acl-list命令
kubectl-ko nbctl acl-list ovn.sg.sg.example
from-lport 2100 (inport == @ovn.sg.sg.example && ip4 && ip4.dst == 0.0.0.0) allow-related
from-lport 2005 (inport == @ovn.sg.sg.example && arp) allow-related
from-lport 2005 (inport == @ovn.sg.sg.example && icmp6.type == {130, 133, 135, 136} && icmp6.code == 0 && ip.ttl == 255) allow-related
from-lport 2005 (inport == @ovn.sg.sg.example && ip.proto == 112) allow-related
from-lport 2005 (inport == @ovn.sg.sg.example && udp.src == 546 && udp.dst == 547 && ip6) allow-related
from-lport 2005 (inport == @ovn.sg.sg.example && udp.src == 68 && udp.dst == 67 && ip4) allow-related
from-lport 2004 (inport == @ovn.sg.sg.example && ip4 && ip4.dst == $ovn.sg.sg.example.associated.v4) allow-related
from-lport 2004 (inport == @ovn.sg.sg.example && ip6 && ip6.dst == $ovn.sg.sg.example.associated.v6) allow-related
to-lport 2100 (outport == @ovn.sg.sg.example && ip4 && ip4.src == 0.0.0.0) allow-related
to-lport 2005 (outport == @ovn.sg.sg.example && arp) allow-related
to-lport 2005 (outport == @ovn.sg.sg.example && icmp6.type == {130, 134, 135, 136} && icmp6.code == 0 && ip.ttl == 255) allow-related
to-lport 2005 (outport == @ovn.sg.sg.example && ip.proto == 112) allow-related
to-lport 2005 (outport == @ovn.sg.sg.example && udp.src == 547 && udp.dst == 546 && ip6) allow-related
to-lport 2005 (outport == @ovn.sg.sg.example && udp.src == 67 && udp.dst == 68 && ip4) allow-related
to-lport 2004 (outport == @ovn.sg.sg.example && ip4 && ip4.src == $ovn.sg.sg.example.associated.v4) allow-related
to-lport 2004 (outport == @ovn.sg.sg.example && ip6 && ip6.src == $ovn.sg.sg.example.associated.v6) allow-related

ovn-trace命令
kubectl-ko ovn-trace default/toolbox-2 240.0.0.1 icmp
Using the logical gateway mac address as destination
+ kubectl exec ovn-central-6b6c89b467-wkdwf -n kube-system -c ovn-central -- ovn-trace ovn-default 'inport == "toolbox-2.default" && ip.ttl == 64 && icmp && eth.src == 42:59:2f:f3:3e:70 && ip4.src == 240.0.0.153 && 
eth.dst == 00:00:00:66:27:A5 && ip4.dst == 240.0.0.1 && ct.new'
# ct_state=new|trk,icmp,reg14=0x69,vlan_tci=0x0000,dl_src=42:59:2f:f3:3e:70,dl_dst=00:00:00:66:27:a5,nw_src=240.0.0.153,nw_dst=240.0.0.1,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=0,icmp_code=0

ingress(dp="ovn-default", inport="toolbox-2.default")
-----------------------------------------------------
 0. ls_in_check_port_sec (northd.c:8869): 1, priority 50, uuid 2ebb3566
    reg0[15] = check_in_port_sec();
    next;
 4. ls_in_pre_acl (northd.c:5897): ip4.dst == 240.0.0.1, priority 3001, uuid b30d9b6b
    reg0[16] = 1;
    next;
 5. ls_in_pre_lb (northd.c:6149): reg0[16] == 1, priority 110, uuid 1196be41
    next;
 7. ls_in_acl_hint (northd.c:6367): ct.new && !ct.est, priority 7, uuid 3293d3d1
    reg0[7] = 1;
    reg0[9] = 1;
    next;
 8. ls_in_acl_eval (northd.c:6694): reg0[9] == 1 && (inport == @ovn.sg.kubeovn_deny_all && ip), priority 3003, uuid e4691482
    reg8[17] = 1;
    next;
 9. ls_in_acl_action (northd.c:6833): reg8[17] == 1, priority 1000, uuid 946fd36b
    reg8[16] = 0;
    reg8[17] = 0;
    reg8[18] = 0;
+ set +x

Note: the trace ends at ls_in_acl_action with no `next;` after matching the kubeovn_deny_all flow (priority 3003), so this packet appears to be dropped; none of the higher-priority ovn.sg.sg.example allow flows (3004 and up, listed below) matched it.

lflow-list命令
kubectl-ko sbctl lflow-list | grep ovn.sg.sg.example
table=8 (ls_in_acl_eval ), priority=3100 , match=(reg0[7] == 1 && (inport == @ovn.sg.sg.example && ip4 && ip4.dst == 0.0.0.0)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3100 , match=(reg0[8] == 1 && (inport == @ovn.sg.sg.example && ip4 && ip4.dst == 0.0.0.0)), action=(reg8[16] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3005 , match=(reg0[7] == 1 && (inport == @ovn.sg.sg.example && arp)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3005 , match=(reg0[7] == 1 && (inport == @ovn.sg.sg.example && icmp6.type == {130, 133, 135, 136} && icmp6.code == 0 && ip.ttl == 255)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3005 , match=(reg0[7] == 1 && (inport == @ovn.sg.sg.example && ip.proto == 112)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=8 (ls_in_acl_eval ), 
priority=3005 , match=(reg0[7] == 1 && (inport == @ovn.sg.sg.example && udp.src == 546 && udp.dst == 547 && ip6)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3005 , match=(reg0[7] == 1 && (inport == @ovn.sg.sg.example && udp.src == 68 && udp.dst == 67 && ip4)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3005 , match=(reg0[8] == 1 && (inport == @ovn.sg.sg.example && arp)), action=(reg8[16] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3005 , match=(reg0[8] == 1 && (inport == @ovn.sg.sg.example && icmp6.type == {130, 133, 135, 136} && icmp6.code == 0 && ip.ttl == 255)), action=(reg8[16] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3005 , match=(reg0[8] == 1 && (inport == @ovn.sg.sg.example && ip.proto == 112)), action=(reg8[16] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3005 , match=(reg0[8] == 1 && (inport == @ovn.sg.sg.example && udp.src == 546 && udp.dst == 547 && ip6)), action=(reg8[16] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3005 , match=(reg0[8] == 1 && (inport == @ovn.sg.sg.example && udp.src == 68 && udp.dst == 67 && ip4)), action=(reg8[16] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3004 , match=(reg0[7] == 1 && (inport == @ovn.sg.sg.example && ip4 && ip4.dst == $ovn.sg.sg.example.associated.v4)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3004 , match=(reg0[7] == 1 && (inport == @ovn.sg.sg.example && ip6 && ip6.dst == $ovn.sg.sg.example.associated.v6)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3004 , match=(reg0[8] == 1 && (inport == @ovn.sg.sg.example && ip4 && ip4.dst == $ovn.sg.sg.example.associated.v4)), action=(reg8[16] = 1; next;)
table=8 (ls_in_acl_eval ), priority=3004 , match=(reg0[8] == 1 && (inport == @ovn.sg.sg.example && ip6 && ip6.dst == $ovn.sg.sg.example.associated.v6)), action=(reg8[16] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3100 , match=(reg0[7] == 1 && (outport == 
@ovn.sg.sg.example && ip4 && ip4.src == 0.0.0.0)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3100 , match=(reg0[8] == 1 && (outport == @ovn.sg.sg.example && ip4 && ip4.src == 0.0.0.0)), action=(reg8[16] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3005 , match=(reg0[7] == 1 && (outport == @ovn.sg.sg.example && arp)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3005 , match=(reg0[7] == 1 && (outport == @ovn.sg.sg.example && icmp6.type == {130, 134, 135, 136} && icmp6.code == 0 && ip.ttl == 255)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3005 , match=(reg0[7] == 1 && (outport == @ovn.sg.sg.example && ip.proto == 112)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3005 , match=(reg0[7] == 1 && (outport == @ovn.sg.sg.example && udp.src == 547 && udp.dst == 546 && ip6)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3005 , match=(reg0[7] == 1 && (outport == @ovn.sg.sg.example && udp.src == 67 && udp.dst == 68 && ip4)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3005 , match=(reg0[8] == 1 && (outport == @ovn.sg.sg.example && arp)), action=(reg8[16] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3005 , match=(reg0[8] == 1 && (outport == @ovn.sg.sg.example && icmp6.type == {130, 134, 135, 136} && icmp6.code == 0 && ip.ttl == 255)), action=(reg8[16] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3005 , match=(reg0[8] == 1 && (outport == @ovn.sg.sg.example && ip.proto == 112)), action=(reg8[16] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3005 , match=(reg0[8] == 1 && (outport == @ovn.sg.sg.example && udp.src == 547 && udp.dst == 546 && ip6)), action=(reg8[16] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3005 , match=(reg0[8] == 1 && (outport == @ovn.sg.sg.example && udp.src == 67 && udp.dst == 68 && ip4)), action=(reg8[16] = 1; next;)
table=4 
(ls_out_acl_eval ), priority=3004 , match=(reg0[7] == 1 && (outport == @ovn.sg.sg.example && ip4 && ip4.src == $ovn.sg.sg.example.associated.v4)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3004 , match=(reg0[7] == 1 && (outport == @ovn.sg.sg.example && ip6 && ip6.src == $ovn.sg.sg.example.associated.v6)), action=(reg8[16] = 1; reg0[1] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3004 , match=(reg0[8] == 1 && (outport == @ovn.sg.sg.example && ip4 && ip4.src == $ovn.sg.sg.example.associated.v4)), action=(reg8[16] = 1; next;)
table=4 (ls_out_acl_eval ), priority=3004 , match=(reg0[8] == 1 && (outport == @ovn.sg.sg.example && ip6 && ip6.src == $ovn.sg.sg.example.associated.v6)), action=(reg8[16] = 1; next;)