+child lport[[1]] : [[sw0p1-c1]], type : [[CONTAINER]]
-+child lport[[2]] : [[sw0p1-c2]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p2]], OVS interface name : [[hv1-vm1]], num binding lports : [[1]]
-+primary lport : [[sw0p2]]
-+----------------------------------------
-+name: [[sw1p1]], OVS interface name : [[hv1-vm2]], num binding lports : [[1]]
-+primary lport : [[sw1p1]]
-+----------------------------------------
-+])
-+
-+AT_CHECK([as hv2 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[sw0p1]], OVS interface name : [[hv2-vm1]], num binding lports : [[3]]
-+primary lport : [[sw0p1]]
-+child lport[[1]] : [[sw0p1-c1]], type : [[CONTAINER]]
-+child lport[[2]] : [[sw0p1-c2]], type : [[CONTAINER]]
-+----------------------------------------
-+])
-+
-+# Swap sw0p1 and sw0p2 again.
-+check as hv1 ovs-vsctl set interface hv1-vm1 external_ids:iface-id=sw0p1
-+check as hv2 ovs-vsctl set interface hv2-vm1 external_ids:iface-id=sw0p2
-+
-+check ovn-nbctl --wait=hv sync
-+
-+AT_CHECK([as hv1 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[sw0p1]], OVS interface name : [[hv1-vm1]], num binding lports : [[3]]
-+primary lport : [[sw0p1]]
-+child lport[[1]] : [[sw0p1-c1]], type : [[CONTAINER]]
-+child lport[[2]] : [[sw0p1-c2]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw1p1]], OVS interface name : [[hv1-vm2]], num binding lports : [[1]]
-+primary lport : [[sw1p1]]
-+----------------------------------------
-+])
-+
-+AT_CHECK([as hv2 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[sw0p1]], OVS interface name : [[NULL]], num binding lports : [[3]]
-+primary lport : [[sw0p1]]
-+child lport[[1]] : [[sw0p1-c1]], type : [[CONTAINER]]
-+child lport[[2]] : [[sw0p1-c2]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p2]], OVS interface name : [[hv2-vm1]], num binding lports : [[1]]
-+primary lport : [[sw0p2]]
-+----------------------------------------
-+])
-+
-+# Make sw0p1 as child port of non existent lport - foo
-+check ovn-nbctl --wait=hv set logical_switch_port sw0p1 parent_name=foo
-+
-+AT_CHECK([as hv1 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[foo]], OVS interface name : [[NULL]], num binding lports : [[1]]
-+no primary lport
-+child lport[[1]] : [[sw0p1]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p1]], OVS interface name : [[hv1-vm1]], num binding lports : [[2]]
-+no primary lport
-+child lport[[1]] : [[sw0p1-c1]], type : [[CONTAINER]]
-+child lport[[2]] : [[sw0p1-c2]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw1p1]], OVS interface name : [[hv1-vm2]], num binding lports : [[1]]
-+primary lport : [[sw1p1]]
-+----------------------------------------
-+])
-+
-+AT_CHECK([as hv2 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[foo]], OVS interface name : [[NULL]], num binding lports : [[1]]
-+no primary lport
-+child lport[[1]] : [[sw0p1]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p1]], OVS interface name : [[NULL]], num binding lports : [[2]]
-+no primary lport
-+child lport[[1]] : [[sw0p1-c1]], type : [[CONTAINER]]
-+child lport[[2]] : [[sw0p1-c2]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p2]], OVS interface name : [[hv2-vm1]], num binding lports : [[1]]
-+primary lport : [[sw0p2]]
-+----------------------------------------
-+])
-+
-+# Change the lport type of sw0p2 to different types and make sure that
-+# local bindings are correct.
-+
-+hv2_uuid=$(fetch_column Chassis _uuid name=hv2)
-+check_column "$hv2_uuid" Port_Binding chassis logical_port=sw0p2
-+
-+# Change the port type to router, ovn-controller should release it.
-+check ovn-nbctl --wait=hv lsp-set-type sw0p2 router
-+check_column "" Port_Binding chassis logical_port=sw0p2
-+
-+AT_CHECK([as hv2 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[foo]], OVS interface name : [[NULL]], num binding lports : [[1]]
-+no primary lport
-+child lport[[1]] : [[sw0p1]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p1]], OVS interface name : [[NULL]], num binding lports : [[2]]
-+no primary lport
-+child lport[[1]] : [[sw0p1-c1]], type : [[CONTAINER]]
-+child lport[[2]] : [[sw0p1-c2]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p2]], OVS interface name : [[hv2-vm1]], num binding lports : [[0]]
-+----------------------------------------
-+])
-+
-+# change the port type to external from router.
-+check ovn-nbctl --wait=hv lsp-set-type sw0p2 external
-+check_column "" Port_Binding chassis logical_port=sw0p2
-+
-+AT_CHECK([as hv2 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[foo]], OVS interface name : [[NULL]], num binding lports : [[1]]
-+no primary lport
-+child lport[[1]] : [[sw0p1]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p1]], OVS interface name : [[NULL]], num binding lports : [[2]]
-+no primary lport
-+child lport[[1]] : [[sw0p1-c1]], type : [[CONTAINER]]
-+child lport[[2]] : [[sw0p1-c2]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p2]], OVS interface name : [[hv2-vm1]], num binding lports : [[0]]
-+----------------------------------------
-+])
-+
-+# change the port type to localnet from external.
-+check ovn-nbctl --wait=hv lsp-set-type sw0p2 localnet
-+check_column "" Port_Binding chassis logical_port=sw0p2
-+
-+AT_CHECK([as hv2 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[foo]], OVS interface name : [[NULL]], num binding lports : [[1]]
-+no primary lport
-+child lport[[1]] : [[sw0p1]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p1]], OVS interface name : [[NULL]], num binding lports : [[2]]
-+no primary lport
-+child lport[[1]] : [[sw0p1-c1]], type : [[CONTAINER]]
-+child lport[[2]] : [[sw0p1-c2]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p2]], OVS interface name : [[hv2-vm1]], num binding lports : [[0]]
-+----------------------------------------
-+])
-+
-+# change the port type to localport from localnet.
-+check ovn-nbctl --wait=hv lsp-set-type sw0p2 localnet
-+check_column "" Port_Binding chassis logical_port=sw0p2
-+
-+AT_CHECK([as hv2 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[foo]], OVS interface name : [[NULL]], num binding lports : [[1]]
-+no primary lport
-+child lport[[1]] : [[sw0p1]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p1]], OVS interface name : [[NULL]], num binding lports : [[2]]
-+no primary lport
-+child lport[[1]] : [[sw0p1-c1]], type : [[CONTAINER]]
-+child lport[[2]] : [[sw0p1-c2]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p2]], OVS interface name : [[hv2-vm1]], num binding lports : [[0]]
-+----------------------------------------
-+])
-+
-+# change the port type back to vif.
-+check ovn-nbctl --wait=hv lsp-set-type sw0p2 ""
-+wait_column "$hv2_uuid" Port_Binding chassis logical_port=sw0p2
-+
-+AT_CHECK([as hv2 ovn-appctl -t ovn-controller debug/dump-local-bindings], [0], [dnl
-+Local bindings:
-+name: [[foo]], OVS interface name : [[NULL]], num binding lports : [[1]]
-+no primary lport
-+child lport[[1]] : [[sw0p1]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p1]], OVS interface name : [[NULL]], num binding lports : [[2]]
-+no primary lport
-+child lport[[1]] : [[sw0p1-c1]], type : [[CONTAINER]]
-+child lport[[2]] : [[sw0p1-c2]], type : [[CONTAINER]]
-+----------------------------------------
-+name: [[sw0p2]], OVS interface name : [[hv2-vm1]], num binding lports : [[1]]
-+primary lport : [[sw0p2]]
-+----------------------------------------
-+])
-+
-+OVN_CLEANUP([hv1], [hv2])
-+AT_CLEANUP
-diff --git a/tests/system-ovn.at b/tests/system-ovn.at
-index 9819573bb..bd27b01a0 100644
---- a/tests/system-ovn.at
-+++ b/tests/system-ovn.at
-@@ -4722,7 +4722,7 @@ OVS_WAIT_UNTIL([
- ])
-
- OVS_WAIT_UNTIL([
-- n_pkt=$(ovs-ofctl dump-flows br-int table=45 | grep -v n_packets=0 | \
-+ n_pkt=$(ovs-ofctl dump-flows br-int table=44 | grep -v n_packets=0 | \
- grep controller | grep tp_dst=84 -c)
- test $n_pkt -eq 1
- ])
-@@ -5831,3 +5831,131 @@ as
- OVS_TRAFFIC_VSWITCHD_STOP(["/.*error receiving.*/d
- /.*terminating with signal 15.*/d"])
- AT_CLEANUP
-+
-+AT_SETUP([ovn -- No ct_state matches in dp flows when no ACLs in an LS])
-+AT_KEYWORDS([no ct_state match])
-+ovn_start
-+
-+OVS_TRAFFIC_VSWITCHD_START()
-+ADD_BR([br-int])
-+
-+# Set external-ids in br-int needed for ovn-controller
-+ovs-vsctl \
-+ -- set Open_vSwitch . external-ids:system-id=hv1 \
-+ -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \
-+ -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \
-+ -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \
-+ -- set bridge br-int fail-mode=secure other-config:disable-in-band=true
-+
-+# Start ovn-controller
-+start_daemon ovn-controller
-+
-+check ovn-nbctl ls-add sw0
-+
-+check ovn-nbctl lsp-add sw0 sw0-p1
-+check ovn-nbctl lsp-set-addresses sw0-p1 "50:54:00:00:00:03"
-+check ovn-nbctl lsp-set-port-security sw0-p1 "50:54:00:00:00:03"
-+
-+check ovn-nbctl lsp-add sw0 sw0-p2
-+check ovn-nbctl lsp-set-addresses sw0-p2 "50:54:00:00:00:04 10.0.0.4"
-+check ovn-nbctl lsp-set-port-security sw0-p2 "50:54:00:00:00:04 10.0.0.4"
-+
-+
-+# Create the second logical switch with one port and configure some ACLs.
-+check ovn-nbctl ls-add sw1
-+check ovn-nbctl lsp-add sw1 sw1-p1
-+
-+# Create port group and ACLs for sw1 ports.
-+check ovn-nbctl pg-add pg1 sw1-p1
-+check ovn-nbctl acl-add pg1 from-lport 1002 "ip" allow-related
-+check ovn-nbctl acl-add pg1 to-lport 1002 "ip" allow-related
-+
-+
-+OVN_POPULATE_ARP
-+ovn-nbctl --wait=hv sync
-+
-+ADD_NAMESPACES(sw0-p1)
-+ADD_VETH(sw0-p1, sw0-p1, br-int, "10.0.0.3/24", "50:54:00:00:00:03", \
-+ "10.0.0.1")
-+
-+
-+ADD_NAMESPACES(sw0-p2)
-+ADD_VETH(sw0-p2, sw0-p2, br-int, "10.0.0.4/24", "50:54:00:00:00:04", \
-+ "10.0.0.1")
-+
-+ADD_NAMESPACES(sw1-p1)
-+ADD_VETH(sw1-p1, sw1-p1, br-int, "20.0.0.4/24", "30:54:00:00:00:04", \
-+ "20.0.0.1")
-+
-+wait_for_ports_up
-+
-+NS_CHECK_EXEC([sw0-p1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.4 | FORMAT_PING], \
-+[0], [dnl
-+3 packets transmitted, 3 received, 0% packet loss, time 0ms
-+])
-+
-+ovs-appctl dpctl/dump-flows
-+
-+# sw1-p1 may send IPv6 traffic. So filter this out. Since sw1-p1 has
-+# ACLs configured, the datapath flows for the packets from sw1-p1 will have
-+# matches on ct_state and ct_label fields.
-+# Since sw0 doesn't have any ACLs, there should be no match on ct fields.
-+AT_CHECK([ovs-appctl dpctl/dump-flows | grep ct_state | grep -v ipv6 -c], [1], [dnl
-+0
-+])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows | grep ct_label | grep -v ipv6 -c], [1], [dnl
-+0
-+])
-+
-+# Add an ACL to sw0.
-+check ovn-nbctl --wait=hv acl-add sw0 to-lport 1002 ip allow-related
-+
-+NS_CHECK_EXEC([sw0-p1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.4 | FORMAT_PING], \
-+[0], [dnl
-+3 packets transmitted, 3 received, 0% packet loss, time 0ms
-+])
-+
-+ovs-appctl dpctl/dump-flows
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows | grep ct_state | grep -v ipv6 -c], [0], [ignore])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows | grep ct_label | grep -v ipv6 -c], [0], [ignore])
-+
-+# Clear ACL for sw0
-+check ovn-nbctl --wait=hv clear logical_switch sw0 acls
-+
-+check ovs-appctl dpctl/del-flows
-+
-+check ovn-nbctl --wait=hv sync
-+
-+NS_CHECK_EXEC([sw0-p1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.4 | FORMAT_PING], \
-+[0], [dnl
-+3 packets transmitted, 3 received, 0% packet loss, time 0ms
-+])
-+
-+ovs-appctl dpctl/dump-flows
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows | grep ct_state | grep -v ipv6 -c], [1], [dnl
-+0
-+])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows | grep ct_label | grep -v ipv6 -c], [1], [dnl
-+0
-+])
-+
-+OVS_APP_EXIT_AND_WAIT([ovn-controller])
-+
-+as ovn-sb
-+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
-+
-+as ovn-nb
-+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
-+
-+as northd
-+OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
-+
-+as
-+OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d
-+/connection dropped.*/d"])
-+AT_CLEANUP
-diff --git a/utilities/ovn-ctl b/utilities/ovn-ctl
-index 967db6d6c..c52c17ee0 100755
---- a/utilities/ovn-ctl
-+++ b/utilities/ovn-ctl
-@@ -45,18 +45,12 @@ pidfile_is_running () {
- test -e "$pidfile" && [ -s "$pidfile" ] && pid=`cat "$pidfile"` && pid_exists "$pid"
- } >/dev/null 2>&1
-
--stop_xx_ovsdb() {
-- if pidfile_is_running $1; then
-- ovn-appctl -t $OVN_RUNDIR/$2 exit
-- fi
--}
--
- stop_nb_ovsdb() {
-- stop_xx_ovsdb $DB_NB_PID ovnnb_db.ctl
-+ OVS_RUNDIR=${OVS_RUNDIR} stop_ovn_daemon ovnnb_db $DB_NB_PID $OVN_RUNDIR/ovnnb_db.ctl
- }
-
- stop_sb_ovsdb() {
-- stop_xx_ovsdb $DB_SB_PID ovnsb_db.ctl
-+ OVS_RUNDIR=${OVS_RUNDIR} stop_ovn_daemon ovnsb_db $DB_SB_PID $OVN_RUNDIR/ovnsb_db.ctl
- }
-
- stop_ovsdb () {
-@@ -65,11 +59,11 @@ stop_ovsdb () {
- }
-
- stop_ic_nb_ovsdb() {
-- stop_xx_ovsdb $DB_IC_NB_PID ovn_ic_nb_db.ctl
-+ OVS_RUNDIR=${OVS_RUNDIR} stop_ovn_daemon ovn_ic_nb_db $DB_IC_NB_PID $OVN_RUNDIR/ovn_ic_nb_db.ctl
- }
-
- stop_ic_sb_ovsdb() {
-- stop_xx_ovsdb $DB_IC_SB_PID ovn_ic_sb_db.ctl
-+ OVS_RUNDIR=${OVS_RUNDIR} stop_ovn_daemon ovn_ic_sb_db $DB_IC_SB_PID $OVN_RUNDIR/ovn_ic_sb_db.ctl
- }
-
- stop_ic_ovsdb () {
-@@ -590,7 +584,7 @@ stop_ic () {
- }
-
- stop_controller () {
-- OVS_RUNDIR=${OVS_RUNDIR} stop_ovn_daemon ovn-controller "$@"
-+ OVS_RUNDIR=${OVS_RUNDIR} stop_ovn_daemon ovn-controller "" "" "$@"
- }
-
- stop_controller_vtep () {
-diff --git a/utilities/ovn-lib.in b/utilities/ovn-lib.in
-index 016815626..301cc5712 100644
---- a/utilities/ovn-lib.in
-+++ b/utilities/ovn-lib.in
-@@ -137,10 +137,22 @@ start_ovn_daemon () {
- }
-
- stop_ovn_daemon () {
-- if test -e "$ovn_rundir/$1.pid"; then
-- if pid=`cat "$ovn_rundir/$1.pid"`; then
-+ local pid_file=$2
-+ local ctl_file=$3
-+ local other_args=$4
-+
-+ if [ -z "$pid_file" ]; then
-+ pid_file="$ovn_rundir/$1.pid"
-+ fi
-+
-+ if test -e "$pid_file"; then
-+ if pid=`cat "$pid_file"`; then
-+ if [ -z "$ctl_file" ]; then
-+ ctl_file="$ovn_rundir/$1.$pid.ctl"
-+ fi
-+
- if pid_exists "$pid" >/dev/null 2>&1; then :; else
-- rm -f $ovn_rundir/$1.$pid.ctl $ovn_rundir/$1.$pid
-+ rm -f $ctl_file $pid_file
- return 0
- fi
-
-@@ -148,7 +160,7 @@ stop_ovn_daemon () {
- actions="TERM .1 .25 .65 1 1 1 1 \
- KILL 1 1 1 2 10 15 30 \
- FAIL"
-- version=`ovs-appctl -T 1 -t $ovn_rundir/$1.$pid.ctl version \
-+ version=`ovs-appctl -T 1 -t $ctl_file version \
- | awk 'NR==1{print $NF}'`
-
- # Use `ovs-appctl exit` only if the running daemon version
-@@ -159,20 +171,36 @@ stop_ovn_daemon () {
- if version_geq "$version" "2.5.90"; then
- actions="$graceful $actions"
- fi
-+ actiontype=""
- for action in $actions; do
- if pid_exists "$pid" >/dev/null 2>&1; then :; else
-- return 0
-+ # pid does not exist.
-+ if [ -n "$actiontype" ]; then
-+ return 0
-+ fi
-+ # But, does the file exist? We may have had a daemon
-+ # segfault with `ovs-appctl exit`. Check one more time
-+ # before deciding that the daemon is dead.
-+ [ -e "$pid_file" ] && sleep 2 && pid=`cat "$pid_file"` 2>/dev/null
-+ if pid_exists "$pid" >/dev/null 2>&1; then :; else
-+ return 0
-+ fi
- fi
- case $action in
- EXIT)
- action "Exiting $1 ($pid)" \
-- ${bindir}/ovs-appctl -T 1 -t $ovn_rundir/$1.$pid.ctl exit $2
-+ ${bindir}/ovs-appctl -T 1 -t $ctl_file exit $other_args
-+ # The above command could have resulted in delayed
-+ # daemon segfault. And if a monitor is running, it
-+ # would restart the daemon giving it a new pid.
- ;;
- TERM)
- action "Killing $1 ($pid)" kill $pid
-+ actiontype="force"
- ;;
- KILL)
- action "Killing $1 ($pid) with SIGKILL" kill -9 $pid
-+ actiontype="force"
- ;;
- FAIL)
- log_failure_msg "Killing $1 ($pid) failed"
-diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c
-index 2c77f4ba7..6e4a3daf0 100644
---- a/utilities/ovn-nbctl.c
-+++ b/utilities/ovn-nbctl.c
-@@ -3866,11 +3866,15 @@ static void
- print_routing_policy(const struct nbrec_logical_router_policy *policy,
- struct ds *s)
- {
-- if (policy->nexthop != NULL) {
-- char *next_hop = normalize_prefix_str(policy->nexthop);
-- ds_put_format(s, "%10"PRId64" %50s %15s %25s", policy->priority,
-- policy->match, policy->action, next_hop);
-- free(next_hop);
-+ if (policy->n_nexthops) {
-+ ds_put_format(s, "%10"PRId64" %50s %15s", policy->priority,
-+ policy->match, policy->action);
-+ for (int i = 0; i < policy->n_nexthops; i++) {
-+ char *next_hop = normalize_prefix_str(policy->nexthops[i]);
-+ char *fmt = i ? ", %s" : " %25s";
-+ ds_put_format(s, fmt, next_hop);
-+ free(next_hop);
-+ }
- } else {
- ds_put_format(s, "%10"PRId64" %50s %15s", policy->priority,
- policy->match, policy->action);
-diff --git a/utilities/ovndb-servers.ocf b/utilities/ovndb-servers.ocf
-index 7351c7d64..eba9c97a1 100755
---- a/utilities/ovndb-servers.ocf
-+++ b/utilities/ovndb-servers.ocf
-@@ -259,6 +259,9 @@ ovsdb_server_notify() {
- ovn-nbctl -- --id=@conn_uuid create Connection \
- target="p${NB_MASTER_PROTO}\:${NB_MASTER_PORT}\:${LISTEN_ON_IP}" \
- inactivity_probe=$INACTIVE_PROBE -- set NB_Global . connections=@conn_uuid
-+ else
-+ CONN_UID=$(sed -e 's/^\[//' -e 's/\]$//' <<< ${conn})
-+ ovn-nbctl set connection "${CONN_UID}" target="p${NB_MASTER_PROTO}\:${NB_MASTER_PORT}\:${LISTEN_ON_IP}"
- fi
-
- conn=`ovn-sbctl get SB_global . connections`
-@@ -267,6 +270,9 @@ inactivity_probe=$INACTIVE_PROBE -- set NB_Global . connections=@conn_uuid
- ovn-sbctl -- --id=@conn_uuid create Connection \
- target="p${SB_MASTER_PROTO}\:${SB_MASTER_PORT}\:${LISTEN_ON_IP}" \
- inactivity_probe=$INACTIVE_PROBE -- set SB_Global . connections=@conn_uuid
-+ else
-+ CONN_UID=$(sed -e 's/^\[//' -e 's/\]$//' <<< ${conn})
-+ ovn-sbctl set connection "${CONN_UID}" target="p${SB_MASTER_PROTO}\:${SB_MASTER_PORT}\:${LISTEN_ON_IP}"
- fi
-
- else
diff --git a/ovn.spec b/ovn.spec
index dcb5825..b89f591 100644
--- a/ovn.spec
+++ b/ovn.spec
@@ -42,8 +42,8 @@
Name: ovn
Summary: Open Virtual Network support
URL: http://www.openvswitch.org/
-Version: 21.03.0
-Release: 32%{?commit0:.%{date}git%{shortcommit0}}%{?dist}
+Version: 21.06.0
+Release: 1%{?commit0:.%{date}git%{shortcommit0}}%{?dist}
Obsoletes: openvswitch-ovn-common < %{?epoch_ovs:%{epoch_ovs}:}2.11.0-8
Provides: openvswitch-ovn-common = %{?epoch:%{epoch}:}%{version}-%{release}
@@ -73,8 +73,6 @@ Source10: https://openvswitch.org/releases/openvswitch-%{ovsver}.tar.gz
# ovn-patches
-Patch01: ovn-21.03.0.patch
-
# OpenvSwitch backports (400-) if required.
# Address crpto policy for fedora
%if 0%{?fedora}
@@ -441,6 +439,9 @@ fi
%{_unitdir}/ovn-controller-vtep.service
%changelog
+* Fri Jun 25 2021 Numan Siddique - 21.06.0-1
+- Synced with the upstream release v21.06.0
+
* Wed May 12 2021 Numan Siddique - 21.03.0-32
- Synced with the RHEL FDP ovn-2021
- Backports since 21.03.0-2 are:
diff --git a/sources b/sources
index 3db51bc..adeff4a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (ovn-21.03.0.tar.gz) = b704efc0d9a7b5ef6c83e7fcf88e79f4316bb54bb36a87cb5bb83f36e6970ca3ccf53ae0b67b87eb2f2fd473dac00c6083b7278b34c021f0a71bb9a216a07ffc
-SHA512 (openvswitch-2.15.90.tar.gz) = 661c85570115d6d7e2c2cafee588706ee02ecd8afae3ca589eab3eb993522ae35b8a032bafef4da826b97e58c42daedbf9b33562552954e940b5b34d14bd58b0
+SHA512 (ovn-21.06.0.tar.gz) = 2ac0197abfff832c167baffb6971c9897b04d85f440a6ad1e09fc4b78a1dda70ec6638a9396ffb0c8dd44ffe55242de868950cbcd1b6a850f172b424e043ec81
+SHA512 (openvswitch-2.15.90.tar.gz) = 4c28207ac0388b2fa83ebe48725bb8c74dcc6e55c569445179946e6040e45265455930bd4ea35a718db19581e194d56a1542af1a4e189af98f47bbfb57b7c5c7