ovn: Fix ACLs for child logical ports.

The physical input flows for child logical ports (for the
container-in-a-VM use case, for example) did not set a conntrack zone
ID.  The previous code only allocated a zone ID for local VIFs and
missed doing it for child ports.

Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>

diff --git a/ovn/controller/binding.c b/ovn/controller/binding.c
index 7f31b31..952410c 100644 (file)
--- a/ovn/controller/binding.c
+++ b/ovn/controller/binding.c
@@ -144,7 +144,6 @@ binding_run(struct controller_ctx *ctx, const struct ovsrec_bridge *br_int,
         /* We have no integration bridge, therefore no local logical ports.
          * We'll remove our chassis from all port binding records below. */
     }
-    update_ct_zones(&lports, ct_zones, ct_zone_bitmap);
     sset_clone(&all_lports, &lports);
 
     ovsdb_idl_txn_add_comment(
@@ -155,6 +154,10 @@ binding_run(struct controller_ctx *ctx, const struct ovsrec_bridge *br_int,
         if (sset_find_and_delete(&lports, binding_rec->logical_port) ||
                 (binding_rec->parent_port && binding_rec->parent_port[0] &&
                  sset_contains(&all_lports, binding_rec->parent_port))) {
+            if (binding_rec->parent_port && binding_rec->parent_port[0]) {
+                /* Add child logical port to the set of all local ports. */
+                sset_add(&all_lports, binding_rec->logical_port);
+            }
             if (binding_rec->chassis == chassis_rec) {
                 continue;
             }
@@ -173,6 +176,9 @@ binding_run(struct controller_ctx *ctx, const struct ovsrec_bridge *br_int,
     SSET_FOR_EACH (name, &lports) {
         VLOG_DBG("No port binding record for lport %s", name);
     }
+
+    update_ct_zones(&all_lports, ct_zones, ct_zone_bitmap);
+
     sset_destroy(&lports);
     sset_destroy(&all_lports);
 }