When ACL is applied to a subnet, affects ACL rules based on security groups, such as pg group？

[BigCousin-z]

ovn acl ：
logical_switch :
_uuid : 12b25a3d-b32c-4f37-a89d-7c1b7cf81772
action : allow-related
direction : to-lport
external_ids : {acl_group=ACL-1}
label : 0
log : false
match : "ip4.src == 0.0.0.0/0 && tcp && 8080 <= tcp.dst <= 8080"
meter : []
name : ACL-1-in-3
options : {}
priority : 1497
severity : []

port group:
_uuid : 5a98ec19-a151-4f20-a12d-26fbd4bf5014
action : drop
direction : from-lport
external_ids : {}
label : 0
log : false
match : "ip && inport == @ovn_pg_1"
meter : []
name : []
options : {}
priority : 2000
severity : []

If the lsp interface of the VM exists in both logical switch and port group， the ACLs can only take effect at one level logcal switch or pg.
Is it correct that this kind of security policy affects each other when the actual effective scope is inconsistent? Or how can I configure it so that the two types of ACLs do not affect each other

[BigCousin-z]

@almusil pls hava a look

[BigCousin-z]

anyone ？

[almusil]

Hi, I'm not sure if I understand the question correctly. But from the info provided it's correct that both ACL might be evaluated for the same VM.

[BigCousin-z]

Hi, I'm not sure if I understand the question correctly. But from the info provided it's correct that both ACL might be evaluated for the same VM.

Although it belongs to the same VM, but this VM is in the PG and in the subnet, there are two ACLs, one is configured on the PG and the other is on the subnet, I expect both ACLs to take effect, in different directions, different ACLs take effect, and not as long as there is a high priority in effect，is there any way?

Q1: VM1-->PG-x->Subnet-->VM2
If the ACL of the PG is rejected, the rule priority is low, but the ACL rule of the subnet is allowed to be moved and the rule priority is high, and the final action should be to reject the ACL on the PG instead of the highest priority
Q2: VM1<-x-PG<--Subnet<--VM2
If the ACL of the subnet is rejected, the rule priority is low, but the ACL rule of the PG is allowed to be moved and the rule has a high priority, and the final action should be to reject the ACL on the PG instead of the one with the highest priority

[almusil]

Hi,

this issue has been inactive for more than 6 months, closing it as stale. In case the issue still persists with recent version of OVN please feel free to re-open it with info from new version.

Thanks,
Ales