Bug 1919941

Summary: [ovn-nbctl] Enhance acl-list <LS> to also display ACLs applied through port groups.
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Dumitru Ceara <dceara>
Component: OVN
Assignee: OVN Team <ovnteam>
Status: NEW
QA Contact: Jianlin Shi <jishi>
Severity: unspecified
Priority: medium
Version: FDP 20.H
CC: ctrautma, mmichels
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Embargoed:

Description Dumitru Ceara 2021-01-25 12:22:38 UTC
Description of problem:

When OVN ACLs are applied to a port group they are essentially applied to every logical switch that contains ports that are part of the port group.

However, when displaying ACLs applied on a logical switch, ovn-nbctl only returns ACLs explicitly applied on the logical switch. This makes troubleshooting more complicated.

Version-Release number of selected component (if applicable):
Any.

How reproducible:
Every time.

Steps to Reproduce:
$ ovn-nbctl ls-add ls
$ ovn-nbctl lsp-add ls lsp1
$ ovn-nbctl pg-add pg1 lsp1
$ ovn-nbctl acl-add pg1 to-lport 2 udp allow
$ ovn-nbctl acl-add ls to-lport 1 ip drop

Actual results:
$ ovn-nbctl acl-list ls
  to-lport     1 (ip) drop
$ ovn-nbctl acl-list pg1
  to-lport     2 (udp) allow

Expected results:
$ ovn-nbctl --all acl-list ls
  to-lport     2 (udp) allow
  to-lport     1 (ip) drop
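To make the reported behaviour concrete, the following is a small Python model of the relevant part of the OVN northbound data (logical switches, their ports, port groups, and the ACLs attached to switches or port groups). It is an added example written for this page, not ovn-nbctl's or OVN's code; the `Northbound` class, its method names and the `include_port_groups` flag are constructed stand-ins. `reproduce()` replays the steps above and adds a second switch and port group (constructed) to show that a port group with no member port on `ls` does not contribute ACLs to `ls`, which is the distinction a troubleshooter needs when the report's `--all acl-list` is used.

```python
"""Toy model of how OVN ACLs reach a logical switch: directly, or through a
port group that contains one of the switch's ports.  Constructed example,
not ovn-nbctl's code; Northbound stands in for the OVN NB database."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ACL:
    direction: str  # "from-lport" or "to-lport"
    priority: int
    match: str
    action: str  # "allow", "allow-related", "drop", "reject", ...

    def render(self) -> str:
        # Same layout as the acl-list output quoted in the report.
        return f"  {self.direction:<10} {self.priority:>3} ({self.match}) {self.action}"


@dataclass
class Northbound:
    switches: dict = field(default_factory=dict)     # ls name -> set of lsp names
    port_groups: dict = field(default_factory=dict)  # pg name -> set of lsp names
    acls: dict = field(default_factory=dict)         # ls or pg name -> [ACL, ...]

    def ls_add(self, ls: str) -> None:
        self.switches.setdefault(ls, set())

    def lsp_add(self, ls: str, lsp: str) -> None:
        self.switches[ls].add(lsp)

    def pg_add(self, pg: str, *lsps: str) -> None:
        self.port_groups.setdefault(pg, set()).update(lsps)

    def acl_add(self, entity: str, direction: str, priority: int,
                match: str, action: str) -> None:
        # `entity` is a logical switch or a port group, as with ovn-nbctl acl-add.
        self.acls.setdefault(entity, []).append(ACL(direction, priority, match, action))

    def port_groups_touching(self, ls: str) -> list:
        """Port groups with at least one member port on `ls`; their ACLs apply on `ls`."""
        ports = self.switches[ls]
        return sorted(pg for pg, members in self.port_groups.items() if members & ports)

    def acl_list(self, entity: str, include_port_groups: bool = False) -> list:
        """ACLs attached to `entity`.  For a logical switch with
        include_port_groups=True, also fold in ACLs that reach the switch
        through port groups (what the requested `--all acl-list <LS>` shows)."""
        result = list(self.acls.get(entity, []))
        if include_port_groups and entity in self.switches:
            for pg in self.port_groups_touching(entity):
                result.extend(self.acls.get(pg, []))
        # Same ordering as the quoted output: by direction, then highest priority first.
        return sorted(result, key=lambda a: (a.direction, -a.priority, a.match))


def reproduce() -> Northbound:
    """Replay the report's Steps to Reproduce, plus a constructed second
    switch/port group that must NOT show up in the listing for `ls`."""
    nb = Northbound()
    nb.ls_add("ls")
    nb.lsp_add("ls", "lsp1")
    nb.pg_add("pg1", "lsp1")
    nb.acl_add("pg1", "to-lport", 2, "udp", "allow")
    nb.acl_add("ls", "to-lport", 1, "ip", "drop")
    # Constructed extra data: pg2 has no port on ls, so its ACL is not effective on ls.
    nb.ls_add("ls2")
    nb.lsp_add("ls2", "lsp2")
    nb.pg_add("pg2", "lsp2")
    nb.acl_add("pg2", "from-lport", 3, "tcp", "reject")
    return nb


if __name__ == "__main__":
    nb = reproduce()
    print("acl-list ls (current behaviour):")
    print("\n".join(a.render() for a in nb.acl_list("ls")))
    print("--all acl-list ls (requested behaviour):")
    print("\n".join(a.render() for a in nb.acl_list("ls", include_port_groups=True)))
```

Running the module prints the one-line listing for `ls` that ovn-nbctl gives today and then the two-line listing the report asks for. The important point for troubleshooting is in `port_groups_touching`: an ACL on a port group is effective on exactly those switches that own at least one member port, so any "effective ACLs on switch X" view has to walk port-group membership rather than just the switch's own `acls` column.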