Description of problem:

ANP, ACL1 - 32000 prio
ANP, ACL2 - 31999 prio - jump to NP ACLs, i.e. skip all ACLs in the range of [32000-3000]
ANP, ACL3 - 31995 prio
ANP, ACL4 - 30000 prio
NP, ACL5 - 1001 prio
NP, ACL6 - 1001 prio
NP, ACL7 - 1001 prio
BANP, ACL8 - 900 prio

Implementation Options:

1) Implement ANP & NP as two stages (probably will need to implement BANP as lower priority to NP - keep it same stage) - will need a new pipeline stage in OVN - we need to be sure ANP will be the last of hierarchies as far as policies go :D
2) Implement ANPs in switches and NPs/BANPs in transit switches or a different router/switch? Not sure…
3) Trick OVS by setting a flag to resubmit to the same table, so if we matched on the skip ACL then we set flag=1 and the rest of the flows in that table for that range are applied only if flag=0? - might be a bit more complicated…

This was discussed in the OVN-OpenShift sync meeting today. From the CMS perspective, what we want is a way to implement the "PASS" Admin Network Policy here, so have a way to say that if I hit the PASS ACL rule, it will just skip the rest of the ACLs under ANP and go straight to NP evaluation.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
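The requested PASS semantics, modelled as an added example (not code from the report or from OVN): it evaluates the report's eight ACLs under option 1 (two stages) and option 3 (single table with a skip flag) and shows both give the same verdict. ACL names, tiers and priorities come from the report; the match predicates, the allow/drop actions, the packet fields and the default verdict of "allow" are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class ACL:
    name: str
    tier: str                       # "ANP", "NP" or "BANP"
    priority: int
    match: Callable[[dict], bool]   # predicate over a constructed packet dict
    action: str                     # "allow", "drop" or "pass" (ANP only)

# Names, tiers and priorities follow the report; matches and actions are constructed.
ACLS = [
    ACL("ACL1", "ANP", 32000, lambda p: p["src"] == "monitoring", "allow"),
    ACL("ACL2", "ANP", 31999, lambda p: p["dport"] == 8080, "pass"),
    ACL("ACL3", "ANP", 31995, lambda p: p["dport"] == 8080, "drop"),
    ACL("ACL4", "ANP", 30000, lambda p: True, "drop"),
    ACL("ACL5", "NP", 1001, lambda p: p["src"] == "frontend" and p["dport"] == 8080, "allow"),
    ACL("ACL6", "NP", 1001, lambda p: p["dport"] == 5432, "allow"),
    ACL("ACL7", "NP", 1001, lambda p: p["src"] == "batch", "drop"),
    ACL("ACL8", "BANP", 900, lambda p: True, "drop"),
]

def evaluate_staged(acls, pkt, default="allow"):
    """Option 1: ANP stage, then an NP+BANP stage; "pass" or no hit moves on."""
    for stage_tiers in (("ANP",), ("NP", "BANP")):
        stage = sorted((a for a in acls if a.tier in stage_tiers),
                       key=lambda a: -a.priority)
        hit = next((a for a in stage if a.match(pkt)), None)
        if hit is not None and hit.action != "pass":
            return hit.action, hit.name
    return default, None

def evaluate_flagged(acls, pkt, default="allow"):
    """Option 3: one priority-ordered table; "pass" sets a flag that disables
    the remaining ANP ACLs. Relies on ANP > NP > BANP priority bands."""
    skip_anp = False
    for a in sorted(acls, key=lambda a: -a.priority):
        if (a.tier == "ANP" and skip_anp) or not a.match(pkt):
            continue
        if a.action == "pass":
            skip_anp = True
            continue
        return a.action, a.name
    return default, None

if __name__ == "__main__":
    for pkt in ({"src": "frontend", "dport": 8080}, {"src": "other", "dport": 22}):
        print(pkt, evaluate_staged(ACLS, pkt), evaluate_flagged(ACLS, pkt))
```

Without the pass at ACL2, the frontend packet on port 8080 would be dropped by ACL3 before any NP ACL was consulted.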
Patch series posted for review here: https://patchwork.ozlabs.org/project/ovn/list/?series=347327
ovn23.06 fast-datapath-rhel-9 clone created at https://bugzilla.redhat.com/show_bug.cgi?id=2208427