]> git.proxmox.com Git - mirror_ovs.git/blame - ovn/ovn-sb.xml
projects / mirror_ovs.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ovn: add rbac tables to ovn southbound schema
[mirror_ovs.git] / ovn / ovn-sb.xml
CommitLineData
fe36184b 1<?xml version="1.0" encoding="utf-8"?>
ec78987f 2<database name="ovn-sb" title="OVN Southbound Database">
fe36184b
BP		 3 <p>
4 This database holds logical and physical configuration and state for the
5 Open Virtual Network (OVN) system to support virtual network abstraction.
6 For an introduction to OVN, please see <code>ovn-architecture</code>(7).
7 </p>
8
9 <p>
ec78987f
JP		 10 The OVN Southbound database sits at the center of the OVN
11 architecture. It is the one component that speaks both southbound
12 directly to all the hypervisors and gateways, via
88058f19
AW		 13 <code>ovn-controller</code>/<code>ovn-controller-vtep</code>, and
14 northbound to the Cloud Management System, via <code>ovn-northd</code>:
fe36184b
BP		 15 </p>
16
17 <h2>Database Structure</h2>
18
19 <p>
0bac7164 20 The OVN Southbound database contains classes of data with
ec78987f 21 different properties, as described in the sections below.
fe36184b
BP		 22 </p>
23
2357e695 24 <h3>Physical network</h3>
fe36184b
BP		 25
26 <p>
2357e695
BP		 27 Physical network tables contain information about the chassis nodes in the
28 system. This contains all the information necessary to wire the overlay,
29 such as IP addresses, supported tunnel types, and security keys.
fe36184b
BP		 30 </p>
31
32 <p>
2357e695
BP		 33 The amount of physical network data is small (O(n) in the number of
34 chassis) and it changes infrequently, so it can be replicated to every
35 chassis.
fe36184b
BP		 36 </p>
37
38 <p>
2357e695
BP		 39 The <ref table="Chassis"/> and <ref table="Encap"/> tables are the physical
40 network tables.
fe36184b
BP		 41 </p>
42
2357e695 43 <h3>Logical Network</h3>
fe36184b
BP		 44
45 <p>
2357e695
BP		 46 Logical network tables contain the topology of logical switches and
47 routers, ACLs, firewall rules, and everything needed to describe how
48 packets traverse a logical network, represented as logical datapath flows
49 (see Logical Datapath Flows, below).
fe36184b
BP		 50 </p>
51
52 <p>
2357e695
BP		 53 Logical network data may be large (O(n) in the number of logical ports, ACL
54 rules, etc.). Thus, to improve scaling, each chassis should receive only
55 data related to logical networks in which that chassis participates.
fe36184b
BP		 56 </p>
57
58 <p>
2357e695
BP		 59 The logical network data is ultimately controlled by the cloud management
60 system (CMS) running northbound of OVN. That CMS determines the entire OVN
61 logical configuration and therefore the logical network data at any given
62 time is a deterministic function of the CMS's configuration, although that
63 happens indirectly via the <ref db="OVN_Northbound"/> database and
64 <code>ovn-northd</code>.
fe36184b
BP		 65 </p>
66
67 <p>
2357e695
BP		 68 Logical network data is likely to change more quickly than physical network
69 data. This is especially true in a container environment where containers
70 are created and destroyed (and therefore added to and deleted from logical
71 switches) quickly.
fe36184b
BP		 72 </p>
73
74 <p>
2357e695
BP		 75 The <ref table="Logical_Flow"/>, <ref table="Multicast_Group"/>, <ref
76 table="Address_Group"/>, <ref table="DHCP_Options"/>, <ref
77 table="DHCPv6_Options"/>, and <ref table="DNS"/> tables contain logical
78 network data.
fe36184b
BP		 79 </p>
80
0bac7164 81 <h3>Logical-physical bindings</h3>
fe36184b
BP		 82
83 <p>
0bac7164 84 These tables link logical and physical components. They show the current
5868eb24
BP		 85 placement of logical components (such as VMs and VIFs) onto chassis, and
86 map logical entities to the values that represent them in tunnel
87 encapsulations.
fe36184b
BP		 88 </p>
89
90 <p>
0bac7164 91 These tables change frequently, at least every time a VM powers up or down
fe36184b
BP		 92 or migrates, and especially quickly in a container environment. The
93 amount of data per VM (or VIF) is small.
94 </p>
95
96 <p>
97 Each chassis is authoritative about the VMs and VIFs that it hosts at any
98 given time and can efficiently flood that state to a central location, so
99 the consistency needs are minimal.
100 </p>
101
102 <p>
5868eb24
BP		 103 The <ref table="Port_Binding"/> and <ref table="Datapath_Binding"/> tables
104 contain binding data.
fe36184b
BP		 105 </p>
106
0bac7164
BP		 107 <h3>MAC bindings</h3>
108
109 <p>
110 The <ref table="MAC_Binding"/> table tracks the bindings from IP addresses
111 to Ethernet addresses that are dynamically discovered using ARP (for IPv4)
112 and neighbor discovery (for IPv6). Usually, IP-to-MAC bindings for virtual
113 machines are statically populated into the <ref table="Port_Binding"/>
114 table, so <ref table="MAC_Binding"/> is primarily used to discover bindings
115 on physical networks.
116 </p>
117
5868eb24
BP		 118 <h2>Common Columns</h2>
119
120 <p>
121 Some tables contain a special column named <code>external_ids</code>. This
122 column has the same form and purpose each place that it appears, so we
123 describe it here to save space later.
124 </p>
125
126 <dl>
127 <dt><code>external_ids</code>: map of string-string pairs</dt>
128 <dd>
129 Key-value pairs for use by the software that manages the OVN Southbound
88058f19
AW		 130 database rather than by
131 <code>ovn-controller</code>/<code>ovn-controller-vtep</code>. In
132 particular, <code>ovn-northd</code> can use key-value pairs in this
133 column to relate entities in the southbound database to higher-level
134 entities (such as entities in the OVN Northbound database). Individual
135 key-value pairs in this column may be documented in some cases to aid
136 in understanding and troubleshooting, but the reader should not mistake
137 such documentation as comprehensive.
5868eb24
BP		 138 </dd>
139 </dl>
140
fa183acc
BP		 141 <table name="SB_Global" title="Southbound configuration">
142 <p>
143 Southbound configuration for an OVN system. This table must have exactly
144 one row.
145 </p>
146
147 <group title="Status">
148 This column allow a client to track the overall configuration state of
149 the system.
150
151 <column name="nb_cfg">
152 Sequence number for the configuration. When a CMS or
153 <code>ovn-nbctl</code> updates the northbound database, it increments
154 the <code>nb_cfg</code> column in the <code>NB_Global</code> table in
155 the northbound database. In turn, when <code>ovn-northd</code> updates
156 the southbound database to bring it up to date with these changes, it
157 updates this column to the same value.
158 </column>
159 </group>
160
161 <group title="Common Columns">
162 <column name="external_ids">
163 See <em>External IDs</em> at the beginning of this document.
164 </column>
165 </group>
7fff4eb7
LR		 166 <group title="Connection Options">
167 <column name="connections">
168 Database clients to which the Open vSwitch database server should
169 connect or on which it should listen, along with options for how these
170 connections should be configured. See the <ref table="Connection"/>
171 table for more information.
172 </column>
10471820
LR		 173 <column name="ssl">
174 Global SSL configuration.
175 </column>
7fff4eb7 176 </group>
fa183acc
BP		 177 </table>
178
fe36184b
BP		 179 <table name="Chassis" title="Physical Network Hypervisor and Gateway Information">
180 <p>
181 Each row in this table represents a hypervisor or gateway (a chassis) in
2357e695 182 the physical network. Each chassis, via
88058f19
AW		 183 <code>ovn-controller</code>/<code>ovn-controller-vtep</code>, adds
184 and updates its own row, and keeps a copy of the remaining rows to
185 determine how to reach other hypervisors.
fe36184b
BP		 186 </p>
187
188 <p>
189 When a chassis shuts down gracefully, it should remove its own row.
190 (This is not critical because resources hosted on the chassis are equally
191 unreachable regardless of whether the row is present.) If a chassis
192 shuts down permanently without removing its row, some kind of manual or
193 automatic cleanup is eventually needed; we can devise a process for that
194 as necessary.
195 </p>
196
197 <column name="name">
fc26cf25
RB		 198 OVN does not prescribe a particular format for chassis names.
199 ovn-controller populates this column using <ref key="system-id"
200 table="Open_vSwitch" column="external_ids" db="Open_vSwitch"/>
201 in the Open_vSwitch database's <ref table="Open_vSwitch"
202 db="Open_vSwitch"/> table. ovn-controller-vtep populates this
203 column with <ref table="Physical_Switch" column="name"
204 db="hardware_vtep"/> in the hardware_vtep database's
205 <ref table="Physical_Switch" db="hardware_vtep"/> table.
fe36184b
BP		 206 </column>
207
2229f3ec
RB		 208 <column name="hostname">
209 The hostname of the chassis, if applicable. ovn-controller will populate
210 this column with the hostname of the host it is running on.
211 ovn-controller-vtep will leave this column empty.
212 </column>
213
fa183acc
BP		 214 <column name="nb_cfg">
215 Sequence number for the configuration. When <code>ovn-controller</code>
216 updates the configuration of a chassis from the contents of the
217 southbound database, it copies <ref table="SB_Global" column="nb_cfg"/>
218 from the <ref table="SB_Global"/> table into this column.
219 </column>
220
4250ee37
RB		 221 <column name="external_ids" key="ovn-bridge-mappings">
222 <code>ovn-controller</code> populates this key with the set of bridge
223 mappings it has been configured to use. Other applications should treat
224 this key as read-only. See <code>ovn-controller</code>(8) for more
225 information.
226 </column>
227
5236c73a
NS		 228 <column name="external_ids" key="datapath-type">
229 <code>ovn-controller</code> populates this key with the datapath type
230 configured in the <ref table="Bridge" column="datapath_type"/> column of
231 the Open_vSwitch database's <ref table="Bridge" db="Open_vSwitch"/>
232 table. Other applications should treat this key as read-only. See
233 <code>ovn-controller</code>(8) for more information.
234 </column>
235
236 <column name="external_ids" key="iface-types">
237 <code>ovn-controller</code> populates this key with the interface types
238 configured in the <ref table="Open_vSwitch" column="iface_types"/> column
239 of the Open_vSwitch database's <ref table="Open_vSwitch"
240 db="Open_vSwitch"/> table. Other applications should treat this key as
241 read-only. See <code>ovn-controller</code>(8) for more information.
242 </column>
243
1cef5fff
RB		 244 <group title="Common Columns">
245 The overall purpose of these columns is described under <code>Common
246 Columns</code> at the beginning of this document.
247
248 <column name="external_ids"/>
249 </group>
250
09db214c 251 <group title="Encapsulation Configuration">
fe36184b 252 <p>
09db214c
JP		 253 OVN uses encapsulation to transmit logical dataplane packets
254 between chassis.
fe36184b
BP		 255 </p>
256
09db214c
JP		 257 <column name="encaps">
258 Points to supported encapsulation configurations to transmit
259 logical dataplane packets to this chassis. Each entry is a <ref
260 table="Encap"/> record that describes the configuration.
fe36184b
BP		 261 </column>
262 </group>
263
a8cb558a
DJ		 264 <group title="Gateway Configuration">
265 <p>
62fdd819
AW		 266 A <dfn>gateway</dfn> is a chassis that forwards traffic between the
267 OVN-managed part of a logical network and a physical VLAN, extending a
268 tunnel-based logical network into a physical network. Gateways are
88058f19
AW		 269 typically dedicated nodes that do not host VMs and will be controlled
270 by <code>ovn-controller-vtep</code>.
fe36184b
BP		 271 </p>
272
62fdd819 273 <column name="vtep_logical_switches">
88058f19
AW		 274 Stores all VTEP logical switch names connected by this gateway
275 chassis. The <ref table="Port_Binding"/> table entry with
276 <ref column="options" table="Port_Binding"/>:<code>vtep-physical-switch</code>
277 equal <ref table="Chassis"/> <ref column="name" table="Chassis"/>, and
278 <ref column="options" table="Port_Binding"/>:<code>vtep-logical-switch</code>
279 value in <ref table="Chassis"/>
280 <ref column="vtep_logical_switches" table="Chassis"/>, will be
281 associated with this <ref table="Chassis"/>.
fe36184b 282 </column>
a8cb558a 283 </group>
fe36184b
BP		 284 </table>
285
09db214c
JP		 286 <table name="Encap" title="Encapsulation Types">
287 <p>
288 The <ref column="encaps" table="Chassis"/> column in the <ref
289 table="Chassis"/> table refers to rows in this table to identify
290 how OVN may transmit logical dataplane packets to this chassis.
88058f19
AW		 291 Each chassis, via <code>ovn-controller</code>(8) or
292 <code>ovn-controller-vtep</code>(8), adds and updates its own rows
293 and keeps a copy of the remaining rows to determine how to reach
294 other chassis.
09db214c
JP		 295 </p>
296
297 <column name="type">
298 The encapsulation to use to transmit packets to this chassis.
b705f9ea
JP		 299 Hypervisors must use either <code>geneve</code> or
300 <code>stt</code>. Gateways may use <code>vxlan</code>,
301 <code>geneve</code>, or <code>stt</code>.
09db214c
JP		 302 </column>
303
304 <column name="options">
36283d78
JG		 305 <p>
306 Options for configuring the encapsulation. Currently, the only
307 option that has been defined is <code>csum</code>.
a8cb558a 308 </p>
36283d78
JG		 309
310 <p>
311 <code>csum</code> indicates that encapsulation checksums can be
312 transmitted and received with reasonable performance. It is a hint
313 to senders transmitting data to this chassis that they should use
924f0e9f 314 checksums to protect OVN metadata. <code>ovn-controller</code>
ea991ad2 315 populates this key with the value defined in
924f0e9f
NS		 316 <ref table="Open_vSwitch" column="external_ids:ovn-encap-csum"/> column
317 of the Open_vSwitch database's <ref table="Open_vSwitch"
318 db="Open_vSwitch"/> table. Other applications should treat this key as
319 read-only. See <code>ovn-controller</code>(8) for more information.
36283d78
JG		 320 </p>
321
322 <p>
323 In terms of performance, this actually significantly increases
324 throughput in most common cases when running on Linux based hosts
325 without NICs supporting encapsulation hardware offload (around 60% for
326 bulk traffic). The reason is that generally all NICs are capable of
327 offloading transmitted and received TCP/UDP checksums (viewed as
328 ordinary data packets and not as tunnels). The benefit comes on the
329 receive side where the validated outer checksum can be used to
330 additionally validate an inner checksum (such as TCP), which in turn
331 allows aggregation of packets to be more efficiently handled by the
332 rest of the stack.
333 </p>
334
335 <p>
336 Not all devices see such a benefit. The most notable exception is
337 hardware VTEPs. These devices are designed to not buffer entire
338 packets in their switching engines and are therefore unable to
339 efficiently compute or validate full packet checksums. In addition
340 certain versions of the Linux kernel are not able to fully take
341 advantage of encapsulation NIC offloads in the presence of checksums.
342 (This is actually a pretty narrow corner case though - earlier
343 versions of Linux don't support encapsulation offloads at all and
344 later versions support both offloads and checksums well.)
345 </p>
346
347 <p>
348 <code>csum</code> defaults to <code>false</code> for hardware VTEPs and
349 <code>true</code> for all other cases.
350 </p>
09db214c
JP		 351 </column>
352
353 <column name="ip">
354 The IPv4 address of the encapsulation tunnel endpoint.
355 </column>
356 </table>
357
ea382567
RB		 358 <table name="Address_Set" title="Address Sets">
359 <p>
360 See the documentation for the <ref table="Address_Set"
361 db="OVN_Northbound"/> table in the <ref db="OVN_Northbound"/> database
362 for details.
363 </p>
364
365 <column name="name"/>
366 <column name="addresses"/>
367 </table>
368
5868eb24 369 <table name="Logical_Flow" title="Logical Network Flows">
fe36184b 370 <p>
09986f8c
JP		 371 Each row in this table represents one logical flow.
372 <code>ovn-northd</code> populates this table with logical flows
373 that implement the L2 and L3 topologies specified in the
374 <ref db="OVN_Northbound"/> database. Each hypervisor, via
375 <code>ovn-controller</code>, translates the logical flows into
376 OpenFlow flows specific to its hypervisor and installs them into
377 Open vSwitch.
fe36184b
BP		 378 </p>
379
380 <p>
381 Logical flows are expressed in an OVN-specific format, described here. A
382 logical datapath flow is much like an OpenFlow flow, except that the
383 flows are written in terms of logical ports and logical datapaths instead
384 of physical ports and physical datapaths. Translation between logical
385 and physical flows helps to ensure isolation between logical datapaths.
09986f8c
JP		 386 (The logical flow abstraction also allows the OVN centralized
387 components to do less work, since they do not have to separately
388 compute and push out physical flows to each chassis.)
fe36184b
BP		 389 </p>
390
391 <p>
392 The default action when no flow matches is to drop packets.
393 </p>
394
69a832cf 395 <p><em>Architectural Logical Life Cycle of a Packet</em></p>
5868eb24
BP		 396
397 <p>
398 This following description focuses on the life cycle of a packet through
399 a logical datapath, ignoring physical details of the implementation.
69a832cf 400 Please refer to <em>Architectural Physical Life Cycle of a Packet</em> in
5868eb24
BP		 401 <code>ovn-architecture</code>(7) for the physical information.
402 </p>
403
404 <p>
405 The description here is written as if OVN itself executes these steps,
406 but in fact OVN (that is, <code>ovn-controller</code>) programs Open
407 vSwitch, via OpenFlow and OVSDB, to execute them on its behalf.
408 </p>
409
410 <p>
411 At a high level, OVN passes each packet through the logical datapath's
412 logical ingress pipeline, which may output the packet to one or more
413 logical port or logical multicast groups. For each such logical output
414 port, OVN passes the packet through the datapath's logical egress
415 pipeline, which may either drop the packet or deliver it to the
416 destination. Between the two pipelines, outputs to logical multicast
417 groups are expanded into logical ports, so that the egress pipeline only
418 processes a single logical output port at a time. Between the two
419 pipelines is also where, when necessary, OVN encapsulates a packet in a
420 tunnel (or tunnels) to transmit to remote hypervisors.
421 </p>
422
423 <p>
424 In more detail, to start, OVN searches the <ref table="Logical_Flow"/>
425 table for a row with correct <ref column="logical_datapath"/>, a <ref
426 column="pipeline"/> of <code>ingress</code>, a <ref column="table_id"/>
427 of 0, and a <ref column="match"/> that is true for the packet. If none
428 is found, OVN drops the packet. If OVN finds more than one, it chooses
429 the match with the highest <ref column="priority"/>. Then OVN executes
430 each of the actions specified in the row's <ref table="actions"/> column,
431 in the order specified. Some actions, such as those to modify packet
432 headers, require no further details. The <code>next</code> and
433 <code>output</code> actions are special.
434 </p>
435
436 <p>
437 The <code>next</code> action causes the above process to be repeated
438 recursively, except that OVN searches for <ref column="table_id"/> of 1
439 instead of 0. Similarly, any <code>next</code> action in a row found in
440 that table would cause a further search for a <ref column="table_id"/> of
441 2, and so on. When recursive processing completes, flow control returns
442 to the action following <code>next</code>.
443 </p>
444
445 <p>
446 The <code>output</code> action also introduces recursion. Its effect
447 depends on the current value of the <code>outport</code> field. Suppose
448 <code>outport</code> designates a logical port. First, OVN compares
449 <code>inport</code> to <code>outport</code>; if they are equal, it treats
bf143492
JP		 450 the <code>output</code> as a no-op by default. In the common
451 case, where they are different, the packet enters the egress
452 pipeline. This transition to the egress pipeline discards
453 register data, e.g. <code>reg0</code> ... <code>reg9</code> and
454 connection tracking state, to achieve uniform behavior regardless
455 of whether the egress pipeline is on a different hypervisor
456 (because registers aren't preserve across tunnel encapsulation).
5868eb24
BP		 457 </p>
458
459 <p>
460 To execute the egress pipeline, OVN again searches the <ref
461 table="Logical_Flow"/> table for a row with correct <ref
462 column="logical_datapath"/>, a <ref column="table_id"/> of 0, a <ref
463 column="match"/> that is true for the packet, but now looking for a <ref
464 column="pipeline"/> of <code>egress</code>. If no matching row is found,
465 the output becomes a no-op. Otherwise, OVN executes the actions for the
466 matching flow (which is chosen from multiple, if necessary, as already
467 described).
468 </p>
469
470 <p>
471 In the <code>egress</code> pipeline, the <code>next</code> action acts as
472 already described, except that it, of course, searches for
473 <code>egress</code> flows. The <code>output</code> action, however, now
474 directly outputs the packet to the output port (which is now fixed,
475 because <code>outport</code> is read-only within the egress pipeline).
476 </p>
477
478 <p>
479 The description earlier assumed that <code>outport</code> referred to a
480 logical port. If it instead designates a logical multicast group, then
481 the description above still applies, with the addition of fan-out from
482 the logical multicast group to each logical port in the group. For each
483 member of the group, OVN executes the logical pipeline as described, with
484 the logical output port replaced by the group member.
485 </p>
486
8d6e5516
JP		 487 <p><em>Pipeline Stages</em></p>
488
489 <p>
398be42b
BP		 490 <code>ovn-northd</code> populates the <ref table="Logical_Flow"/> table
491 with the logical flows described in detail in <code>ovn-northd</code>(8).
8d6e5516
JP		 492 </p>
493
747b2a45 494 <column name="logical_datapath">
5868eb24
BP		 495 The logical datapath to which the logical flow belongs.
496 </column>
497
498 <column name="pipeline">
499 <p>
500 The primary flows used for deciding on a packet's destination are the
501 <code>ingress</code> flows. The <code>egress</code> flows implement
502 ACLs. See <em>Logical Life Cycle of a Packet</em>, above, for details.
503 </p>
747b2a45
BP		 504 </column>
505
fe36184b
BP		 506 <column name="table_id">
507 The stage in the logical pipeline, analogous to an OpenFlow table number.
508 </column>
509
510 <column name="priority">
511 The flow's priority. Flows with numerically higher priority take
512 precedence over those with lower. If two logical datapath flows with the
513 same priority both match, then the one actually applied to the packet is
514 undefined.
515 </column>
516
517 <column name="match">
518 <p>
519 A matching expression. OVN provides a superset of OpenFlow matching
520 capabilities, using a syntax similar to Boolean expressions in a
521 programming language.
522 </p>
523
524 <p>
fa6aeaeb
RB		 525 The most important components of match expression are
526 <dfn>comparisons</dfn> between <dfn>symbols</dfn> and
527 <dfn>constants</dfn>, e.g. <code>ip4.dst == 192.168.0.1</code>,
528 <code>ip.proto == 6</code>, <code>arp.op == 1</code>, <code>eth.type ==
529 0x800</code>. The logical AND operator <code>&amp;&amp;</code> and
530 logical OR operator <code>||</code> can combine comparisons into a
531 larger expression.
fe36184b
BP		 532 </p>
533
fe36184b 534 <p>
e0840f11
BP		 535 Matching expressions also support parentheses for grouping, the logical
536 NOT prefix operator <code>!</code>, and literals <code>0</code> and
537 <code>1</code> to express ``false'' or ``true,'' respectively. The
538 latter is useful by itself as a catch-all expression that matches every
539 packet.
fe36184b
BP		 540 </p>
541
ba8d3816
MS		 542 <p>
543 Match expressions also support a kind of function syntax. The
544 following functions are supported:
545 </p>
546
547 <dl>
548 <dt><code>is_chassis_resident(<var>lport</var>)</code></dt>
549 <dd>
550 Evaluates to true on a chassis on which logical port <var>lport</var>
551 (a quoted string) resides, and to false elsewhere. This function was
552 introduced in OVN 2.7.
553 </dd>
554 </dl>
555
e0840f11 556 <p><em>Symbols</em></p>
fe36184b
BP		 557
558 <p>
fa6aeaeb
RB		 559 <em>Type</em>. Symbols have <dfn>integer</dfn> or <dfn>string</dfn>
560 type. Integer symbols have a <dfn>width</dfn> in bits.
fe36184b
BP		 561 </p>
562
563 <p>
fa6aeaeb 564 <em>Kinds</em>. There are three kinds of symbols:
fe36184b
BP		 565 </p>
566
e0840f11 567 <ul>
fa6aeaeb
RB		 568 <li>
569 <p>
570 <dfn>Fields</dfn>. A field symbol represents a packet header or
571 metadata field. For example, a field
572 named <code>vlan.tci</code> might represent the VLAN TCI field in a
573 packet.
574 </p>
575
576 <p>
577 A field symbol can have integer or string type. Integer fields can
578 be nominal or ordinal (see <em>Level of Measurement</em>,
579 below).
580 </p>
581 </li>
582
583 <li>
584 <p>
585 <dfn>Subfields</dfn>. A subfield represents a subset of bits from
586 a larger field. For example, a field <code>vlan.vid</code> might
587 be defined as an alias for <code>vlan.tci[0..11]</code>. Subfields
588 are provided for syntactic convenience, because it is always
589 possible to instead refer to a subset of bits from a field
590 directly.
591 </p>
592
593 <p>
594 Only ordinal fields (see <em>Level of Measurement</em>,
595 below) may have subfields. Subfields are always ordinal.
596 </p>
597 </li>
598
599 <li>
600 <p>
601 <dfn>Predicates</dfn>. A predicate is shorthand for a Boolean
602 expression. Predicates may be used much like 1-bit fields. For
603 example, <code>ip4</code> might expand to <code>eth.type ==
604 0x800</code>. Predicates are provided for syntactic convenience,
605 because it is always possible to instead specify the underlying
606 expression directly.
607 </p>
608
609 <p>
610 A predicate whose expansion refers to any nominal field or
611 predicate (see <em>Level of Measurement</em>, below) is nominal;
612 other predicates have Boolean level of measurement.
613 </p>
614 </li>
e0840f11
BP		 615 </ul>
616
fe36184b 617 <p>
fa6aeaeb
RB		 618 <em>Level of Measurement</em>. See
619 http://en.wikipedia.org/wiki/Level_of_measurement for the statistical
620 concept on which this classification is based. There are three
621 levels:
fe36184b
BP		 622 </p>
623
624 <ul>
fa6aeaeb
RB		 625 <li>
626 <p>
627 <dfn>Ordinal</dfn>. In statistics, ordinal values can be ordered
628 on a scale. OVN considers a field (or subfield) to be ordinal if
629 its bits can be examined individually. This is true for the
630 OpenFlow fields that OpenFlow or Open vSwitch makes ``maskable.''
631 </p>
632
633 <p>
634 Any use of a nominal field may specify a single bit or a range of
635 bits, e.g. <code>vlan.tci[13..15]</code> refers to the PCP field
636 within the VLAN TCI, and <code>eth.dst[40]</code> refers to the
637 multicast bit in the Ethernet destination address.
638 </p>
639
640 <p>
641 OVN supports all the usual arithmetic relations (<code>==</code>,
642 <code>!=</code>, <code>&lt;</code>, <code>&lt;=</code>,
643 <code>&gt;</code>, and <code>&gt;=</code>) on ordinal fields and
644 their subfields, because OVN can implement these in OpenFlow and
645 Open vSwitch as collections of bitwise tests.
646 </p>
647 </li>
648
649 <li>
650 <p>
651 <dfn>Nominal</dfn>. In statistics, nominal values cannot be
652 usefully compared except for equality. This is true of OpenFlow
653 port numbers, Ethernet types, and IP protocols are examples: all of
654 these are just identifiers assigned arbitrarily with no deeper
655 meaning. In OpenFlow and Open vSwitch, bits in these fields
656 generally aren't individually addressable.
657 </p>
658
659 <p>
660 OVN only supports arithmetic tests for equality on nominal fields,
661 because OpenFlow and Open vSwitch provide no way for a flow to
662 efficiently implement other comparisons on them. (A test for
663 inequality can be sort of built out of two flows with different
664 priorities, but OVN matching expressions always generate flows with
665 a single priority.)
666 </p>
667
668 <p>
669 String fields are always nominal.
670 </p>
671 </li>
672
673 <li>
674 <p>
675 <dfn>Boolean</dfn>. A nominal field that has only two values, 0
676 and 1, is somewhat exceptional, since it is easy to support both
677 equality and inequality tests on such a field: either one can be
678 implemented as a test for 0 or 1.
679 </p>
680
681 <p>
682 Only predicates (see above) have a Boolean level of measurement.
683 </p>
684
685 <p>
686 This isn't a standard level of measurement.
687 </p>
688 </li>
fe36184b
BP		 689 </ul>
690
691 <p>
fa6aeaeb
RB		 692 <em>Prerequisites</em>. Any symbol can have prerequisites, which are
693 additional condition implied by the use of the symbol. For example,
694 For example, <code>icmp4.type</code> symbol might have prerequisite
695 <code>icmp4</code>, which would cause an expression <code>icmp4.type ==
696 0</code> to be interpreted as <code>icmp4.type == 0 &amp;&amp;
697 icmp4</code>, which would in turn expand to <code>icmp4.type == 0
698 &amp;&amp; eth.type == 0x800 &amp;&amp; ip4.proto == 1</code> (assuming
699 <code>icmp4</code> is a predicate defined as suggested under
700 <em>Types</em> above).
fe36184b
BP		 701 </p>
702
e0840f11
BP		 703 <p><em>Relational operators</em></p>
704
fe36184b 705 <p>
fa6aeaeb
RB		 706 All of the standard relational operators <code>==</code>,
707 <code>!=</code>, <code>&lt;</code>, <code>&lt;=</code>,
708 <code>&gt;</code>, and <code>&gt;=</code> are supported. Nominal
709 fields support only <code>==</code> and <code>!=</code>, and only in a
710 positive sense when outer <code>!</code> are taken into account,
711 e.g. given string field <code>inport</code>, <code>inport ==
712 "eth0"</code> and <code>!(inport != "eth0")</code> are acceptable, but
713 not <code>inport != "eth0"</code>.
fe36184b
BP		 714 </p>
715
716 <p>
fa6aeaeb
RB		 717 The implementation of <code>==</code> (or <code>!=</code> when it is
718 negated), is more efficient than that of the other relational
719 operators.
fe36184b
BP		 720 </p>
721
e0840f11
BP		 722 <p><em>Constants</em></p>
723
fe36184b 724 <p>
e0840f11
BP		 725 Integer constants may be expressed in decimal, hexadecimal prefixed by
726 <code>0x</code>, or as dotted-quad IPv4 addresses, IPv6 addresses in
727 their standard forms, or Ethernet addresses as colon-separated hex
728 digits. A constant in any of these forms may be followed by a slash
729 and a second constant (the mask) in the same form, to form a masked
730 constant. IPv4 and IPv6 masks may be given as integers, to express
731 CIDR prefixes.
732 </p>
733
734 <p>
735 String constants have the same syntax as quoted strings in JSON (thus,
5868eb24 736 they are Unicode strings).
fe36184b
BP		 737 </p>
738
739 <p>
e0840f11
BP		 740 Some operators support sets of constants written inside curly braces
741 <code>{</code> ... <code>}</code>. Commas between elements of a set,
742 and after the last elements, are optional. With <code>==</code>,
743 ``<code><var>field</var> == { <var>constant1</var>,
744 <var>constant2</var>,</code> ... <code>}</code>'' is syntactic sugar
745 for ``<code><var>field</var> == <var>constant1</var> ||
746 <var>field</var> == <var>constant2</var> || </code>...<code></code>.
747 Similarly, ``<code><var>field</var> != { <var>constant1</var>,
748 <var>constant2</var>, </code>...<code> }</code>'' is equivalent to
749 ``<code><var>field</var> != <var>constant1</var> &amp;&amp;
fe36184b 750 <var>field</var> != <var>constant2</var> &amp;&amp;
e0840f11 751 </code>...<code></code>''.
fe36184b
BP		 752 </p>
753
ea382567
RB		 754 <p>
755 You may refer to a set of IPv4, IPv6, or MAC addresses stored in the
756 <ref table="Address_Set"/> table by its <ref column="name"
757 table="Address_Set"/>. An <ref table="Address_Set"/> with a name
758 of <code>set1</code> can be referred to as
759 <code>$set1</code>.
760 </p>
761
e0840f11
BP		 762 <p><em>Miscellaneous</em></p>
763
fe36184b 764 <p>
fa6aeaeb
RB		 765 Comparisons may name the symbol or the constant first,
766 e.g. <code>tcp.src == 80</code> and <code>80 == tcp.src</code> are both
767 acceptable.
fe36184b
BP		 768 </p>
769
770 <p>
fa6aeaeb
RB		 771 Tests for a range may be expressed using a syntax like <code>1024 &lt;=
772 tcp.src &lt;= 49151</code>, which is equivalent to <code>1024 &lt;=
773 tcp.src &amp;&amp; tcp.src &lt;= 49151</code>.
fe36184b
BP		 774 </p>
775
776 <p>
fa6aeaeb
RB		 777 For a one-bit field or predicate, a mention of its name is equivalent
778 to <code><var>symobl</var> == 1</code>, e.g. <code>vlan.present</code>
779 is equivalent to <code>vlan.present == 1</code>. The same is true for
780 one-bit subfields, e.g. <code>vlan.tci[12]</code>. There is no
781 technical limitation to implementing the same for ordinal fields of all
782 widths, but the implementation is expensive enough that the syntax
783 parser requires writing an explicit comparison against zero to make
784 mistakes less likely, e.g. in <code>tcp.src != 0</code> the comparison
785 against 0 is required.
fe36184b
BP		 786 </p>
787
788 <p>
fa6aeaeb
RB		 789 <em>Operator precedence</em> is as shown below, from highest to lowest.
790 There are two exceptions where parentheses are required even though the
791 table would suggest that they are not: <code>&amp;&amp;</code> and
792 <code>||</code> require parentheses when used together, and
793 <code>!</code> requires parentheses when applied to a relational
794 expression. Thus, in <code>(eth.type == 0x800 || eth.type == 0x86dd)
795 &amp;&amp; ip.proto == 6</code> or <code>!(arp.op == 1)</code>, the
796 parentheses are mandatory.
fe36184b
BP		 797 </p>
798
e0840f11
BP		 799 <ul>
800 <li><code>()</code></li>
801 <li><code>== != &lt; &lt;= &gt; &gt;=</code></li>
802 <li><code>!</code></li>
803 <li><code>&amp;&amp; ||</code></li>
804 </ul>
805
10b1662b
BP		 806 <p>
807 <em>Comments</em> may be introduced by <code>//</code>, which extends
808 to the next new-line. Comments within a line may be bracketed by
809 <code>/*</code> and <code>*/</code>. Multiline comments are not
810 supported.
811 </p>
812
e0840f11
BP		 813 <p><em>Symbols</em></p>
814
5868eb24
BP		 815 <p>
816 Most of the symbols below have integer type. Only <code>inport</code>
817 and <code>outport</code> have string type. <code>inport</code> names a
818 logical port. Thus, its value is a <ref column="logical_port"/> name
62fdd819
AW		 819 from the <ref table="Port_Binding"/> table. <code>outport</code> may
820 name a logical port, as <code>inport</code>, or a logical multicast
821 group defined in the <ref table="Multicast_Group"/> table. For both
822 symbols, only names within the flow's logical datapath may be used.
5868eb24
BP		 823 </p>
824
394e883d
JP		 825 <p>
826 The <code>reg</code><var>X</var> symbols are 32-bit integers.
827 The <code>xxreg</code><var>X</var> symbols are 128-bit integers,
828 which overlay four of the 32-bit registers: <code>xxreg0</code>
829 overlays <code>reg0</code> through <code>reg3</code>, with
830 <code>reg0</code> supplying the most-significant bits of
831 <code>xxreg0</code> and <code>reg3</code> the least-signficant.
832 <code>xxreg1</code> similarly overlays <code>reg4</code> through
833 <code>reg7</code>.
834 </p>
835
e0840f11 836 <ul>
cc5e28d8 837 <li><code>reg0</code>...<code>reg9</code></li>
394e883d 838 <li><code>xxreg0</code> <code>xxreg1</code></li>
5868eb24 839 <li><code>inport</code> <code>outport</code></li>
bf143492 840 <li><code>flags.loopback</code></li>
e0840f11
BP		 841 <li><code>eth.src</code> <code>eth.dst</code> <code>eth.type</code></li>
842 <li><code>vlan.tci</code> <code>vlan.vid</code> <code>vlan.pcp</code> <code>vlan.present</code></li>
843 <li><code>ip.proto</code> <code>ip.dscp</code> <code>ip.ecn</code> <code>ip.ttl</code> <code>ip.frag</code></li>
844 <li><code>ip4.src</code> <code>ip4.dst</code></li>
845 <li><code>ip6.src</code> <code>ip6.dst</code> <code>ip6.label</code></li>
846 <li><code>arp.op</code> <code>arp.spa</code> <code>arp.tpa</code> <code>arp.sha</code> <code>arp.tha</code></li>
847 <li><code>tcp.src</code> <code>tcp.dst</code> <code>tcp.flags</code></li>
848 <li><code>udp.src</code> <code>udp.dst</code></li>
849 <li><code>sctp.src</code> <code>sctp.dst</code></li>
850 <li><code>icmp4.type</code> <code>icmp4.code</code></li>
851 <li><code>icmp6.type</code> <code>icmp6.code</code></li>
852 <li><code>nd.target</code> <code>nd.sll</code> <code>nd.tll</code></li>
e3d81ade 853 <li><code>ct_mark</code> <code>ct_label</code></li>
78aab811
JP		 854 <li>
855 <p>
a96d26d7
BP		 856 <code>ct_state</code>, which has several Boolean subfields. The
857 <code>ct_next</code> action initializes the following subfields:
78aab811
JP		 858 </p>
859 <ul>
a96d26d7
BP		 860 <li>
861 <code>ct.trk</code>: Always set to true by <code>ct_next</code>
862 to indicate that connection tracking has taken place. All other
863 <code>ct</code> subfields have <code>ct.trk</code> as a
864 prerequisite.
865 </li>
78aab811
JP		 866 <li><code>ct.new</code>: True for a new flow</li>
867 <li><code>ct.est</code>: True for an established flow</li>
868 <li><code>ct.rel</code>: True for a related flow</li>
869 <li><code>ct.rpl</code>: True for a reply flow</li>
870 <li><code>ct.inv</code>: True for a connection entry in a bad state</li>
871 </ul>
872 <p>
a96d26d7
BP		 873 The <code>ct_dnat</code>, <code>ct_snat</code>, and
874 <code>ct_lb</code> actions initialize the following subfields:
858c2f76
GS		 875 </p>
876 <ul>
877 <li>
878 <code>ct.dnat</code>: True for a packet whose destination IP
879 address has been changed.
880 </li>
881 <li>
882 <code>ct.snat</code>: True for a packet whose source IP
883 address has been changed.
884 </li>
885 </ul>
78aab811 886 </li>
e0840f11
BP		 887 </ul>
888
25030d47
RB		 889 <p>
890 The following predicates are supported:
891 </p>
892
893 <ul>
a2011117
BP		 894 <li><code>eth.bcast</code> expands to <code>eth.dst == ff:ff:ff:ff:ff:ff</code></li>
895 <li><code>eth.mcast</code> expands to <code>eth.dst[40]</code></li>
25030d47
RB		 896 <li><code>vlan.present</code> expands to <code>vlan.tci[12]</code></li>
897 <li><code>ip4</code> expands to <code>eth.type == 0x800</code></li>
a2011117 898 <li><code>ip4.mcast</code> expands to <code>ip4.dst[28..31] == 0xe</code></li>
25030d47
RB		 899 <li><code>ip6</code> expands to <code>eth.type == 0x86dd</code></li>
900 <li><code>ip</code> expands to <code>ip4 || ip6</code></li>
901 <li><code>icmp4</code> expands to <code>ip4 &amp;&amp; ip.proto == 1</code></li>
902 <li><code>icmp6</code> expands to <code>ip6 &amp;&amp; ip.proto == 58</code></li>
903 <li><code>icmp</code> expands to <code>icmp4 || icmp6</code></li>
904 <li><code>ip.is_frag</code> expands to <code>ip.frag[0]</code></li>
905 <li><code>ip.later_frag</code> expands to <code>ip.frag[1]</code></li>
906 <li><code>ip.first_frag</code> expands to <code>ip.is_frag &amp;&amp; !ip.later_frag</code></li>
907 <li><code>arp</code> expands to <code>eth.type == 0x806</code></li>
acdd9220
JP		 908 <li><code>nd</code> expands to <code>icmp6.type == {135, 136} &amp;&amp; icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
909 <li><code>nd_ns</code> expands to <code>icmp6.type == 135 &amp;&amp; icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
910 <li><code>nd_na</code> expands to <code>icmp6.type == 136 &amp;&amp; icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
25030d47
RB		 911 <li><code>tcp</code> expands to <code>ip.proto == 6</code></li>
912 <li><code>udp</code> expands to <code>ip.proto == 17</code></li>
913 <li><code>sctp</code> expands to <code>ip.proto == 132</code></li>
914 </ul>
fe36184b
BP		 915 </column>
916
917 <column name="actions">
918 <p>
2cd87fce
RB		 919 Logical datapath actions, to be executed when the logical flow
920 represented by this row is the highest-priority match.
fe36184b
BP		 921 </p>
922
35060cdc 923 <p>
2cd87fce
RB		 924 Actions share lexical syntax with the <ref column="match"/> column. An
925 empty set of actions (or one that contains just white space or
926 comments), or a set of actions that consists of just
927 <code>drop;</code>, causes the matched packets to be dropped.
928 Otherwise, the column should contain a sequence of actions, each
929 terminated by a semicolon.
35060cdc 930 </p>
fe36184b 931
35060cdc 932 <p>
eee7a8ed 933 The following actions are defined:
35060cdc 934 </p>
fe36184b 935
35060cdc
BP		 936 <dl>
937 <dt><code>output;</code></dt>
938 <dd>
5868eb24 939 <p>
eee7a8ed
JP		 940 In the ingress pipeline, this action executes the
941 <code>egress</code> pipeline as a subroutine. If
942 <code>outport</code> names a logical port, the egress pipeline
943 executes once; if it is a multicast group, the egress pipeline runs
944 once for each logical port in the group.
5868eb24
BP		 945 </p>
946
947 <p>
948 In the egress pipeline, this action performs the actual
949 output to the <code>outport</code> logical port. (In the egress
950 pipeline, <code>outport</code> never names a multicast group.)
951 </p>
952
953 <p>
bf143492
JP		 954 By default, output to the input port is implicitly dropped,
955 that is, <code>output</code> becomes a no-op if
956 <code>outport</code> == <code>inport</code>. Occasionally
957 it may be useful to override this behavior, e.g. to send an
958 ARP reply to an ARP request; to do so, use
959 <code>flags.loopback = 1</code> to allow the packet to
960 "hair-pin" back to the input port.
5868eb24 961 </p>
eee7a8ed 962 </dd>
fe36184b 963
35060cdc 964 <dt><code>next;</code></dt>
558ec83d 965 <dt><code>next(<var>table</var>);</code></dt>
4c99cb18 966 <dt><code>next(pipeline=<var>pipeline</var>, table=<var>table</var>);</code></dt>
35060cdc 967 <dd>
4c99cb18
BP		 968 Executes the given logical datapath <var>table</var> in
969 <var>pipeline</var> as a subroutine. The default <var>table</var> is
970 just after the current one. If <var>pipeline</var> is specified, it
971 may be <code>ingress</code> or <code>egress</code>; the default
972 <var>pipeline</var> is the one currently executing. Actions in the
973 ingress pipeline may not use <code>next</code> to jump into the
974 egress pipeline (use the <code>output</code> instead), but
975 transitions in the opposite direction are allowed.
2cd87fce 976 </dd>
fe36184b 977
35060cdc
BP		 978 <dt><code><var>field</var> = <var>constant</var>;</code></dt>
979 <dd>
5868eb24 980 <p>
5ee054fb
BP		 981 Sets data or metadata field <var>field</var> to constant value
982 <var>constant</var>, e.g. <code>outport = "vif0";</code> to set the
983 logical output port. To set only a subset of bits in a field,
984 specify a subfield for <var>field</var> or a masked
985 <var>constant</var>, e.g. one may use <code>vlan.pcp[2] = 1;</code>
986 or <code>vlan.pcp = 4/4;</code> to set the most sigificant bit of
987 the VLAN PCP.
5868eb24
BP		 988 </p>
989
990 <p>
991 Assigning to a field with prerequisites implicitly adds those
992 prerequisites to <ref column="match"/>; thus, for example, a flow
993 that sets <code>tcp.dst</code> applies only to TCP flows,
994 regardless of whether its <ref column="match"/> mentions any TCP
995 field.
996 </p>
997
998 <p>
999 Not all fields are modifiable (e.g. <code>eth.type</code> and
1000 <code>ip.proto</code> are read-only), and not all modifiable fields
1001 may be partially modified (e.g. <code>ip.ttl</code> must assigned
1002 as a whole). The <code>outport</code> field is modifiable in the
1003 <code>ingress</code> pipeline but not in the <code>egress</code>
1004 pipeline.
1005 </p>
eee7a8ed 1006 </dd>
5ee054fb
BP		 1007
1008 <dt><code><var>field1</var> = <var>field2</var>;</code></dt>
1009 <dd>
1010 <p>
1011 Sets data or metadata field <var>field1</var> to the value of data
1012 or metadata field <var>field2</var>, e.g. <code>reg0 =
1013 ip4.src;</code> copies <code>ip4.src</code> into <code>reg0</code>.
1014 To modify only a subset of a field's bits, specify a subfield for
1015 <var>field1</var> or <var>field2</var> or both, e.g. <code>vlan.pcp
1016 = reg0[0..2];</code> copies the least-significant bits of
1017 <code>reg0</code> into the VLAN PCP.
1018 </p>
1019
1020 <p>
1021 <var>field1</var> and <var>field2</var> must be the same type,
1022 either both string or both integer fields. If they are both
1023 integer fields, they must have the same width.
1024 </p>
1025
1026 <p>
1027 If <var>field1</var> or <var>field2</var> has prerequisites, they
1028 are added implicitly to <ref column="match"/>. It is possible to
1029 write an assignment with contradictory prerequisites, such as
1030 <code>ip4.src = ip6.src[0..31];</code>, but the contradiction means
1031 that a logical flow with such an assignment will never be matched.
1032 </p>
1033 </dd>
a20c96c6
BP		 1034
1035 <dt><code><var>field1</var> &lt;-&gt; <var>field2</var>;</code></dt>
1036 <dd>
1037 <p>
1038 Similar to <code><var>field1</var> = <var>field2</var>;</code>
1039 except that the two values are exchanged instead of copied. Both
1040 <var>field1</var> and <var>field2</var> must modifiable.
1041 </p>
1042 </dd>
78aab811 1043
00ea19e4
BP		 1044 <dt><code>ip.ttl--;</code></dt>
1045 <dd>
1046 <p>
1047 Decrements the IPv4 or IPv6 TTL. If this would make the TTL zero
1048 or negative, then processing of the packet halts; no further
1049 actions are processed. (To properly handle such cases, a
4c20b9f2
JP		 1050 higher-priority flow should match on
1051 <code>ip.ttl == {0, 1};</code>.)
00ea19e4
BP		 1052 </p>
1053
1054 <p><b>Prerequisite:</b> <code>ip</code></p>
1055 </dd>
1056
78aab811
JP		 1057 <dt><code>ct_next;</code></dt>
1058 <dd>
1059 <p>
1060 Apply connection tracking to the flow, initializing
1061 <code>ct_state</code> for matching in later tables.
1062 Automatically moves on to the next table, as if followed by
1063 <code>next</code>.
1064 </p>
1065
1066 <p>
1067 As a side effect, IP fragments will be reassembled for matching.
1068 If a fragmented packet is output, then it will be sent with any
1069 overlapping fragments squashed. The connection tracking state is
d7039b9a
GS		 1070 scoped by the logical port when the action is used in a flow for
1071 a logical switch, so overlapping addresses may be used. To allow
1072 traffic related to the matched flow, execute <code>ct_commit
1073 </code>. Connection tracking state is scoped by the logical
1074 topology when the action is used in a flow for a router.
78aab811
JP		 1075 </p>
1076
1077 <p>
1078 It is possible to have actions follow <code>ct_next</code>,
1079 but they will not have access to any of its side-effects and
1080 is not generally useful.
1081 </p>
1082 </dd>
1083
1084 <dt><code>ct_commit;</code></dt>
a9e1b66f
RB		 1085 <dt><code>ct_commit(ct_mark=<var>value[/mask]</var>);</code></dt>
1086 <dt><code>ct_commit(ct_label=<var>value[/mask]</var>);</code></dt>
1087 <dt><code>ct_commit(ct_mark=<var>value[/mask]</var>, ct_label=<var>value[/mask]</var>);</code></dt>
78aab811 1088 <dd>
c4623bb8 1089 <p>
a9e1b66f
RB		 1090 Commit the flow to the connection tracking entry associated with it
1091 by a previous call to <code>ct_next</code>. When
1092 <code>ct_mark=<var>value[/mask]</var></code> and/or
1093 <code>ct_label=<var>value[/mask]</var></code> are supplied,
1094 <code>ct_mark</code> and/or <code>ct_label</code> will be set to the
1095 values indicated by <var>value[/mask]</var> on the connection
1096 tracking entry. <code>ct_mark</code> is a 32-bit field.
354b8f27
NS		 1097 <code>ct_label</code> is a 128-bit field. The <var>value[/mask]</var>
1098 should be specified in hex string if more than 64bits are to be used.
c4623bb8 1099 </p>
a9e1b66f 1100
c4623bb8
RB		 1101 <p>
1102 Note that if you want processing to continue in the next table,
1103 you must execute the <code>next</code> action after
a9e1b66f
RB		 1104 <code>ct_commit</code>. You may also leave out <code>next</code>
1105 which will commit connection tracking state, and then drop the
1106 packet. This could be useful for setting <code>ct_mark</code>
1107 on a connection tracking entry before dropping a packet,
1108 for example.
c4623bb8 1109 </p>
78aab811 1110 </dd>
fe36184b 1111
de297547
GS		 1112 <dt><code>ct_dnat;</code></dt>
1113 <dt><code>ct_dnat(<var>IP</var>);</code></dt>
1114 <dd>
1115 <p>
1116 <code>ct_dnat</code> sends the packet through the DNAT zone in
1117 connection tracking table to unDNAT any packet that was DNATed in
1118 the opposite direction. The packet is then automatically sent to
1119 to the next tables as if followed by <code>next;</code> action.
1120 The next tables will see the changes in the packet caused by
1121 the connection tracker.
1122 </p>
1123 <p>
1124 <code>ct_dnat(<var>IP</var>)</code> sends the packet through the
1125 DNAT zone to change the destination IP address of the packet to
467085fd 1126 the one provided inside the parentheses and commits the connection.
de297547
GS		 1127 The packet is then automatically sent to the next tables as if
1128 followed by <code>next;</code> action. The next tables will see
1129 the changes in the packet caused by the connection tracker.
1130 </p>
1131 </dd>
1132
1133 <dt><code>ct_snat;</code></dt>
1134 <dt><code>ct_snat(<var>IP</var>);</code></dt>
1135 <dd>
1136 <p>
1137 <code>ct_snat</code> sends the packet through the SNAT zone to
1b441300
MS		 1138 unSNAT any packet that was SNATed in the opposite direction. The
1139 behavior on gateway routers differs from the behavior on a
1140 distributed router:
de297547 1141 </p>
1b441300
MS		 1142 <ul>
1143 <li>
1144 On a gateway router, if the packet needs to be sent to the next
1145 tables, then it should be followed by a <code>next;</code>
1146 action. The next tables will not see the changes in the packet
1147 caused by the connection tracker.
1148 </li>
1149 <li>
1150 On a distributed router, if the connection tracker finds a
1151 connection that was SNATed in the opposite direction, then the
1152 destination IP address of the packet is UNSNATed. The packet is
1153 automatically sent to the next tables as if followed by the
1154 <code>next;</code> action. The next tables will see the changes
1155 in the packet caused by the connection tracker.
1156 </li>
1157 </ul>
de297547
GS		 1158 <p>
1159 <code>ct_snat(<var>IP</var>)</code> sends the packet through the
1160 SNAT zone to change the source IP address of the packet to
1161 the one provided inside the parenthesis and commits the connection.
1162 The packet is then automatically sent to the next tables as if
1163 followed by <code>next;</code> action. The next tables will see the
1164 changes in the packet caused by the connection tracker.
1165 </p>
1166 </dd>
1167
db0e819b
BP		 1168 <dt><code>ct_clear;</code></dt>
1169 <dd>
1170 Clears connection tracking state.
1171 </dd>
b3bd2c33
BP		 1172
1173 <dt><code>clone { <var>action</var>; </code>...<code> };</code></dt>
1174 <dd>
1175 Makes a copy of the packet being processed and executes each
1176 <code>action</code> on the copy. Actions following the
1177 <var>clone</var> action, if any, apply to the original, unmodified
1178 packet. This can be used as a way to ``save and restore'' the packet
1179 around a set of actions that may modify it and should not persist.
1180 </dd>
1181
69a832cf
BP		 1182 <dt><code>arp { <var>action</var>; </code>...<code> };</code></dt>
1183 <dd>
1184 <p>
1185 Temporarily replaces the IPv4 packet being processed by an ARP
1186 packet and executes each nested <var>action</var> on the ARP
1187 packet. Actions following the <var>arp</var> action, if any, apply
1188 to the original, unmodified packet.
1189 </p>
1190
1191 <p>
1192 The ARP packet that this action operates on is initialized based on
1193 the IPv4 packet being processed, as follows. These are default
1194 values that the nested actions will probably want to change:
1195 </p>
1196
1197 <ul>
1198 <li><code>eth.src</code> unchanged</li>
1199 <li><code>eth.dst</code> unchanged</li>
1200 <li><code>eth.type = 0x0806</code></li>
1201 <li><code>arp.op = 1</code> (ARP request)</li>
1202 <li><code>arp.sha</code> copied from <code>eth.src</code></li>
1203 <li><code>arp.spa</code> copied from <code>ip4.src</code></li>
1204 <li><code>arp.tha = 00:00:00:00:00:00</code></li>
1205 <li><code>arp.tpa</code> copied from <code>ip4.dst</code></li>
1206 </ul>
1207
6335d074
BP		 1208 <p>
1209 The ARP packet has the same VLAN header, if any, as the IP packet
1210 it replaces.
1211 </p>
1212
69a832cf
BP		 1213 <p><b>Prerequisite:</b> <code>ip4</code></p>
1214 </dd>
1215
c34a87b6
JP		 1216 <dt><code>get_arp(<var>P</var>, <var>A</var>);</code></dt>
1217
1218 <dd>
1219 <p>
1220 <b>Parameters</b>: logical port string field <var>P</var>, 32-bit
1221 IP address field <var>A</var>.
1222 </p>
1223
1224 <p>
1225 Looks up <var>A</var> in <var>P</var>'s mac binding table.
1226 If an entry is found, stores its Ethernet address in
1227 <code>eth.dst</code>, otherwise stores
1228 <code>00:00:00:00:00:00</code> in <code>eth.dst</code>.
1229 </p>
1230
1231 <p><b>Example:</b> <code>get_arp(outport, ip4.dst);</code></p>
1232 </dd>
1233
1234 <dt>
1235 <code>put_arp(<var>P</var>, <var>A</var>, <var>E</var>);</code>
1236 </dt>
1237
1238 <dd>
1239 <p>
1240 <b>Parameters</b>: logical port string field <var>P</var>, 32-bit
1241 IP address field <var>A</var>, 48-bit Ethernet address field
1242 <var>E</var>.
1243 </p>
1244
1245 <p>
1246 Adds or updates the entry for IP address <var>A</var> in
1247 logical port <var>P</var>'s mac binding table, setting its
1248 Ethernet address to <var>E</var>.
1249 </p>
1250
1251 <p><b>Example:</b> <code>put_arp(inport, arp.spa, arp.sha);</code></p>
1252 </dd>
1253
e75451fe 1254 <dt>
f8a8db39 1255 <code>nd_na { <var>action</var>; </code>...<code> };</code>
e75451fe
ZKL		 1256 </dt>
1257
1258 <dd>
1259 <p>
f8a8db39
JP		 1260 Temporarily replaces the IPv6 neighbor solicitation packet
1261 being processed by an IPv6 neighbor advertisement (NA)
1262 packet and executes each nested <var>action</var> on the NA
1263 packet. Actions following the <code>nd_na</code> action,
1264 if any, apply to the original, unmodified packet.
e75451fe
ZKL		 1265 </p>
1266
1267 <p>
1268 The NA packet that this action operates on is initialized based on
1269 the IPv6 packet being processed, as follows. These are default
1270 values that the nested actions will probably want to change:
1271 </p>
1272
1273 <ul>
1274 <li><code>eth.dst</code> exchanged with <code>eth.src</code></li>
1275 <li><code>eth.type = 0x86dd</code></li>
1276 <li><code>ip6.dst</code> copied from <code>ip6.src</code></li>
1277 <li><code>ip6.src</code> copied from <code>nd.target</code></li>
1278 <li><code>icmp6.type = 136</code> (Neighbor Advertisement)</li>
1279 <li><code>nd.target</code> unchanged</li>
1280 <li><code>nd.sll = 00:00:00:00:00:00</code></li>
1281 <li><code>nd.tll</code> copied from <code>eth.dst</code></li>
1282 </ul>
1283
1284 <p>
1285 The ND packet has the same VLAN header, if any, as the IPv6 packet
1286 it replaces.
1287 </p>
1288
1289 <p>
f8a8db39 1290 <b>Prerequisite:</b> <code>nd_ns</code>
e75451fe
ZKL		 1291 </p>
1292 </dd>
1293
c34a87b6 1294 <dt><code>get_nd(<var>P</var>, <var>A</var>);</code></dt>
0bac7164
BP		 1295
1296 <dd>
1297 <p>
c34a87b6
JP		 1298 <b>Parameters</b>: logical port string field <var>P</var>, 128-bit
1299 IPv6 address field <var>A</var>.
0bac7164
BP		 1300 </p>
1301
1302 <p>
c34a87b6
JP		 1303 Looks up <var>A</var> in <var>P</var>'s mac binding table.
1304 If an entry is found, stores its Ethernet address in
1305 <code>eth.dst</code>, otherwise stores
1306 <code>00:00:00:00:00:00</code> in <code>eth.dst</code>.
0bac7164
BP		 1307 </p>
1308
c34a87b6 1309 <p><b>Example:</b> <code>get_nd(outport, ip6.dst);</code></p>
0bac7164
BP		 1310 </dd>
1311
1312 <dt>
c34a87b6 1313 <code>put_nd(<var>P</var>, <var>A</var>, <var>E</var>);</code>
0bac7164
BP		 1314 </dt>
1315
1316 <dd>
1317 <p>
c34a87b6
JP		 1318 <b>Parameters</b>: logical port string field <var>P</var>,
1319 128-bit IPv6 address field <var>A</var>, 48-bit Ethernet
1320 address field <var>E</var>.
0bac7164
BP		 1321 </p>
1322
1323 <p>
c34a87b6
JP		 1324 Adds or updates the entry for IPv6 address <var>A</var> in
1325 logical port <var>P</var>'s mac binding table, setting its
1326 Ethernet address to <var>E</var>.
0bac7164
BP		 1327 </p>
1328
c34a87b6 1329 <p><b>Example:</b> <code>put_nd(inport, nd.target, nd.tll);</code></p>
0bac7164 1330 </dd>
42814145
NS		 1331
1332 <dt>
d5a76da4 1333 <code><var>R</var> = put_dhcp_opts(<var>D1</var> = <var>V1</var>, <var>D2</var> = <var>V2</var>, ..., <var>Dn</var> = <var>Vn</var>);</code>
42814145
NS		 1334 </dt>
1335
1336 <dd>
1337 <p>
d5a76da4
BP		 1338 <b>Parameters</b>: one or more DHCP option/value pairs, which must
1339 include an <code>offerip</code> option (with code 0).
42814145
NS		 1340 </p>
1341
1342 <p>
1343 <b>Result</b>: stored to a 1-bit subfield <var>R</var>.
1344 </p>
1345
1346 <p>
1347 Valid only in the ingress pipeline.
1348 </p>
1349
1350 <p>
1351 When this action is applied to a DHCP request packet (DHCPDISCOVER
1352 or DHCPREQUEST), it changes the packet into a DHCP reply (DHCPOFFER
1353 or DHCPACK, respectively), replaces the options by those specified
1354 as parameters, and stores 1 in <var>R</var>.
1355 </p>
1356
1357 <p>
1358 When this action is applied to a non-DHCP packet or a DHCP packet
1359 that is not DHCPDISCOVER or DHCPREQUEST, it leaves the packet
1360 unchanged and stores 0 in <var>R</var>.
1361 </p>
1362
1363 <p>
1364 The contents of the <ref table="DHCP_Option"/> table control the
1365 DHCP option names and values that this action supports.
1366 </p>
1367
1368 <p>
1369 <b>Example:</b>
1370 <code>
1371 reg0[0] = put_dhcp_opts(offerip = 10.0.0.2, router = 10.0.0.1,
1372 netmask = 255.255.255.0, dns_server = {8.8.8.8, 7.7.7.7});
1373 </code>
1374 </p>
1375 </dd>
467085fd 1376
01cfdb2f
NS		 1377 <dt>
1378 <code><var>R</var> = put_dhcpv6_opts(<var>D1</var> = <var>V1</var>, <var>D2</var> = <var>V2</var>, ..., <var>Dn</var> = <var>Vn</var>);</code>
1379 </dt>
1380
1381 <dd>
1382 <p>
1383 <b>Parameters</b>: one or more DHCPv6 option/value pairs.
1384 </p>
1385
1386 <p>
1387 <b>Result</b>: stored to a 1-bit subfield <var>R</var>.
1388 </p>
1389
1390 <p>
1391 Valid only in the ingress pipeline.
1392 </p>
1393
1394 <p>
1395 When this action is applied to a DHCPv6 request packet, it changes
1396 the packet into a DHCPv6 reply, replaces the options by those
1397 specified as parameters, and stores 1 in <var>R</var>.
1398 </p>
1399
1400 <p>
1401 When this action is applied to a non-DHCPv6 packet or an invalid
1402 DHCPv6 request packet , it leaves the packet unchanged and stores
1403 0 in <var>R</var>.
1404 </p>
1405
1406 <p>
1407 The contents of the <ref table="DHCPv6_Options"/> table control the
1408 DHCPv6 option names and values that this action supports.
1409 </p>
1410
1411 <p>
1412 <b>Example:</b>
1413 <code>
1414 reg0[3] = put_dhcpv6_opts(ia_addr = aef0::4, server_id = 00:00:00:00:10:02,
1415 dns_server={ae70::1,ae70::2});
1416 </code>
1417 </p>
1418 </dd>
1419
a6095f81
BS		 1420 <dt>
1421 <code>set_queue(<var>queue_number</var>);</code>
1422 </dt>
1423
1424 <dd>
1425 <p>
1426 <b>Parameters</b>: Queue number <var>queue_number</var>, in the range 0 to 61440.
1427 </p>
1428
1429 <p>
1430 This is a logical equivalent of the OpenFlow <code>set_queue</code>
1431 action. It affects packets that egress a hypervisor through a
1432 physical interface. For nonzero <var>queue_number</var>, it
1433 configures packet queuing to match the settings configured for the
1434 <ref table="Port_Binding"/> with
1435 <code>options:qdisc_queue_id</code> matching
1436 <var>queue_number</var>. When <var>queue_number</var> is zero, it
1437 resets queuing to the default strategy.
1438 </p>
1439
1440 <p><b>Example:</b> <code>set_queue(10);</code></p>
1441 </dd>
1442
467085fd
GS		 1443 <dt><code>ct_lb;</code></dt>
1444 <dt><code>ct_lb(</code><var>ip</var>[<code>:</code><var>port</var>]...<code>);</code></dt>
1445 <dd>
1446 <p>
1447 With one or more arguments, <code>ct_lb</code> commits the packet
1448 to the connection tracking table and DNATs the packet's destination
1449 IP address (and port) to the IP address or addresses (and optional
1450 ports) specified in the string. If multiple comma-separated IP
1451 addresses are specified, each is given equal weight for picking the
1452 DNAT address. Processing automatically moves on to the next table,
1453 as if <code>next;</code> were specified, and later tables act on
1454 the packet as modified by the connection tracker. Connection
c2e954a1
GS		 1455 tracking state is scoped by the logical port when the action is
1456 used in a flow for a logical switch, so overlapping
1457 addresses may be used. Connection tracking state is scoped by the
1458 logical topology when the action is used in a flow for a router.
467085fd
GS		 1459 </p>
1460 <p>
1461 Without arguments, <code>ct_lb</code> sends the packet to the
1462 connection tracking table to NAT the packets. If the packet is
1463 part of an established connection that was previously committed to
1464 the connection tracker via <code>ct_lb(</code>...<code>)</code>, it
1465 will automatically get DNATed to the same IP address as the first
1466 packet in that connection.
1467 </p>
1468 </dd>
ea991ad2
NS		 1469
1470 <dt>
1471 <code><var>R</var> = dns_lookup();</code>
1472 </dt>
1473
1474 <dd>
1475 <p>
1476 <b>Parameters</b>: No parameters.
1477 </p>
1478
1479 <p>
1480 <b>Result</b>: stored to a 1-bit subfield <var>R</var>.
1481 </p>
1482
1483 <p>
1484 Valid only in the ingress pipeline.
1485 </p>
1486
1487 <p>
1488 When this action is applied to a valid DNS request (a UDP packet
1489 typically directed to port 53), it attempts to resolve the query
1490 using the contents of the <ref table="DNS"/> table. If it is
1491 successful, it changes the packet into a DNS reply and stores 1 in
1492 <var>R</var>. If the action is applied to a non-DNS packet, an
1493 invalid DNS request packet, or a valid DNS request for which the
1494 <ref table="DNS"/> table does not supply an answer, it leaves the
1495 packet unchanged and stores 0 in <var>R</var>.
1496 </p>
1497
1498 <p>
1499 Regardless of success, the action does not make any of the changes
1500 to the flow that are necessary to direct the packet back to the
1501 requester. The logical pipeline can implement this behavior with
1502 matches and actions in later tables.
1503 </p>
1504
1505 <p>
1506 <b>Example:</b>
1507 <code>
1508 reg0[3] = dns_lookup();
1509 </code>
1510 </p>
1511
1512 <p>
1513 <b>Prerequisite:</b> <code>udp</code>
1514 </p>
1515 </dd>
6335d074
BP		 1516 </dl>
1517
1518 <p>
1519 The following actions will likely be useful later, but they have not
1520 been thought out carefully.
1521 </p>
1522
1523 <dl>
69a832cf
BP		 1524 <dt><code>icmp4 { <var>action</var>; </code>...<code> };</code></dt>
1525 <dd>
1526 <p>
1527 Temporarily replaces the IPv4 packet being processed by an ICMPv4
1528 packet and executes each nested <var>action</var> on the ICMPv4
1529 packet. Actions following the <var>icmp4</var> action, if any,
1530 apply to the original, unmodified packet.
1531 </p>
1532
1533 <p>
1534 The ICMPv4 packet that this action operates on is initialized based
1535 on the IPv4 packet being processed, as follows. These are default
1536 values that the nested actions will probably want to change.
1537 Ethernet and IPv4 fields not listed here are not changed:
1538 </p>
1539
1540 <ul>
1541 <li><code>ip.proto = 1</code> (ICMPv4)</li>
1542 <li><code>ip.frag = 0</code> (not a fragment)</li>
1543 <li><code>icmp4.type = 3</code> (destination unreachable)</li>
1544 <li><code>icmp4.code = 1</code> (host unreachable)</li>
1545 </ul>
1546
1547 <p>
1548 Details TBD.
1549 </p>
fe36184b 1550
69a832cf
BP		 1551 <p><b>Prerequisite:</b> <code>ip4</code></p>
1552 </dd>
1553
1554 <dt><code>tcp_reset;</code></dt>
1555 <dd>
1556 <p>
1557 This action transforms the current TCP packet according to the
1558 following pseudocode:
1559 </p>
1560
1561 <pre>
1562if (tcp.ack) {
1563 tcp.seq = tcp.ack;
1564} else {
1565 tcp.ack = tcp.seq + length(tcp.payload);
1566 tcp.seq = 0;
1567}
1568tcp.flags = RST;
1569</pre>
1570
1571 <p>
1572 Then, the action drops all TCP options and payload data, and
1573 updates the TCP checksum.
1574 </p>
1575
1576 <p>
1577 Details TBD.
1578 </p>
1579
1580 <p><b>Prerequisite:</b> <code>tcp</code></p>
1581 </dd>
fe36184b 1582 </dl>
fe36184b 1583 </column>
091e3af9
JP		 1584
1585 <column name="external_ids" key="stage-name">
1586 Human-readable name for this flow's stage in the pipeline.
1587 </column>
1588
17bfa2aa
HZ		 1589 <column name="external_ids" key="stage-hint" type='{"type": "uuid"}'>
1590 UUID of a <ref db="OVN_Northbound"/> record that caused this logical flow
1591 to be created. Currently used only for attribute of logical flows to
1592 northbound <ref db="OVN_Northbound" table="ACL"/> records.
1593 </column>
1594
d8026bbf
BP		 1595 <column name="external_ids" key="source">
1596 Source file and line number of the code that added this flow to the
1597 pipeline.
1598 </column>
1599
091e3af9
JP		 1600 <group title="Common Columns">
1601 The overall purpose of these columns is described under <code>Common
1602 Columns</code> at the beginning of this document.
1603
1604 <column name="external_ids"/>
1605 </group>
fe36184b
BP		 1606 </table>
1607
5868eb24
BP		 1608 <table name="Multicast_Group" title="Logical Port Multicast Groups">
1609 <p>
1610 The rows in this table define multicast groups of logical ports.
1611 Multicast groups allow a single packet transmitted over a tunnel to a
1612 hypervisor to be delivered to multiple VMs on that hypervisor, which
1613 uses bandwidth more efficiently.
1614 </p>
1615
1616 <p>
1617 Each row in this table defines a logical multicast group numbered <ref
1618 column="tunnel_key"/> within <ref column="datapath"/>, whose logical
1619 ports are listed in the <ref column="ports"/> column.
1620 </p>
1621
1622 <column name="datapath">
1623 The logical datapath in which the multicast group resides.
1624 </column>
1625
1626 <column name="tunnel_key">
1627 The value used to designate this logical egress port in tunnel
1628 encapsulations. An index forces the key to be unique within the <ref
1629 column="datapath"/>. The unusual range ensures that multicast group IDs
1630 do not overlap with logical port IDs.
1631 </column>
1632
1633 <column name="name">
1634 <p>
1635 The logical multicast group's name. An index forces the name to be
1636 unique within the <ref column="datapath"/>. Logical flows in the
1637 ingress pipeline may output to the group just as for individual logical
1638 ports, by assigning the group's name to <code>outport</code> and
1639 executing an <code>output</code> action.
1640 </p>
1641
1642 <p>
1643 Multicast group names and logical port names share a single namespace
1644 and thus should not overlap (but the database schema cannot enforce
1645 this). To try to avoid conflicts, <code>ovn-northd</code> uses names
1646 that begin with <code>_MC_</code>.
1647 </p>
1648 </column>
1649
1650 <column name="ports">
1651 The logical ports included in the multicast group. All of these ports
1652 must be in the <ref column="datapath"/> logical datapath (but the
1653 database schema cannot enforce this).
1654 </column>
1655 </table>
1656
1657 <table name="Datapath_Binding" title="Physical-Logical Datapath Bindings">
1658 <p>
2357e695
BP		 1659 Each row in this table represents a logical datapath, which implements a
1660 logical pipeline among the ports in the <ref table="Port_Binding"/> table
1661 associated with it. In practice, the pipeline in a given logical
1662 datapath implements either a logical switch or a logical router.
1663 </p>
1664
1665 <p>
1666 The main purpose of a row in this table is provide a physical binding for
1667 a logical datapath. A logical datapath does not have a physical
1668 location, so its physical binding information is limited: just <ref
1669 column="tunnel_key"/>. The rest of the data in this table does not
1670 affect packet forwarding.
5868eb24
BP		 1671 </p>
1672
1673 <column name="tunnel_key">
1674 The tunnel key value to which the logical datapath is bound.
1675 The <code>Tunnel Encapsulation</code> section in
1676 <code>ovn-architecture</code>(7) describes how tunnel keys are
1677 constructed for each supported encapsulation.
1678 </column>
1679
9975d7be
BP		 1680 <group title="OVN_Northbound Relationship">
1681 <p>
1682 Each row in <ref table="Datapath_Binding"/> is associated with some
1683 logical datapath. <code>ovn-northd</code> uses these keys to track the
1684 association of a logical datapath with concepts in the <ref
1685 db="OVN_Northbound"/> database.
1686 </p>
1687
1688 <column name="external_ids" key="logical-switch" type='{"type": "uuid"}'>
1689 For a logical datapath that represents a logical switch,
1690 <code>ovn-northd</code> stores in this key the UUID of the
1691 corresponding <ref table="Logical_Switch" db="OVN_Northbound"/> row in
1692 the <ref db="OVN_Northbound"/> database.
1693 </column>
1694
1695 <column name="external_ids" key="logical-router" type='{"type": "uuid"}'>
1696 For a logical datapath that represents a logical router,
1697 <code>ovn-northd</code> stores in this key the UUID of the
1698 corresponding <ref table="Logical_Router" db="OVN_Northbound"/> row in
1699 the <ref db="OVN_Northbound"/> database.
1700 </column>
0f8e9c12 1701
cacc55af
BP		 1702 <group title="Naming">
1703 <p>
1704 <code>ovn-northd</code> copies these from the name fields in the <ref
1705 db="OVN_Northbound"/> database, either from <ref
1706 table="Logical_Router" db="OVN_Northbound" column="name"/> and <ref
1707 table="Logical_Router" db="OVN_Northbound" column="external_ids"
1708 key="neutron:router_name"/> in the <ref table="Logical_Router"
1709 db="OVN_Northbound"/> table or from <ref table="Logical_Switch"
1710 db="OVN_Northbound" column="name"/> and <ref table="Logical_Switch"
1711 db="OVN_Northbound" column="external_ids"
1712 key="neutron:network_name"/> in the <ref table="Logical_Switch"
1713 db="OVN_Northbound"/> table.
1714 </p>
1715
1716 <column name="external_ids" key="name">
1717 A name for the logical datapath.
1718 </column>
1719
1720 <column name="external_ids" key="name2">
1721 Another name for the logical datapath.
1722 </column>
1723 </group>
9975d7be 1724 </group>
5868eb24
BP		 1725
1726 <group title="Common Columns">
1727 The overall purpose of these columns is described under <code>Common
1728 Columns</code> at the beginning of this document.
1729
1730 <column name="external_ids"/>
1731 </group>
1732 </table>
1733
dcda6e0d 1734 <table name="Port_Binding" title="Physical-Logical Port Bindings">
fe36184b 1735 <p>
2357e695
BP		 1736 Each row in this table binds a logical port to a realization. For most
1737 logical ports, this means binding to some physical location, for example
1738 by binding a logical port to a VIF that belongs to a VM running on a
1739 particular hypervisor. Other logical ports, such as logical patch ports,
1740 can be realized without a specific physical location, but their bindings
1741 are still expressed through rows in this table.
fe36184b
BP		 1742 </p>
1743
1744 <p>
80f408f4
JP		 1745 For every <code>Logical_Switch_Port</code> record in
1746 <code>OVN_Northbound</code> database, <code>ovn-northd</code>
1747 creates a record in this table. <code>ovn-northd</code> populates
1748 and maintains every column except the <code>chassis</code> column,
1749 which it leaves empty in new records.
9fb4636f
GS		 1750 </p>
1751
1752 <p>
88058f19
AW		 1753 <code>ovn-controller</code>/<code>ovn-controller-vtep</code>
1754 populates the <code>chassis</code> column for the records that
1755 identify the logical ports that are located on its hypervisor/gateway,
1756 which <code>ovn-controller</code>/<code>ovn-controller-vtep</code> in
1757 turn finds out by monitoring the local hypervisor's Open_vSwitch
1758 database, which identifies logical ports via the conventions described
2567fb84 1759 in <code>IntegrationGuide.rst</code>. (The exceptions are for
c1645003 1760 <code>Port_Binding</code> records with <code>type</code> of
17bac0ff
RB		 1761 <code>l3gateway</code>, whose locations are identified by
1762 <code>ovn-northd</code> via the <code>options:l3gateway-chassis</code>
c1645003
GS		 1763 column in this table. <code>ovn-controller</code> is still responsible
1764 to populate the <code>chassis</code> column.)
9fb4636f
GS		 1765 </p>
1766
1767 <p>
5868eb24 1768 When a chassis shuts down gracefully, it should clean up the
9fb4636f 1769 <code>chassis</code> column that it previously had populated.
fe36184b
BP		 1770 (This is not critical because resources hosted on the chassis are equally
1771 unreachable regardless of whether their rows are present.) To handle the
1772 case where a VM is shut down abruptly on one chassis, then brought up
88058f19
AW		 1773 again on a different one,
1774 <code>ovn-controller</code>/<code>ovn-controller-vtep</code> must
1775 overwrite the <code>chassis</code> column with new information.
fe36184b
BP		 1776 </p>
1777
c96ba502
BP		 1778 <group title="Core Features">
1779 <column name="datapath">
1780 The logical datapath to which the logical port belongs.
1781 </column>
1a76c93e 1782
c96ba502 1783 <column name="logical_port">
80f408f4
JP		 1784 A logical port, taken from <ref table="Logical_Switch_Port"
1785 column="name" db="OVN_Northbound"/> in the OVN_Northbound
1786 database's <ref table="Logical_Switch_Port" db="OVN_Northbound"/>
1787 table. OVN does not prescribe a particular format for the
1788 logical port ID.
c96ba502 1789 </column>
c0281929 1790
c96ba502 1791 <column name="chassis">
184bc3ca
RB		 1792 The meaning of this column depends on the value of the <ref column="type"/>
1793 column. This is the meaning for each <ref column="type"/>
1794
1795 <dl>
1796 <dt>(empty string)</dt>
1797 <dd>
1798 The physical location of the logical port. To successfully identify a
1799 chassis, this column must be a <ref table="Chassis"/> record. This is
1800 populated by <code>ovn-controller</code>.
1801 </dd>
1802
1803 <dt>vtep</dt>
1804 <dd>
1805 The physical location of the hardware_vtep gateway. To successfully
1806 identify a chassis, this column must be a <ref table="Chassis"/> record.
1807 This is populated by <code>ovn-controller-vtep</code>.
1808 </dd>
1809
1810 <dt>localnet</dt>
1811 <dd>
1812 Always empty. A localnet port is realized on every chassis that has
1813 connectivity to the corresponding physical network.
1814 </dd>
1815
2a38ef45
DA		 1816 <dt>localport</dt>
1817 <dd>
1818 Always empty. A localport port is present on every chassis.
1819 </dd>
1820
17bac0ff 1821 <dt>l3gateway</dt>
184bc3ca
RB		 1822 <dd>
1823 The physical location of the L3 gateway. To successfully identify a
1824 chassis, this column must be a <ref table="Chassis"/> record. This is
1825 populated by <code>ovn-controller</code> based on the value of
17bac0ff 1826 the <code>options:l3gateway-chassis</code> column in this table.
184bc3ca
RB		 1827 </dd>
1828
1829 <dt>l2gateway</dt>
1830 <dd>
1831 The physical location of this L2 gateway. To successfully identify a
1832 chassis, this column must be a <ref table="Chassis"/> record.
62b87eab
NS		 1833 This is populated by <code>ovn-controller</code> based on the value
1834 of the <code>options:l2gateway-chassis</code> column in this table.
184bc3ca
RB		 1835 </dd>
1836 </dl>
1837
c96ba502 1838 </column>
c0281929 1839
c96ba502
BP		 1840 <column name="tunnel_key">
1841 <p>
1842 A number that represents the logical port in the key (e.g. STT key or
1843 Geneve TLV) field carried within tunnel protocol packets.
1844 </p>
c0281929 1845
c96ba502
BP		 1846 <p>
1847 The tunnel ID must be unique within the scope of a logical datapath.
1848 </p>
1849 </column>
88058f19 1850
c96ba502
BP		 1851 <column name="mac">
1852 <p>
1853 The Ethernet address or addresses used as a source address on the
1854 logical port, each in the form
1855 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>.
1856 The string <code>unknown</code> is also allowed to indicate that the
1857 logical port has an unknown set of (additional) source addresses.
1858 </p>
1859
1860 <p>
1861 A VM interface would ordinarily have a single Ethernet address. A
1862 gateway port might initially only have <code>unknown</code>, and then
1863 add MAC addresses to the set as it learns new source addresses.
1864 </p>
1865 </column>
88058f19 1866
c96ba502
BP		 1867 <column name="type">
1868 <p>
1869 A type for this logical port. Logical ports can be used to model other
1870 types of connectivity into an OVN logical switch. The following types
1871 are defined:
1872 </p>
1873
1874 <dl>
1875 <dt>(empty string)</dt>
1876 <dd>VM (or VIF) interface.</dd>
d387d24d
BP		 1877
1878 <dt><code>patch</code></dt>
1879 <dd>
1880 One of a pair of logical ports that act as if connected by a patch
1881 cable. Useful for connecting two logical datapaths, e.g. to connect
1882 a logical router to a logical switch or to another logical router.
1883 </dd>
1884
17bac0ff 1885 <dt><code>l3gateway</code></dt>
c1645003
GS		 1886 <dd>
1887 One of a pair of logical ports that act as if connected by a patch
1888 cable across multiple chassis. Useful for connecting a logical
1889 switch with a Gateway router (which is only resident on a
1890 particular chassis).
1891 </dd>
1892
c96ba502
BP		 1893 <dt><code>localnet</code></dt>
1894 <dd>
1895 A connection to a locally accessible network from each
1896 <code>ovn-controller</code> instance. A logical switch can only
6e6c3f91
HZ		 1897 have a single <code>localnet</code> port attached. This is used
1898 to model direct connectivity to an existing network.
c96ba502
BP		 1899 </dd>
1900
2a38ef45
DA		 1901 <dt><code>localport</code></dt>
1902 <dd>
1903 A connection to a local VIF. Traffic that arrives on a
1904 <code>localport</code> is never forwarded over a tunnel to another
1905 chassis. These ports are present on every chassis and have the same
1906 address in all of them. This is used to model connectivity to local
1907 services that run on every hypervisor.
1908 </dd>
1909
184bc3ca
RB		 1910 <dt><code>l2gateway</code></dt>
1911 <dd>
1912 An L2 connection to a physical network. The chassis this
1913 <ref table="Port_Binding"/> is bound to will serve as
1914 an L2 gateway to the network named by
1915 <ref column="options" table="Port_Binding"/>:<code>network_name</code>.
1916 </dd>
1917
c96ba502
BP		 1918 <dt><code>vtep</code></dt>
1919 <dd>
1920 A port to a logical switch on a VTEP gateway chassis. In order to
1921 get this port correctly recognized by the OVN controller, the <ref
1922 column="options"
1923 table="Port_Binding"/>:<code>vtep-physical-switch</code> and <ref
1924 column="options"
1925 table="Port_Binding"/>:<code>vtep-logical-switch</code> must also
1926 be defined.
1927 </dd>
41a15b71
MS		 1928
1929 <dt><code>chassisredirect</code></dt>
1930 <dd>
1931 A logical port that represents a particular instance, bound
1932 to a specific chassis, of an otherwise distributed parent
1933 port (e.g. of type <code>patch</code>). A
1934 <code>chassisredirect</code> port should never be used as an
1935 <code>inport</code>. When an ingress pipeline sets the
1936 <code>outport</code>, it may set the value to a logical port
1937 of type <code>chassisredirect</code>. This will cause the
1938 packet to be directed to a specific chassis to carry out the
1939 egress pipeline. At the beginning of the egress pipeline,
1940 the <code>outport</code> will be reset to the value of the
1941 distributed port.
1942 </dd>
c96ba502
BP		 1943 </dl>
1944 </column>
1945 </group>
1a76c93e 1946
d387d24d
BP		 1947 <group title="Patch Options">
1948 <p>
1949 These options apply to logical ports with <ref column="type"/> of
1950 <code>patch</code>.
1951 </p>
1952
1953 <column name="options" key="peer">
1954 The <ref column="logical_port"/> in the <ref table="Port_Binding"/>
1955 record for the other side of the patch. The named <ref
1956 column="logical_port"/> must specify this <ref column="logical_port"/>
1957 in its own <code>peer</code> option. That is, the two patch logical
1958 ports must have reversed <ref column="logical_port"/> and
1959 <code>peer</code> values.
1960 </column>
26b9e08d 1961
f40c5588
MS		 1962 <column name="nat_addresses">
1963 MAC address followed by a list of SNAT and DNAT external IP
1964 addresses, followed by
26b9e08d
MS		 1965 <code>is_chassis_resident("<var>lport</var>")</code>, where
1966 <var>lport</var> is the name of a logical port on the same chassis
1967 where the corresponding NAT rules are applied. This is used to
1968 send gratuitous ARPs for SNAT and DNAT external IP addresses via
1969 <code>localnet</code>, from the chassis where <var>lport</var>
1970 resides. Example: <code>80:fa:5b:06:72:b7 158.36.44.22
1971 158.36.44.24 is_chassis_resident("foo1")</code>. This would result
1972 in generation of gratuitous ARPs for IP addresses 158.36.44.22 and
1973 158.36.44.24 with a MAC address of 80:fa:5b:06:72:b7 from the chassis
1974 where the logical port "foo1" resides.
1975 </column>
d387d24d
BP		 1976 </group>
1977
184bc3ca 1978 <group title="L3 Gateway Options">
c1645003
GS		 1979 <p>
1980 These options apply to logical ports with <ref column="type"/> of
17bac0ff 1981 <code>l3gateway</code>.
c1645003
GS		 1982 </p>
1983
1984 <column name="options" key="peer">
1985 The <ref column="logical_port"/> in the <ref table="Port_Binding"/>
17bac0ff 1986 record for the other side of the 'l3gateway' port. The named <ref
c1645003 1987 column="logical_port"/> must specify this <ref column="logical_port"/>
17bac0ff 1988 in its own <code>peer</code> option. That is, the two 'l3gateway'
c1645003
GS		 1989 logical ports must have reversed <ref column="logical_port"/> and
1990 <code>peer</code> values.
1991 </column>
1992
17bac0ff 1993 <column name="options" key="l3gateway-chassis">
c1645003
GS		 1994 The <code>chassis</code> in which the port resides.
1995 </column>
8439c2eb 1996
26b9e08d
MS		 1997 <column name="options" key="nat-addresses">
1998 MAC address of the <code>l3gateway</code> port followed by a list of
1999 SNAT and DNAT external IP addresses. This is used to send gratuitous
2000 ARPs for SNAT and DNAT external IP addresses via <code>localnet</code>.
2001 Example: <code>80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24</code>.
2002 This would result in generation of gratuitous ARPs for IP addresses
2003 158.36.44.22 and 158.36.44.24 with a MAC address of 80:fa:5b:06:72:b7.
f40c5588
MS		 2004 This is used in OVS versions prior to 2.8.
2005 </column>
2006
2007 <column name="nat_addresses">
2008 MAC address of the <code>l3gateway</code> port followed by a list of
2009 SNAT and DNAT external IP addresses. This is used to send gratuitous
2010 ARPs for SNAT and DNAT external IP addresses via <code>localnet</code>.
2011 Example: <code>80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24</code>.
2012 This would result in generation of gratuitous ARPs for IP addresses
2013 158.36.44.22 and 158.36.44.24 with a MAC address of 80:fa:5b:06:72:b7.
2014 This is used in OVS version 2.8 and later versions.
26b9e08d 2015 </column>
c1645003
GS		 2016 </group>
2017
c96ba502 2018 <group title="Localnet Options">
eb00399e 2019 <p>
c96ba502
BP		 2020 These options apply to logical ports with <ref column="type"/> of
2021 <code>localnet</code>.
eb00399e
BP		 2022 </p>
2023
c96ba502
BP		 2024 <column name="options" key="network_name">
2025 Required. <code>ovn-controller</code> uses the configuration entry
2026 <code>ovn-bridge-mappings</code> to determine how to connect to this
2027 network. <code>ovn-bridge-mappings</code> is a list of network names
2028 mapped to a local OVS bridge that provides access to that network. An
2029 example of configuring <code>ovn-bridge-mappings</code> would be:
2030
2031 <pre>$ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1</pre>
2032
2033 <p>
2034 When a logical switch has a <code>localnet</code> port attached,
2035 every chassis that may have a local vif attached to that logical
2036 switch must have a bridge mapping configured to reach that
2037 <code>localnet</code>. Traffic that arrives on a
2038 <code>localnet</code> port is never forwarded over a tunnel to
2039 another chassis.
2040 </p>
2041 </column>
2042
2043 <column name="tag">
2044 If set, indicates that the port represents a connection to a specific
2045 VLAN on a locally accessible network. The VLAN ID is used to match
2046 incoming traffic and is also added to outgoing traffic.
2047 </column>
2048 </group>
2049
184bc3ca
RB		 2050 <group title="L2 Gateway Options">
2051 <p>
2052 These options apply to logical ports with <ref column="type"/> of
2053 <code>l2gateway</code>.
2054 </p>
2055
2056 <column name="options" key="network_name">
2057 Required. <code>ovn-controller</code> uses the configuration entry
2058 <code>ovn-bridge-mappings</code> to determine how to connect to this
2059 network. <code>ovn-bridge-mappings</code> is a list of network names
2060 mapped to a local OVS bridge that provides access to that network. An
2061 example of configuring <code>ovn-bridge-mappings</code> would be:
2062
2063 <pre>$ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1</pre>
2064
2065 <p>
2066 When a logical switch has a <code>l2gateway</code> port attached,
2067 the chassis that the <code>l2gateway</code> port is bound to
2068 must have a bridge mapping configured to reach the network
2069 identified by <code>network_name</code>.
2070 </p>
2071 </column>
2072
62b87eab
NS		 2073 <column name="options" key="l2gateway-chassis">
2074 Required. The <code>chassis</code> in which the port resides.
2075 </column>
2076
184bc3ca
RB		 2077 <column name="tag">
2078 If set, indicates that the gateway is connected to a specific
2079 VLAN on the physical network. The VLAN ID is used to match
2080 incoming traffic and is also added to outgoing traffic.
2081 </column>
2082 </group>
2083
c96ba502 2084 <group title="VTEP Options">
eb00399e 2085 <p>
c96ba502
BP		 2086 These options apply to logical ports with <ref column="type"/> of
2087 <code>vtep</code>.
eb00399e 2088 </p>
9fb4636f 2089
c96ba502
BP		 2090 <column name="options" key="vtep-physical-switch">
2091 Required. The name of the VTEP gateway.
2092 </column>
fe36184b 2093
c96ba502
BP		 2094 <column name="options" key="vtep-logical-switch">
2095 Required. A logical switch name connected by the VTEP gateway. Must
2096 be set when <ref column="type"/> is <code>vtep</code>.
2097 </column>
2098 </group>
fe36184b 2099
aef5f431
BP		 2100 <group title="VMI (or VIF) Options">
2101 <p>
2102 These options apply to logical ports with <ref column="type"/> having
2103 (empty string)
2104 </p>
2105
a6095f81 2106 <column name="options" key="qos_max_rate">
aef5f431 2107 If set, indicates the maximum rate for data sent from this interface,
a6095f81 2108 in bit/s. The traffic will be shaped according to this limit.
aef5f431
BP		 2109 </column>
2110
a6095f81 2111 <column name="options" key="qos_burst">
aef5f431 2112 If set, indicates the maximum burst size for data sent from this
a6095f81
BS		 2113 interface, in bits.
2114 </column>
2115
2116 <column name="options" key="qdisc_queue_id"
2117 type='{"type": "integer", "minInteger": 1, "maxInteger": 61440}'>
2118 Indicates the queue number on the physical device. This is same as the
2119 <code>queue_id</code> used in OpenFlow in <code>struct
2120 ofp_action_enqueue</code>.
aef5f431
BP		 2121 </column>
2122 </group>
2123
41a15b71
MS		 2124 <group title="Chassis Redirect Options">
2125 <p>
2126 These options apply to logical ports with <ref column="type"/>
2127 of <code>chassisredirect</code>.
2128 </p>
2129
2130 <column name="options" key="distributed-port">
2131 The name of the distributed port for which this
2132 <code>chassisredirect</code> port represents a particular instance.
2133 </column>
2134
2135 <column name="options" key="redirect-chassis">
2136 The <code>chassis</code> that this <code>chassisredirect</code> port
2137 is bound to. This is taken from <ref table="Logical_Router_Port"
2138 column="options" key="redirect-chassis" db="OVN_Northbound"/>
2139 in the OVN_Northbound database's <ref table="Logical_Router_Port"
2140 db="OVN_Northbound"/> table.
2141 </column>
2142 </group>
2143
c96ba502 2144 <group title="Nested Containers">
fe36184b 2145 <p>
c96ba502
BP		 2146 These columns support containers nested within a VM. Specifically,
2147 they are used when <ref column="type"/> is empty and <ref
2148 column="logical_port"/> identifies the interface of a container spawned
2149 inside a VM. They are empty for containers or VMs that run directly on
2150 a hypervisor.
fe36184b
BP		 2151 </p>
2152
c96ba502
BP		 2153 <column name="parent_port">
2154 This is taken from
80f408f4
JP		 2155 <ref table="Logical_Switch_Port" column="parent_name"
2156 db="OVN_Northbound"/> in the OVN_Northbound database's
2157 <ref table="Logical_Switch_Port" db="OVN_Northbound"/> table.
c96ba502
BP		 2158 </column>
2159
2160 <column name="tag">
2161 <p>
2162 Identifies the VLAN tag in the network traffic associated with that
2163 container's network interface.
2164 </p>
2165
2166 <p>
2167 This column is used for a different purpose when <ref column="type"/>
184bc3ca
RB		 2168 is <code>localnet</code> (see <code>Localnet Options</code>, above)
2169 or <code>l2gateway</code> (see <code>L2 Gateway Options</code>, above).
c96ba502
BP		 2170 </p>
2171 </column>
2172 </group>
4a680bff
BP		 2173
2174 <group title="Naming">
2175 <column name="external_ids" key="name">
2176 <p>
2177 For a logical switch port, <code>ovn-northd</code> copies this from
2178 <ref table="Logical_Switch_Port" db="OVN_Northbound"
2179 column="external_ids" key="neutron:port_name"/> in the <ref
2180 table="Logical_Switch_Port" db="OVN_Northbound"/> table in the
2181 OVN_Northbound database, if it is a nonempty string.
2182 </p>
2183
2184 <p>
2185 For a logical switch port, <code>ovn-northd</code> does not currently
2186 set this key.
2187 </p>
2188 </column>
2189 </group>
2190
2191 <group title="Common Columns">
2192 <column name="external_ids">
37737b96
DAS		 2193 <p>
2194 See <em>External IDs</em> at the beginning of this document.
2195 </p>
2196
2197 <p>
2198 The <code>ovn-northd</code> program populates this column with
2199 all entries into the <ref column="external_ids"/> column of the
2200 <ref table="Logical_Switch_Port"/> table of the
2201 <ref db="OVN_Northbound"/> database.
2202 </p>
4a680bff
BP		 2203 </column>
2204 </group>
fe36184b 2205 </table>
0bac7164
BP		 2206
2207 <table name="MAC_Binding" title="IP to MAC bindings">
2208 <p>
2209 Each row in this table specifies a binding from an IP address to an
2210 Ethernet address that has been discovered through ARP (for IPv4) or
2211 neighbor discovery (for IPv6). This table is primarily used to discover
2212 bindings on physical networks, because IP-to-MAC bindings for virtual
2213 machines are usually populated statically into the <ref
2214 table="Port_Binding"/> table.
2215 </p>
2216
2217 <p>
2218 This table expresses a functional relationship: <ref
2219 table="MAC_Binding"/>(<ref column="logical_port"/>, <ref column="ip"/>) =
2220 <ref column="mac"/>.
2221 </p>
2222
2223 <p>
2224 In outline, the lifetime of a logical router's MAC binding looks like
2225 this:
2226 </p>
2227
2228 <ol>
2229 <li>
2230 On hypervisor 1, a logical router determines that a packet should be
2231 forwarded to IP address <var>A</var> on one of its router ports. It
2232 uses its logical flow table to determine that <var>A</var> lacks a
2233 static IP-to-MAC binding and the <code>get_arp</code> action to
2234 determine that it lacks a dynamic IP-to-MAC binding.
2235 </li>
2236
2237 <li>
2238 Using an OVN logical <code>arp</code> action, the logical router
2239 generates and sends a broadcast ARP request to the router port. It
2240 drops the IP packet.
2241 </li>
2242
2243 <li>
2244 The logical switch attached to the router port delivers the ARP request
2245 to all of its ports. (It might make sense to deliver it only to ports
2246 that have no static IP-to-MAC bindings, but this could also be
2247 surprising behavior.)
2248 </li>
2249
2250 <li>
2251 A host or VM on hypervisor 2 (which might be the same as hypervisor 1)
2252 attached to the logical switch owns the IP address in question. It
2253 composes an ARP reply and unicasts it to the logical router port's
2254 Ethernet address.
2255 </li>
2256
2257 <li>
2258 The logical switch delivers the ARP reply to the logical router port.
2259 </li>
2260
2261 <li>
2262 The logical router flow table executes a <code>put_arp</code> action.
2263 To record the IP-to-MAC binding, <code>ovn-controller</code> adds a row
2264 to the <ref table="MAC_Binding"/> table.
2265 </li>
2266
2267 <li>
2268 On hypervisor 1, <code>ovn-controller</code> receives the updated <ref
2269 table="MAC_Binding"/> table from the OVN southbound database. The next
2270 packet destined to <var>A</var> through the logical router is sent
2271 directly to the bound Ethernet address.
2272 </li>
2273 </ol>
2274
2275 <column name="logical_port">
2276 The logical port on which the binding was discovered.
2277 </column>
2278
2279 <column name="ip">
2280 The bound IP address.
2281 </column>
2282
2283 <column name="mac">
2284 The Ethernet address to which the IP is bound.
2285 </column>
791a7747
LS		 2286 <column name="datapath">
2287 The logical datapath to which the logical port belongs.
2288 </column>
0bac7164 2289 </table>
42814145
NS		 2290
2291 <table name="DHCP_Options" title="DHCP Options supported by native OVN DHCP">
2292 <p>
2293 Each row in this table stores the DHCP Options supported by native OVN
2294 DHCP. <code>ovn-northd</code> populates this table with the supported
2295 DHCP options. <code>ovn-controller</code> looks up this table to get the
2296 DHCP codes of the DHCP options defined in the "put_dhcp_opts" action.
2297 Please refer to the RFC 2132 <code>"https://tools.ietf.org/html/rfc2132"</code>
2298 for the possible list of DHCP options that can be defined here.
2299 </p>
2300
2301 <column name="name">
2302 <p>
2303 Name of the DHCP option.
2304 </p>
2305
2306 <p>
2307 Example. name="router"
2308 </p>
2309 </column>
2310
2311 <column name="code">
2312 <p>
2313 DHCP option code for the DHCP option as defined in the RFC 2132.
2314 </p>
2315
2316 <p>
2317 Example. code=3
2318 </p>
2319 </column>
2320
2321 <column name="type">
2322 <p>
2323 Data type of the DHCP option code.
2324 </p>
2325
2326 <dl>
2327 <dt><code>value: bool</code></dt>
2328 <dd>
2329 <p>
2330 This indicates that the value of the DHCP option is a bool.
2331 </p>
2332
2333 <p>
2334 Example. "name=ip_forward_enable", "code=19", "type=bool".
2335 </p>
2336
2337 <p>
2338 put_dhcp_opts(..., ip_forward_enable = 1,...)
2339 </p>
2340 </dd>
2341
2342 <dt><code>value: uint8</code></dt>
2343 <dd>
2344 <p>
2345 This indicates that the value of the DHCP option is an unsigned
2346 int8 (8 bits)
2347 </p>
2348
2349 <p>
2350 Example. "name=default_ttl", "code=23", "type=uint8".
2351 </p>
2352
2353 <p>
2354 put_dhcp_opts(..., default_ttl = 50,...)
2355 </p>
2356 </dd>
2357
2358 <dt><code>value: uint16</code></dt>
2359 <dd>
2360 <p>
2361 This indicates that the value of the DHCP option is an unsigned
2362 int16 (16 bits).
2363 </p>
2364
2365 <p>
2366 Example. "name=mtu", "code=26", "type=uint16".
2367 </p>
2368
2369 <p>
2370 put_dhcp_opts(..., mtu = 1450,...)
2371 </p>
2372 </dd>
2373
2374 <dt><code>value: uint32</code></dt>
2375 <dd>
2376 <p>
2377 This indicates that the value of the DHCP option is an unsigned
2378 int32 (32 bits).
2379 </p>
2380
2381 <p>
2382 Example. "name=lease_time", "code=51", "type=uint32".
2383 </p>
2384
2385 <p>
2386 put_dhcp_opts(..., lease_time = 86400,...)
2387 </p>
2388 </dd>
2389
2390 <dt><code>value: ipv4</code></dt>
2391 <dd>
2392 <p>
2393 This indicates that the value of the DHCP option is an IPv4
2394 address or addresses.
2395 </p>
2396
2397 <p>
2398 Example. "name=router", "code=3", "type=ipv4".
2399 </p>
2400
2401 <p>
2402 put_dhcp_opts(..., router = 10.0.0.1,...)
2403 </p>
2404
2405 <p>
2406 Example. "name=dns_server", "code=6", "type=ipv4".
2407 </p>
2408
2409 <p>
2410 put_dhcp_opts(..., dns_server = {8.8.8.8 7.7.7.7},...)
2411 </p>
2412 </dd>
2413
2414 <dt><code>value: static_routes</code></dt>
2415 <dd>
2416 <p>
2417 This indicates that the value of the DHCP option contains a pair of
2418 IPv4 route and next hop addresses.
2419 </p>
2420
2421 <p>
2422 Example. "name=classless_static_route", "code=121", "type=static_routes".
2423 </p>
2424
2425 <p>
2426 put_dhcp_opts(..., classless_static_route = {30.0.0.0/24,10.0.0.4,0.0.0.0/0,10.0.0.1}...)
2427 </p>
2428 </dd>
2429
2430 <dt><code>value: str</code></dt>
2431 <dd>
2432 <p>
2433 This indicates that the value of the DHCP option is a string.
2434 </p>
2435
2436 <p>
2437 Example. "name=host_name", "code=12", "type=str".
2438 </p>
2439 </dd>
2440 </dl>
2441 </column>
2442 </table>
01cfdb2f
NS		 2443
2444 <table name="DHCPv6_Options" title="DHCPv6 Options supported by native OVN DHCPv6">
2445 <p>
2446 Each row in this table stores the DHCPv6 Options supported by native OVN
2447 DHCPv6. <code>ovn-northd</code> populates this table with the supported
2448 DHCPv6 options. <code>ovn-controller</code> looks up this table to get
2449 the DHCPv6 codes of the DHCPv6 options defined in the
2450 <code>put_dhcpv6_opts</code> action. Please refer to RFC 3315 and RFC
2451 3646 for the list of DHCPv6 options that can be defined here.
2452 </p>
2453
2454 <column name="name">
2455 <p>
2456 Name of the DHCPv6 option.
2457 </p>
2458
2459 <p>
2460 Example. name="ia_addr"
2461 </p>
2462 </column>
2463
2464 <column name="code">
2465 <p>
2466 DHCPv6 option code for the DHCPv6 option as defined in the appropriate
2467 RFC.
2468 </p>
2469
2470 <p>
2471 Example. code=3
2472 </p>
2473 </column>
2474
2475 <column name="type">
2476 <p>
2477 Data type of the DHCPv6 option code.
2478 </p>
2479
2480 <dl>
2481 <dt><code>value: ipv6</code></dt>
2482 <dd>
2483 <p>
2484 This indicates that the value of the DHCPv6 option is an IPv6
2485 address(es).
2486 </p>
2487
2488 <p>
2489 Example. "name=ia_addr", "code=5", "type=ipv6".
2490 </p>
2491
2492 <p>
2493 put_dhcpv6_opts(..., ia_addr = ae70::4,...)
2494 </p>
2495 </dd>
2496
2497 <dt><code>value: str</code></dt>
2498 <dd>
2499 <p>
2500 This indicates that the value of the DHCPv6 option is a string.
2501 </p>
2502
2503 <p>
2504 Example. "name=domain_search", "code=24", "type=str".
2505 </p>
2506
2507 <p>
2508 put_dhcpv6_opts(..., domain_search = ovn.domain,...)
2509 </p>
2510 </dd>
2511
2512 <dt><code>value: mac</code></dt>
2513 <dd>
2514 <p>
2515 This indicates that the value of the DHCPv6 option is a MAC address.
2516 </p>
2517
2518 <p>
2519 Example. "name=server_id", "code=2", "type=mac".
2520 </p>
2521
2522 <p>
2523 put_dhcpv6_opts(..., server_id = 01:02:03:04L05:06,...)
2524 </p>
2525 </dd>
2526 </dl>
2527 </column>
2528 </table>
7fff4eb7
LR		 2529 <table name="Connection" title="OVSDB client connections.">
2530 <p>
2531 Configuration for a database connection to an Open vSwitch database
2532 (OVSDB) client.
2533 </p>
2534
2535 <p>
2536 This table primarily configures the Open vSwitch database server
2537 (<code>ovsdb-server</code>).
2538 </p>
2539
2540 <p>
2541 The Open vSwitch database server can initiate and maintain active
2542 connections to remote clients. It can also listen for database
2543 connections.
2544 </p>
2545
2546 <group title="Core Features">
2547 <column name="target">
2548 <p>Connection methods for clients.</p>
2549 <p>
2550 The following connection methods are currently supported:
2551 </p>
2552 <dl>
2553 <dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
2554 <dd>
2555 <p>
2556 The specified SSL <var>port</var> on the host at the given
2557 <var>ip</var>, which must be expressed as an IP address
10471820
LR		 2558 (not a DNS name). A valid SSL configuration must be provided
2559 when this form is used, this configuration can be specified
2560 via command-line options or the <ref table="SSL"/> table.
7fff4eb7
LR		 2561 </p>
2562 <p>
2563 If <var>port</var> is not specified, it defaults to 6640.
2564 </p>
2565 <p>
2566 SSL support is an optional feature that is not always
2567 built as part of Open vSwitch.
2568 </p>
2569 </dd>
2570
2571 <dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
2572 <dd>
2573 <p>
2574 The specified TCP <var>port</var> on the host at the given
2575 <var>ip</var>, which must be expressed as an IP address (not a
2576 DNS name), where <var>ip</var> can be IPv4 or IPv6 address. If
2577 <var>ip</var> is an IPv6 address, wrap it in square brackets,
2578 e.g. <code>tcp:[::1]:6640</code>.
2579 </p>
2580 <p>
2581 If <var>port</var> is not specified, it defaults to 6640.
2582 </p>
2583 </dd>
2584 <dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
2585 <dd>
2586 <p>
2587 Listens for SSL connections on the specified TCP <var>port</var>.
2588 Specify 0 for <var>port</var> to have the kernel automatically
2589 choose an available port. If <var>ip</var>, which must be
2590 expressed as an IP address (not a DNS name), is specified, then
2591 connections are restricted to the specified local IP address
2592 (either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
2593 address, wrap in square brackets,
2594 e.g. <code>pssl:6640:[::1]</code>. If <var>ip</var> is not
2595 specified then it listens only on IPv4 (but not IPv6) addresses.
10471820 2596 A valid SSL configuration must be provided when this form is used,
a8cb558a
DJ		 2597 this can be specified either via command-line options or the
2598 <ref table="SSL"/> table.
7fff4eb7
LR		 2599 </p>
2600 <p>
2601 If <var>port</var> is not specified, it defaults to 6640.
2602 </p>
2603 <p>
2604 SSL support is an optional feature that is not always built as
2605 part of Open vSwitch.
2606 </p>
2607 </dd>
2608 <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
2609 <dd>
2610 <p>
2611 Listens for connections on the specified TCP <var>port</var>.
2612 Specify 0 for <var>port</var> to have the kernel automatically
2613 choose an available port. If <var>ip</var>, which must be
2614 expressed as an IP address (not a DNS name), is specified, then
2615 connections are restricted to the specified local IP address
2616 (either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
2617 address, wrap it in square brackets,
2618 e.g. <code>ptcp:6640:[::1]</code>. If <var>ip</var> is not
2619 specified then it listens only on IPv4 addresses.
2620 </p>
2621 <p>
2622 If <var>port</var> is not specified, it defaults to 6640.
2623 </p>
2624 </dd>
2625 </dl>
2626 <p>When multiple clients are configured, the <ref column="target"/>
2627 values must be unique. Duplicate <ref column="target"/> values yield
2628 unspecified results.</p>
2629 </column>
2630
2631 <column name="read_only">
2632 <code>true</code> to restrict these connections to read-only
2633 transactions, <code>false</code> to allow them to modify the database.
2634 </column>
75ddb5f4
LR		 2635 <column name="role">
2636 String containing role name for this connection entry.
2637 </column>
7fff4eb7
LR		 2638 </group>
2639
2640 <group title="Client Failure Detection and Handling">
2641 <column name="max_backoff">
2642 Maximum number of milliseconds to wait between connection attempts.
2643 Default is implementation-specific.
2644 </column>
2645
2646 <column name="inactivity_probe">
2647 Maximum number of milliseconds of idle time on connection to the client
2648 before sending an inactivity probe message. If Open vSwitch does not
2649 communicate with the client for the specified number of seconds, it
2650 will send a probe. If a response is not received for the same
2651 additional amount of time, Open vSwitch assumes the connection has been
2652 broken and attempts to reconnect. Default is implementation-specific.
2653 A value of 0 disables inactivity probes.
2654 </column>
2655 </group>
2656
2657 <group title="Status">
2658 <p>
2659 Key-value pair of <ref column="is_connected"/> is always updated.
2660 Other key-value pairs in the status columns may be updated depends
2661 on the <ref column="target"/> type.
2662 </p>
2663
2664 <p>
2665 When <ref column="target"/> specifies a connection method that
2666 listens for inbound connections (e.g. <code>ptcp:</code> or
2667 <code>punix:</code>), both <ref column="n_connections"/> and
2668 <ref column="is_connected"/> may also be updated while the
2669 remaining key-value pairs are omitted.
2670 </p>
2671
2672 <p>
2673 On the other hand, when <ref column="target"/> specifies an
2674 outbound connection, all key-value pairs may be updated, except
2675 the above-mentioned two key-value pairs associated with inbound
2676 connection targets. They are omitted.
2677 </p>
2678
a8cb558a 2679 <column name="is_connected">
7fff4eb7
LR		 2680 <code>true</code> if currently connected to this client,
2681 <code>false</code> otherwise.
2682 </column>
2683
2684 <column name="status" key="last_error">
2685 A human-readable description of the last error on the connection
2686 to the manager; i.e. <code>strerror(errno)</code>. This key
2687 will exist only if an error has occurred.
2688 </column>
2689
2690 <column name="status" key="state"
2691 type='{"type": "string", "enum": ["set", ["VOID", "BACKOFF", "CONNECTING", "ACTIVE", "IDLE"]]}'>
2692 <p>
2693 The state of the connection to the manager:
2694 </p>
2695 <dl>
2696 <dt><code>VOID</code></dt>
2697 <dd>Connection is disabled.</dd>
2698
2699 <dt><code>BACKOFF</code></dt>
2700 <dd>Attempting to reconnect at an increasing period.</dd>
2701
2702 <dt><code>CONNECTING</code></dt>
2703 <dd>Attempting to connect.</dd>
2704
2705 <dt><code>ACTIVE</code></dt>
2706 <dd>Connected, remote host responsive.</dd>
2707
2708 <dt><code>IDLE</code></dt>
2709 <dd>Connection is idle. Waiting for response to keep-alive.</dd>
2710 </dl>
2711 <p>
2712 These values may change in the future. They are provided only for
2713 human consumption.
2714 </p>
2715 </column>
2716
2717 <column name="status" key="sec_since_connect"
2718 type='{"type": "integer", "minInteger": 0}'>
2719 The amount of time since this client last successfully connected
2720 to the database (in seconds). Value is empty if client has never
2721 successfully been connected.
2722 </column>
2723
2724 <column name="status" key="sec_since_disconnect"
2725 type='{"type": "integer", "minInteger": 0}'>
2726 The amount of time since this client last disconnected from the
2727 database (in seconds). Value is empty if client has never
2728 disconnected.
2729 </column>
2730
2731 <column name="status" key="locks_held">
2732 Space-separated list of the names of OVSDB locks that the connection
2733 holds. Omitted if the connection does not hold any locks.
2734 </column>
2735
2736 <column name="status" key="locks_waiting">
2737 Space-separated list of the names of OVSDB locks that the connection is
2738 currently waiting to acquire. Omitted if the connection is not waiting
2739 for any locks.
2740 </column>
2741
2742 <column name="status" key="locks_lost">
2743 Space-separated list of the names of OVSDB locks that the connection
2744 has had stolen by another OVSDB client. Omitted if no locks have been
2745 stolen from this connection.
2746 </column>
2747
2748 <column name="status" key="n_connections"
2749 type='{"type": "integer", "minInteger": 2}'>
2750 When <ref column="target"/> specifies a connection method that
2751 listens for inbound connections (e.g. <code>ptcp:</code> or
2752 <code>pssl:</code>) and more than one connection is actually active,
2753 the value is the number of active connections. Otherwise, this
2754 key-value pair is omitted.
2755 </column>
2756
2757 <column name="status" key="bound_port" type='{"type": "integer"}'>
2758 When <ref column="target"/> is <code>ptcp:</code> or
2759 <code>pssl:</code>, this is the TCP port on which the OVSDB server is
2760 listening. (This is particularly useful when <ref
2761 column="target"/> specifies a port of 0, allowing the kernel to
2762 choose any available port.)
2763 </column>
2764 </group>
2765
2766 <group title="Common Columns">
2767 The overall purpose of these columns is described under <code>Common
2768 Columns</code> at the beginning of this document.
2769
2770 <column name="external_ids"/>
2771 <column name="other_config"/>
2772 </group>
2773 </table>
10471820
LR		 2774 <table name="SSL">
2775 SSL configuration for ovn-sb database access.
2776
2777 <column name="private_key">
2778 Name of a PEM file containing the private key used as the switch's
2779 identity for SSL connections to the controller.
2780 </column>
2781
2782 <column name="certificate">
2783 Name of a PEM file containing a certificate, signed by the
2784 certificate authority (CA) used by the controller and manager,
2785 that certifies the switch's private key, identifying a trustworthy
2786 switch.
2787 </column>
2788
2789 <column name="ca_cert">
2790 Name of a PEM file containing the CA certificate used to verify
2791 that the switch is connected to a trustworthy controller.
2792 </column>
2793
2794 <column name="bootstrap_ca_cert">
2795 If set to <code>true</code>, then Open vSwitch will attempt to
2796 obtain the CA certificate from the controller on its first SSL
2797 connection and save it to the named PEM file. If it is successful,
2798 it will immediately drop the connection and reconnect, and from then
2799 on all SSL connections must be authenticated by a certificate signed
2800 by the CA certificate thus obtained. <em>This option exposes the
2801 SSL connection to a man-in-the-middle attack obtaining the initial
2802 CA certificate.</em> It may still be useful for bootstrapping.
2803 </column>
2804
51af591b
LR		 2805 <column name="ssl_protocols">
2806 List of SSL protocols to be enabled for SSL connections. The default
2807 when this option is omitted is <code>TLSv1,TLSv1.1,TLSv1.2</code>.
2808 </column>
2809
2810 <column name="ssl_ciphers">
2811 List of ciphers (in OpenSSL cipher string format) to be supported
2812 for SSL connections. The default when this option is omitted is
2813 <code>HIGH:!aNULL:!MD5</code>.
2814 </column>
2815
10471820
LR		 2816 <group title="Common Columns">
2817 The overall purpose of these columns is described under <code>Common
2818 Columns</code> at the beginning of this document.
2819
2820 <column name="external_ids"/>
2821 </group>
2822 </table>
ea991ad2
NS		 2823 <table name="DNS" title="Native DNS resolution">
2824 <p>
2825 Each row in this table stores the DNS records. The OVN action
2826 <code>dns_lookup</code> uses this table for DNS resolution.
2827 </p>
2828
2829 <column name="records">
2830 Key-value pair of DNS records with <code>DNS query name</code> as the key
2831 and a string of IP address(es) separated by comma or space as the
2832 value.
2833
2834 <p><b>Example: </b> "vm1.ovn.org" = "10.0.0.4 aef0::4"</p>
2835 </column>
2836
2837 <column name="datapaths">
2838 The DNS records defined in the column <ref column="records"/> will be
2839 applied only to the DNS queries originating from the datapaths defined
2840 in this column.
2841 </column>
2842
2843 <group title="Common Columns">
2844 <column name="external_ids">
2845 See <em>External IDs</em> at the beginning of this document.
2846 </column>
2847 </group>
2848 </table>
75ddb5f4
LR		 2849
2850 <table name="RBAC_Role">
2851 Role table for role-based access controls.
2852
2853 <column name="name">
2854 The role name, corresponding to the <code>role</code>
2855 column in the <code>Connection</code> table.
2856 </column>
2857
2858 <column name="permissions">
2859 A mapping of table names to rows in the
2860 <code>RBAC_Permission</code> table.
2861 </column>
2862 </table>
2863 <table name="RBAC_Permission">
2864 Permissions table for role-based access controls.
2865
2866 <column name="table">
2867 Name of table to which this row applies.
2868 </column>
2869
2870 <column name="authorization">
2871 Set of strings identifying columns and column:key pairs to be compared
2872 with client ID. At least one match is required in order to be
2873 authorized. A zero-length string is treated as a special value
2874 indicating all clients should be considered authorized.
2875 </column>
2876
2877 <column name="insert_delete">
2878 When "true", row insertions and authorized row
2879 deletions are permitted.
2880 </column>
2881 <column name="update">
2882 Set of strings identifying columns and column:key pairs that authorized
2883 clients are allowed to modify.
2884 </column>
2885 </table>
fe36184b 2886</database>
openvswitch mirror