]> git.proxmox.com Git - mirror_ovs.git/blame - ovn/ovn-sb.xml
projects / mirror_ovs.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tests: Add new pmd test for pmd-rxq-affinity.
[mirror_ovs.git] / ovn / ovn-sb.xml
CommitLineData
fe36184b 1<?xml version="1.0" encoding="utf-8"?>
ec78987f 2<database name="ovn-sb" title="OVN Southbound Database">
fe36184b
BP		 3 <p>
4 This database holds logical and physical configuration and state for the
5 Open Virtual Network (OVN) system to support virtual network abstraction.
6 For an introduction to OVN, please see <code>ovn-architecture</code>(7).
7 </p>
8
9 <p>
ec78987f
JP		 10 The OVN Southbound database sits at the center of the OVN
11 architecture. It is the one component that speaks both southbound
12 directly to all the hypervisors and gateways, via
88058f19
AW		 13 <code>ovn-controller</code>/<code>ovn-controller-vtep</code>, and
14 northbound to the Cloud Management System, via <code>ovn-northd</code>:
fe36184b
BP		 15 </p>
16
17 <h2>Database Structure</h2>
18
19 <p>
0bac7164 20 The OVN Southbound database contains classes of data with
ec78987f 21 different properties, as described in the sections below.
fe36184b
BP		 22 </p>
23
24 <h3>Physical Network (PN) data</h3>
25
26 <p>
27 PN tables contain information about the chassis nodes in the system. This
28 contains all the information necessary to wire the overlay, such as IP
29 addresses, supported tunnel types, and security keys.
30 </p>
31
32 <p>
33 The amount of PN data is small (O(n) in the number of chassis) and it
34 changes infrequently, so it can be replicated to every chassis.
35 </p>
36
37 <p>
62fdd819 38 The <ref table="Chassis"/> table comprises the PN tables.
fe36184b
BP		 39 </p>
40
41 <h3>Logical Network (LN) data</h3>
42
43 <p>
44 LN tables contain the topology of logical switches and routers, ACLs,
45 firewall rules, and everything needed to describe how packets traverse a
46 logical network, represented as logical datapath flows (see Logical
47 Datapath Flows, below).
48 </p>
49
50 <p>
51 LN data may be large (O(n) in the number of logical ports, ACL rules,
52 etc.). Thus, to improve scaling, each chassis should receive only data
53 related to logical networks in which that chassis participates. Past
54 experience shows that in the presence of large logical networks, even
55 finer-grained partitioning of data, e.g. designing logical flows so that
56 only the chassis hosting a logical port needs related flows, pays off
57 scale-wise. (This is not necessary initially but it is worth bearing in
58 mind in the design.)
59 </p>
60
61 <p>
62 The LN is a slave of the cloud management system running northbound of OVN.
63 That CMS determines the entire OVN logical configuration and therefore the
64 LN's content at any given time is a deterministic function of the CMS's
09986f8c
JP		 65 configuration, although that happens indirectly via the
66 <ref db="OVN_Northbound"/> database and <code>ovn-northd</code>.
fe36184b
BP		 67 </p>
68
69 <p>
70 LN data is likely to change more quickly than PN data. This is especially
71 true in a container environment where VMs are created and destroyed (and
72 therefore added to and deleted from logical switches) quickly.
73 </p>
74
75 <p>
5868eb24
BP		 76 <ref table="Logical_Flow"/> and <ref table="Multicast_Group"/> contain LN
77 data.
fe36184b
BP		 78 </p>
79
0bac7164 80 <h3>Logical-physical bindings</h3>
fe36184b
BP		 81
82 <p>
0bac7164 83 These tables link logical and physical components. They show the current
5868eb24
BP		 84 placement of logical components (such as VMs and VIFs) onto chassis, and
85 map logical entities to the values that represent them in tunnel
86 encapsulations.
fe36184b
BP		 87 </p>
88
89 <p>
0bac7164 90 These tables change frequently, at least every time a VM powers up or down
fe36184b
BP		 91 or migrates, and especially quickly in a container environment. The
92 amount of data per VM (or VIF) is small.
93 </p>
94
95 <p>
96 Each chassis is authoritative about the VMs and VIFs that it hosts at any
97 given time and can efficiently flood that state to a central location, so
98 the consistency needs are minimal.
99 </p>
100
101 <p>
5868eb24
BP		 102 The <ref table="Port_Binding"/> and <ref table="Datapath_Binding"/> tables
103 contain binding data.
fe36184b
BP		 104 </p>
105
0bac7164
BP		 106 <h3>MAC bindings</h3>
107
108 <p>
109 The <ref table="MAC_Binding"/> table tracks the bindings from IP addresses
110 to Ethernet addresses that are dynamically discovered using ARP (for IPv4)
111 and neighbor discovery (for IPv6). Usually, IP-to-MAC bindings for virtual
112 machines are statically populated into the <ref table="Port_Binding"/>
113 table, so <ref table="MAC_Binding"/> is primarily used to discover bindings
114 on physical networks.
115 </p>
116
5868eb24
BP		 117 <h2>Common Columns</h2>
118
119 <p>
120 Some tables contain a special column named <code>external_ids</code>. This
121 column has the same form and purpose each place that it appears, so we
122 describe it here to save space later.
123 </p>
124
125 <dl>
126 <dt><code>external_ids</code>: map of string-string pairs</dt>
127 <dd>
128 Key-value pairs for use by the software that manages the OVN Southbound
88058f19
AW		 129 database rather than by
130 <code>ovn-controller</code>/<code>ovn-controller-vtep</code>. In
131 particular, <code>ovn-northd</code> can use key-value pairs in this
132 column to relate entities in the southbound database to higher-level
133 entities (such as entities in the OVN Northbound database). Individual
134 key-value pairs in this column may be documented in some cases to aid
135 in understanding and troubleshooting, but the reader should not mistake
136 such documentation as comprehensive.
5868eb24
BP		 137 </dd>
138 </dl>
139
fa183acc
BP		 140 <table name="SB_Global" title="Southbound configuration">
141 <p>
142 Southbound configuration for an OVN system. This table must have exactly
143 one row.
144 </p>
145
146 <group title="Status">
147 This column allow a client to track the overall configuration state of
148 the system.
149
150 <column name="nb_cfg">
151 Sequence number for the configuration. When a CMS or
152 <code>ovn-nbctl</code> updates the northbound database, it increments
153 the <code>nb_cfg</code> column in the <code>NB_Global</code> table in
154 the northbound database. In turn, when <code>ovn-northd</code> updates
155 the southbound database to bring it up to date with these changes, it
156 updates this column to the same value.
157 </column>
158 </group>
159
160 <group title="Common Columns">
161 <column name="external_ids">
162 See <em>External IDs</em> at the beginning of this document.
163 </column>
164 </group>
165 </table>
166
fe36184b
BP		 167 <table name="Chassis" title="Physical Network Hypervisor and Gateway Information">
168 <p>
169 Each row in this table represents a hypervisor or gateway (a chassis) in
170 the physical network (PN). Each chassis, via
88058f19
AW		 171 <code>ovn-controller</code>/<code>ovn-controller-vtep</code>, adds
172 and updates its own row, and keeps a copy of the remaining rows to
173 determine how to reach other hypervisors.
fe36184b
BP		 174 </p>
175
176 <p>
177 When a chassis shuts down gracefully, it should remove its own row.
178 (This is not critical because resources hosted on the chassis are equally
179 unreachable regardless of whether the row is present.) If a chassis
180 shuts down permanently without removing its row, some kind of manual or
181 automatic cleanup is eventually needed; we can devise a process for that
182 as necessary.
183 </p>
184
185 <column name="name">
fc26cf25
RB		 186 OVN does not prescribe a particular format for chassis names.
187 ovn-controller populates this column using <ref key="system-id"
188 table="Open_vSwitch" column="external_ids" db="Open_vSwitch"/>
189 in the Open_vSwitch database's <ref table="Open_vSwitch"
190 db="Open_vSwitch"/> table. ovn-controller-vtep populates this
191 column with <ref table="Physical_Switch" column="name"
192 db="hardware_vtep"/> in the hardware_vtep database's
193 <ref table="Physical_Switch" db="hardware_vtep"/> table.
fe36184b
BP		 194 </column>
195
2229f3ec
RB		 196 <column name="hostname">
197 The hostname of the chassis, if applicable. ovn-controller will populate
198 this column with the hostname of the host it is running on.
199 ovn-controller-vtep will leave this column empty.
200 </column>
201
fa183acc
BP		 202 <column name="nb_cfg">
203 Sequence number for the configuration. When <code>ovn-controller</code>
204 updates the configuration of a chassis from the contents of the
205 southbound database, it copies <ref table="SB_Global" column="nb_cfg"/>
206 from the <ref table="SB_Global"/> table into this column.
207 </column>
208
4250ee37
RB		 209 <column name="external_ids" key="ovn-bridge-mappings">
210 <code>ovn-controller</code> populates this key with the set of bridge
211 mappings it has been configured to use. Other applications should treat
212 this key as read-only. See <code>ovn-controller</code>(8) for more
213 information.
214 </column>
215
1cef5fff
RB		 216 <group title="Common Columns">
217 The overall purpose of these columns is described under <code>Common
218 Columns</code> at the beginning of this document.
219
220 <column name="external_ids"/>
221 </group>
222
09db214c 223 <group title="Encapsulation Configuration">
fe36184b 224 <p>
09db214c
JP		 225 OVN uses encapsulation to transmit logical dataplane packets
226 between chassis.
fe36184b
BP		 227 </p>
228
09db214c
JP		 229 <column name="encaps">
230 Points to supported encapsulation configurations to transmit
231 logical dataplane packets to this chassis. Each entry is a <ref
232 table="Encap"/> record that describes the configuration.
fe36184b
BP		 233 </column>
234 </group>
235
62fdd819
AW		 236 <group title="Gateway Configuration">
237 <p>
238 A <dfn>gateway</dfn> is a chassis that forwards traffic between the
239 OVN-managed part of a logical network and a physical VLAN, extending a
240 tunnel-based logical network into a physical network. Gateways are
88058f19
AW		 241 typically dedicated nodes that do not host VMs and will be controlled
242 by <code>ovn-controller-vtep</code>.
fe36184b
BP		 243 </p>
244
62fdd819 245 <column name="vtep_logical_switches">
88058f19
AW		 246 Stores all VTEP logical switch names connected by this gateway
247 chassis. The <ref table="Port_Binding"/> table entry with
248 <ref column="options" table="Port_Binding"/>:<code>vtep-physical-switch</code>
249 equal <ref table="Chassis"/> <ref column="name" table="Chassis"/>, and
250 <ref column="options" table="Port_Binding"/>:<code>vtep-logical-switch</code>
251 value in <ref table="Chassis"/>
252 <ref column="vtep_logical_switches" table="Chassis"/>, will be
253 associated with this <ref table="Chassis"/>.
fe36184b 254 </column>
62fdd819 255 </group>
fe36184b
BP		 256 </table>
257
09db214c
JP		 258 <table name="Encap" title="Encapsulation Types">
259 <p>
260 The <ref column="encaps" table="Chassis"/> column in the <ref
261 table="Chassis"/> table refers to rows in this table to identify
262 how OVN may transmit logical dataplane packets to this chassis.
88058f19
AW		 263 Each chassis, via <code>ovn-controller</code>(8) or
264 <code>ovn-controller-vtep</code>(8), adds and updates its own rows
265 and keeps a copy of the remaining rows to determine how to reach
266 other chassis.
09db214c
JP		 267 </p>
268
269 <column name="type">
270 The encapsulation to use to transmit packets to this chassis.
b705f9ea
JP		 271 Hypervisors must use either <code>geneve</code> or
272 <code>stt</code>. Gateways may use <code>vxlan</code>,
273 <code>geneve</code>, or <code>stt</code>.
09db214c
JP		 274 </column>
275
276 <column name="options">
277 Options for configuring the encapsulation, e.g. IPsec parameters when
278 IPsec support is introduced. No options are currently defined.
279 </column>
280
281 <column name="ip">
282 The IPv4 address of the encapsulation tunnel endpoint.
283 </column>
284 </table>
285
ea382567
RB		 286 <table name="Address_Set" title="Address Sets">
287 <p>
288 See the documentation for the <ref table="Address_Set"
289 db="OVN_Northbound"/> table in the <ref db="OVN_Northbound"/> database
290 for details.
291 </p>
292
293 <column name="name"/>
294 <column name="addresses"/>
295 </table>
296
5868eb24 297 <table name="Logical_Flow" title="Logical Network Flows">
fe36184b 298 <p>
09986f8c
JP		 299 Each row in this table represents one logical flow.
300 <code>ovn-northd</code> populates this table with logical flows
301 that implement the L2 and L3 topologies specified in the
302 <ref db="OVN_Northbound"/> database. Each hypervisor, via
303 <code>ovn-controller</code>, translates the logical flows into
304 OpenFlow flows specific to its hypervisor and installs them into
305 Open vSwitch.
fe36184b
BP		 306 </p>
307
308 <p>
309 Logical flows are expressed in an OVN-specific format, described here. A
310 logical datapath flow is much like an OpenFlow flow, except that the
311 flows are written in terms of logical ports and logical datapaths instead
312 of physical ports and physical datapaths. Translation between logical
313 and physical flows helps to ensure isolation between logical datapaths.
09986f8c
JP		 314 (The logical flow abstraction also allows the OVN centralized
315 components to do less work, since they do not have to separately
316 compute and push out physical flows to each chassis.)
fe36184b
BP		 317 </p>
318
319 <p>
320 The default action when no flow matches is to drop packets.
321 </p>
322
69a832cf 323 <p><em>Architectural Logical Life Cycle of a Packet</em></p>
5868eb24
BP		 324
325 <p>
326 This following description focuses on the life cycle of a packet through
327 a logical datapath, ignoring physical details of the implementation.
69a832cf 328 Please refer to <em>Architectural Physical Life Cycle of a Packet</em> in
5868eb24
BP		 329 <code>ovn-architecture</code>(7) for the physical information.
330 </p>
331
332 <p>
333 The description here is written as if OVN itself executes these steps,
334 but in fact OVN (that is, <code>ovn-controller</code>) programs Open
335 vSwitch, via OpenFlow and OVSDB, to execute them on its behalf.
336 </p>
337
338 <p>
339 At a high level, OVN passes each packet through the logical datapath's
340 logical ingress pipeline, which may output the packet to one or more
341 logical port or logical multicast groups. For each such logical output
342 port, OVN passes the packet through the datapath's logical egress
343 pipeline, which may either drop the packet or deliver it to the
344 destination. Between the two pipelines, outputs to logical multicast
345 groups are expanded into logical ports, so that the egress pipeline only
346 processes a single logical output port at a time. Between the two
347 pipelines is also where, when necessary, OVN encapsulates a packet in a
348 tunnel (or tunnels) to transmit to remote hypervisors.
349 </p>
350
351 <p>
352 In more detail, to start, OVN searches the <ref table="Logical_Flow"/>
353 table for a row with correct <ref column="logical_datapath"/>, a <ref
354 column="pipeline"/> of <code>ingress</code>, a <ref column="table_id"/>
355 of 0, and a <ref column="match"/> that is true for the packet. If none
356 is found, OVN drops the packet. If OVN finds more than one, it chooses
357 the match with the highest <ref column="priority"/>. Then OVN executes
358 each of the actions specified in the row's <ref table="actions"/> column,
359 in the order specified. Some actions, such as those to modify packet
360 headers, require no further details. The <code>next</code> and
361 <code>output</code> actions are special.
362 </p>
363
364 <p>
365 The <code>next</code> action causes the above process to be repeated
366 recursively, except that OVN searches for <ref column="table_id"/> of 1
367 instead of 0. Similarly, any <code>next</code> action in a row found in
368 that table would cause a further search for a <ref column="table_id"/> of
369 2, and so on. When recursive processing completes, flow control returns
370 to the action following <code>next</code>.
371 </p>
372
373 <p>
374 The <code>output</code> action also introduces recursion. Its effect
375 depends on the current value of the <code>outport</code> field. Suppose
376 <code>outport</code> designates a logical port. First, OVN compares
377 <code>inport</code> to <code>outport</code>; if they are equal, it treats
378 the <code>output</code> as a no-op. In the common case, where they are
379 different, the packet enters the egress pipeline. This transition to the
78aab811 380 egress pipeline discards register data, e.g. <code>reg0</code> ...
cc5e28d8 381 <code>reg9</code> and connection tracking state, to achieve
78aab811
JP		 382 uniform behavior regardless of whether the egress pipeline is on a
383 different hypervisor (because registers aren't preserve across
384 tunnel encapsulation).
5868eb24
BP		 385 </p>
386
387 <p>
388 To execute the egress pipeline, OVN again searches the <ref
389 table="Logical_Flow"/> table for a row with correct <ref
390 column="logical_datapath"/>, a <ref column="table_id"/> of 0, a <ref
391 column="match"/> that is true for the packet, but now looking for a <ref
392 column="pipeline"/> of <code>egress</code>. If no matching row is found,
393 the output becomes a no-op. Otherwise, OVN executes the actions for the
394 matching flow (which is chosen from multiple, if necessary, as already
395 described).
396 </p>
397
398 <p>
399 In the <code>egress</code> pipeline, the <code>next</code> action acts as
400 already described, except that it, of course, searches for
401 <code>egress</code> flows. The <code>output</code> action, however, now
402 directly outputs the packet to the output port (which is now fixed,
403 because <code>outport</code> is read-only within the egress pipeline).
404 </p>
405
406 <p>
407 The description earlier assumed that <code>outport</code> referred to a
408 logical port. If it instead designates a logical multicast group, then
409 the description above still applies, with the addition of fan-out from
410 the logical multicast group to each logical port in the group. For each
411 member of the group, OVN executes the logical pipeline as described, with
412 the logical output port replaced by the group member.
413 </p>
414
8d6e5516
JP		 415 <p><em>Pipeline Stages</em></p>
416
417 <p>
418 <code>ovn-northd</code> is responsible for populating the
419 <ref table="Logical_Flow"/> table, so the stages are an
420 implementation detail and subject to change. This section
421 describes the current logical flow table.
422 </p>
423
424 <p>
425 The ingress pipeline consists of the following stages:
426 </p>
427 <ul>
428 <li>
429 Port Security (Table 0): Validates the source address, drops
430 packets with a VLAN tag, and, if configured, verifies that the
431 logical port is allowed to send with the source address.
432 </li>
433
434 <li>
435 L2 Destination Lookup (Table 1): Forwards known unicast
436 addresses to the appropriate logical port. Unicast packets to
437 unknown hosts are forwarded to logical ports configured with the
438 special <code>unknown</code> mac address. Broadcast, and
439 multicast are flooded to all ports in the logical switch.
440 </li>
441 </ul>
442
443 <p>
444 The egress pipeline consists of the following stages:
445 </p>
446 <ul>
447 <li>
448 ACL (Table 0): Applies any specified access control lists.
449 </li>
450
451 <li>
452 Port Security (Table 1): If configured, verifies that the
453 logical port is allowed to receive packets with the destination
454 address.
455 </li>
456 </ul>
457
747b2a45 458 <column name="logical_datapath">
5868eb24
BP		 459 The logical datapath to which the logical flow belongs.
460 </column>
461
462 <column name="pipeline">
463 <p>
464 The primary flows used for deciding on a packet's destination are the
465 <code>ingress</code> flows. The <code>egress</code> flows implement
466 ACLs. See <em>Logical Life Cycle of a Packet</em>, above, for details.
467 </p>
747b2a45
BP		 468 </column>
469
fe36184b
BP		 470 <column name="table_id">
471 The stage in the logical pipeline, analogous to an OpenFlow table number.
472 </column>
473
474 <column name="priority">
475 The flow's priority. Flows with numerically higher priority take
476 precedence over those with lower. If two logical datapath flows with the
477 same priority both match, then the one actually applied to the packet is
478 undefined.
479 </column>
480
481 <column name="match">
482 <p>
483 A matching expression. OVN provides a superset of OpenFlow matching
484 capabilities, using a syntax similar to Boolean expressions in a
485 programming language.
486 </p>
487
488 <p>
fa6aeaeb
RB		 489 The most important components of match expression are
490 <dfn>comparisons</dfn> between <dfn>symbols</dfn> and
491 <dfn>constants</dfn>, e.g. <code>ip4.dst == 192.168.0.1</code>,
492 <code>ip.proto == 6</code>, <code>arp.op == 1</code>, <code>eth.type ==
493 0x800</code>. The logical AND operator <code>&amp;&amp;</code> and
494 logical OR operator <code>||</code> can combine comparisons into a
495 larger expression.
fe36184b
BP		 496 </p>
497
fe36184b 498 <p>
e0840f11
BP		 499 Matching expressions also support parentheses for grouping, the logical
500 NOT prefix operator <code>!</code>, and literals <code>0</code> and
501 <code>1</code> to express ``false'' or ``true,'' respectively. The
502 latter is useful by itself as a catch-all expression that matches every
503 packet.
fe36184b
BP		 504 </p>
505
e0840f11 506 <p><em>Symbols</em></p>
fe36184b
BP		 507
508 <p>
fa6aeaeb
RB		 509 <em>Type</em>. Symbols have <dfn>integer</dfn> or <dfn>string</dfn>
510 type. Integer symbols have a <dfn>width</dfn> in bits.
fe36184b
BP		 511 </p>
512
513 <p>
fa6aeaeb 514 <em>Kinds</em>. There are three kinds of symbols:
fe36184b
BP		 515 </p>
516
e0840f11 517 <ul>
fa6aeaeb
RB		 518 <li>
519 <p>
520 <dfn>Fields</dfn>. A field symbol represents a packet header or
521 metadata field. For example, a field
522 named <code>vlan.tci</code> might represent the VLAN TCI field in a
523 packet.
524 </p>
525
526 <p>
527 A field symbol can have integer or string type. Integer fields can
528 be nominal or ordinal (see <em>Level of Measurement</em>,
529 below).
530 </p>
531 </li>
532
533 <li>
534 <p>
535 <dfn>Subfields</dfn>. A subfield represents a subset of bits from
536 a larger field. For example, a field <code>vlan.vid</code> might
537 be defined as an alias for <code>vlan.tci[0..11]</code>. Subfields
538 are provided for syntactic convenience, because it is always
539 possible to instead refer to a subset of bits from a field
540 directly.
541 </p>
542
543 <p>
544 Only ordinal fields (see <em>Level of Measurement</em>,
545 below) may have subfields. Subfields are always ordinal.
546 </p>
547 </li>
548
549 <li>
550 <p>
551 <dfn>Predicates</dfn>. A predicate is shorthand for a Boolean
552 expression. Predicates may be used much like 1-bit fields. For
553 example, <code>ip4</code> might expand to <code>eth.type ==
554 0x800</code>. Predicates are provided for syntactic convenience,
555 because it is always possible to instead specify the underlying
556 expression directly.
557 </p>
558
559 <p>
560 A predicate whose expansion refers to any nominal field or
561 predicate (see <em>Level of Measurement</em>, below) is nominal;
562 other predicates have Boolean level of measurement.
563 </p>
564 </li>
e0840f11
BP		 565 </ul>
566
fe36184b 567 <p>
fa6aeaeb
RB		 568 <em>Level of Measurement</em>. See
569 http://en.wikipedia.org/wiki/Level_of_measurement for the statistical
570 concept on which this classification is based. There are three
571 levels:
fe36184b
BP		 572 </p>
573
574 <ul>
fa6aeaeb
RB		 575 <li>
576 <p>
577 <dfn>Ordinal</dfn>. In statistics, ordinal values can be ordered
578 on a scale. OVN considers a field (or subfield) to be ordinal if
579 its bits can be examined individually. This is true for the
580 OpenFlow fields that OpenFlow or Open vSwitch makes ``maskable.''
581 </p>
582
583 <p>
584 Any use of a nominal field may specify a single bit or a range of
585 bits, e.g. <code>vlan.tci[13..15]</code> refers to the PCP field
586 within the VLAN TCI, and <code>eth.dst[40]</code> refers to the
587 multicast bit in the Ethernet destination address.
588 </p>
589
590 <p>
591 OVN supports all the usual arithmetic relations (<code>==</code>,
592 <code>!=</code>, <code>&lt;</code>, <code>&lt;=</code>,
593 <code>&gt;</code>, and <code>&gt;=</code>) on ordinal fields and
594 their subfields, because OVN can implement these in OpenFlow and
595 Open vSwitch as collections of bitwise tests.
596 </p>
597 </li>
598
599 <li>
600 <p>
601 <dfn>Nominal</dfn>. In statistics, nominal values cannot be
602 usefully compared except for equality. This is true of OpenFlow
603 port numbers, Ethernet types, and IP protocols are examples: all of
604 these are just identifiers assigned arbitrarily with no deeper
605 meaning. In OpenFlow and Open vSwitch, bits in these fields
606 generally aren't individually addressable.
607 </p>
608
609 <p>
610 OVN only supports arithmetic tests for equality on nominal fields,
611 because OpenFlow and Open vSwitch provide no way for a flow to
612 efficiently implement other comparisons on them. (A test for
613 inequality can be sort of built out of two flows with different
614 priorities, but OVN matching expressions always generate flows with
615 a single priority.)
616 </p>
617
618 <p>
619 String fields are always nominal.
620 </p>
621 </li>
622
623 <li>
624 <p>
625 <dfn>Boolean</dfn>. A nominal field that has only two values, 0
626 and 1, is somewhat exceptional, since it is easy to support both
627 equality and inequality tests on such a field: either one can be
628 implemented as a test for 0 or 1.
629 </p>
630
631 <p>
632 Only predicates (see above) have a Boolean level of measurement.
633 </p>
634
635 <p>
636 This isn't a standard level of measurement.
637 </p>
638 </li>
fe36184b
BP		 639 </ul>
640
641 <p>
fa6aeaeb
RB		 642 <em>Prerequisites</em>. Any symbol can have prerequisites, which are
643 additional condition implied by the use of the symbol. For example,
644 For example, <code>icmp4.type</code> symbol might have prerequisite
645 <code>icmp4</code>, which would cause an expression <code>icmp4.type ==
646 0</code> to be interpreted as <code>icmp4.type == 0 &amp;&amp;
647 icmp4</code>, which would in turn expand to <code>icmp4.type == 0
648 &amp;&amp; eth.type == 0x800 &amp;&amp; ip4.proto == 1</code> (assuming
649 <code>icmp4</code> is a predicate defined as suggested under
650 <em>Types</em> above).
fe36184b
BP		 651 </p>
652
e0840f11
BP		 653 <p><em>Relational operators</em></p>
654
fe36184b 655 <p>
fa6aeaeb
RB		 656 All of the standard relational operators <code>==</code>,
657 <code>!=</code>, <code>&lt;</code>, <code>&lt;=</code>,
658 <code>&gt;</code>, and <code>&gt;=</code> are supported. Nominal
659 fields support only <code>==</code> and <code>!=</code>, and only in a
660 positive sense when outer <code>!</code> are taken into account,
661 e.g. given string field <code>inport</code>, <code>inport ==
662 "eth0"</code> and <code>!(inport != "eth0")</code> are acceptable, but
663 not <code>inport != "eth0"</code>.
fe36184b
BP		 664 </p>
665
666 <p>
fa6aeaeb
RB		 667 The implementation of <code>==</code> (or <code>!=</code> when it is
668 negated), is more efficient than that of the other relational
669 operators.
fe36184b
BP		 670 </p>
671
e0840f11
BP		 672 <p><em>Constants</em></p>
673
fe36184b 674 <p>
e0840f11
BP		 675 Integer constants may be expressed in decimal, hexadecimal prefixed by
676 <code>0x</code>, or as dotted-quad IPv4 addresses, IPv6 addresses in
677 their standard forms, or Ethernet addresses as colon-separated hex
678 digits. A constant in any of these forms may be followed by a slash
679 and a second constant (the mask) in the same form, to form a masked
680 constant. IPv4 and IPv6 masks may be given as integers, to express
681 CIDR prefixes.
682 </p>
683
684 <p>
685 String constants have the same syntax as quoted strings in JSON (thus,
5868eb24 686 they are Unicode strings).
fe36184b
BP		 687 </p>
688
689 <p>
e0840f11
BP		 690 Some operators support sets of constants written inside curly braces
691 <code>{</code> ... <code>}</code>. Commas between elements of a set,
692 and after the last elements, are optional. With <code>==</code>,
693 ``<code><var>field</var> == { <var>constant1</var>,
694 <var>constant2</var>,</code> ... <code>}</code>'' is syntactic sugar
695 for ``<code><var>field</var> == <var>constant1</var> ||
696 <var>field</var> == <var>constant2</var> || </code>...<code></code>.
697 Similarly, ``<code><var>field</var> != { <var>constant1</var>,
698 <var>constant2</var>, </code>...<code> }</code>'' is equivalent to
699 ``<code><var>field</var> != <var>constant1</var> &amp;&amp;
fe36184b 700 <var>field</var> != <var>constant2</var> &amp;&amp;
e0840f11 701 </code>...<code></code>''.
fe36184b
BP		 702 </p>
703
ea382567
RB		 704 <p>
705 You may refer to a set of IPv4, IPv6, or MAC addresses stored in the
706 <ref table="Address_Set"/> table by its <ref column="name"
707 table="Address_Set"/>. An <ref table="Address_Set"/> with a name
708 of <code>set1</code> can be referred to as
709 <code>$set1</code>.
710 </p>
711
e0840f11
BP		 712 <p><em>Miscellaneous</em></p>
713
fe36184b 714 <p>
fa6aeaeb
RB		 715 Comparisons may name the symbol or the constant first,
716 e.g. <code>tcp.src == 80</code> and <code>80 == tcp.src</code> are both
717 acceptable.
fe36184b
BP		 718 </p>
719
720 <p>
fa6aeaeb
RB		 721 Tests for a range may be expressed using a syntax like <code>1024 &lt;=
722 tcp.src &lt;= 49151</code>, which is equivalent to <code>1024 &lt;=
723 tcp.src &amp;&amp; tcp.src &lt;= 49151</code>.
fe36184b
BP		 724 </p>
725
726 <p>
fa6aeaeb
RB		 727 For a one-bit field or predicate, a mention of its name is equivalent
728 to <code><var>symobl</var> == 1</code>, e.g. <code>vlan.present</code>
729 is equivalent to <code>vlan.present == 1</code>. The same is true for
730 one-bit subfields, e.g. <code>vlan.tci[12]</code>. There is no
731 technical limitation to implementing the same for ordinal fields of all
732 widths, but the implementation is expensive enough that the syntax
733 parser requires writing an explicit comparison against zero to make
734 mistakes less likely, e.g. in <code>tcp.src != 0</code> the comparison
735 against 0 is required.
fe36184b
BP		 736 </p>
737
738 <p>
fa6aeaeb
RB		 739 <em>Operator precedence</em> is as shown below, from highest to lowest.
740 There are two exceptions where parentheses are required even though the
741 table would suggest that they are not: <code>&amp;&amp;</code> and
742 <code>||</code> require parentheses when used together, and
743 <code>!</code> requires parentheses when applied to a relational
744 expression. Thus, in <code>(eth.type == 0x800 || eth.type == 0x86dd)
745 &amp;&amp; ip.proto == 6</code> or <code>!(arp.op == 1)</code>, the
746 parentheses are mandatory.
fe36184b
BP		 747 </p>
748
e0840f11
BP		 749 <ul>
750 <li><code>()</code></li>
751 <li><code>== != &lt; &lt;= &gt; &gt;=</code></li>
752 <li><code>!</code></li>
753 <li><code>&amp;&amp; ||</code></li>
754 </ul>
755
10b1662b
BP		 756 <p>
757 <em>Comments</em> may be introduced by <code>//</code>, which extends
758 to the next new-line. Comments within a line may be bracketed by
759 <code>/*</code> and <code>*/</code>. Multiline comments are not
760 supported.
761 </p>
762
e0840f11
BP		 763 <p><em>Symbols</em></p>
764
5868eb24
BP		 765 <p>
766 Most of the symbols below have integer type. Only <code>inport</code>
767 and <code>outport</code> have string type. <code>inport</code> names a
768 logical port. Thus, its value is a <ref column="logical_port"/> name
62fdd819
AW		 769 from the <ref table="Port_Binding"/> table. <code>outport</code> may
770 name a logical port, as <code>inport</code>, or a logical multicast
771 group defined in the <ref table="Multicast_Group"/> table. For both
772 symbols, only names within the flow's logical datapath may be used.
5868eb24
BP		 773 </p>
774
394e883d
JP		 775 <p>
776 The <code>reg</code><var>X</var> symbols are 32-bit integers.
777 The <code>xxreg</code><var>X</var> symbols are 128-bit integers,
778 which overlay four of the 32-bit registers: <code>xxreg0</code>
779 overlays <code>reg0</code> through <code>reg3</code>, with
780 <code>reg0</code> supplying the most-significant bits of
781 <code>xxreg0</code> and <code>reg3</code> the least-signficant.
782 <code>xxreg1</code> similarly overlays <code>reg4</code> through
783 <code>reg7</code>.
784 </p>
785
e0840f11 786 <ul>
cc5e28d8 787 <li><code>reg0</code>...<code>reg9</code></li>
394e883d 788 <li><code>xxreg0</code> <code>xxreg1</code></li>
5868eb24 789 <li><code>inport</code> <code>outport</code></li>
e0840f11
BP		 790 <li><code>eth.src</code> <code>eth.dst</code> <code>eth.type</code></li>
791 <li><code>vlan.tci</code> <code>vlan.vid</code> <code>vlan.pcp</code> <code>vlan.present</code></li>
792 <li><code>ip.proto</code> <code>ip.dscp</code> <code>ip.ecn</code> <code>ip.ttl</code> <code>ip.frag</code></li>
793 <li><code>ip4.src</code> <code>ip4.dst</code></li>
794 <li><code>ip6.src</code> <code>ip6.dst</code> <code>ip6.label</code></li>
795 <li><code>arp.op</code> <code>arp.spa</code> <code>arp.tpa</code> <code>arp.sha</code> <code>arp.tha</code></li>
796 <li><code>tcp.src</code> <code>tcp.dst</code> <code>tcp.flags</code></li>
797 <li><code>udp.src</code> <code>udp.dst</code></li>
798 <li><code>sctp.src</code> <code>sctp.dst</code></li>
799 <li><code>icmp4.type</code> <code>icmp4.code</code></li>
800 <li><code>icmp6.type</code> <code>icmp6.code</code></li>
801 <li><code>nd.target</code> <code>nd.sll</code> <code>nd.tll</code></li>
e3d81ade 802 <li><code>ct_mark</code> <code>ct_label</code></li>
78aab811
JP		 803 <li>
804 <p>
805 <code>ct_state</code>, which has the following Boolean subfields:
806 </p>
807 <ul>
808 <li><code>ct.new</code>: True for a new flow</li>
809 <li><code>ct.est</code>: True for an established flow</li>
810 <li><code>ct.rel</code>: True for a related flow</li>
811 <li><code>ct.rpl</code>: True for a reply flow</li>
812 <li><code>ct.inv</code>: True for a connection entry in a bad state</li>
813 </ul>
814 <p>
815 <code>ct_state</code> and its subfields are initialized by the
816 <code>ct_next</code> action, described below.
817 </p>
818 </li>
e0840f11
BP		 819 </ul>
820
25030d47
RB		 821 <p>
822 The following predicates are supported:
823 </p>
824
825 <ul>
a2011117
BP		 826 <li><code>eth.bcast</code> expands to <code>eth.dst == ff:ff:ff:ff:ff:ff</code></li>
827 <li><code>eth.mcast</code> expands to <code>eth.dst[40]</code></li>
25030d47
RB		 828 <li><code>vlan.present</code> expands to <code>vlan.tci[12]</code></li>
829 <li><code>ip4</code> expands to <code>eth.type == 0x800</code></li>
a2011117 830 <li><code>ip4.mcast</code> expands to <code>ip4.dst[28..31] == 0xe</code></li>
25030d47
RB		 831 <li><code>ip6</code> expands to <code>eth.type == 0x86dd</code></li>
832 <li><code>ip</code> expands to <code>ip4 || ip6</code></li>
833 <li><code>icmp4</code> expands to <code>ip4 &amp;&amp; ip.proto == 1</code></li>
834 <li><code>icmp6</code> expands to <code>ip6 &amp;&amp; ip.proto == 58</code></li>
835 <li><code>icmp</code> expands to <code>icmp4 || icmp6</code></li>
836 <li><code>ip.is_frag</code> expands to <code>ip.frag[0]</code></li>
837 <li><code>ip.later_frag</code> expands to <code>ip.frag[1]</code></li>
838 <li><code>ip.first_frag</code> expands to <code>ip.is_frag &amp;&amp; !ip.later_frag</code></li>
839 <li><code>arp</code> expands to <code>eth.type == 0x806</code></li>
840 <li><code>nd</code> expands to <code>icmp6.type == {135, 136} &amp;&amp; icmp6.code == 0</code></li>
841 <li><code>tcp</code> expands to <code>ip.proto == 6</code></li>
842 <li><code>udp</code> expands to <code>ip.proto == 17</code></li>
843 <li><code>sctp</code> expands to <code>ip.proto == 132</code></li>
844 </ul>
fe36184b
BP		 845 </column>
846
847 <column name="actions">
848 <p>
2cd87fce
RB		 849 Logical datapath actions, to be executed when the logical flow
850 represented by this row is the highest-priority match.
fe36184b
BP		 851 </p>
852
35060cdc 853 <p>
2cd87fce
RB		 854 Actions share lexical syntax with the <ref column="match"/> column. An
855 empty set of actions (or one that contains just white space or
856 comments), or a set of actions that consists of just
857 <code>drop;</code>, causes the matched packets to be dropped.
858 Otherwise, the column should contain a sequence of actions, each
859 terminated by a semicolon.
35060cdc 860 </p>
fe36184b 861
35060cdc 862 <p>
eee7a8ed 863 The following actions are defined:
35060cdc 864 </p>
fe36184b 865
35060cdc
BP		 866 <dl>
867 <dt><code>output;</code></dt>
868 <dd>
5868eb24 869 <p>
eee7a8ed
JP		 870 In the ingress pipeline, this action executes the
871 <code>egress</code> pipeline as a subroutine. If
872 <code>outport</code> names a logical port, the egress pipeline
873 executes once; if it is a multicast group, the egress pipeline runs
874 once for each logical port in the group.
5868eb24
BP		 875 </p>
876
877 <p>
878 In the egress pipeline, this action performs the actual
879 output to the <code>outport</code> logical port. (In the egress
880 pipeline, <code>outport</code> never names a multicast group.)
881 </p>
882
883 <p>
884 Output to the input port is implicitly dropped, that is,
885 <code>output</code> becomes a no-op if <code>outport</code> ==
b4970837
BP		 886 <code>inport</code>. Occasionally it may be useful to override
887 this behavior, e.g. to send an ARP reply to an ARP request; to do
888 so, use <code>inport = "";</code> to set the logical input port to
889 an empty string (which should not be used as the name of any
890 logical port).
5868eb24 891 </p>
eee7a8ed 892 </dd>
fe36184b 893
35060cdc 894 <dt><code>next;</code></dt>
558ec83d 895 <dt><code>next(<var>table</var>);</code></dt>
35060cdc 896 <dd>
558ec83d
BP		 897 Executes another logical datapath table as a subroutine. By default,
898 the table after the current one is executed. Specify
899 <var>table</var> to jump to a specific table in the same pipeline.
2cd87fce 900 </dd>
fe36184b 901
35060cdc
BP		 902 <dt><code><var>field</var> = <var>constant</var>;</code></dt>
903 <dd>
5868eb24 904 <p>
5ee054fb
BP		 905 Sets data or metadata field <var>field</var> to constant value
906 <var>constant</var>, e.g. <code>outport = "vif0";</code> to set the
907 logical output port. To set only a subset of bits in a field,
908 specify a subfield for <var>field</var> or a masked
909 <var>constant</var>, e.g. one may use <code>vlan.pcp[2] = 1;</code>
910 or <code>vlan.pcp = 4/4;</code> to set the most sigificant bit of
911 the VLAN PCP.
5868eb24
BP		 912 </p>
913
914 <p>
915 Assigning to a field with prerequisites implicitly adds those
916 prerequisites to <ref column="match"/>; thus, for example, a flow
917 that sets <code>tcp.dst</code> applies only to TCP flows,
918 regardless of whether its <ref column="match"/> mentions any TCP
919 field.
920 </p>
921
922 <p>
923 Not all fields are modifiable (e.g. <code>eth.type</code> and
924 <code>ip.proto</code> are read-only), and not all modifiable fields
925 may be partially modified (e.g. <code>ip.ttl</code> must assigned
926 as a whole). The <code>outport</code> field is modifiable in the
927 <code>ingress</code> pipeline but not in the <code>egress</code>
928 pipeline.
929 </p>
eee7a8ed 930 </dd>
5ee054fb
BP		 931
932 <dt><code><var>field1</var> = <var>field2</var>;</code></dt>
933 <dd>
934 <p>
935 Sets data or metadata field <var>field1</var> to the value of data
936 or metadata field <var>field2</var>, e.g. <code>reg0 =
937 ip4.src;</code> copies <code>ip4.src</code> into <code>reg0</code>.
938 To modify only a subset of a field's bits, specify a subfield for
939 <var>field1</var> or <var>field2</var> or both, e.g. <code>vlan.pcp
940 = reg0[0..2];</code> copies the least-significant bits of
941 <code>reg0</code> into the VLAN PCP.
942 </p>
943
944 <p>
945 <var>field1</var> and <var>field2</var> must be the same type,
946 either both string or both integer fields. If they are both
947 integer fields, they must have the same width.
948 </p>
949
950 <p>
951 If <var>field1</var> or <var>field2</var> has prerequisites, they
952 are added implicitly to <ref column="match"/>. It is possible to
953 write an assignment with contradictory prerequisites, such as
954 <code>ip4.src = ip6.src[0..31];</code>, but the contradiction means
955 that a logical flow with such an assignment will never be matched.
956 </p>
957 </dd>
a20c96c6
BP		 958
959 <dt><code><var>field1</var> &lt;-&gt; <var>field2</var>;</code></dt>
960 <dd>
961 <p>
962 Similar to <code><var>field1</var> = <var>field2</var>;</code>
963 except that the two values are exchanged instead of copied. Both
964 <var>field1</var> and <var>field2</var> must modifiable.
965 </p>
966 </dd>
78aab811 967
00ea19e4
BP		 968 <dt><code>ip.ttl--;</code></dt>
969 <dd>
970 <p>
971 Decrements the IPv4 or IPv6 TTL. If this would make the TTL zero
972 or negative, then processing of the packet halts; no further
973 actions are processed. (To properly handle such cases, a
4c20b9f2
JP		 974 higher-priority flow should match on
975 <code>ip.ttl == {0, 1};</code>.)
00ea19e4
BP		 976 </p>
977
978 <p><b>Prerequisite:</b> <code>ip</code></p>
979 </dd>
980
78aab811
JP		 981 <dt><code>ct_next;</code></dt>
982 <dd>
983 <p>
984 Apply connection tracking to the flow, initializing
985 <code>ct_state</code> for matching in later tables.
986 Automatically moves on to the next table, as if followed by
987 <code>next</code>.
988 </p>
989
990 <p>
991 As a side effect, IP fragments will be reassembled for matching.
992 If a fragmented packet is output, then it will be sent with any
993 overlapping fragments squashed. The connection tracking state is
994 scoped by the logical port, so overlapping addresses may be used.
995 To allow traffic related to the matched flow, execute
996 <code>ct_commit</code>.
997 </p>
998
999 <p>
1000 It is possible to have actions follow <code>ct_next</code>,
1001 but they will not have access to any of its side-effects and
1002 is not generally useful.
1003 </p>
1004 </dd>
1005
1006 <dt><code>ct_commit;</code></dt>
a9e1b66f
RB		 1007 <dt><code>ct_commit(ct_mark=<var>value[/mask]</var>);</code></dt>
1008 <dt><code>ct_commit(ct_label=<var>value[/mask]</var>);</code></dt>
1009 <dt><code>ct_commit(ct_mark=<var>value[/mask]</var>, ct_label=<var>value[/mask]</var>);</code></dt>
78aab811 1010 <dd>
c4623bb8 1011 <p>
a9e1b66f
RB		 1012 Commit the flow to the connection tracking entry associated with it
1013 by a previous call to <code>ct_next</code>. When
1014 <code>ct_mark=<var>value[/mask]</var></code> and/or
1015 <code>ct_label=<var>value[/mask]</var></code> are supplied,
1016 <code>ct_mark</code> and/or <code>ct_label</code> will be set to the
1017 values indicated by <var>value[/mask]</var> on the connection
1018 tracking entry. <code>ct_mark</code> is a 32-bit field.
354b8f27
NS		 1019 <code>ct_label</code> is a 128-bit field. The <var>value[/mask]</var>
1020 should be specified in hex string if more than 64bits are to be used.
c4623bb8 1021 </p>
a9e1b66f 1022
c4623bb8
RB		 1023 <p>
1024 Note that if you want processing to continue in the next table,
1025 you must execute the <code>next</code> action after
a9e1b66f
RB		 1026 <code>ct_commit</code>. You may also leave out <code>next</code>
1027 which will commit connection tracking state, and then drop the
1028 packet. This could be useful for setting <code>ct_mark</code>
1029 on a connection tracking entry before dropping a packet,
1030 for example.
c4623bb8 1031 </p>
78aab811 1032 </dd>
fe36184b 1033
de297547
GS		 1034 <dt><code>ct_dnat;</code></dt>
1035 <dt><code>ct_dnat(<var>IP</var>);</code></dt>
1036 <dd>
1037 <p>
1038 <code>ct_dnat</code> sends the packet through the DNAT zone in
1039 connection tracking table to unDNAT any packet that was DNATed in
1040 the opposite direction. The packet is then automatically sent to
1041 to the next tables as if followed by <code>next;</code> action.
1042 The next tables will see the changes in the packet caused by
1043 the connection tracker.
1044 </p>
1045 <p>
1046 <code>ct_dnat(<var>IP</var>)</code> sends the packet through the
1047 DNAT zone to change the destination IP address of the packet to
467085fd 1048 the one provided inside the parentheses and commits the connection.
de297547
GS		 1049 The packet is then automatically sent to the next tables as if
1050 followed by <code>next;</code> action. The next tables will see
1051 the changes in the packet caused by the connection tracker.
1052 </p>
1053 </dd>
1054
1055 <dt><code>ct_snat;</code></dt>
1056 <dt><code>ct_snat(<var>IP</var>);</code></dt>
1057 <dd>
1058 <p>
1059 <code>ct_snat</code> sends the packet through the SNAT zone to
1060 unSNAT any packet that was SNATed in the opposite direction. If
1061 the packet needs to be sent to the next tables, then it should be
1062 followed by a <code>next;</code> action. The next tables will not
1063 see the changes in the packet caused by the connection tracker.
1064 </p>
1065 <p>
1066 <code>ct_snat(<var>IP</var>)</code> sends the packet through the
1067 SNAT zone to change the source IP address of the packet to
1068 the one provided inside the parenthesis and commits the connection.
1069 The packet is then automatically sent to the next tables as if
1070 followed by <code>next;</code> action. The next tables will see the
1071 changes in the packet caused by the connection tracker.
1072 </p>
1073 </dd>
1074
69a832cf
BP		 1075 <dt><code>arp { <var>action</var>; </code>...<code> };</code></dt>
1076 <dd>
1077 <p>
1078 Temporarily replaces the IPv4 packet being processed by an ARP
1079 packet and executes each nested <var>action</var> on the ARP
1080 packet. Actions following the <var>arp</var> action, if any, apply
1081 to the original, unmodified packet.
1082 </p>
1083
1084 <p>
1085 The ARP packet that this action operates on is initialized based on
1086 the IPv4 packet being processed, as follows. These are default
1087 values that the nested actions will probably want to change:
1088 </p>
1089
1090 <ul>
1091 <li><code>eth.src</code> unchanged</li>
1092 <li><code>eth.dst</code> unchanged</li>
1093 <li><code>eth.type = 0x0806</code></li>
1094 <li><code>arp.op = 1</code> (ARP request)</li>
1095 <li><code>arp.sha</code> copied from <code>eth.src</code></li>
1096 <li><code>arp.spa</code> copied from <code>ip4.src</code></li>
1097 <li><code>arp.tha = 00:00:00:00:00:00</code></li>
1098 <li><code>arp.tpa</code> copied from <code>ip4.dst</code></li>
1099 </ul>
1100
6335d074
BP		 1101 <p>
1102 The ARP packet has the same VLAN header, if any, as the IP packet
1103 it replaces.
1104 </p>
1105
69a832cf
BP		 1106 <p><b>Prerequisite:</b> <code>ip4</code></p>
1107 </dd>
1108
e75451fe
ZKL		 1109 <dt>
1110 <code>na { <var>action</var>; </code>...<code> };</code>
1111 </dt>
1112
1113 <dd>
1114 <p>
1115 Temporarily replaces the IPv6 packet being processed by an IPv6
1116 neighbor advertisement (NA) packet and executes each nested
1117 <var>action</var> on the NA packet. Actions following the
1118 <var>na</var> action, if any, apply to the original, unmodified
1119 packet.
1120 </p>
1121
1122 <p>
1123 The NA packet that this action operates on is initialized based on
1124 the IPv6 packet being processed, as follows. These are default
1125 values that the nested actions will probably want to change:
1126 </p>
1127
1128 <ul>
1129 <li><code>eth.dst</code> exchanged with <code>eth.src</code></li>
1130 <li><code>eth.type = 0x86dd</code></li>
1131 <li><code>ip6.dst</code> copied from <code>ip6.src</code></li>
1132 <li><code>ip6.src</code> copied from <code>nd.target</code></li>
1133 <li><code>icmp6.type = 136</code> (Neighbor Advertisement)</li>
1134 <li><code>nd.target</code> unchanged</li>
1135 <li><code>nd.sll = 00:00:00:00:00:00</code></li>
1136 <li><code>nd.tll</code> copied from <code>eth.dst</code></li>
1137 </ul>
1138
1139 <p>
1140 The ND packet has the same VLAN header, if any, as the IPv6 packet
1141 it replaces.
1142 </p>
1143
1144 <p>
1145 <b>Prerequisite:</b> <code>nd</code>
1146 </p>
1147 </dd>
1148
0bac7164
BP		 1149 <dt><code>get_arp(<var>P</var>, <var>A</var>);</code></dt>
1150
1151 <dd>
1152 <p>
1153 <b>Parameters</b>: logical port string field <var>P</var>, 32-bit
1154 IP address field <var>A</var>.
1155 </p>
1156
1157 <p>
1158 Looks up <var>A</var> in <var>P</var>'s ARP table. If an entry is
1159 found, stores its Ethernet address in <code>eth.dst</code>,
1160 otherwise stores <code>00:00:00:00:00:00</code> in
1161 <code>eth.dst</code>.
1162 </p>
1163
1164 <p><b>Example:</b> <code>get_arp(outport, ip4.dst);</code></p>
1165 </dd>
1166
1167 <dt>
1168 <code>put_arp(<var>P</var>, <var>A</var>, <var>E</var>);</code>
1169 </dt>
1170
1171 <dd>
1172 <p>
1173 <b>Parameters</b>: logical port string field <var>P</var>, 32-bit
1174 IP address field <var>A</var>, 48-bit Ethernet address field
1175 <var>E</var>.
1176 </p>
1177
1178 <p>
1179 Adds or updates the entry for IP address <var>A</var> in logical
1180 port <var>P</var>'s ARP table, setting its Ethernet address to
1181 <var>E</var>.
1182 </p>
1183
1184 <p><b>Example:</b> <code>put_arp(inport, arp.spa, arp.sha);</code></p>
1185 </dd>
42814145
NS		 1186
1187 <dt>
1188 <code><var>R</var> = put_dhcp_opts(<code>offerip</code> = <var>IP</var>, <var>D1</var> = <var>V1</var>, <var>D2</var> = <var>V2</var>, ..., <var>Dn</var> = <var>Vn</var>);</code>
1189 </dt>
1190
1191 <dd>
1192 <p>
1193 <b>Parameters</b>: one or more DHCP option/value pairs, the first
1194 of which must set a value for the offered IP, <code>offerip</code>.
1195 </p>
1196
1197 <p>
1198 <b>Result</b>: stored to a 1-bit subfield <var>R</var>.
1199 </p>
1200
1201 <p>
1202 Valid only in the ingress pipeline.
1203 </p>
1204
1205 <p>
1206 When this action is applied to a DHCP request packet (DHCPDISCOVER
1207 or DHCPREQUEST), it changes the packet into a DHCP reply (DHCPOFFER
1208 or DHCPACK, respectively), replaces the options by those specified
1209 as parameters, and stores 1 in <var>R</var>.
1210 </p>
1211
1212 <p>
1213 When this action is applied to a non-DHCP packet or a DHCP packet
1214 that is not DHCPDISCOVER or DHCPREQUEST, it leaves the packet
1215 unchanged and stores 0 in <var>R</var>.
1216 </p>
1217
1218 <p>
1219 The contents of the <ref table="DHCP_Option"/> table control the
1220 DHCP option names and values that this action supports.
1221 </p>
1222
1223 <p>
1224 <b>Example:</b>
1225 <code>
1226 reg0[0] = put_dhcp_opts(offerip = 10.0.0.2, router = 10.0.0.1,
1227 netmask = 255.255.255.0, dns_server = {8.8.8.8, 7.7.7.7});
1228 </code>
1229 </p>
1230 </dd>
467085fd
GS		 1231
1232 <dt><code>ct_lb;</code></dt>
1233 <dt><code>ct_lb(</code><var>ip</var>[<code>:</code><var>port</var>]...<code>);</code></dt>
1234 <dd>
1235 <p>
1236 With one or more arguments, <code>ct_lb</code> commits the packet
1237 to the connection tracking table and DNATs the packet's destination
1238 IP address (and port) to the IP address or addresses (and optional
1239 ports) specified in the string. If multiple comma-separated IP
1240 addresses are specified, each is given equal weight for picking the
1241 DNAT address. Processing automatically moves on to the next table,
1242 as if <code>next;</code> were specified, and later tables act on
1243 the packet as modified by the connection tracker. Connection
1244 tracking state is scoped by the logical port, so overlapping
1245 addresses may be used.
1246 </p>
1247 <p>
1248 Without arguments, <code>ct_lb</code> sends the packet to the
1249 connection tracking table to NAT the packets. If the packet is
1250 part of an established connection that was previously committed to
1251 the connection tracker via <code>ct_lb(</code>...<code>)</code>, it
1252 will automatically get DNATed to the same IP address as the first
1253 packet in that connection.
1254 </p>
1255 </dd>
6335d074
BP		 1256 </dl>
1257
1258 <p>
1259 The following actions will likely be useful later, but they have not
1260 been thought out carefully.
1261 </p>
1262
1263 <dl>
69a832cf
BP		 1264 <dt><code>icmp4 { <var>action</var>; </code>...<code> };</code></dt>
1265 <dd>
1266 <p>
1267 Temporarily replaces the IPv4 packet being processed by an ICMPv4
1268 packet and executes each nested <var>action</var> on the ICMPv4
1269 packet. Actions following the <var>icmp4</var> action, if any,
1270 apply to the original, unmodified packet.
1271 </p>
1272
1273 <p>
1274 The ICMPv4 packet that this action operates on is initialized based
1275 on the IPv4 packet being processed, as follows. These are default
1276 values that the nested actions will probably want to change.
1277 Ethernet and IPv4 fields not listed here are not changed:
1278 </p>
1279
1280 <ul>
1281 <li><code>ip.proto = 1</code> (ICMPv4)</li>
1282 <li><code>ip.frag = 0</code> (not a fragment)</li>
1283 <li><code>icmp4.type = 3</code> (destination unreachable)</li>
1284 <li><code>icmp4.code = 1</code> (host unreachable)</li>
1285 </ul>
1286
1287 <p>
1288 Details TBD.
1289 </p>
fe36184b 1290
69a832cf
BP		 1291 <p><b>Prerequisite:</b> <code>ip4</code></p>
1292 </dd>
1293
1294 <dt><code>tcp_reset;</code></dt>
1295 <dd>
1296 <p>
1297 This action transforms the current TCP packet according to the
1298 following pseudocode:
1299 </p>
1300
1301 <pre>
1302if (tcp.ack) {
1303 tcp.seq = tcp.ack;
1304} else {
1305 tcp.ack = tcp.seq + length(tcp.payload);
1306 tcp.seq = 0;
1307}
1308tcp.flags = RST;
1309</pre>
1310
1311 <p>
1312 Then, the action drops all TCP options and payload data, and
1313 updates the TCP checksum.
1314 </p>
1315
1316 <p>
1317 Details TBD.
1318 </p>
1319
1320 <p><b>Prerequisite:</b> <code>tcp</code></p>
1321 </dd>
fe36184b 1322 </dl>
fe36184b 1323 </column>
091e3af9
JP		 1324
1325 <column name="external_ids" key="stage-name">
1326 Human-readable name for this flow's stage in the pipeline.
1327 </column>
1328
1329 <group title="Common Columns">
1330 The overall purpose of these columns is described under <code>Common
1331 Columns</code> at the beginning of this document.
1332
1333 <column name="external_ids"/>
1334 </group>
fe36184b
BP		 1335 </table>
1336
5868eb24
BP		 1337 <table name="Multicast_Group" title="Logical Port Multicast Groups">
1338 <p>
1339 The rows in this table define multicast groups of logical ports.
1340 Multicast groups allow a single packet transmitted over a tunnel to a
1341 hypervisor to be delivered to multiple VMs on that hypervisor, which
1342 uses bandwidth more efficiently.
1343 </p>
1344
1345 <p>
1346 Each row in this table defines a logical multicast group numbered <ref
1347 column="tunnel_key"/> within <ref column="datapath"/>, whose logical
1348 ports are listed in the <ref column="ports"/> column.
1349 </p>
1350
1351 <column name="datapath">
1352 The logical datapath in which the multicast group resides.
1353 </column>
1354
1355 <column name="tunnel_key">
1356 The value used to designate this logical egress port in tunnel
1357 encapsulations. An index forces the key to be unique within the <ref
1358 column="datapath"/>. The unusual range ensures that multicast group IDs
1359 do not overlap with logical port IDs.
1360 </column>
1361
1362 <column name="name">
1363 <p>
1364 The logical multicast group's name. An index forces the name to be
1365 unique within the <ref column="datapath"/>. Logical flows in the
1366 ingress pipeline may output to the group just as for individual logical
1367 ports, by assigning the group's name to <code>outport</code> and
1368 executing an <code>output</code> action.
1369 </p>
1370
1371 <p>
1372 Multicast group names and logical port names share a single namespace
1373 and thus should not overlap (but the database schema cannot enforce
1374 this). To try to avoid conflicts, <code>ovn-northd</code> uses names
1375 that begin with <code>_MC_</code>.
1376 </p>
1377 </column>
1378
1379 <column name="ports">
1380 The logical ports included in the multicast group. All of these ports
1381 must be in the <ref column="datapath"/> logical datapath (but the
1382 database schema cannot enforce this).
1383 </column>
1384 </table>
1385
1386 <table name="Datapath_Binding" title="Physical-Logical Datapath Bindings">
1387 <p>
1388 Each row in this table identifies physical bindings of a logical
1389 datapath. A logical datapath implements a logical pipeline among the
1390 ports in the <ref table="Port_Binding"/> table associated with it. In
1391 practice, the pipeline in a given logical datapath implements either a
1392 logical switch or a logical router.
1393 </p>
1394
1395 <column name="tunnel_key">
1396 The tunnel key value to which the logical datapath is bound.
1397 The <code>Tunnel Encapsulation</code> section in
1398 <code>ovn-architecture</code>(7) describes how tunnel keys are
1399 constructed for each supported encapsulation.
1400 </column>
1401
9975d7be
BP		 1402 <group title="OVN_Northbound Relationship">
1403 <p>
1404 Each row in <ref table="Datapath_Binding"/> is associated with some
1405 logical datapath. <code>ovn-northd</code> uses these keys to track the
1406 association of a logical datapath with concepts in the <ref
1407 db="OVN_Northbound"/> database.
1408 </p>
1409
1410 <column name="external_ids" key="logical-switch" type='{"type": "uuid"}'>
1411 For a logical datapath that represents a logical switch,
1412 <code>ovn-northd</code> stores in this key the UUID of the
1413 corresponding <ref table="Logical_Switch" db="OVN_Northbound"/> row in
1414 the <ref db="OVN_Northbound"/> database.
1415 </column>
1416
1417 <column name="external_ids" key="logical-router" type='{"type": "uuid"}'>
1418 For a logical datapath that represents a logical router,
1419 <code>ovn-northd</code> stores in this key the UUID of the
1420 corresponding <ref table="Logical_Router" db="OVN_Northbound"/> row in
1421 the <ref db="OVN_Northbound"/> database.
1422 </column>
1423 </group>
5868eb24
BP		 1424
1425 <group title="Common Columns">
1426 The overall purpose of these columns is described under <code>Common
1427 Columns</code> at the beginning of this document.
1428
1429 <column name="external_ids"/>
1430 </group>
1431 </table>
1432
dcda6e0d 1433 <table name="Port_Binding" title="Physical-Logical Port Bindings">
fe36184b 1434 <p>
d387d24d
BP		 1435 Most rows in this table identify the physical location of a logical port.
1436 (The exceptions are logical patch ports, which do not have any physical
1437 location.)
fe36184b
BP		 1438 </p>
1439
1440 <p>
80f408f4
JP		 1441 For every <code>Logical_Switch_Port</code> record in
1442 <code>OVN_Northbound</code> database, <code>ovn-northd</code>
1443 creates a record in this table. <code>ovn-northd</code> populates
1444 and maintains every column except the <code>chassis</code> column,
1445 which it leaves empty in new records.
9fb4636f
GS		 1446 </p>
1447
1448 <p>
88058f19
AW		 1449 <code>ovn-controller</code>/<code>ovn-controller-vtep</code>
1450 populates the <code>chassis</code> column for the records that
1451 identify the logical ports that are located on its hypervisor/gateway,
1452 which <code>ovn-controller</code>/<code>ovn-controller-vtep</code> in
1453 turn finds out by monitoring the local hypervisor's Open_vSwitch
1454 database, which identifies logical ports via the conventions described
c1645003
GS		 1455 in <code>IntegrationGuide.md</code>. (The exceptions are for
1456 <code>Port_Binding</code> records with <code>type</code> of
17bac0ff
RB		 1457 <code>l3gateway</code>, whose locations are identified by
1458 <code>ovn-northd</code> via the <code>options:l3gateway-chassis</code>
c1645003
GS		 1459 column in this table. <code>ovn-controller</code> is still responsible
1460 to populate the <code>chassis</code> column.)
9fb4636f
GS		 1461 </p>
1462
1463 <p>
5868eb24 1464 When a chassis shuts down gracefully, it should clean up the
9fb4636f 1465 <code>chassis</code> column that it previously had populated.
fe36184b
BP		 1466 (This is not critical because resources hosted on the chassis are equally
1467 unreachable regardless of whether their rows are present.) To handle the
1468 case where a VM is shut down abruptly on one chassis, then brought up
88058f19
AW		 1469 again on a different one,
1470 <code>ovn-controller</code>/<code>ovn-controller-vtep</code> must
1471 overwrite the <code>chassis</code> column with new information.
fe36184b
BP		 1472 </p>
1473
c96ba502
BP		 1474 <group title="Core Features">
1475 <column name="datapath">
1476 The logical datapath to which the logical port belongs.
1477 </column>
1a76c93e 1478
c96ba502 1479 <column name="logical_port">
80f408f4
JP		 1480 A logical port, taken from <ref table="Logical_Switch_Port"
1481 column="name" db="OVN_Northbound"/> in the OVN_Northbound
1482 database's <ref table="Logical_Switch_Port" db="OVN_Northbound"/>
1483 table. OVN does not prescribe a particular format for the
1484 logical port ID.
c96ba502 1485 </column>
c0281929 1486
c96ba502 1487 <column name="chassis">
184bc3ca
RB		 1488 The meaning of this column depends on the value of the <ref column="type"/>
1489 column. This is the meaning for each <ref column="type"/>
1490
1491 <dl>
1492 <dt>(empty string)</dt>
1493 <dd>
1494 The physical location of the logical port. To successfully identify a
1495 chassis, this column must be a <ref table="Chassis"/> record. This is
1496 populated by <code>ovn-controller</code>.
1497 </dd>
1498
1499 <dt>vtep</dt>
1500 <dd>
1501 The physical location of the hardware_vtep gateway. To successfully
1502 identify a chassis, this column must be a <ref table="Chassis"/> record.
1503 This is populated by <code>ovn-controller-vtep</code>.
1504 </dd>
1505
1506 <dt>localnet</dt>
1507 <dd>
1508 Always empty. A localnet port is realized on every chassis that has
1509 connectivity to the corresponding physical network.
1510 </dd>
1511
17bac0ff 1512 <dt>l3gateway</dt>
184bc3ca
RB		 1513 <dd>
1514 The physical location of the L3 gateway. To successfully identify a
1515 chassis, this column must be a <ref table="Chassis"/> record. This is
1516 populated by <code>ovn-controller</code> based on the value of
17bac0ff 1517 the <code>options:l3gateway-chassis</code> column in this table.
184bc3ca
RB		 1518 </dd>
1519
1520 <dt>l2gateway</dt>
1521 <dd>
1522 The physical location of this L2 gateway. To successfully identify a
1523 chassis, this column must be a <ref table="Chassis"/> record.
62b87eab
NS		 1524 This is populated by <code>ovn-controller</code> based on the value
1525 of the <code>options:l2gateway-chassis</code> column in this table.
184bc3ca
RB		 1526 </dd>
1527 </dl>
1528
c96ba502 1529 </column>
c0281929 1530
c96ba502
BP		 1531 <column name="tunnel_key">
1532 <p>
1533 A number that represents the logical port in the key (e.g. STT key or
1534 Geneve TLV) field carried within tunnel protocol packets.
1535 </p>
c0281929 1536
c96ba502
BP		 1537 <p>
1538 The tunnel ID must be unique within the scope of a logical datapath.
1539 </p>
1540 </column>
88058f19 1541
c96ba502
BP		 1542 <column name="mac">
1543 <p>
1544 The Ethernet address or addresses used as a source address on the
1545 logical port, each in the form
1546 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>.
1547 The string <code>unknown</code> is also allowed to indicate that the
1548 logical port has an unknown set of (additional) source addresses.
1549 </p>
1550
1551 <p>
1552 A VM interface would ordinarily have a single Ethernet address. A
1553 gateway port might initially only have <code>unknown</code>, and then
1554 add MAC addresses to the set as it learns new source addresses.
1555 </p>
1556 </column>
88058f19 1557
c96ba502
BP		 1558 <column name="type">
1559 <p>
1560 A type for this logical port. Logical ports can be used to model other
1561 types of connectivity into an OVN logical switch. The following types
1562 are defined:
1563 </p>
1564
1565 <dl>
1566 <dt>(empty string)</dt>
1567 <dd>VM (or VIF) interface.</dd>
d387d24d
BP		 1568
1569 <dt><code>patch</code></dt>
1570 <dd>
1571 One of a pair of logical ports that act as if connected by a patch
1572 cable. Useful for connecting two logical datapaths, e.g. to connect
1573 a logical router to a logical switch or to another logical router.
1574 </dd>
1575
17bac0ff 1576 <dt><code>l3gateway</code></dt>
c1645003
GS		 1577 <dd>
1578 One of a pair of logical ports that act as if connected by a patch
1579 cable across multiple chassis. Useful for connecting a logical
1580 switch with a Gateway router (which is only resident on a
1581 particular chassis).
1582 </dd>
1583
c96ba502
BP		 1584 <dt><code>localnet</code></dt>
1585 <dd>
1586 A connection to a locally accessible network from each
1587 <code>ovn-controller</code> instance. A logical switch can only
6e6c3f91
HZ		 1588 have a single <code>localnet</code> port attached. This is used
1589 to model direct connectivity to an existing network.
c96ba502
BP		 1590 </dd>
1591
184bc3ca
RB		 1592 <dt><code>l2gateway</code></dt>
1593 <dd>
1594 An L2 connection to a physical network. The chassis this
1595 <ref table="Port_Binding"/> is bound to will serve as
1596 an L2 gateway to the network named by
1597 <ref column="options" table="Port_Binding"/>:<code>network_name</code>.
1598 </dd>
1599
c96ba502
BP		 1600 <dt><code>vtep</code></dt>
1601 <dd>
1602 A port to a logical switch on a VTEP gateway chassis. In order to
1603 get this port correctly recognized by the OVN controller, the <ref
1604 column="options"
1605 table="Port_Binding"/>:<code>vtep-physical-switch</code> and <ref
1606 column="options"
1607 table="Port_Binding"/>:<code>vtep-logical-switch</code> must also
1608 be defined.
1609 </dd>
1610 </dl>
1611 </column>
1612 </group>
1a76c93e 1613
d387d24d
BP		 1614 <group title="Patch Options">
1615 <p>
1616 These options apply to logical ports with <ref column="type"/> of
1617 <code>patch</code>.
1618 </p>
1619
1620 <column name="options" key="peer">
1621 The <ref column="logical_port"/> in the <ref table="Port_Binding"/>
1622 record for the other side of the patch. The named <ref
1623 column="logical_port"/> must specify this <ref column="logical_port"/>
1624 in its own <code>peer</code> option. That is, the two patch logical
1625 ports must have reversed <ref column="logical_port"/> and
1626 <code>peer</code> values.
1627 </column>
1628 </group>
1629
184bc3ca 1630 <group title="L3 Gateway Options">
c1645003
GS		 1631 <p>
1632 These options apply to logical ports with <ref column="type"/> of
17bac0ff 1633 <code>l3gateway</code>.
c1645003
GS		 1634 </p>
1635
1636 <column name="options" key="peer">
1637 The <ref column="logical_port"/> in the <ref table="Port_Binding"/>
17bac0ff 1638 record for the other side of the 'l3gateway' port. The named <ref
c1645003 1639 column="logical_port"/> must specify this <ref column="logical_port"/>
17bac0ff 1640 in its own <code>peer</code> option. That is, the two 'l3gateway'
c1645003
GS		 1641 logical ports must have reversed <ref column="logical_port"/> and
1642 <code>peer</code> values.
1643 </column>
1644
17bac0ff 1645 <column name="options" key="l3gateway-chassis">
c1645003
GS		 1646 The <code>chassis</code> in which the port resides.
1647 </column>
1648 </group>
1649
c96ba502 1650 <group title="Localnet Options">
eb00399e 1651 <p>
c96ba502
BP		 1652 These options apply to logical ports with <ref column="type"/> of
1653 <code>localnet</code>.
eb00399e
BP		 1654 </p>
1655
c96ba502
BP		 1656 <column name="options" key="network_name">
1657 Required. <code>ovn-controller</code> uses the configuration entry
1658 <code>ovn-bridge-mappings</code> to determine how to connect to this
1659 network. <code>ovn-bridge-mappings</code> is a list of network names
1660 mapped to a local OVS bridge that provides access to that network. An
1661 example of configuring <code>ovn-bridge-mappings</code> would be:
1662
1663 <pre>$ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1</pre>
1664
1665 <p>
1666 When a logical switch has a <code>localnet</code> port attached,
1667 every chassis that may have a local vif attached to that logical
1668 switch must have a bridge mapping configured to reach that
1669 <code>localnet</code>. Traffic that arrives on a
1670 <code>localnet</code> port is never forwarded over a tunnel to
1671 another chassis.
1672 </p>
1673 </column>
1674
1675 <column name="tag">
1676 If set, indicates that the port represents a connection to a specific
1677 VLAN on a locally accessible network. The VLAN ID is used to match
1678 incoming traffic and is also added to outgoing traffic.
1679 </column>
1680 </group>
1681
184bc3ca
RB		 1682 <group title="L2 Gateway Options">
1683 <p>
1684 These options apply to logical ports with <ref column="type"/> of
1685 <code>l2gateway</code>.
1686 </p>
1687
1688 <column name="options" key="network_name">
1689 Required. <code>ovn-controller</code> uses the configuration entry
1690 <code>ovn-bridge-mappings</code> to determine how to connect to this
1691 network. <code>ovn-bridge-mappings</code> is a list of network names
1692 mapped to a local OVS bridge that provides access to that network. An
1693 example of configuring <code>ovn-bridge-mappings</code> would be:
1694
1695 <pre>$ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1</pre>
1696
1697 <p>
1698 When a logical switch has a <code>l2gateway</code> port attached,
1699 the chassis that the <code>l2gateway</code> port is bound to
1700 must have a bridge mapping configured to reach the network
1701 identified by <code>network_name</code>.
1702 </p>
1703 </column>
1704
62b87eab
NS		 1705 <column name="options" key="l2gateway-chassis">
1706 Required. The <code>chassis</code> in which the port resides.
1707 </column>
1708
184bc3ca
RB		 1709 <column name="tag">
1710 If set, indicates that the gateway is connected to a specific
1711 VLAN on the physical network. The VLAN ID is used to match
1712 incoming traffic and is also added to outgoing traffic.
1713 </column>
1714 </group>
1715
c96ba502 1716 <group title="VTEP Options">
eb00399e 1717 <p>
c96ba502
BP		 1718 These options apply to logical ports with <ref column="type"/> of
1719 <code>vtep</code>.
eb00399e 1720 </p>
9fb4636f 1721
c96ba502
BP		 1722 <column name="options" key="vtep-physical-switch">
1723 Required. The name of the VTEP gateway.
1724 </column>
fe36184b 1725
c96ba502
BP		 1726 <column name="options" key="vtep-logical-switch">
1727 Required. A logical switch name connected by the VTEP gateway. Must
1728 be set when <ref column="type"/> is <code>vtep</code>.
1729 </column>
1730 </group>
fe36184b 1731
aef5f431
BP		 1732 <group title="VMI (or VIF) Options">
1733 <p>
1734 These options apply to logical ports with <ref column="type"/> having
1735 (empty string)
1736 </p>
1737
1738 <column name="options" key="policing_rate">
1739 If set, indicates the maximum rate for data sent from this interface,
1740 in kbps. Data exceeding this rate is dropped.
1741 </column>
1742
1743 <column name="options" key="policing_burst">
1744 If set, indicates the maximum burst size for data sent from this
1745 interface, in kb.
1746 </column>
1747 </group>
1748
c96ba502 1749 <group title="Nested Containers">
fe36184b 1750 <p>
c96ba502
BP		 1751 These columns support containers nested within a VM. Specifically,
1752 they are used when <ref column="type"/> is empty and <ref
1753 column="logical_port"/> identifies the interface of a container spawned
1754 inside a VM. They are empty for containers or VMs that run directly on
1755 a hypervisor.
fe36184b
BP		 1756 </p>
1757
c96ba502
BP		 1758 <column name="parent_port">
1759 This is taken from
80f408f4
JP		 1760 <ref table="Logical_Switch_Port" column="parent_name"
1761 db="OVN_Northbound"/> in the OVN_Northbound database's
1762 <ref table="Logical_Switch_Port" db="OVN_Northbound"/> table.
c96ba502
BP		 1763 </column>
1764
1765 <column name="tag">
1766 <p>
1767 Identifies the VLAN tag in the network traffic associated with that
1768 container's network interface.
1769 </p>
1770
1771 <p>
1772 This column is used for a different purpose when <ref column="type"/>
184bc3ca
RB		 1773 is <code>localnet</code> (see <code>Localnet Options</code>, above)
1774 or <code>l2gateway</code> (see <code>L2 Gateway Options</code>, above).
c96ba502
BP		 1775 </p>
1776 </column>
1777 </group>
fe36184b 1778 </table>
0bac7164
BP		 1779
1780 <table name="MAC_Binding" title="IP to MAC bindings">
1781 <p>
1782 Each row in this table specifies a binding from an IP address to an
1783 Ethernet address that has been discovered through ARP (for IPv4) or
1784 neighbor discovery (for IPv6). This table is primarily used to discover
1785 bindings on physical networks, because IP-to-MAC bindings for virtual
1786 machines are usually populated statically into the <ref
1787 table="Port_Binding"/> table.
1788 </p>
1789
1790 <p>
1791 This table expresses a functional relationship: <ref
1792 table="MAC_Binding"/>(<ref column="logical_port"/>, <ref column="ip"/>) =
1793 <ref column="mac"/>.
1794 </p>
1795
1796 <p>
1797 In outline, the lifetime of a logical router's MAC binding looks like
1798 this:
1799 </p>
1800
1801 <ol>
1802 <li>
1803 On hypervisor 1, a logical router determines that a packet should be
1804 forwarded to IP address <var>A</var> on one of its router ports. It
1805 uses its logical flow table to determine that <var>A</var> lacks a
1806 static IP-to-MAC binding and the <code>get_arp</code> action to
1807 determine that it lacks a dynamic IP-to-MAC binding.
1808 </li>
1809
1810 <li>
1811 Using an OVN logical <code>arp</code> action, the logical router
1812 generates and sends a broadcast ARP request to the router port. It
1813 drops the IP packet.
1814 </li>
1815
1816 <li>
1817 The logical switch attached to the router port delivers the ARP request
1818 to all of its ports. (It might make sense to deliver it only to ports
1819 that have no static IP-to-MAC bindings, but this could also be
1820 surprising behavior.)
1821 </li>
1822
1823 <li>
1824 A host or VM on hypervisor 2 (which might be the same as hypervisor 1)
1825 attached to the logical switch owns the IP address in question. It
1826 composes an ARP reply and unicasts it to the logical router port's
1827 Ethernet address.
1828 </li>
1829
1830 <li>
1831 The logical switch delivers the ARP reply to the logical router port.
1832 </li>
1833
1834 <li>
1835 The logical router flow table executes a <code>put_arp</code> action.
1836 To record the IP-to-MAC binding, <code>ovn-controller</code> adds a row
1837 to the <ref table="MAC_Binding"/> table.
1838 </li>
1839
1840 <li>
1841 On hypervisor 1, <code>ovn-controller</code> receives the updated <ref
1842 table="MAC_Binding"/> table from the OVN southbound database. The next
1843 packet destined to <var>A</var> through the logical router is sent
1844 directly to the bound Ethernet address.
1845 </li>
1846 </ol>
1847
1848 <column name="logical_port">
1849 The logical port on which the binding was discovered.
1850 </column>
1851
1852 <column name="ip">
1853 The bound IP address.
1854 </column>
1855
1856 <column name="mac">
1857 The Ethernet address to which the IP is bound.
1858 </column>
791a7747
LS		 1859 <column name="datapath">
1860 The logical datapath to which the logical port belongs.
1861 </column>
0bac7164 1862 </table>
42814145
NS		 1863
1864 <table name="DHCP_Options" title="DHCP Options supported by native OVN DHCP">
1865 <p>
1866 Each row in this table stores the DHCP Options supported by native OVN
1867 DHCP. <code>ovn-northd</code> populates this table with the supported
1868 DHCP options. <code>ovn-controller</code> looks up this table to get the
1869 DHCP codes of the DHCP options defined in the "put_dhcp_opts" action.
1870 Please refer to the RFC 2132 <code>"https://tools.ietf.org/html/rfc2132"</code>
1871 for the possible list of DHCP options that can be defined here.
1872 </p>
1873
1874 <column name="name">
1875 <p>
1876 Name of the DHCP option.
1877 </p>
1878
1879 <p>
1880 Example. name="router"
1881 </p>
1882 </column>
1883
1884 <column name="code">
1885 <p>
1886 DHCP option code for the DHCP option as defined in the RFC 2132.
1887 </p>
1888
1889 <p>
1890 Example. code=3
1891 </p>
1892 </column>
1893
1894 <column name="type">
1895 <p>
1896 Data type of the DHCP option code.
1897 </p>
1898
1899 <dl>
1900 <dt><code>value: bool</code></dt>
1901 <dd>
1902 <p>
1903 This indicates that the value of the DHCP option is a bool.
1904 </p>
1905
1906 <p>
1907 Example. "name=ip_forward_enable", "code=19", "type=bool".
1908 </p>
1909
1910 <p>
1911 put_dhcp_opts(..., ip_forward_enable = 1,...)
1912 </p>
1913 </dd>
1914
1915 <dt><code>value: uint8</code></dt>
1916 <dd>
1917 <p>
1918 This indicates that the value of the DHCP option is an unsigned
1919 int8 (8 bits)
1920 </p>
1921
1922 <p>
1923 Example. "name=default_ttl", "code=23", "type=uint8".
1924 </p>
1925
1926 <p>
1927 put_dhcp_opts(..., default_ttl = 50,...)
1928 </p>
1929 </dd>
1930
1931 <dt><code>value: uint16</code></dt>
1932 <dd>
1933 <p>
1934 This indicates that the value of the DHCP option is an unsigned
1935 int16 (16 bits).
1936 </p>
1937
1938 <p>
1939 Example. "name=mtu", "code=26", "type=uint16".
1940 </p>
1941
1942 <p>
1943 put_dhcp_opts(..., mtu = 1450,...)
1944 </p>
1945 </dd>
1946
1947 <dt><code>value: uint32</code></dt>
1948 <dd>
1949 <p>
1950 This indicates that the value of the DHCP option is an unsigned
1951 int32 (32 bits).
1952 </p>
1953
1954 <p>
1955 Example. "name=lease_time", "code=51", "type=uint32".
1956 </p>
1957
1958 <p>
1959 put_dhcp_opts(..., lease_time = 86400,...)
1960 </p>
1961 </dd>
1962
1963 <dt><code>value: ipv4</code></dt>
1964 <dd>
1965 <p>
1966 This indicates that the value of the DHCP option is an IPv4
1967 address or addresses.
1968 </p>
1969
1970 <p>
1971 Example. "name=router", "code=3", "type=ipv4".
1972 </p>
1973
1974 <p>
1975 put_dhcp_opts(..., router = 10.0.0.1,...)
1976 </p>
1977
1978 <p>
1979 Example. "name=dns_server", "code=6", "type=ipv4".
1980 </p>
1981
1982 <p>
1983 put_dhcp_opts(..., dns_server = {8.8.8.8 7.7.7.7},...)
1984 </p>
1985 </dd>
1986
1987 <dt><code>value: static_routes</code></dt>
1988 <dd>
1989 <p>
1990 This indicates that the value of the DHCP option contains a pair of
1991 IPv4 route and next hop addresses.
1992 </p>
1993
1994 <p>
1995 Example. "name=classless_static_route", "code=121", "type=static_routes".
1996 </p>
1997
1998 <p>
1999 put_dhcp_opts(..., classless_static_route = {30.0.0.0/24,10.0.0.4,0.0.0.0/0,10.0.0.1}...)
2000 </p>
2001 </dd>
2002
2003 <dt><code>value: str</code></dt>
2004 <dd>
2005 <p>
2006 This indicates that the value of the DHCP option is a string.
2007 </p>
2008
2009 <p>
2010 Example. "name=host_name", "code=12", "type=str".
2011 </p>
2012 </dd>
2013 </dl>
2014 </column>
2015 </table>
fe36184b 2016</database>
openvswitch mirror