Description of problem:

Currently Port-Group is used in multiple contexts:
(1) as a match criterion for ACLs
(2) applying ACLs to a set of logical switches (not to specific ports of the logical switches).

This creates a bit of confusion about its functional behavior, specifically for scenario (2) above, where the port group is used to determine the logical switch where the ACL needs to be specified. Please see the BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1885668) for more details about it.

Had a good discussion over IRC on this with Dumitru, Ilya and Numan in this regard. Just want to share a few thoughts on improving this functional behavior based on the discussion, to see if that makes sense.

If we do the following enhancements in OVN NB DB, it might make things more intuitive and simple:
(1) Remove support for the inport=@portgroup match from the ACL match.
(2) Port-Group will only be used to apply ACLs to the specific ports. So if an ACL is associated with a port-group, northd can generate logical flows that contain an inport match.
(3) Define Logical-Switch-Groups, to apply ACLs at the logical-switch level.

Given that inport won't be allowed in ACLs, users need to explicitly define whether they want to apply an ACL to a specific port/set of ports or apply it at the logical-switch level.

Thoughts?

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info: