Description of problem:

ANP, ACL1 - 32000 prio
ANP, ACL2 - 31999 prio - jump to NP ACL’s i.e skip all ACL’s in the range of [32000-3000]
ANP, ACL3 - 31995 prio
ANP, ACL4 - 30000 prio
NP, ACL5 - 1001 prio
NP, ACL6 - 1001 prio
NP, ACL7 - 1001 prio
BANP, ACL8 - 900 prio

Implementation Options:
1) Implement ANP & NP as two stages (probably will need to implement BANP as lower priority to NP - keep it same stage) - will need a new pipeline stage in OVN - we need to be sure ANP will be the last of hierarchies as far as policies go :D
2) Implement ANPs in switches and NPs/BANPs in transit switches or a different router/switch? Not sure… 
3) Trick OVS by setting a flag to resubmit to the same table, so if we matched on the skip ACL then we set flag=1 and rest of the flows in that table for that range are applied only if flag=0? - might be a bit more complicated…

This was discussed in the OVN-OpenShift sync meeting today.

From CMS perspective what we want is for a way to implement the "PASS" Admin Network Policy here, so have a way to say if I hit the PASS ACL rule it will just skip the rest of the ACLs under ANP and go straight to NP evaluation.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info: