]> git.proxmox.com Git - ovs.git/blame - ovn/ovn-sb.xml
projects / ovs.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ovn-util: Add a new util function extract_ip_addresses
[ovs.git] / ovn / ovn-sb.xml
CommitLineData
fe36184b 1<?xml version="1.0" encoding="utf-8"?>
ec78987f 2<database name="ovn-sb" title="OVN Southbound Database">
fe36184b
BP		 3 <p>
4 This database holds logical and physical configuration and state for the
5 Open Virtual Network (OVN) system to support virtual network abstraction.
6 For an introduction to OVN, please see <code>ovn-architecture</code>(7).
7 </p>
8
9 <p>
ec78987f
JP		 10 The OVN Southbound database sits at the center of the OVN
11 architecture. It is the one component that speaks both southbound
12 directly to all the hypervisors and gateways, via
88058f19
AW		 13 <code>ovn-controller</code>/<code>ovn-controller-vtep</code>, and
14 northbound to the Cloud Management System, via <code>ovn-northd</code>:
fe36184b
BP		 15 </p>
16
17 <h2>Database Structure</h2>
18
19 <p>
0bac7164 20 The OVN Southbound database contains classes of data with
ec78987f 21 different properties, as described in the sections below.
fe36184b
BP		 22 </p>
23
24 <h3>Physical Network (PN) data</h3>
25
26 <p>
27 PN tables contain information about the chassis nodes in the system. This
28 contains all the information necessary to wire the overlay, such as IP
29 addresses, supported tunnel types, and security keys.
30 </p>
31
32 <p>
33 The amount of PN data is small (O(n) in the number of chassis) and it
34 changes infrequently, so it can be replicated to every chassis.
35 </p>
36
37 <p>
62fdd819 38 The <ref table="Chassis"/> table comprises the PN tables.
fe36184b
BP		 39 </p>
40
41 <h3>Logical Network (LN) data</h3>
42
43 <p>
44 LN tables contain the topology of logical switches and routers, ACLs,
45 firewall rules, and everything needed to describe how packets traverse a
46 logical network, represented as logical datapath flows (see Logical
47 Datapath Flows, below).
48 </p>
49
50 <p>
51 LN data may be large (O(n) in the number of logical ports, ACL rules,
52 etc.). Thus, to improve scaling, each chassis should receive only data
53 related to logical networks in which that chassis participates. Past
54 experience shows that in the presence of large logical networks, even
55 finer-grained partitioning of data, e.g. designing logical flows so that
56 only the chassis hosting a logical port needs related flows, pays off
57 scale-wise. (This is not necessary initially but it is worth bearing in
58 mind in the design.)
59 </p>
60
61 <p>
62 The LN is a slave of the cloud management system running northbound of OVN.
63 That CMS determines the entire OVN logical configuration and therefore the
64 LN's content at any given time is a deterministic function of the CMS's
09986f8c
JP		 65 configuration, although that happens indirectly via the
66 <ref db="OVN_Northbound"/> database and <code>ovn-northd</code>.
fe36184b
BP		 67 </p>
68
69 <p>
70 LN data is likely to change more quickly than PN data. This is especially
71 true in a container environment where VMs are created and destroyed (and
72 therefore added to and deleted from logical switches) quickly.
73 </p>
74
75 <p>
5868eb24
BP		 76 <ref table="Logical_Flow"/> and <ref table="Multicast_Group"/> contain LN
77 data.
fe36184b
BP		 78 </p>
79
0bac7164 80 <h3>Logical-physical bindings</h3>
fe36184b
BP		 81
82 <p>
0bac7164 83 These tables link logical and physical components. They show the current
5868eb24
BP		 84 placement of logical components (such as VMs and VIFs) onto chassis, and
85 map logical entities to the values that represent them in tunnel
86 encapsulations.
fe36184b
BP		 87 </p>
88
89 <p>
0bac7164 90 These tables change frequently, at least every time a VM powers up or down
fe36184b
BP		 91 or migrates, and especially quickly in a container environment. The
92 amount of data per VM (or VIF) is small.
93 </p>
94
95 <p>
96 Each chassis is authoritative about the VMs and VIFs that it hosts at any
97 given time and can efficiently flood that state to a central location, so
98 the consistency needs are minimal.
99 </p>
100
101 <p>
5868eb24
BP		 102 The <ref table="Port_Binding"/> and <ref table="Datapath_Binding"/> tables
103 contain binding data.
fe36184b
BP		 104 </p>
105
0bac7164
BP		 106 <h3>MAC bindings</h3>
107
108 <p>
109 The <ref table="MAC_Binding"/> table tracks the bindings from IP addresses
110 to Ethernet addresses that are dynamically discovered using ARP (for IPv4)
111 and neighbor discovery (for IPv6). Usually, IP-to-MAC bindings for virtual
112 machines are statically populated into the <ref table="Port_Binding"/>
113 table, so <ref table="MAC_Binding"/> is primarily used to discover bindings
114 on physical networks.
115 </p>
116
5868eb24
BP		 117 <h2>Common Columns</h2>
118
119 <p>
120 Some tables contain a special column named <code>external_ids</code>. This
121 column has the same form and purpose each place that it appears, so we
122 describe it here to save space later.
123 </p>
124
125 <dl>
126 <dt><code>external_ids</code>: map of string-string pairs</dt>
127 <dd>
128 Key-value pairs for use by the software that manages the OVN Southbound
88058f19
AW		 129 database rather than by
130 <code>ovn-controller</code>/<code>ovn-controller-vtep</code>. In
131 particular, <code>ovn-northd</code> can use key-value pairs in this
132 column to relate entities in the southbound database to higher-level
133 entities (such as entities in the OVN Northbound database). Individual
134 key-value pairs in this column may be documented in some cases to aid
135 in understanding and troubleshooting, but the reader should not mistake
136 such documentation as comprehensive.
5868eb24
BP		 137 </dd>
138 </dl>
139
fa183acc
BP		 140 <table name="SB_Global" title="Southbound configuration">
141 <p>
142 Southbound configuration for an OVN system. This table must have exactly
143 one row.
144 </p>
145
146 <group title="Status">
147 This column allow a client to track the overall configuration state of
148 the system.
149
150 <column name="nb_cfg">
151 Sequence number for the configuration. When a CMS or
152 <code>ovn-nbctl</code> updates the northbound database, it increments
153 the <code>nb_cfg</code> column in the <code>NB_Global</code> table in
154 the northbound database. In turn, when <code>ovn-northd</code> updates
155 the southbound database to bring it up to date with these changes, it
156 updates this column to the same value.
157 </column>
158 </group>
159
160 <group title="Common Columns">
161 <column name="external_ids">
162 See <em>External IDs</em> at the beginning of this document.
163 </column>
164 </group>
7fff4eb7
LR		 165 <group title="Connection Options">
166 <column name="connections">
167 Database clients to which the Open vSwitch database server should
168 connect or on which it should listen, along with options for how these
169 connections should be configured. See the <ref table="Connection"/>
170 table for more information.
171 </column>
10471820
LR		 172 <column name="ssl">
173 Global SSL configuration.
174 </column>
7fff4eb7 175 </group>
fa183acc
BP		 176 </table>
177
fe36184b
BP		 178 <table name="Chassis" title="Physical Network Hypervisor and Gateway Information">
179 <p>
180 Each row in this table represents a hypervisor or gateway (a chassis) in
181 the physical network (PN). Each chassis, via
88058f19
AW		 182 <code>ovn-controller</code>/<code>ovn-controller-vtep</code>, adds
183 and updates its own row, and keeps a copy of the remaining rows to
184 determine how to reach other hypervisors.
fe36184b
BP		 185 </p>
186
187 <p>
188 When a chassis shuts down gracefully, it should remove its own row.
189 (This is not critical because resources hosted on the chassis are equally
190 unreachable regardless of whether the row is present.) If a chassis
191 shuts down permanently without removing its row, some kind of manual or
192 automatic cleanup is eventually needed; we can devise a process for that
193 as necessary.
194 </p>
195
196 <column name="name">
fc26cf25
RB		 197 OVN does not prescribe a particular format for chassis names.
198 ovn-controller populates this column using <ref key="system-id"
199 table="Open_vSwitch" column="external_ids" db="Open_vSwitch"/>
200 in the Open_vSwitch database's <ref table="Open_vSwitch"
201 db="Open_vSwitch"/> table. ovn-controller-vtep populates this
202 column with <ref table="Physical_Switch" column="name"
203 db="hardware_vtep"/> in the hardware_vtep database's
204 <ref table="Physical_Switch" db="hardware_vtep"/> table.
fe36184b
BP		 205 </column>
206
2229f3ec
RB		 207 <column name="hostname">
208 The hostname of the chassis, if applicable. ovn-controller will populate
209 this column with the hostname of the host it is running on.
210 ovn-controller-vtep will leave this column empty.
211 </column>
212
fa183acc
BP		 213 <column name="nb_cfg">
214 Sequence number for the configuration. When <code>ovn-controller</code>
215 updates the configuration of a chassis from the contents of the
216 southbound database, it copies <ref table="SB_Global" column="nb_cfg"/>
217 from the <ref table="SB_Global"/> table into this column.
218 </column>
219
4250ee37
RB		 220 <column name="external_ids" key="ovn-bridge-mappings">
221 <code>ovn-controller</code> populates this key with the set of bridge
222 mappings it has been configured to use. Other applications should treat
223 this key as read-only. See <code>ovn-controller</code>(8) for more
224 information.
225 </column>
226
5236c73a
NS		 227 <column name="external_ids" key="datapath-type">
228 <code>ovn-controller</code> populates this key with the datapath type
229 configured in the <ref table="Bridge" column="datapath_type"/> column of
230 the Open_vSwitch database's <ref table="Bridge" db="Open_vSwitch"/>
231 table. Other applications should treat this key as read-only. See
232 <code>ovn-controller</code>(8) for more information.
233 </column>
234
235 <column name="external_ids" key="iface-types">
236 <code>ovn-controller</code> populates this key with the interface types
237 configured in the <ref table="Open_vSwitch" column="iface_types"/> column
238 of the Open_vSwitch database's <ref table="Open_vSwitch"
239 db="Open_vSwitch"/> table. Other applications should treat this key as
240 read-only. See <code>ovn-controller</code>(8) for more information.
241 </column>
242
1cef5fff
RB		 243 <group title="Common Columns">
244 The overall purpose of these columns is described under <code>Common
245 Columns</code> at the beginning of this document.
246
247 <column name="external_ids"/>
248 </group>
249
09db214c 250 <group title="Encapsulation Configuration">
fe36184b 251 <p>
09db214c
JP		 252 OVN uses encapsulation to transmit logical dataplane packets
253 between chassis.
fe36184b
BP		 254 </p>
255
09db214c
JP		 256 <column name="encaps">
257 Points to supported encapsulation configurations to transmit
258 logical dataplane packets to this chassis. Each entry is a <ref
259 table="Encap"/> record that describes the configuration.
fe36184b
BP		 260 </column>
261 </group>
262
62fdd819
AW		 263 <group title="Gateway Configuration">
264 <p>
265 A <dfn>gateway</dfn> is a chassis that forwards traffic between the
266 OVN-managed part of a logical network and a physical VLAN, extending a
267 tunnel-based logical network into a physical network. Gateways are
88058f19
AW		 268 typically dedicated nodes that do not host VMs and will be controlled
269 by <code>ovn-controller-vtep</code>.
fe36184b
BP		 270 </p>
271
62fdd819 272 <column name="vtep_logical_switches">
88058f19
AW		 273 Stores all VTEP logical switch names connected by this gateway
274 chassis. The <ref table="Port_Binding"/> table entry with
275 <ref column="options" table="Port_Binding"/>:<code>vtep-physical-switch</code>
276 equal <ref table="Chassis"/> <ref column="name" table="Chassis"/>, and
277 <ref column="options" table="Port_Binding"/>:<code>vtep-logical-switch</code>
278 value in <ref table="Chassis"/>
279 <ref column="vtep_logical_switches" table="Chassis"/>, will be
280 associated with this <ref table="Chassis"/>.
fe36184b 281 </column>
62fdd819 282 </group>
fe36184b
BP		 283 </table>
284
09db214c
JP		 285 <table name="Encap" title="Encapsulation Types">
286 <p>
287 The <ref column="encaps" table="Chassis"/> column in the <ref
288 table="Chassis"/> table refers to rows in this table to identify
289 how OVN may transmit logical dataplane packets to this chassis.
88058f19
AW		 290 Each chassis, via <code>ovn-controller</code>(8) or
291 <code>ovn-controller-vtep</code>(8), adds and updates its own rows
292 and keeps a copy of the remaining rows to determine how to reach
293 other chassis.
09db214c
JP		 294 </p>
295
296 <column name="type">
297 The encapsulation to use to transmit packets to this chassis.
b705f9ea
JP		 298 Hypervisors must use either <code>geneve</code> or
299 <code>stt</code>. Gateways may use <code>vxlan</code>,
300 <code>geneve</code>, or <code>stt</code>.
09db214c
JP		 301 </column>
302
303 <column name="options">
36283d78
JG		 304 <p>
305 Options for configuring the encapsulation. Currently, the only
306 option that has been defined is <code>csum</code>.
307 </p>
308
309 <p>
310 <code>csum</code> indicates that encapsulation checksums can be
311 transmitted and received with reasonable performance. It is a hint
312 to senders transmitting data to this chassis that they should use
924f0e9f
NS		 313 checksums to protect OVN metadata. <code>ovn-controller</code>
314 populates this key with the value defined in
315 <ref table="Open_vSwitch" column="external_ids:ovn-encap-csum"/> column
316 of the Open_vSwitch database's <ref table="Open_vSwitch"
317 db="Open_vSwitch"/> table. Other applications should treat this key as
318 read-only. See <code>ovn-controller</code>(8) for more information.
36283d78
JG		 319 </p>
320
321 <p>
322 In terms of performance, this actually significantly increases
323 throughput in most common cases when running on Linux based hosts
324 without NICs supporting encapsulation hardware offload (around 60% for
325 bulk traffic). The reason is that generally all NICs are capable of
326 offloading transmitted and received TCP/UDP checksums (viewed as
327 ordinary data packets and not as tunnels). The benefit comes on the
328 receive side where the validated outer checksum can be used to
329 additionally validate an inner checksum (such as TCP), which in turn
330 allows aggregation of packets to be more efficiently handled by the
331 rest of the stack.
332 </p>
333
334 <p>
335 Not all devices see such a benefit. The most notable exception is
336 hardware VTEPs. These devices are designed to not buffer entire
337 packets in their switching engines and are therefore unable to
338 efficiently compute or validate full packet checksums. In addition
339 certain versions of the Linux kernel are not able to fully take
340 advantage of encapsulation NIC offloads in the presence of checksums.
341 (This is actually a pretty narrow corner case though - earlier
342 versions of Linux don't support encapsulation offloads at all and
343 later versions support both offloads and checksums well.)
344 </p>
345
346 <p>
347 <code>csum</code> defaults to <code>false</code> for hardware VTEPs and
348 <code>true</code> for all other cases.
349 </p>
09db214c
JP		 350 </column>
351
352 <column name="ip">
353 The IPv4 address of the encapsulation tunnel endpoint.
354 </column>
355 </table>
356
ea382567
RB		 357 <table name="Address_Set" title="Address Sets">
358 <p>
359 See the documentation for the <ref table="Address_Set"
360 db="OVN_Northbound"/> table in the <ref db="OVN_Northbound"/> database
361 for details.
362 </p>
363
364 <column name="name"/>
365 <column name="addresses"/>
366 </table>
367
5868eb24 368 <table name="Logical_Flow" title="Logical Network Flows">
fe36184b 369 <p>
09986f8c
JP		 370 Each row in this table represents one logical flow.
371 <code>ovn-northd</code> populates this table with logical flows
372 that implement the L2 and L3 topologies specified in the
373 <ref db="OVN_Northbound"/> database. Each hypervisor, via
374 <code>ovn-controller</code>, translates the logical flows into
375 OpenFlow flows specific to its hypervisor and installs them into
376 Open vSwitch.
fe36184b
BP		 377 </p>
378
379 <p>
380 Logical flows are expressed in an OVN-specific format, described here. A
381 logical datapath flow is much like an OpenFlow flow, except that the
382 flows are written in terms of logical ports and logical datapaths instead
383 of physical ports and physical datapaths. Translation between logical
384 and physical flows helps to ensure isolation between logical datapaths.
09986f8c
JP		 385 (The logical flow abstraction also allows the OVN centralized
386 components to do less work, since they do not have to separately
387 compute and push out physical flows to each chassis.)
fe36184b
BP		 388 </p>
389
390 <p>
391 The default action when no flow matches is to drop packets.
392 </p>
393
69a832cf 394 <p><em>Architectural Logical Life Cycle of a Packet</em></p>
5868eb24
BP		 395
396 <p>
397 This following description focuses on the life cycle of a packet through
398 a logical datapath, ignoring physical details of the implementation.
69a832cf 399 Please refer to <em>Architectural Physical Life Cycle of a Packet</em> in
5868eb24
BP		 400 <code>ovn-architecture</code>(7) for the physical information.
401 </p>
402
403 <p>
404 The description here is written as if OVN itself executes these steps,
405 but in fact OVN (that is, <code>ovn-controller</code>) programs Open
406 vSwitch, via OpenFlow and OVSDB, to execute them on its behalf.
407 </p>
408
409 <p>
410 At a high level, OVN passes each packet through the logical datapath's
411 logical ingress pipeline, which may output the packet to one or more
412 logical port or logical multicast groups. For each such logical output
413 port, OVN passes the packet through the datapath's logical egress
414 pipeline, which may either drop the packet or deliver it to the
415 destination. Between the two pipelines, outputs to logical multicast
416 groups are expanded into logical ports, so that the egress pipeline only
417 processes a single logical output port at a time. Between the two
418 pipelines is also where, when necessary, OVN encapsulates a packet in a
419 tunnel (or tunnels) to transmit to remote hypervisors.
420 </p>
421
422 <p>
423 In more detail, to start, OVN searches the <ref table="Logical_Flow"/>
424 table for a row with correct <ref column="logical_datapath"/>, a <ref
425 column="pipeline"/> of <code>ingress</code>, a <ref column="table_id"/>
426 of 0, and a <ref column="match"/> that is true for the packet. If none
427 is found, OVN drops the packet. If OVN finds more than one, it chooses
428 the match with the highest <ref column="priority"/>. Then OVN executes
429 each of the actions specified in the row's <ref table="actions"/> column,
430 in the order specified. Some actions, such as those to modify packet
431 headers, require no further details. The <code>next</code> and
432 <code>output</code> actions are special.
433 </p>
434
435 <p>
436 The <code>next</code> action causes the above process to be repeated
437 recursively, except that OVN searches for <ref column="table_id"/> of 1
438 instead of 0. Similarly, any <code>next</code> action in a row found in
439 that table would cause a further search for a <ref column="table_id"/> of
440 2, and so on. When recursive processing completes, flow control returns
441 to the action following <code>next</code>.
442 </p>
443
444 <p>
445 The <code>output</code> action also introduces recursion. Its effect
446 depends on the current value of the <code>outport</code> field. Suppose
447 <code>outport</code> designates a logical port. First, OVN compares
448 <code>inport</code> to <code>outport</code>; if they are equal, it treats
bf143492
JP		 449 the <code>output</code> as a no-op by default. In the common
450 case, where they are different, the packet enters the egress
451 pipeline. This transition to the egress pipeline discards
452 register data, e.g. <code>reg0</code> ... <code>reg9</code> and
453 connection tracking state, to achieve uniform behavior regardless
454 of whether the egress pipeline is on a different hypervisor
455 (because registers aren't preserve across tunnel encapsulation).
5868eb24
BP		 456 </p>
457
458 <p>
459 To execute the egress pipeline, OVN again searches the <ref
460 table="Logical_Flow"/> table for a row with correct <ref
461 column="logical_datapath"/>, a <ref column="table_id"/> of 0, a <ref
462 column="match"/> that is true for the packet, but now looking for a <ref
463 column="pipeline"/> of <code>egress</code>. If no matching row is found,
464 the output becomes a no-op. Otherwise, OVN executes the actions for the
465 matching flow (which is chosen from multiple, if necessary, as already
466 described).
467 </p>
468
469 <p>
470 In the <code>egress</code> pipeline, the <code>next</code> action acts as
471 already described, except that it, of course, searches for
472 <code>egress</code> flows. The <code>output</code> action, however, now
473 directly outputs the packet to the output port (which is now fixed,
474 because <code>outport</code> is read-only within the egress pipeline).
475 </p>
476
477 <p>
478 The description earlier assumed that <code>outport</code> referred to a
479 logical port. If it instead designates a logical multicast group, then
480 the description above still applies, with the addition of fan-out from
481 the logical multicast group to each logical port in the group. For each
482 member of the group, OVN executes the logical pipeline as described, with
483 the logical output port replaced by the group member.
484 </p>
485
8d6e5516
JP		 486 <p><em>Pipeline Stages</em></p>
487
488 <p>
398be42b
BP		 489 <code>ovn-northd</code> populates the <ref table="Logical_Flow"/> table
490 with the logical flows described in detail in <code>ovn-northd</code>(8).
8d6e5516
JP		 491 </p>
492
747b2a45 493 <column name="logical_datapath">
5868eb24
BP		 494 The logical datapath to which the logical flow belongs.
495 </column>
496
497 <column name="pipeline">
498 <p>
499 The primary flows used for deciding on a packet's destination are the
500 <code>ingress</code> flows. The <code>egress</code> flows implement
501 ACLs. See <em>Logical Life Cycle of a Packet</em>, above, for details.
502 </p>
747b2a45
BP		 503 </column>
504
fe36184b
BP		 505 <column name="table_id">
506 The stage in the logical pipeline, analogous to an OpenFlow table number.
507 </column>
508
509 <column name="priority">
510 The flow's priority. Flows with numerically higher priority take
511 precedence over those with lower. If two logical datapath flows with the
512 same priority both match, then the one actually applied to the packet is
513 undefined.
514 </column>
515
516 <column name="match">
517 <p>
518 A matching expression. OVN provides a superset of OpenFlow matching
519 capabilities, using a syntax similar to Boolean expressions in a
520 programming language.
521 </p>
522
523 <p>
fa6aeaeb
RB		 524 The most important components of match expression are
525 <dfn>comparisons</dfn> between <dfn>symbols</dfn> and
526 <dfn>constants</dfn>, e.g. <code>ip4.dst == 192.168.0.1</code>,
527 <code>ip.proto == 6</code>, <code>arp.op == 1</code>, <code>eth.type ==
528 0x800</code>. The logical AND operator <code>&amp;&amp;</code> and
529 logical OR operator <code>||</code> can combine comparisons into a
530 larger expression.
fe36184b
BP		 531 </p>
532
fe36184b 533 <p>
e0840f11
BP		 534 Matching expressions also support parentheses for grouping, the logical
535 NOT prefix operator <code>!</code>, and literals <code>0</code> and
536 <code>1</code> to express ``false'' or ``true,'' respectively. The
537 latter is useful by itself as a catch-all expression that matches every
538 packet.
fe36184b
BP		 539 </p>
540
ba8d3816
MS		 541 <p>
542 Match expressions also support a kind of function syntax. The
543 following functions are supported:
544 </p>
545
546 <dl>
547 <dt><code>is_chassis_resident(<var>lport</var>)</code></dt>
548 <dd>
549 Evaluates to true on a chassis on which logical port <var>lport</var>
550 (a quoted string) resides, and to false elsewhere. This function was
551 introduced in OVN 2.7.
552 </dd>
553 </dl>
554
e0840f11 555 <p><em>Symbols</em></p>
fe36184b
BP		 556
557 <p>
fa6aeaeb
RB		 558 <em>Type</em>. Symbols have <dfn>integer</dfn> or <dfn>string</dfn>
559 type. Integer symbols have a <dfn>width</dfn> in bits.
fe36184b
BP		 560 </p>
561
562 <p>
fa6aeaeb 563 <em>Kinds</em>. There are three kinds of symbols:
fe36184b
BP		 564 </p>
565
e0840f11 566 <ul>
fa6aeaeb
RB		 567 <li>
568 <p>
569 <dfn>Fields</dfn>. A field symbol represents a packet header or
570 metadata field. For example, a field
571 named <code>vlan.tci</code> might represent the VLAN TCI field in a
572 packet.
573 </p>
574
575 <p>
576 A field symbol can have integer or string type. Integer fields can
577 be nominal or ordinal (see <em>Level of Measurement</em>,
578 below).
579 </p>
580 </li>
581
582 <li>
583 <p>
584 <dfn>Subfields</dfn>. A subfield represents a subset of bits from
585 a larger field. For example, a field <code>vlan.vid</code> might
586 be defined as an alias for <code>vlan.tci[0..11]</code>. Subfields
587 are provided for syntactic convenience, because it is always
588 possible to instead refer to a subset of bits from a field
589 directly.
590 </p>
591
592 <p>
593 Only ordinal fields (see <em>Level of Measurement</em>,
594 below) may have subfields. Subfields are always ordinal.
595 </p>
596 </li>
597
598 <li>
599 <p>
600 <dfn>Predicates</dfn>. A predicate is shorthand for a Boolean
601 expression. Predicates may be used much like 1-bit fields. For
602 example, <code>ip4</code> might expand to <code>eth.type ==
603 0x800</code>. Predicates are provided for syntactic convenience,
604 because it is always possible to instead specify the underlying
605 expression directly.
606 </p>
607
608 <p>
609 A predicate whose expansion refers to any nominal field or
610 predicate (see <em>Level of Measurement</em>, below) is nominal;
611 other predicates have Boolean level of measurement.
612 </p>
613 </li>
e0840f11
BP		 614 </ul>
615
fe36184b 616 <p>
fa6aeaeb
RB		 617 <em>Level of Measurement</em>. See
618 http://en.wikipedia.org/wiki/Level_of_measurement for the statistical
619 concept on which this classification is based. There are three
620 levels:
fe36184b
BP		 621 </p>
622
623 <ul>
fa6aeaeb
RB		 624 <li>
625 <p>
626 <dfn>Ordinal</dfn>. In statistics, ordinal values can be ordered
627 on a scale. OVN considers a field (or subfield) to be ordinal if
628 its bits can be examined individually. This is true for the
629 OpenFlow fields that OpenFlow or Open vSwitch makes ``maskable.''
630 </p>
631
632 <p>
633 Any use of a nominal field may specify a single bit or a range of
634 bits, e.g. <code>vlan.tci[13..15]</code> refers to the PCP field
635 within the VLAN TCI, and <code>eth.dst[40]</code> refers to the
636 multicast bit in the Ethernet destination address.
637 </p>
638
639 <p>
640 OVN supports all the usual arithmetic relations (<code>==</code>,
641 <code>!=</code>, <code>&lt;</code>, <code>&lt;=</code>,
642 <code>&gt;</code>, and <code>&gt;=</code>) on ordinal fields and
643 their subfields, because OVN can implement these in OpenFlow and
644 Open vSwitch as collections of bitwise tests.
645 </p>
646 </li>
647
648 <li>
649 <p>
650 <dfn>Nominal</dfn>. In statistics, nominal values cannot be
651 usefully compared except for equality. This is true of OpenFlow
652 port numbers, Ethernet types, and IP protocols are examples: all of
653 these are just identifiers assigned arbitrarily with no deeper
654 meaning. In OpenFlow and Open vSwitch, bits in these fields
655 generally aren't individually addressable.
656 </p>
657
658 <p>
659 OVN only supports arithmetic tests for equality on nominal fields,
660 because OpenFlow and Open vSwitch provide no way for a flow to
661 efficiently implement other comparisons on them. (A test for
662 inequality can be sort of built out of two flows with different
663 priorities, but OVN matching expressions always generate flows with
664 a single priority.)
665 </p>
666
667 <p>
668 String fields are always nominal.
669 </p>
670 </li>
671
672 <li>
673 <p>
674 <dfn>Boolean</dfn>. A nominal field that has only two values, 0
675 and 1, is somewhat exceptional, since it is easy to support both
676 equality and inequality tests on such a field: either one can be
677 implemented as a test for 0 or 1.
678 </p>
679
680 <p>
681 Only predicates (see above) have a Boolean level of measurement.
682 </p>
683
684 <p>
685 This isn't a standard level of measurement.
686 </p>
687 </li>
fe36184b
BP		 688 </ul>
689
690 <p>
fa6aeaeb
RB		 691 <em>Prerequisites</em>. Any symbol can have prerequisites, which are
692 additional condition implied by the use of the symbol. For example,
693 For example, <code>icmp4.type</code> symbol might have prerequisite
694 <code>icmp4</code>, which would cause an expression <code>icmp4.type ==
695 0</code> to be interpreted as <code>icmp4.type == 0 &amp;&amp;
696 icmp4</code>, which would in turn expand to <code>icmp4.type == 0
697 &amp;&amp; eth.type == 0x800 &amp;&amp; ip4.proto == 1</code> (assuming
698 <code>icmp4</code> is a predicate defined as suggested under
699 <em>Types</em> above).
fe36184b
BP		 700 </p>
701
e0840f11
BP		 702 <p><em>Relational operators</em></p>
703
fe36184b 704 <p>
fa6aeaeb
RB		 705 All of the standard relational operators <code>==</code>,
706 <code>!=</code>, <code>&lt;</code>, <code>&lt;=</code>,
707 <code>&gt;</code>, and <code>&gt;=</code> are supported. Nominal
708 fields support only <code>==</code> and <code>!=</code>, and only in a
709 positive sense when outer <code>!</code> are taken into account,
710 e.g. given string field <code>inport</code>, <code>inport ==
711 "eth0"</code> and <code>!(inport != "eth0")</code> are acceptable, but
712 not <code>inport != "eth0"</code>.
fe36184b
BP		 713 </p>
714
715 <p>
fa6aeaeb
RB		 716 The implementation of <code>==</code> (or <code>!=</code> when it is
717 negated), is more efficient than that of the other relational
718 operators.
fe36184b
BP		 719 </p>
720
e0840f11
BP		 721 <p><em>Constants</em></p>
722
fe36184b 723 <p>
e0840f11
BP		 724 Integer constants may be expressed in decimal, hexadecimal prefixed by
725 <code>0x</code>, or as dotted-quad IPv4 addresses, IPv6 addresses in
726 their standard forms, or Ethernet addresses as colon-separated hex
727 digits. A constant in any of these forms may be followed by a slash
728 and a second constant (the mask) in the same form, to form a masked
729 constant. IPv4 and IPv6 masks may be given as integers, to express
730 CIDR prefixes.
731 </p>
732
733 <p>
734 String constants have the same syntax as quoted strings in JSON (thus,
5868eb24 735 they are Unicode strings).
fe36184b
BP		 736 </p>
737
738 <p>
e0840f11
BP		 739 Some operators support sets of constants written inside curly braces
740 <code>{</code> ... <code>}</code>. Commas between elements of a set,
741 and after the last elements, are optional. With <code>==</code>,
742 ``<code><var>field</var> == { <var>constant1</var>,
743 <var>constant2</var>,</code> ... <code>}</code>'' is syntactic sugar
744 for ``<code><var>field</var> == <var>constant1</var> ||
745 <var>field</var> == <var>constant2</var> || </code>...<code></code>.
746 Similarly, ``<code><var>field</var> != { <var>constant1</var>,
747 <var>constant2</var>, </code>...<code> }</code>'' is equivalent to
748 ``<code><var>field</var> != <var>constant1</var> &amp;&amp;
fe36184b 749 <var>field</var> != <var>constant2</var> &amp;&amp;
e0840f11 750 </code>...<code></code>''.
fe36184b
BP		 751 </p>
752
ea382567
RB		 753 <p>
754 You may refer to a set of IPv4, IPv6, or MAC addresses stored in the
755 <ref table="Address_Set"/> table by its <ref column="name"
756 table="Address_Set"/>. An <ref table="Address_Set"/> with a name
757 of <code>set1</code> can be referred to as
758 <code>$set1</code>.
759 </p>
760
e0840f11
BP		 761 <p><em>Miscellaneous</em></p>
762
fe36184b 763 <p>
fa6aeaeb
RB		 764 Comparisons may name the symbol or the constant first,
765 e.g. <code>tcp.src == 80</code> and <code>80 == tcp.src</code> are both
766 acceptable.
fe36184b
BP		 767 </p>
768
769 <p>
fa6aeaeb
RB		 770 Tests for a range may be expressed using a syntax like <code>1024 &lt;=
771 tcp.src &lt;= 49151</code>, which is equivalent to <code>1024 &lt;=
772 tcp.src &amp;&amp; tcp.src &lt;= 49151</code>.
fe36184b
BP		 773 </p>
774
775 <p>
fa6aeaeb
RB		 776 For a one-bit field or predicate, a mention of its name is equivalent
777 to <code><var>symobl</var> == 1</code>, e.g. <code>vlan.present</code>
778 is equivalent to <code>vlan.present == 1</code>. The same is true for
779 one-bit subfields, e.g. <code>vlan.tci[12]</code>. There is no
780 technical limitation to implementing the same for ordinal fields of all
781 widths, but the implementation is expensive enough that the syntax
782 parser requires writing an explicit comparison against zero to make
783 mistakes less likely, e.g. in <code>tcp.src != 0</code> the comparison
784 against 0 is required.
fe36184b
BP		 785 </p>
786
787 <p>
fa6aeaeb
RB		 788 <em>Operator precedence</em> is as shown below, from highest to lowest.
789 There are two exceptions where parentheses are required even though the
790 table would suggest that they are not: <code>&amp;&amp;</code> and
791 <code>||</code> require parentheses when used together, and
792 <code>!</code> requires parentheses when applied to a relational
793 expression. Thus, in <code>(eth.type == 0x800 || eth.type == 0x86dd)
794 &amp;&amp; ip.proto == 6</code> or <code>!(arp.op == 1)</code>, the
795 parentheses are mandatory.
fe36184b
BP		 796 </p>
797
e0840f11
BP		 798 <ul>
799 <li><code>()</code></li>
800 <li><code>== != &lt; &lt;= &gt; &gt;=</code></li>
801 <li><code>!</code></li>
802 <li><code>&amp;&amp; ||</code></li>
803 </ul>
804
10b1662b
BP		 805 <p>
806 <em>Comments</em> may be introduced by <code>//</code>, which extends
807 to the next new-line. Comments within a line may be bracketed by
808 <code>/*</code> and <code>*/</code>. Multiline comments are not
809 supported.
810 </p>
811
e0840f11
BP		 812 <p><em>Symbols</em></p>
813
5868eb24
BP		 814 <p>
815 Most of the symbols below have integer type. Only <code>inport</code>
816 and <code>outport</code> have string type. <code>inport</code> names a
817 logical port. Thus, its value is a <ref column="logical_port"/> name
62fdd819
AW		 818 from the <ref table="Port_Binding"/> table. <code>outport</code> may
819 name a logical port, as <code>inport</code>, or a logical multicast
820 group defined in the <ref table="Multicast_Group"/> table. For both
821 symbols, only names within the flow's logical datapath may be used.
5868eb24
BP		 822 </p>
823
394e883d
JP		 824 <p>
825 The <code>reg</code><var>X</var> symbols are 32-bit integers.
826 The <code>xxreg</code><var>X</var> symbols are 128-bit integers,
827 which overlay four of the 32-bit registers: <code>xxreg0</code>
828 overlays <code>reg0</code> through <code>reg3</code>, with
829 <code>reg0</code> supplying the most-significant bits of
830 <code>xxreg0</code> and <code>reg3</code> the least-signficant.
831 <code>xxreg1</code> similarly overlays <code>reg4</code> through
832 <code>reg7</code>.
833 </p>
834
e0840f11 835 <ul>
cc5e28d8 836 <li><code>reg0</code>...<code>reg9</code></li>
394e883d 837 <li><code>xxreg0</code> <code>xxreg1</code></li>
5868eb24 838 <li><code>inport</code> <code>outport</code></li>
bf143492 839 <li><code>flags.loopback</code></li>
e0840f11
BP		 840 <li><code>eth.src</code> <code>eth.dst</code> <code>eth.type</code></li>
841 <li><code>vlan.tci</code> <code>vlan.vid</code> <code>vlan.pcp</code> <code>vlan.present</code></li>
842 <li><code>ip.proto</code> <code>ip.dscp</code> <code>ip.ecn</code> <code>ip.ttl</code> <code>ip.frag</code></li>
843 <li><code>ip4.src</code> <code>ip4.dst</code></li>
844 <li><code>ip6.src</code> <code>ip6.dst</code> <code>ip6.label</code></li>
845 <li><code>arp.op</code> <code>arp.spa</code> <code>arp.tpa</code> <code>arp.sha</code> <code>arp.tha</code></li>
846 <li><code>tcp.src</code> <code>tcp.dst</code> <code>tcp.flags</code></li>
847 <li><code>udp.src</code> <code>udp.dst</code></li>
848 <li><code>sctp.src</code> <code>sctp.dst</code></li>
849 <li><code>icmp4.type</code> <code>icmp4.code</code></li>
850 <li><code>icmp6.type</code> <code>icmp6.code</code></li>
851 <li><code>nd.target</code> <code>nd.sll</code> <code>nd.tll</code></li>
e3d81ade 852 <li><code>ct_mark</code> <code>ct_label</code></li>
78aab811
JP		 853 <li>
854 <p>
a96d26d7
BP		 855 <code>ct_state</code>, which has several Boolean subfields. The
856 <code>ct_next</code> action initializes the following subfields:
78aab811
JP		 857 </p>
858 <ul>
a96d26d7
BP		 859 <li>
860 <code>ct.trk</code>: Always set to true by <code>ct_next</code>
861 to indicate that connection tracking has taken place. All other
862 <code>ct</code> subfields have <code>ct.trk</code> as a
863 prerequisite.
864 </li>
78aab811
JP		 865 <li><code>ct.new</code>: True for a new flow</li>
866 <li><code>ct.est</code>: True for an established flow</li>
867 <li><code>ct.rel</code>: True for a related flow</li>
868 <li><code>ct.rpl</code>: True for a reply flow</li>
869 <li><code>ct.inv</code>: True for a connection entry in a bad state</li>
870 </ul>
871 <p>
a96d26d7
BP		 872 The <code>ct_dnat</code>, <code>ct_snat</code>, and
873 <code>ct_lb</code> actions initialize the following subfields:
858c2f76
GS		 874 </p>
875 <ul>
876 <li>
877 <code>ct.dnat</code>: True for a packet whose destination IP
878 address has been changed.
879 </li>
880 <li>
881 <code>ct.snat</code>: True for a packet whose source IP
882 address has been changed.
883 </li>
884 </ul>
78aab811 885 </li>
e0840f11
BP		 886 </ul>
887
25030d47
RB		 888 <p>
889 The following predicates are supported:
890 </p>
891
892 <ul>
a2011117
BP		 893 <li><code>eth.bcast</code> expands to <code>eth.dst == ff:ff:ff:ff:ff:ff</code></li>
894 <li><code>eth.mcast</code> expands to <code>eth.dst[40]</code></li>
25030d47
RB		 895 <li><code>vlan.present</code> expands to <code>vlan.tci[12]</code></li>
896 <li><code>ip4</code> expands to <code>eth.type == 0x800</code></li>
a2011117 897 <li><code>ip4.mcast</code> expands to <code>ip4.dst[28..31] == 0xe</code></li>
25030d47
RB		 898 <li><code>ip6</code> expands to <code>eth.type == 0x86dd</code></li>
899 <li><code>ip</code> expands to <code>ip4 || ip6</code></li>
900 <li><code>icmp4</code> expands to <code>ip4 &amp;&amp; ip.proto == 1</code></li>
901 <li><code>icmp6</code> expands to <code>ip6 &amp;&amp; ip.proto == 58</code></li>
902 <li><code>icmp</code> expands to <code>icmp4 || icmp6</code></li>
903 <li><code>ip.is_frag</code> expands to <code>ip.frag[0]</code></li>
904 <li><code>ip.later_frag</code> expands to <code>ip.frag[1]</code></li>
905 <li><code>ip.first_frag</code> expands to <code>ip.is_frag &amp;&amp; !ip.later_frag</code></li>
906 <li><code>arp</code> expands to <code>eth.type == 0x806</code></li>
acdd9220
JP		 907 <li><code>nd</code> expands to <code>icmp6.type == {135, 136} &amp;&amp; icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
908 <li><code>nd_ns</code> expands to <code>icmp6.type == 135 &amp;&amp; icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
909 <li><code>nd_na</code> expands to <code>icmp6.type == 136 &amp;&amp; icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
25030d47
RB		 910 <li><code>tcp</code> expands to <code>ip.proto == 6</code></li>
911 <li><code>udp</code> expands to <code>ip.proto == 17</code></li>
912 <li><code>sctp</code> expands to <code>ip.proto == 132</code></li>
913 </ul>
fe36184b
BP		 914 </column>
915
916 <column name="actions">
917 <p>
2cd87fce
RB		 918 Logical datapath actions, to be executed when the logical flow
919 represented by this row is the highest-priority match.
fe36184b
BP		 920 </p>
921
35060cdc 922 <p>
2cd87fce
RB		 923 Actions share lexical syntax with the <ref column="match"/> column. An
924 empty set of actions (or one that contains just white space or
925 comments), or a set of actions that consists of just
926 <code>drop;</code>, causes the matched packets to be dropped.
927 Otherwise, the column should contain a sequence of actions, each
928 terminated by a semicolon.
35060cdc 929 </p>
fe36184b 930
35060cdc 931 <p>
eee7a8ed 932 The following actions are defined:
35060cdc 933 </p>
fe36184b 934
35060cdc
BP		 935 <dl>
936 <dt><code>output;</code></dt>
937 <dd>
5868eb24 938 <p>
eee7a8ed
JP		 939 In the ingress pipeline, this action executes the
940 <code>egress</code> pipeline as a subroutine. If
941 <code>outport</code> names a logical port, the egress pipeline
942 executes once; if it is a multicast group, the egress pipeline runs
943 once for each logical port in the group.
5868eb24
BP		 944 </p>
945
946 <p>
947 In the egress pipeline, this action performs the actual
948 output to the <code>outport</code> logical port. (In the egress
949 pipeline, <code>outport</code> never names a multicast group.)
950 </p>
951
952 <p>
bf143492
JP		 953 By default, output to the input port is implicitly dropped,
954 that is, <code>output</code> becomes a no-op if
955 <code>outport</code> == <code>inport</code>. Occasionally
956 it may be useful to override this behavior, e.g. to send an
957 ARP reply to an ARP request; to do so, use
958 <code>flags.loopback = 1</code> to allow the packet to
959 "hair-pin" back to the input port.
5868eb24 960 </p>
eee7a8ed 961 </dd>
fe36184b 962
35060cdc 963 <dt><code>next;</code></dt>
558ec83d 964 <dt><code>next(<var>table</var>);</code></dt>
4c99cb18 965 <dt><code>next(pipeline=<var>pipeline</var>, table=<var>table</var>);</code></dt>
35060cdc 966 <dd>
4c99cb18
BP		 967 Executes the given logical datapath <var>table</var> in
968 <var>pipeline</var> as a subroutine. The default <var>table</var> is
969 just after the current one. If <var>pipeline</var> is specified, it
970 may be <code>ingress</code> or <code>egress</code>; the default
971 <var>pipeline</var> is the one currently executing. Actions in the
972 ingress pipeline may not use <code>next</code> to jump into the
973 egress pipeline (use the <code>output</code> instead), but
974 transitions in the opposite direction are allowed.
2cd87fce 975 </dd>
fe36184b 976
35060cdc
BP		 977 <dt><code><var>field</var> = <var>constant</var>;</code></dt>
978 <dd>
5868eb24 979 <p>
5ee054fb
BP		 980 Sets data or metadata field <var>field</var> to constant value
981 <var>constant</var>, e.g. <code>outport = "vif0";</code> to set the
982 logical output port. To set only a subset of bits in a field,
983 specify a subfield for <var>field</var> or a masked
984 <var>constant</var>, e.g. one may use <code>vlan.pcp[2] = 1;</code>
985 or <code>vlan.pcp = 4/4;</code> to set the most sigificant bit of
986 the VLAN PCP.
5868eb24
BP		 987 </p>
988
989 <p>
990 Assigning to a field with prerequisites implicitly adds those
991 prerequisites to <ref column="match"/>; thus, for example, a flow
992 that sets <code>tcp.dst</code> applies only to TCP flows,
993 regardless of whether its <ref column="match"/> mentions any TCP
994 field.
995 </p>
996
997 <p>
998 Not all fields are modifiable (e.g. <code>eth.type</code> and
999 <code>ip.proto</code> are read-only), and not all modifiable fields
1000 may be partially modified (e.g. <code>ip.ttl</code> must assigned
1001 as a whole). The <code>outport</code> field is modifiable in the
1002 <code>ingress</code> pipeline but not in the <code>egress</code>
1003 pipeline.
1004 </p>
eee7a8ed 1005 </dd>
5ee054fb
BP		 1006
1007 <dt><code><var>field1</var> = <var>field2</var>;</code></dt>
1008 <dd>
1009 <p>
1010 Sets data or metadata field <var>field1</var> to the value of data
1011 or metadata field <var>field2</var>, e.g. <code>reg0 =
1012 ip4.src;</code> copies <code>ip4.src</code> into <code>reg0</code>.
1013 To modify only a subset of a field's bits, specify a subfield for
1014 <var>field1</var> or <var>field2</var> or both, e.g. <code>vlan.pcp
1015 = reg0[0..2];</code> copies the least-significant bits of
1016 <code>reg0</code> into the VLAN PCP.
1017 </p>
1018
1019 <p>
1020 <var>field1</var> and <var>field2</var> must be the same type,
1021 either both string or both integer fields. If they are both
1022 integer fields, they must have the same width.
1023 </p>
1024
1025 <p>
1026 If <var>field1</var> or <var>field2</var> has prerequisites, they
1027 are added implicitly to <ref column="match"/>. It is possible to
1028 write an assignment with contradictory prerequisites, such as
1029 <code>ip4.src = ip6.src[0..31];</code>, but the contradiction means
1030 that a logical flow with such an assignment will never be matched.
1031 </p>
1032 </dd>
a20c96c6
BP		 1033
1034 <dt><code><var>field1</var> &lt;-&gt; <var>field2</var>;</code></dt>
1035 <dd>
1036 <p>
1037 Similar to <code><var>field1</var> = <var>field2</var>;</code>
1038 except that the two values are exchanged instead of copied. Both
1039 <var>field1</var> and <var>field2</var> must modifiable.
1040 </p>
1041 </dd>
78aab811 1042
00ea19e4
BP		 1043 <dt><code>ip.ttl--;</code></dt>
1044 <dd>
1045 <p>
1046 Decrements the IPv4 or IPv6 TTL. If this would make the TTL zero
1047 or negative, then processing of the packet halts; no further
1048 actions are processed. (To properly handle such cases, a
4c20b9f2
JP		 1049 higher-priority flow should match on
1050 <code>ip.ttl == {0, 1};</code>.)
00ea19e4
BP		 1051 </p>
1052
1053 <p><b>Prerequisite:</b> <code>ip</code></p>
1054 </dd>
1055
78aab811
JP		 1056 <dt><code>ct_next;</code></dt>
1057 <dd>
1058 <p>
1059 Apply connection tracking to the flow, initializing
1060 <code>ct_state</code> for matching in later tables.
1061 Automatically moves on to the next table, as if followed by
1062 <code>next</code>.
1063 </p>
1064
1065 <p>
1066 As a side effect, IP fragments will be reassembled for matching.
1067 If a fragmented packet is output, then it will be sent with any
1068 overlapping fragments squashed. The connection tracking state is
d7039b9a
GS		 1069 scoped by the logical port when the action is used in a flow for
1070 a logical switch, so overlapping addresses may be used. To allow
1071 traffic related to the matched flow, execute <code>ct_commit
1072 </code>. Connection tracking state is scoped by the logical
1073 topology when the action is used in a flow for a router.
78aab811
JP		 1074 </p>
1075
1076 <p>
1077 It is possible to have actions follow <code>ct_next</code>,
1078 but they will not have access to any of its side-effects and
1079 is not generally useful.
1080 </p>
1081 </dd>
1082
1083 <dt><code>ct_commit;</code></dt>
a9e1b66f
RB		 1084 <dt><code>ct_commit(ct_mark=<var>value[/mask]</var>);</code></dt>
1085 <dt><code>ct_commit(ct_label=<var>value[/mask]</var>);</code></dt>
1086 <dt><code>ct_commit(ct_mark=<var>value[/mask]</var>, ct_label=<var>value[/mask]</var>);</code></dt>
78aab811 1087 <dd>
c4623bb8 1088 <p>
a9e1b66f
RB		 1089 Commit the flow to the connection tracking entry associated with it
1090 by a previous call to <code>ct_next</code>. When
1091 <code>ct_mark=<var>value[/mask]</var></code> and/or
1092 <code>ct_label=<var>value[/mask]</var></code> are supplied,
1093 <code>ct_mark</code> and/or <code>ct_label</code> will be set to the
1094 values indicated by <var>value[/mask]</var> on the connection
1095 tracking entry. <code>ct_mark</code> is a 32-bit field.
354b8f27
NS		 1096 <code>ct_label</code> is a 128-bit field. The <var>value[/mask]</var>
1097 should be specified in hex string if more than 64bits are to be used.
c4623bb8 1098 </p>
a9e1b66f 1099
c4623bb8
RB		 1100 <p>
1101 Note that if you want processing to continue in the next table,
1102 you must execute the <code>next</code> action after
a9e1b66f
RB		 1103 <code>ct_commit</code>. You may also leave out <code>next</code>
1104 which will commit connection tracking state, and then drop the
1105 packet. This could be useful for setting <code>ct_mark</code>
1106 on a connection tracking entry before dropping a packet,
1107 for example.
c4623bb8 1108 </p>
78aab811 1109 </dd>
fe36184b 1110
de297547
GS		 1111 <dt><code>ct_dnat;</code></dt>
1112 <dt><code>ct_dnat(<var>IP</var>);</code></dt>
1113 <dd>
1114 <p>
1115 <code>ct_dnat</code> sends the packet through the DNAT zone in
1116 connection tracking table to unDNAT any packet that was DNATed in
1117 the opposite direction. The packet is then automatically sent to
1118 to the next tables as if followed by <code>next;</code> action.
1119 The next tables will see the changes in the packet caused by
1120 the connection tracker.
1121 </p>
1122 <p>
1123 <code>ct_dnat(<var>IP</var>)</code> sends the packet through the
1124 DNAT zone to change the destination IP address of the packet to
467085fd 1125 the one provided inside the parentheses and commits the connection.
de297547
GS		 1126 The packet is then automatically sent to the next tables as if
1127 followed by <code>next;</code> action. The next tables will see
1128 the changes in the packet caused by the connection tracker.
1129 </p>
1130 </dd>
1131
1132 <dt><code>ct_snat;</code></dt>
1133 <dt><code>ct_snat(<var>IP</var>);</code></dt>
1134 <dd>
1135 <p>
1136 <code>ct_snat</code> sends the packet through the SNAT zone to
1b441300
MS		 1137 unSNAT any packet that was SNATed in the opposite direction. The
1138 behavior on gateway routers differs from the behavior on a
1139 distributed router:
de297547 1140 </p>
1b441300
MS		 1141 <ul>
1142 <li>
1143 On a gateway router, if the packet needs to be sent to the next
1144 tables, then it should be followed by a <code>next;</code>
1145 action. The next tables will not see the changes in the packet
1146 caused by the connection tracker.
1147 </li>
1148 <li>
1149 On a distributed router, if the connection tracker finds a
1150 connection that was SNATed in the opposite direction, then the
1151 destination IP address of the packet is UNSNATed. The packet is
1152 automatically sent to the next tables as if followed by the
1153 <code>next;</code> action. The next tables will see the changes
1154 in the packet caused by the connection tracker.
1155 </li>
1156 </ul>
de297547
GS		 1157 <p>
1158 <code>ct_snat(<var>IP</var>)</code> sends the packet through the
1159 SNAT zone to change the source IP address of the packet to
1160 the one provided inside the parenthesis and commits the connection.
1161 The packet is then automatically sent to the next tables as if
1162 followed by <code>next;</code> action. The next tables will see the
1163 changes in the packet caused by the connection tracker.
1164 </p>
1165 </dd>
1166
db0e819b
BP		 1167 <dt><code>ct_clear;</code></dt>
1168 <dd>
1169 Clears connection tracking state.
1170 </dd>
b3bd2c33
BP		 1171
1172 <dt><code>clone { <var>action</var>; </code>...<code> };</code></dt>
1173 <dd>
1174 Makes a copy of the packet being processed and executes each
1175 <code>action</code> on the copy. Actions following the
1176 <var>clone</var> action, if any, apply to the original, unmodified
1177 packet. This can be used as a way to ``save and restore'' the packet
1178 around a set of actions that may modify it and should not persist.
1179 </dd>
1180
69a832cf
BP		 1181 <dt><code>arp { <var>action</var>; </code>...<code> };</code></dt>
1182 <dd>
1183 <p>
1184 Temporarily replaces the IPv4 packet being processed by an ARP
1185 packet and executes each nested <var>action</var> on the ARP
1186 packet. Actions following the <var>arp</var> action, if any, apply
1187 to the original, unmodified packet.
1188 </p>
1189
1190 <p>
1191 The ARP packet that this action operates on is initialized based on
1192 the IPv4 packet being processed, as follows. These are default
1193 values that the nested actions will probably want to change:
1194 </p>
1195
1196 <ul>
1197 <li><code>eth.src</code> unchanged</li>
1198 <li><code>eth.dst</code> unchanged</li>
1199 <li><code>eth.type = 0x0806</code></li>
1200 <li><code>arp.op = 1</code> (ARP request)</li>
1201 <li><code>arp.sha</code> copied from <code>eth.src</code></li>
1202 <li><code>arp.spa</code> copied from <code>ip4.src</code></li>
1203 <li><code>arp.tha = 00:00:00:00:00:00</code></li>
1204 <li><code>arp.tpa</code> copied from <code>ip4.dst</code></li>
1205 </ul>
1206
6335d074
BP		 1207 <p>
1208 The ARP packet has the same VLAN header, if any, as the IP packet
1209 it replaces.
1210 </p>
1211
69a832cf
BP		 1212 <p><b>Prerequisite:</b> <code>ip4</code></p>
1213 </dd>
1214
c34a87b6
JP		 1215 <dt><code>get_arp(<var>P</var>, <var>A</var>);</code></dt>
1216
1217 <dd>
1218 <p>
1219 <b>Parameters</b>: logical port string field <var>P</var>, 32-bit
1220 IP address field <var>A</var>.
1221 </p>
1222
1223 <p>
1224 Looks up <var>A</var> in <var>P</var>'s mac binding table.
1225 If an entry is found, stores its Ethernet address in
1226 <code>eth.dst</code>, otherwise stores
1227 <code>00:00:00:00:00:00</code> in <code>eth.dst</code>.
1228 </p>
1229
1230 <p><b>Example:</b> <code>get_arp(outport, ip4.dst);</code></p>
1231 </dd>
1232
1233 <dt>
1234 <code>put_arp(<var>P</var>, <var>A</var>, <var>E</var>);</code>
1235 </dt>
1236
1237 <dd>
1238 <p>
1239 <b>Parameters</b>: logical port string field <var>P</var>, 32-bit
1240 IP address field <var>A</var>, 48-bit Ethernet address field
1241 <var>E</var>.
1242 </p>
1243
1244 <p>
1245 Adds or updates the entry for IP address <var>A</var> in
1246 logical port <var>P</var>'s mac binding table, setting its
1247 Ethernet address to <var>E</var>.
1248 </p>
1249
1250 <p><b>Example:</b> <code>put_arp(inport, arp.spa, arp.sha);</code></p>
1251 </dd>
1252
e75451fe 1253 <dt>
f8a8db39 1254 <code>nd_na { <var>action</var>; </code>...<code> };</code>
e75451fe
ZKL		 1255 </dt>
1256
1257 <dd>
1258 <p>
f8a8db39
JP		 1259 Temporarily replaces the IPv6 neighbor solicitation packet
1260 being processed by an IPv6 neighbor advertisement (NA)
1261 packet and executes each nested <var>action</var> on the NA
1262 packet. Actions following the <code>nd_na</code> action,
1263 if any, apply to the original, unmodified packet.
e75451fe
ZKL		 1264 </p>
1265
1266 <p>
1267 The NA packet that this action operates on is initialized based on
1268 the IPv6 packet being processed, as follows. These are default
1269 values that the nested actions will probably want to change:
1270 </p>
1271
1272 <ul>
1273 <li><code>eth.dst</code> exchanged with <code>eth.src</code></li>
1274 <li><code>eth.type = 0x86dd</code></li>
1275 <li><code>ip6.dst</code> copied from <code>ip6.src</code></li>
1276 <li><code>ip6.src</code> copied from <code>nd.target</code></li>
1277 <li><code>icmp6.type = 136</code> (Neighbor Advertisement)</li>
1278 <li><code>nd.target</code> unchanged</li>
1279 <li><code>nd.sll = 00:00:00:00:00:00</code></li>
1280 <li><code>nd.tll</code> copied from <code>eth.dst</code></li>
1281 </ul>
1282
1283 <p>
1284 The ND packet has the same VLAN header, if any, as the IPv6 packet
1285 it replaces.
1286 </p>
1287
1288 <p>
f8a8db39 1289 <b>Prerequisite:</b> <code>nd_ns</code>
e75451fe
ZKL		 1290 </p>
1291 </dd>
1292
c34a87b6 1293 <dt><code>get_nd(<var>P</var>, <var>A</var>);</code></dt>
0bac7164
BP		 1294
1295 <dd>
1296 <p>
c34a87b6
JP		 1297 <b>Parameters</b>: logical port string field <var>P</var>, 128-bit
1298 IPv6 address field <var>A</var>.
0bac7164
BP		 1299 </p>
1300
1301 <p>
c34a87b6
JP		 1302 Looks up <var>A</var> in <var>P</var>'s mac binding table.
1303 If an entry is found, stores its Ethernet address in
1304 <code>eth.dst</code>, otherwise stores
1305 <code>00:00:00:00:00:00</code> in <code>eth.dst</code>.
0bac7164
BP		 1306 </p>
1307
c34a87b6 1308 <p><b>Example:</b> <code>get_nd(outport, ip6.dst);</code></p>
0bac7164
BP		 1309 </dd>
1310
1311 <dt>
c34a87b6 1312 <code>put_nd(<var>P</var>, <var>A</var>, <var>E</var>);</code>
0bac7164
BP		 1313 </dt>
1314
1315 <dd>
1316 <p>
c34a87b6
JP		 1317 <b>Parameters</b>: logical port string field <var>P</var>,
1318 128-bit IPv6 address field <var>A</var>, 48-bit Ethernet
1319 address field <var>E</var>.
0bac7164
BP		 1320 </p>
1321
1322 <p>
c34a87b6
JP		 1323 Adds or updates the entry for IPv6 address <var>A</var> in
1324 logical port <var>P</var>'s mac binding table, setting its
1325 Ethernet address to <var>E</var>.
0bac7164
BP		 1326 </p>
1327
c34a87b6 1328 <p><b>Example:</b> <code>put_nd(inport, nd.target, nd.tll);</code></p>
0bac7164 1329 </dd>
42814145
NS		 1330
1331 <dt>
d5a76da4 1332 <code><var>R</var> = put_dhcp_opts(<var>D1</var> = <var>V1</var>, <var>D2</var> = <var>V2</var>, ..., <var>Dn</var> = <var>Vn</var>);</code>
42814145
NS		 1333 </dt>
1334
1335 <dd>
1336 <p>
d5a76da4
BP		 1337 <b>Parameters</b>: one or more DHCP option/value pairs, which must
1338 include an <code>offerip</code> option (with code 0).
42814145
NS		 1339 </p>
1340
1341 <p>
1342 <b>Result</b>: stored to a 1-bit subfield <var>R</var>.
1343 </p>
1344
1345 <p>
1346 Valid only in the ingress pipeline.
1347 </p>
1348
1349 <p>
1350 When this action is applied to a DHCP request packet (DHCPDISCOVER
1351 or DHCPREQUEST), it changes the packet into a DHCP reply (DHCPOFFER
1352 or DHCPACK, respectively), replaces the options by those specified
1353 as parameters, and stores 1 in <var>R</var>.
1354 </p>
1355
1356 <p>
1357 When this action is applied to a non-DHCP packet or a DHCP packet
1358 that is not DHCPDISCOVER or DHCPREQUEST, it leaves the packet
1359 unchanged and stores 0 in <var>R</var>.
1360 </p>
1361
1362 <p>
1363 The contents of the <ref table="DHCP_Option"/> table control the
1364 DHCP option names and values that this action supports.
1365 </p>
1366
1367 <p>
1368 <b>Example:</b>
1369 <code>
1370 reg0[0] = put_dhcp_opts(offerip = 10.0.0.2, router = 10.0.0.1,
1371 netmask = 255.255.255.0, dns_server = {8.8.8.8, 7.7.7.7});
1372 </code>
1373 </p>
1374 </dd>
467085fd 1375
01cfdb2f
NS		 1376 <dt>
1377 <code><var>R</var> = put_dhcpv6_opts(<var>D1</var> = <var>V1</var>, <var>D2</var> = <var>V2</var>, ..., <var>Dn</var> = <var>Vn</var>);</code>
1378 </dt>
1379
1380 <dd>
1381 <p>
1382 <b>Parameters</b>: one or more DHCPv6 option/value pairs.
1383 </p>
1384
1385 <p>
1386 <b>Result</b>: stored to a 1-bit subfield <var>R</var>.
1387 </p>
1388
1389 <p>
1390 Valid only in the ingress pipeline.
1391 </p>
1392
1393 <p>
1394 When this action is applied to a DHCPv6 request packet, it changes
1395 the packet into a DHCPv6 reply, replaces the options by those
1396 specified as parameters, and stores 1 in <var>R</var>.
1397 </p>
1398
1399 <p>
1400 When this action is applied to a non-DHCPv6 packet or an invalid
1401 DHCPv6 request packet , it leaves the packet unchanged and stores
1402 0 in <var>R</var>.
1403 </p>
1404
1405 <p>
1406 The contents of the <ref table="DHCPv6_Options"/> table control the
1407 DHCPv6 option names and values that this action supports.
1408 </p>
1409
1410 <p>
1411 <b>Example:</b>
1412 <code>
1413 reg0[3] = put_dhcpv6_opts(ia_addr = aef0::4, server_id = 00:00:00:00:10:02,
1414 dns_server={ae70::1,ae70::2});
1415 </code>
1416 </p>
1417 </dd>
1418
a6095f81
BS		 1419 <dt>
1420 <code>set_queue(<var>queue_number</var>);</code>
1421 </dt>
1422
1423 <dd>
1424 <p>
1425 <b>Parameters</b>: Queue number <var>queue_number</var>, in the range 0 to 61440.
1426 </p>
1427
1428 <p>
1429 This is a logical equivalent of the OpenFlow <code>set_queue</code>
1430 action. It affects packets that egress a hypervisor through a
1431 physical interface. For nonzero <var>queue_number</var>, it
1432 configures packet queuing to match the settings configured for the
1433 <ref table="Port_Binding"/> with
1434 <code>options:qdisc_queue_id</code> matching
1435 <var>queue_number</var>. When <var>queue_number</var> is zero, it
1436 resets queuing to the default strategy.
1437 </p>
1438
1439 <p><b>Example:</b> <code>set_queue(10);</code></p>
1440 </dd>
1441
467085fd
GS		 1442 <dt><code>ct_lb;</code></dt>
1443 <dt><code>ct_lb(</code><var>ip</var>[<code>:</code><var>port</var>]...<code>);</code></dt>
1444 <dd>
1445 <p>
1446 With one or more arguments, <code>ct_lb</code> commits the packet
1447 to the connection tracking table and DNATs the packet's destination
1448 IP address (and port) to the IP address or addresses (and optional
1449 ports) specified in the string. If multiple comma-separated IP
1450 addresses are specified, each is given equal weight for picking the
1451 DNAT address. Processing automatically moves on to the next table,
1452 as if <code>next;</code> were specified, and later tables act on
1453 the packet as modified by the connection tracker. Connection
c2e954a1
GS		 1454 tracking state is scoped by the logical port when the action is
1455 used in a flow for a logical switch, so overlapping
1456 addresses may be used. Connection tracking state is scoped by the
1457 logical topology when the action is used in a flow for a router.
467085fd
GS		 1458 </p>
1459 <p>
1460 Without arguments, <code>ct_lb</code> sends the packet to the
1461 connection tracking table to NAT the packets. If the packet is
1462 part of an established connection that was previously committed to
1463 the connection tracker via <code>ct_lb(</code>...<code>)</code>, it
1464 will automatically get DNATed to the same IP address as the first
1465 packet in that connection.
1466 </p>
1467 </dd>
6335d074
BP		 1468 </dl>
1469
1470 <p>
1471 The following actions will likely be useful later, but they have not
1472 been thought out carefully.
1473 </p>
1474
1475 <dl>
69a832cf
BP		 1476 <dt><code>icmp4 { <var>action</var>; </code>...<code> };</code></dt>
1477 <dd>
1478 <p>
1479 Temporarily replaces the IPv4 packet being processed by an ICMPv4
1480 packet and executes each nested <var>action</var> on the ICMPv4
1481 packet. Actions following the <var>icmp4</var> action, if any,
1482 apply to the original, unmodified packet.
1483 </p>
1484
1485 <p>
1486 The ICMPv4 packet that this action operates on is initialized based
1487 on the IPv4 packet being processed, as follows. These are default
1488 values that the nested actions will probably want to change.
1489 Ethernet and IPv4 fields not listed here are not changed:
1490 </p>
1491
1492 <ul>
1493 <li><code>ip.proto = 1</code> (ICMPv4)</li>
1494 <li><code>ip.frag = 0</code> (not a fragment)</li>
1495 <li><code>icmp4.type = 3</code> (destination unreachable)</li>
1496 <li><code>icmp4.code = 1</code> (host unreachable)</li>
1497 </ul>
1498
1499 <p>
1500 Details TBD.
1501 </p>
fe36184b 1502
69a832cf
BP		 1503 <p><b>Prerequisite:</b> <code>ip4</code></p>
1504 </dd>
1505
1506 <dt><code>tcp_reset;</code></dt>
1507 <dd>
1508 <p>
1509 This action transforms the current TCP packet according to the
1510 following pseudocode:
1511 </p>
1512
1513 <pre>
1514if (tcp.ack) {
1515 tcp.seq = tcp.ack;
1516} else {
1517 tcp.ack = tcp.seq + length(tcp.payload);
1518 tcp.seq = 0;
1519}
1520tcp.flags = RST;
1521</pre>
1522
1523 <p>
1524 Then, the action drops all TCP options and payload data, and
1525 updates the TCP checksum.
1526 </p>
1527
1528 <p>
1529 Details TBD.
1530 </p>
1531
1532 <p><b>Prerequisite:</b> <code>tcp</code></p>
1533 </dd>
fe36184b 1534 </dl>
fe36184b 1535 </column>
091e3af9
JP		 1536
1537 <column name="external_ids" key="stage-name">
1538 Human-readable name for this flow's stage in the pipeline.
1539 </column>
1540
17bfa2aa
HZ		 1541 <column name="external_ids" key="stage-hint" type='{"type": "uuid"}'>
1542 UUID of a <ref db="OVN_Northbound"/> record that caused this logical flow
1543 to be created. Currently used only for attribute of logical flows to
1544 northbound <ref db="OVN_Northbound" table="ACL"/> records.
1545 </column>
1546
d8026bbf
BP		 1547 <column name="external_ids" key="source">
1548 Source file and line number of the code that added this flow to the
1549 pipeline.
1550 </column>
1551
091e3af9
JP		 1552 <group title="Common Columns">
1553 The overall purpose of these columns is described under <code>Common
1554 Columns</code> at the beginning of this document.
1555
1556 <column name="external_ids"/>
1557 </group>
fe36184b
BP		 1558 </table>
1559
5868eb24
BP		 1560 <table name="Multicast_Group" title="Logical Port Multicast Groups">
1561 <p>
1562 The rows in this table define multicast groups of logical ports.
1563 Multicast groups allow a single packet transmitted over a tunnel to a
1564 hypervisor to be delivered to multiple VMs on that hypervisor, which
1565 uses bandwidth more efficiently.
1566 </p>
1567
1568 <p>
1569 Each row in this table defines a logical multicast group numbered <ref
1570 column="tunnel_key"/> within <ref column="datapath"/>, whose logical
1571 ports are listed in the <ref column="ports"/> column.
1572 </p>
1573
1574 <column name="datapath">
1575 The logical datapath in which the multicast group resides.
1576 </column>
1577
1578 <column name="tunnel_key">
1579 The value used to designate this logical egress port in tunnel
1580 encapsulations. An index forces the key to be unique within the <ref
1581 column="datapath"/>. The unusual range ensures that multicast group IDs
1582 do not overlap with logical port IDs.
1583 </column>
1584
1585 <column name="name">
1586 <p>
1587 The logical multicast group's name. An index forces the name to be
1588 unique within the <ref column="datapath"/>. Logical flows in the
1589 ingress pipeline may output to the group just as for individual logical
1590 ports, by assigning the group's name to <code>outport</code> and
1591 executing an <code>output</code> action.
1592 </p>
1593
1594 <p>
1595 Multicast group names and logical port names share a single namespace
1596 and thus should not overlap (but the database schema cannot enforce
1597 this). To try to avoid conflicts, <code>ovn-northd</code> uses names
1598 that begin with <code>_MC_</code>.
1599 </p>
1600 </column>
1601
1602 <column name="ports">
1603 The logical ports included in the multicast group. All of these ports
1604 must be in the <ref column="datapath"/> logical datapath (but the
1605 database schema cannot enforce this).
1606 </column>
1607 </table>
1608
1609 <table name="Datapath_Binding" title="Physical-Logical Datapath Bindings">
1610 <p>
1611 Each row in this table identifies physical bindings of a logical
1612 datapath. A logical datapath implements a logical pipeline among the
1613 ports in the <ref table="Port_Binding"/> table associated with it. In
1614 practice, the pipeline in a given logical datapath implements either a
1615 logical switch or a logical router.
1616 </p>
1617
1618 <column name="tunnel_key">
1619 The tunnel key value to which the logical datapath is bound.
1620 The <code>Tunnel Encapsulation</code> section in
1621 <code>ovn-architecture</code>(7) describes how tunnel keys are
1622 constructed for each supported encapsulation.
1623 </column>
1624
9975d7be
BP		 1625 <group title="OVN_Northbound Relationship">
1626 <p>
1627 Each row in <ref table="Datapath_Binding"/> is associated with some
1628 logical datapath. <code>ovn-northd</code> uses these keys to track the
1629 association of a logical datapath with concepts in the <ref
1630 db="OVN_Northbound"/> database.
1631 </p>
1632
1633 <column name="external_ids" key="logical-switch" type='{"type": "uuid"}'>
1634 For a logical datapath that represents a logical switch,
1635 <code>ovn-northd</code> stores in this key the UUID of the
1636 corresponding <ref table="Logical_Switch" db="OVN_Northbound"/> row in
1637 the <ref db="OVN_Northbound"/> database.
1638 </column>
1639
1640 <column name="external_ids" key="logical-router" type='{"type": "uuid"}'>
1641 For a logical datapath that represents a logical router,
1642 <code>ovn-northd</code> stores in this key the UUID of the
1643 corresponding <ref table="Logical_Router" db="OVN_Northbound"/> row in
1644 the <ref db="OVN_Northbound"/> database.
1645 </column>
0f8e9c12
BP		 1646
1647 <column name="external_ids" key="name">
1648 <code>ovn-northd</code> copies this from the <ref
1649 table="Logical_Router" db="OVN_Northbound"/> or <ref
1650 table="Logical_Switch" db="OVN_Northbound"/> table in the <ref
1651 db="OVN_Northbound"/> database, when that column is nonempty.
1652 </column>
9975d7be 1653 </group>
5868eb24
BP		 1654
1655 <group title="Common Columns">
1656 The overall purpose of these columns is described under <code>Common
1657 Columns</code> at the beginning of this document.
1658
1659 <column name="external_ids"/>
1660 </group>
1661 </table>
1662
dcda6e0d 1663 <table name="Port_Binding" title="Physical-Logical Port Bindings">
fe36184b 1664 <p>
d387d24d
BP		 1665 Most rows in this table identify the physical location of a logical port.
1666 (The exceptions are logical patch ports, which do not have any physical
1667 location.)
fe36184b
BP		 1668 </p>
1669
1670 <p>
80f408f4
JP		 1671 For every <code>Logical_Switch_Port</code> record in
1672 <code>OVN_Northbound</code> database, <code>ovn-northd</code>
1673 creates a record in this table. <code>ovn-northd</code> populates
1674 and maintains every column except the <code>chassis</code> column,
1675 which it leaves empty in new records.
9fb4636f
GS		 1676 </p>
1677
1678 <p>
88058f19
AW		 1679 <code>ovn-controller</code>/<code>ovn-controller-vtep</code>
1680 populates the <code>chassis</code> column for the records that
1681 identify the logical ports that are located on its hypervisor/gateway,
1682 which <code>ovn-controller</code>/<code>ovn-controller-vtep</code> in
1683 turn finds out by monitoring the local hypervisor's Open_vSwitch
1684 database, which identifies logical ports via the conventions described
2567fb84 1685 in <code>IntegrationGuide.rst</code>. (The exceptions are for
c1645003 1686 <code>Port_Binding</code> records with <code>type</code> of
17bac0ff
RB		 1687 <code>l3gateway</code>, whose locations are identified by
1688 <code>ovn-northd</code> via the <code>options:l3gateway-chassis</code>
c1645003
GS		 1689 column in this table. <code>ovn-controller</code> is still responsible
1690 to populate the <code>chassis</code> column.)
9fb4636f
GS		 1691 </p>
1692
1693 <p>
5868eb24 1694 When a chassis shuts down gracefully, it should clean up the
9fb4636f 1695 <code>chassis</code> column that it previously had populated.
fe36184b
BP		 1696 (This is not critical because resources hosted on the chassis are equally
1697 unreachable regardless of whether their rows are present.) To handle the
1698 case where a VM is shut down abruptly on one chassis, then brought up
88058f19
AW		 1699 again on a different one,
1700 <code>ovn-controller</code>/<code>ovn-controller-vtep</code> must
1701 overwrite the <code>chassis</code> column with new information.
fe36184b
BP		 1702 </p>
1703
c96ba502
BP		 1704 <group title="Core Features">
1705 <column name="datapath">
1706 The logical datapath to which the logical port belongs.
1707 </column>
1a76c93e 1708
c96ba502 1709 <column name="logical_port">
80f408f4
JP		 1710 A logical port, taken from <ref table="Logical_Switch_Port"
1711 column="name" db="OVN_Northbound"/> in the OVN_Northbound
1712 database's <ref table="Logical_Switch_Port" db="OVN_Northbound"/>
1713 table. OVN does not prescribe a particular format for the
1714 logical port ID.
c96ba502 1715 </column>
c0281929 1716
c96ba502 1717 <column name="chassis">
184bc3ca
RB		 1718 The meaning of this column depends on the value of the <ref column="type"/>
1719 column. This is the meaning for each <ref column="type"/>
1720
1721 <dl>
1722 <dt>(empty string)</dt>
1723 <dd>
1724 The physical location of the logical port. To successfully identify a
1725 chassis, this column must be a <ref table="Chassis"/> record. This is
1726 populated by <code>ovn-controller</code>.
1727 </dd>
1728
1729 <dt>vtep</dt>
1730 <dd>
1731 The physical location of the hardware_vtep gateway. To successfully
1732 identify a chassis, this column must be a <ref table="Chassis"/> record.
1733 This is populated by <code>ovn-controller-vtep</code>.
1734 </dd>
1735
1736 <dt>localnet</dt>
1737 <dd>
1738 Always empty. A localnet port is realized on every chassis that has
1739 connectivity to the corresponding physical network.
1740 </dd>
1741
17bac0ff 1742 <dt>l3gateway</dt>
184bc3ca
RB		 1743 <dd>
1744 The physical location of the L3 gateway. To successfully identify a
1745 chassis, this column must be a <ref table="Chassis"/> record. This is
1746 populated by <code>ovn-controller</code> based on the value of
17bac0ff 1747 the <code>options:l3gateway-chassis</code> column in this table.
184bc3ca
RB		 1748 </dd>
1749
1750 <dt>l2gateway</dt>
1751 <dd>
1752 The physical location of this L2 gateway. To successfully identify a
1753 chassis, this column must be a <ref table="Chassis"/> record.
62b87eab
NS		 1754 This is populated by <code>ovn-controller</code> based on the value
1755 of the <code>options:l2gateway-chassis</code> column in this table.
184bc3ca
RB		 1756 </dd>
1757 </dl>
1758
c96ba502 1759 </column>
c0281929 1760
c96ba502
BP		 1761 <column name="tunnel_key">
1762 <p>
1763 A number that represents the logical port in the key (e.g. STT key or
1764 Geneve TLV) field carried within tunnel protocol packets.
1765 </p>
c0281929 1766
c96ba502
BP		 1767 <p>
1768 The tunnel ID must be unique within the scope of a logical datapath.
1769 </p>
1770 </column>
88058f19 1771
c96ba502
BP		 1772 <column name="mac">
1773 <p>
1774 The Ethernet address or addresses used as a source address on the
1775 logical port, each in the form
1776 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>.
1777 The string <code>unknown</code> is also allowed to indicate that the
1778 logical port has an unknown set of (additional) source addresses.
1779 </p>
1780
1781 <p>
1782 A VM interface would ordinarily have a single Ethernet address. A
1783 gateway port might initially only have <code>unknown</code>, and then
1784 add MAC addresses to the set as it learns new source addresses.
1785 </p>
1786 </column>
88058f19 1787
c96ba502
BP		 1788 <column name="type">
1789 <p>
1790 A type for this logical port. Logical ports can be used to model other
1791 types of connectivity into an OVN logical switch. The following types
1792 are defined:
1793 </p>
1794
1795 <dl>
1796 <dt>(empty string)</dt>
1797 <dd>VM (or VIF) interface.</dd>
d387d24d
BP		 1798
1799 <dt><code>patch</code></dt>
1800 <dd>
1801 One of a pair of logical ports that act as if connected by a patch
1802 cable. Useful for connecting two logical datapaths, e.g. to connect
1803 a logical router to a logical switch or to another logical router.
1804 </dd>
1805
17bac0ff 1806 <dt><code>l3gateway</code></dt>
c1645003
GS		 1807 <dd>
1808 One of a pair of logical ports that act as if connected by a patch
1809 cable across multiple chassis. Useful for connecting a logical
1810 switch with a Gateway router (which is only resident on a
1811 particular chassis).
1812 </dd>
1813
c96ba502
BP		 1814 <dt><code>localnet</code></dt>
1815 <dd>
1816 A connection to a locally accessible network from each
1817 <code>ovn-controller</code> instance. A logical switch can only
6e6c3f91
HZ		 1818 have a single <code>localnet</code> port attached. This is used
1819 to model direct connectivity to an existing network.
c96ba502
BP		 1820 </dd>
1821
184bc3ca
RB		 1822 <dt><code>l2gateway</code></dt>
1823 <dd>
1824 An L2 connection to a physical network. The chassis this
1825 <ref table="Port_Binding"/> is bound to will serve as
1826 an L2 gateway to the network named by
1827 <ref column="options" table="Port_Binding"/>:<code>network_name</code>.
1828 </dd>
1829
c96ba502
BP		 1830 <dt><code>vtep</code></dt>
1831 <dd>
1832 A port to a logical switch on a VTEP gateway chassis. In order to
1833 get this port correctly recognized by the OVN controller, the <ref
1834 column="options"
1835 table="Port_Binding"/>:<code>vtep-physical-switch</code> and <ref
1836 column="options"
1837 table="Port_Binding"/>:<code>vtep-logical-switch</code> must also
1838 be defined.
1839 </dd>
41a15b71
MS		 1840
1841 <dt><code>chassisredirect</code></dt>
1842 <dd>
1843 A logical port that represents a particular instance, bound
1844 to a specific chassis, of an otherwise distributed parent
1845 port (e.g. of type <code>patch</code>). A
1846 <code>chassisredirect</code> port should never be used as an
1847 <code>inport</code>. When an ingress pipeline sets the
1848 <code>outport</code>, it may set the value to a logical port
1849 of type <code>chassisredirect</code>. This will cause the
1850 packet to be directed to a specific chassis to carry out the
1851 egress pipeline. At the beginning of the egress pipeline,
1852 the <code>outport</code> will be reset to the value of the
1853 distributed port.
1854 </dd>
c96ba502
BP		 1855 </dl>
1856 </column>
1857 </group>
1a76c93e 1858
d387d24d
BP		 1859 <group title="Patch Options">
1860 <p>
1861 These options apply to logical ports with <ref column="type"/> of
1862 <code>patch</code>.
1863 </p>
1864
1865 <column name="options" key="peer">
1866 The <ref column="logical_port"/> in the <ref table="Port_Binding"/>
1867 record for the other side of the patch. The named <ref
1868 column="logical_port"/> must specify this <ref column="logical_port"/>
1869 in its own <code>peer</code> option. That is, the two patch logical
1870 ports must have reversed <ref column="logical_port"/> and
1871 <code>peer</code> values.
1872 </column>
26b9e08d 1873
f40c5588
MS		 1874 <column name="nat_addresses">
1875 MAC address followed by a list of SNAT and DNAT external IP
1876 addresses, followed by
26b9e08d
MS		 1877 <code>is_chassis_resident("<var>lport</var>")</code>, where
1878 <var>lport</var> is the name of a logical port on the same chassis
1879 where the corresponding NAT rules are applied. This is used to
1880 send gratuitous ARPs for SNAT and DNAT external IP addresses via
1881 <code>localnet</code>, from the chassis where <var>lport</var>
1882 resides. Example: <code>80:fa:5b:06:72:b7 158.36.44.22
1883 158.36.44.24 is_chassis_resident("foo1")</code>. This would result
1884 in generation of gratuitous ARPs for IP addresses 158.36.44.22 and
1885 158.36.44.24 with a MAC address of 80:fa:5b:06:72:b7 from the chassis
1886 where the logical port "foo1" resides.
1887 </column>
d387d24d
BP		 1888 </group>
1889
184bc3ca 1890 <group title="L3 Gateway Options">
c1645003
GS		 1891 <p>
1892 These options apply to logical ports with <ref column="type"/> of
17bac0ff 1893 <code>l3gateway</code>.
c1645003
GS		 1894 </p>
1895
1896 <column name="options" key="peer">
1897 The <ref column="logical_port"/> in the <ref table="Port_Binding"/>
17bac0ff 1898 record for the other side of the 'l3gateway' port. The named <ref
c1645003 1899 column="logical_port"/> must specify this <ref column="logical_port"/>
17bac0ff 1900 in its own <code>peer</code> option. That is, the two 'l3gateway'
c1645003
GS		 1901 logical ports must have reversed <ref column="logical_port"/> and
1902 <code>peer</code> values.
1903 </column>
1904
17bac0ff 1905 <column name="options" key="l3gateway-chassis">
c1645003
GS		 1906 The <code>chassis</code> in which the port resides.
1907 </column>
8439c2eb 1908
26b9e08d
MS		 1909 <column name="options" key="nat-addresses">
1910 MAC address of the <code>l3gateway</code> port followed by a list of
1911 SNAT and DNAT external IP addresses. This is used to send gratuitous
1912 ARPs for SNAT and DNAT external IP addresses via <code>localnet</code>.
1913 Example: <code>80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24</code>.
1914 This would result in generation of gratuitous ARPs for IP addresses
1915 158.36.44.22 and 158.36.44.24 with a MAC address of 80:fa:5b:06:72:b7.
f40c5588
MS		 1916 This is used in OVS versions prior to 2.8.
1917 </column>
1918
1919 <column name="nat_addresses">
1920 MAC address of the <code>l3gateway</code> port followed by a list of
1921 SNAT and DNAT external IP addresses. This is used to send gratuitous
1922 ARPs for SNAT and DNAT external IP addresses via <code>localnet</code>.
1923 Example: <code>80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24</code>.
1924 This would result in generation of gratuitous ARPs for IP addresses
1925 158.36.44.22 and 158.36.44.24 with a MAC address of 80:fa:5b:06:72:b7.
1926 This is used in OVS version 2.8 and later versions.
26b9e08d 1927 </column>
c1645003
GS		 1928 </group>
1929
c96ba502 1930 <group title="Localnet Options">
eb00399e 1931 <p>
c96ba502
BP		 1932 These options apply to logical ports with <ref column="type"/> of
1933 <code>localnet</code>.
eb00399e
BP		 1934 </p>
1935
c96ba502
BP		 1936 <column name="options" key="network_name">
1937 Required. <code>ovn-controller</code> uses the configuration entry
1938 <code>ovn-bridge-mappings</code> to determine how to connect to this
1939 network. <code>ovn-bridge-mappings</code> is a list of network names
1940 mapped to a local OVS bridge that provides access to that network. An
1941 example of configuring <code>ovn-bridge-mappings</code> would be:
1942
1943 <pre>$ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1</pre>
1944
1945 <p>
1946 When a logical switch has a <code>localnet</code> port attached,
1947 every chassis that may have a local vif attached to that logical
1948 switch must have a bridge mapping configured to reach that
1949 <code>localnet</code>. Traffic that arrives on a
1950 <code>localnet</code> port is never forwarded over a tunnel to
1951 another chassis.
1952 </p>
1953 </column>
1954
1955 <column name="tag">
1956 If set, indicates that the port represents a connection to a specific
1957 VLAN on a locally accessible network. The VLAN ID is used to match
1958 incoming traffic and is also added to outgoing traffic.
1959 </column>
1960 </group>
1961
184bc3ca
RB		 1962 <group title="L2 Gateway Options">
1963 <p>
1964 These options apply to logical ports with <ref column="type"/> of
1965 <code>l2gateway</code>.
1966 </p>
1967
1968 <column name="options" key="network_name">
1969 Required. <code>ovn-controller</code> uses the configuration entry
1970 <code>ovn-bridge-mappings</code> to determine how to connect to this
1971 network. <code>ovn-bridge-mappings</code> is a list of network names
1972 mapped to a local OVS bridge that provides access to that network. An
1973 example of configuring <code>ovn-bridge-mappings</code> would be:
1974
1975 <pre>$ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1</pre>
1976
1977 <p>
1978 When a logical switch has a <code>l2gateway</code> port attached,
1979 the chassis that the <code>l2gateway</code> port is bound to
1980 must have a bridge mapping configured to reach the network
1981 identified by <code>network_name</code>.
1982 </p>
1983 </column>
1984
62b87eab
NS		 1985 <column name="options" key="l2gateway-chassis">
1986 Required. The <code>chassis</code> in which the port resides.
1987 </column>
1988
184bc3ca
RB		 1989 <column name="tag">
1990 If set, indicates that the gateway is connected to a specific
1991 VLAN on the physical network. The VLAN ID is used to match
1992 incoming traffic and is also added to outgoing traffic.
1993 </column>
1994 </group>
1995
c96ba502 1996 <group title="VTEP Options">
eb00399e 1997 <p>
c96ba502
BP		 1998 These options apply to logical ports with <ref column="type"/> of
1999 <code>vtep</code>.
eb00399e 2000 </p>
9fb4636f 2001
c96ba502
BP		 2002 <column name="options" key="vtep-physical-switch">
2003 Required. The name of the VTEP gateway.
2004 </column>
fe36184b 2005
c96ba502
BP		 2006 <column name="options" key="vtep-logical-switch">
2007 Required. A logical switch name connected by the VTEP gateway. Must
2008 be set when <ref column="type"/> is <code>vtep</code>.
2009 </column>
2010 </group>
fe36184b 2011
aef5f431
BP		 2012 <group title="VMI (or VIF) Options">
2013 <p>
2014 These options apply to logical ports with <ref column="type"/> having
2015 (empty string)
2016 </p>
2017
a6095f81 2018 <column name="options" key="qos_max_rate">
aef5f431 2019 If set, indicates the maximum rate for data sent from this interface,
a6095f81 2020 in bit/s. The traffic will be shaped according to this limit.
aef5f431
BP		 2021 </column>
2022
a6095f81 2023 <column name="options" key="qos_burst">
aef5f431 2024 If set, indicates the maximum burst size for data sent from this
a6095f81
BS		 2025 interface, in bits.
2026 </column>
2027
2028 <column name="options" key="qdisc_queue_id"
2029 type='{"type": "integer", "minInteger": 1, "maxInteger": 61440}'>
2030 Indicates the queue number on the physical device. This is same as the
2031 <code>queue_id</code> used in OpenFlow in <code>struct
2032 ofp_action_enqueue</code>.
aef5f431
BP		 2033 </column>
2034 </group>
2035
41a15b71
MS		 2036 <group title="Chassis Redirect Options">
2037 <p>
2038 These options apply to logical ports with <ref column="type"/>
2039 of <code>chassisredirect</code>.
2040 </p>
2041
2042 <column name="options" key="distributed-port">
2043 The name of the distributed port for which this
2044 <code>chassisredirect</code> port represents a particular instance.
2045 </column>
2046
2047 <column name="options" key="redirect-chassis">
2048 The <code>chassis</code> that this <code>chassisredirect</code> port
2049 is bound to. This is taken from <ref table="Logical_Router_Port"
2050 column="options" key="redirect-chassis" db="OVN_Northbound"/>
2051 in the OVN_Northbound database's <ref table="Logical_Router_Port"
2052 db="OVN_Northbound"/> table.
2053 </column>
2054 </group>
2055
c96ba502 2056 <group title="Nested Containers">
fe36184b 2057 <p>
c96ba502
BP		 2058 These columns support containers nested within a VM. Specifically,
2059 they are used when <ref column="type"/> is empty and <ref
2060 column="logical_port"/> identifies the interface of a container spawned
2061 inside a VM. They are empty for containers or VMs that run directly on
2062 a hypervisor.
fe36184b
BP		 2063 </p>
2064
c96ba502
BP		 2065 <column name="parent_port">
2066 This is taken from
80f408f4
JP		 2067 <ref table="Logical_Switch_Port" column="parent_name"
2068 db="OVN_Northbound"/> in the OVN_Northbound database's
2069 <ref table="Logical_Switch_Port" db="OVN_Northbound"/> table.
c96ba502
BP		 2070 </column>
2071
2072 <column name="tag">
2073 <p>
2074 Identifies the VLAN tag in the network traffic associated with that
2075 container's network interface.
2076 </p>
2077
2078 <p>
2079 This column is used for a different purpose when <ref column="type"/>
184bc3ca
RB		 2080 is <code>localnet</code> (see <code>Localnet Options</code>, above)
2081 or <code>l2gateway</code> (see <code>L2 Gateway Options</code>, above).
c96ba502
BP		 2082 </p>
2083 </column>
2084 </group>
fe36184b 2085 </table>
0bac7164
BP		 2086
2087 <table name="MAC_Binding" title="IP to MAC bindings">
2088 <p>
2089 Each row in this table specifies a binding from an IP address to an
2090 Ethernet address that has been discovered through ARP (for IPv4) or
2091 neighbor discovery (for IPv6). This table is primarily used to discover
2092 bindings on physical networks, because IP-to-MAC bindings for virtual
2093 machines are usually populated statically into the <ref
2094 table="Port_Binding"/> table.
2095 </p>
2096
2097 <p>
2098 This table expresses a functional relationship: <ref
2099 table="MAC_Binding"/>(<ref column="logical_port"/>, <ref column="ip"/>) =
2100 <ref column="mac"/>.
2101 </p>
2102
2103 <p>
2104 In outline, the lifetime of a logical router's MAC binding looks like
2105 this:
2106 </p>
2107
2108 <ol>
2109 <li>
2110 On hypervisor 1, a logical router determines that a packet should be
2111 forwarded to IP address <var>A</var> on one of its router ports. It
2112 uses its logical flow table to determine that <var>A</var> lacks a
2113 static IP-to-MAC binding and the <code>get_arp</code> action to
2114 determine that it lacks a dynamic IP-to-MAC binding.
2115 </li>
2116
2117 <li>
2118 Using an OVN logical <code>arp</code> action, the logical router
2119 generates and sends a broadcast ARP request to the router port. It
2120 drops the IP packet.
2121 </li>
2122
2123 <li>
2124 The logical switch attached to the router port delivers the ARP request
2125 to all of its ports. (It might make sense to deliver it only to ports
2126 that have no static IP-to-MAC bindings, but this could also be
2127 surprising behavior.)
2128 </li>
2129
2130 <li>
2131 A host or VM on hypervisor 2 (which might be the same as hypervisor 1)
2132 attached to the logical switch owns the IP address in question. It
2133 composes an ARP reply and unicasts it to the logical router port's
2134 Ethernet address.
2135 </li>
2136
2137 <li>
2138 The logical switch delivers the ARP reply to the logical router port.
2139 </li>
2140
2141 <li>
2142 The logical router flow table executes a <code>put_arp</code> action.
2143 To record the IP-to-MAC binding, <code>ovn-controller</code> adds a row
2144 to the <ref table="MAC_Binding"/> table.
2145 </li>
2146
2147 <li>
2148 On hypervisor 1, <code>ovn-controller</code> receives the updated <ref
2149 table="MAC_Binding"/> table from the OVN southbound database. The next
2150 packet destined to <var>A</var> through the logical router is sent
2151 directly to the bound Ethernet address.
2152 </li>
2153 </ol>
2154
2155 <column name="logical_port">
2156 The logical port on which the binding was discovered.
2157 </column>
2158
2159 <column name="ip">
2160 The bound IP address.
2161 </column>
2162
2163 <column name="mac">
2164 The Ethernet address to which the IP is bound.
2165 </column>
791a7747
LS		 2166 <column name="datapath">
2167 The logical datapath to which the logical port belongs.
2168 </column>
0bac7164 2169 </table>
42814145
NS		 2170
2171 <table name="DHCP_Options" title="DHCP Options supported by native OVN DHCP">
2172 <p>
2173 Each row in this table stores the DHCP Options supported by native OVN
2174 DHCP. <code>ovn-northd</code> populates this table with the supported
2175 DHCP options. <code>ovn-controller</code> looks up this table to get the
2176 DHCP codes of the DHCP options defined in the "put_dhcp_opts" action.
2177 Please refer to the RFC 2132 <code>"https://tools.ietf.org/html/rfc2132"</code>
2178 for the possible list of DHCP options that can be defined here.
2179 </p>
2180
2181 <column name="name">
2182 <p>
2183 Name of the DHCP option.
2184 </p>
2185
2186 <p>
2187 Example. name="router"
2188 </p>
2189 </column>
2190
2191 <column name="code">
2192 <p>
2193 DHCP option code for the DHCP option as defined in the RFC 2132.
2194 </p>
2195
2196 <p>
2197 Example. code=3
2198 </p>
2199 </column>
2200
2201 <column name="type">
2202 <p>
2203 Data type of the DHCP option code.
2204 </p>
2205
2206 <dl>
2207 <dt><code>value: bool</code></dt>
2208 <dd>
2209 <p>
2210 This indicates that the value of the DHCP option is a bool.
2211 </p>
2212
2213 <p>
2214 Example. "name=ip_forward_enable", "code=19", "type=bool".
2215 </p>
2216
2217 <p>
2218 put_dhcp_opts(..., ip_forward_enable = 1,...)
2219 </p>
2220 </dd>
2221
2222 <dt><code>value: uint8</code></dt>
2223 <dd>
2224 <p>
2225 This indicates that the value of the DHCP option is an unsigned
2226 int8 (8 bits)
2227 </p>
2228
2229 <p>
2230 Example. "name=default_ttl", "code=23", "type=uint8".
2231 </p>
2232
2233 <p>
2234 put_dhcp_opts(..., default_ttl = 50,...)
2235 </p>
2236 </dd>
2237
2238 <dt><code>value: uint16</code></dt>
2239 <dd>
2240 <p>
2241 This indicates that the value of the DHCP option is an unsigned
2242 int16 (16 bits).
2243 </p>
2244
2245 <p>
2246 Example. "name=mtu", "code=26", "type=uint16".
2247 </p>
2248
2249 <p>
2250 put_dhcp_opts(..., mtu = 1450,...)
2251 </p>
2252 </dd>
2253
2254 <dt><code>value: uint32</code></dt>
2255 <dd>
2256 <p>
2257 This indicates that the value of the DHCP option is an unsigned
2258 int32 (32 bits).
2259 </p>
2260
2261 <p>
2262 Example. "name=lease_time", "code=51", "type=uint32".
2263 </p>
2264
2265 <p>
2266 put_dhcp_opts(..., lease_time = 86400,...)
2267 </p>
2268 </dd>
2269
2270 <dt><code>value: ipv4</code></dt>
2271 <dd>
2272 <p>
2273 This indicates that the value of the DHCP option is an IPv4
2274 address or addresses.
2275 </p>
2276
2277 <p>
2278 Example. "name=router", "code=3", "type=ipv4".
2279 </p>
2280
2281 <p>
2282 put_dhcp_opts(..., router = 10.0.0.1,...)
2283 </p>
2284
2285 <p>
2286 Example. "name=dns_server", "code=6", "type=ipv4".
2287 </p>
2288
2289 <p>
2290 put_dhcp_opts(..., dns_server = {8.8.8.8 7.7.7.7},...)
2291 </p>
2292 </dd>
2293
2294 <dt><code>value: static_routes</code></dt>
2295 <dd>
2296 <p>
2297 This indicates that the value of the DHCP option contains a pair of
2298 IPv4 route and next hop addresses.
2299 </p>
2300
2301 <p>
2302 Example. "name=classless_static_route", "code=121", "type=static_routes".
2303 </p>
2304
2305 <p>
2306 put_dhcp_opts(..., classless_static_route = {30.0.0.0/24,10.0.0.4,0.0.0.0/0,10.0.0.1}...)
2307 </p>
2308 </dd>
2309
2310 <dt><code>value: str</code></dt>
2311 <dd>
2312 <p>
2313 This indicates that the value of the DHCP option is a string.
2314 </p>
2315
2316 <p>
2317 Example. "name=host_name", "code=12", "type=str".
2318 </p>
2319 </dd>
2320 </dl>
2321 </column>
2322 </table>
01cfdb2f
NS		 2323
2324 <table name="DHCPv6_Options" title="DHCPv6 Options supported by native OVN DHCPv6">
2325 <p>
2326 Each row in this table stores the DHCPv6 Options supported by native OVN
2327 DHCPv6. <code>ovn-northd</code> populates this table with the supported
2328 DHCPv6 options. <code>ovn-controller</code> looks up this table to get
2329 the DHCPv6 codes of the DHCPv6 options defined in the
2330 <code>put_dhcpv6_opts</code> action. Please refer to RFC 3315 and RFC
2331 3646 for the list of DHCPv6 options that can be defined here.
2332 </p>
2333
2334 <column name="name">
2335 <p>
2336 Name of the DHCPv6 option.
2337 </p>
2338
2339 <p>
2340 Example. name="ia_addr"
2341 </p>
2342 </column>
2343
2344 <column name="code">
2345 <p>
2346 DHCPv6 option code for the DHCPv6 option as defined in the appropriate
2347 RFC.
2348 </p>
2349
2350 <p>
2351 Example. code=3
2352 </p>
2353 </column>
2354
2355 <column name="type">
2356 <p>
2357 Data type of the DHCPv6 option code.
2358 </p>
2359
2360 <dl>
2361 <dt><code>value: ipv6</code></dt>
2362 <dd>
2363 <p>
2364 This indicates that the value of the DHCPv6 option is an IPv6
2365 address(es).
2366 </p>
2367
2368 <p>
2369 Example. "name=ia_addr", "code=5", "type=ipv6".
2370 </p>
2371
2372 <p>
2373 put_dhcpv6_opts(..., ia_addr = ae70::4,...)
2374 </p>
2375 </dd>
2376
2377 <dt><code>value: str</code></dt>
2378 <dd>
2379 <p>
2380 This indicates that the value of the DHCPv6 option is a string.
2381 </p>
2382
2383 <p>
2384 Example. "name=domain_search", "code=24", "type=str".
2385 </p>
2386
2387 <p>
2388 put_dhcpv6_opts(..., domain_search = ovn.domain,...)
2389 </p>
2390 </dd>
2391
2392 <dt><code>value: mac</code></dt>
2393 <dd>
2394 <p>
2395 This indicates that the value of the DHCPv6 option is a MAC address.
2396 </p>
2397
2398 <p>
2399 Example. "name=server_id", "code=2", "type=mac".
2400 </p>
2401
2402 <p>
2403 put_dhcpv6_opts(..., server_id = 01:02:03:04L05:06,...)
2404 </p>
2405 </dd>
2406 </dl>
2407 </column>
2408 </table>
7fff4eb7
LR		 2409 <table name="Connection" title="OVSDB client connections.">
2410 <p>
2411 Configuration for a database connection to an Open vSwitch database
2412 (OVSDB) client.
2413 </p>
2414
2415 <p>
2416 This table primarily configures the Open vSwitch database server
2417 (<code>ovsdb-server</code>).
2418 </p>
2419
2420 <p>
2421 The Open vSwitch database server can initiate and maintain active
2422 connections to remote clients. It can also listen for database
2423 connections.
2424 </p>
2425
2426 <group title="Core Features">
2427 <column name="target">
2428 <p>Connection methods for clients.</p>
2429 <p>
2430 The following connection methods are currently supported:
2431 </p>
2432 <dl>
2433 <dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
2434 <dd>
2435 <p>
2436 The specified SSL <var>port</var> on the host at the given
2437 <var>ip</var>, which must be expressed as an IP address
10471820
LR		 2438 (not a DNS name). A valid SSL configuration must be provided
2439 when this form is used, this configuration can be specified
2440 via command-line options or the <ref table="SSL"/> table.
7fff4eb7
LR		 2441 </p>
2442 <p>
2443 If <var>port</var> is not specified, it defaults to 6640.
2444 </p>
2445 <p>
2446 SSL support is an optional feature that is not always
2447 built as part of Open vSwitch.
2448 </p>
2449 </dd>
2450
2451 <dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
2452 <dd>
2453 <p>
2454 The specified TCP <var>port</var> on the host at the given
2455 <var>ip</var>, which must be expressed as an IP address (not a
2456 DNS name), where <var>ip</var> can be IPv4 or IPv6 address. If
2457 <var>ip</var> is an IPv6 address, wrap it in square brackets,
2458 e.g. <code>tcp:[::1]:6640</code>.
2459 </p>
2460 <p>
2461 If <var>port</var> is not specified, it defaults to 6640.
2462 </p>
2463 </dd>
2464 <dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
2465 <dd>
2466 <p>
2467 Listens for SSL connections on the specified TCP <var>port</var>.
2468 Specify 0 for <var>port</var> to have the kernel automatically
2469 choose an available port. If <var>ip</var>, which must be
2470 expressed as an IP address (not a DNS name), is specified, then
2471 connections are restricted to the specified local IP address
2472 (either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
2473 address, wrap in square brackets,
2474 e.g. <code>pssl:6640:[::1]</code>. If <var>ip</var> is not
2475 specified then it listens only on IPv4 (but not IPv6) addresses.
10471820
LR		 2476 A valid SSL configuration must be provided when this form is used,
2477 this can be specified either via command-line options or the
2478 <ref table="SSL"/> table.
7fff4eb7
LR		 2479 </p>
2480 <p>
2481 If <var>port</var> is not specified, it defaults to 6640.
2482 </p>
2483 <p>
2484 SSL support is an optional feature that is not always built as
2485 part of Open vSwitch.
2486 </p>
2487 </dd>
2488 <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
2489 <dd>
2490 <p>
2491 Listens for connections on the specified TCP <var>port</var>.
2492 Specify 0 for <var>port</var> to have the kernel automatically
2493 choose an available port. If <var>ip</var>, which must be
2494 expressed as an IP address (not a DNS name), is specified, then
2495 connections are restricted to the specified local IP address
2496 (either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
2497 address, wrap it in square brackets,
2498 e.g. <code>ptcp:6640:[::1]</code>. If <var>ip</var> is not
2499 specified then it listens only on IPv4 addresses.
2500 </p>
2501 <p>
2502 If <var>port</var> is not specified, it defaults to 6640.
2503 </p>
2504 </dd>
2505 </dl>
2506 <p>When multiple clients are configured, the <ref column="target"/>
2507 values must be unique. Duplicate <ref column="target"/> values yield
2508 unspecified results.</p>
2509 </column>
2510
2511 <column name="read_only">
2512 <code>true</code> to restrict these connections to read-only
2513 transactions, <code>false</code> to allow them to modify the database.
2514 </column>
2515 </group>
2516
2517 <group title="Client Failure Detection and Handling">
2518 <column name="max_backoff">
2519 Maximum number of milliseconds to wait between connection attempts.
2520 Default is implementation-specific.
2521 </column>
2522
2523 <column name="inactivity_probe">
2524 Maximum number of milliseconds of idle time on connection to the client
2525 before sending an inactivity probe message. If Open vSwitch does not
2526 communicate with the client for the specified number of seconds, it
2527 will send a probe. If a response is not received for the same
2528 additional amount of time, Open vSwitch assumes the connection has been
2529 broken and attempts to reconnect. Default is implementation-specific.
2530 A value of 0 disables inactivity probes.
2531 </column>
2532 </group>
2533
2534 <group title="Status">
2535 <p>
2536 Key-value pair of <ref column="is_connected"/> is always updated.
2537 Other key-value pairs in the status columns may be updated depends
2538 on the <ref column="target"/> type.
2539 </p>
2540
2541 <p>
2542 When <ref column="target"/> specifies a connection method that
2543 listens for inbound connections (e.g. <code>ptcp:</code> or
2544 <code>punix:</code>), both <ref column="n_connections"/> and
2545 <ref column="is_connected"/> may also be updated while the
2546 remaining key-value pairs are omitted.
2547 </p>
2548
2549 <p>
2550 On the other hand, when <ref column="target"/> specifies an
2551 outbound connection, all key-value pairs may be updated, except
2552 the above-mentioned two key-value pairs associated with inbound
2553 connection targets. They are omitted.
2554 </p>
2555
2556 <column name="is_connected">
2557 <code>true</code> if currently connected to this client,
2558 <code>false</code> otherwise.
2559 </column>
2560
2561 <column name="status" key="last_error">
2562 A human-readable description of the last error on the connection
2563 to the manager; i.e. <code>strerror(errno)</code>. This key
2564 will exist only if an error has occurred.
2565 </column>
2566
2567 <column name="status" key="state"
2568 type='{"type": "string", "enum": ["set", ["VOID", "BACKOFF", "CONNECTING", "ACTIVE", "IDLE"]]}'>
2569 <p>
2570 The state of the connection to the manager:
2571 </p>
2572 <dl>
2573 <dt><code>VOID</code></dt>
2574 <dd>Connection is disabled.</dd>
2575
2576 <dt><code>BACKOFF</code></dt>
2577 <dd>Attempting to reconnect at an increasing period.</dd>
2578
2579 <dt><code>CONNECTING</code></dt>
2580 <dd>Attempting to connect.</dd>
2581
2582 <dt><code>ACTIVE</code></dt>
2583 <dd>Connected, remote host responsive.</dd>
2584
2585 <dt><code>IDLE</code></dt>
2586 <dd>Connection is idle. Waiting for response to keep-alive.</dd>
2587 </dl>
2588 <p>
2589 These values may change in the future. They are provided only for
2590 human consumption.
2591 </p>
2592 </column>
2593
2594 <column name="status" key="sec_since_connect"
2595 type='{"type": "integer", "minInteger": 0}'>
2596 The amount of time since this client last successfully connected
2597 to the database (in seconds). Value is empty if client has never
2598 successfully been connected.
2599 </column>
2600
2601 <column name="status" key="sec_since_disconnect"
2602 type='{"type": "integer", "minInteger": 0}'>
2603 The amount of time since this client last disconnected from the
2604 database (in seconds). Value is empty if client has never
2605 disconnected.
2606 </column>
2607
2608 <column name="status" key="locks_held">
2609 Space-separated list of the names of OVSDB locks that the connection
2610 holds. Omitted if the connection does not hold any locks.
2611 </column>
2612
2613 <column name="status" key="locks_waiting">
2614 Space-separated list of the names of OVSDB locks that the connection is
2615 currently waiting to acquire. Omitted if the connection is not waiting
2616 for any locks.
2617 </column>
2618
2619 <column name="status" key="locks_lost">
2620 Space-separated list of the names of OVSDB locks that the connection
2621 has had stolen by another OVSDB client. Omitted if no locks have been
2622 stolen from this connection.
2623 </column>
2624
2625 <column name="status" key="n_connections"
2626 type='{"type": "integer", "minInteger": 2}'>
2627 When <ref column="target"/> specifies a connection method that
2628 listens for inbound connections (e.g. <code>ptcp:</code> or
2629 <code>pssl:</code>) and more than one connection is actually active,
2630 the value is the number of active connections. Otherwise, this
2631 key-value pair is omitted.
2632 </column>
2633
2634 <column name="status" key="bound_port" type='{"type": "integer"}'>
2635 When <ref column="target"/> is <code>ptcp:</code> or
2636 <code>pssl:</code>, this is the TCP port on which the OVSDB server is
2637 listening. (This is particularly useful when <ref
2638 column="target"/> specifies a port of 0, allowing the kernel to
2639 choose any available port.)
2640 </column>
2641 </group>
2642
2643 <group title="Common Columns">
2644 The overall purpose of these columns is described under <code>Common
2645 Columns</code> at the beginning of this document.
2646
2647 <column name="external_ids"/>
2648 <column name="other_config"/>
2649 </group>
2650 </table>
10471820
LR		 2651 <table name="SSL">
2652 SSL configuration for ovn-sb database access.
2653
2654 <column name="private_key">
2655 Name of a PEM file containing the private key used as the switch's
2656 identity for SSL connections to the controller.
2657 </column>
2658
2659 <column name="certificate">
2660 Name of a PEM file containing a certificate, signed by the
2661 certificate authority (CA) used by the controller and manager,
2662 that certifies the switch's private key, identifying a trustworthy
2663 switch.
2664 </column>
2665
2666 <column name="ca_cert">
2667 Name of a PEM file containing the CA certificate used to verify
2668 that the switch is connected to a trustworthy controller.
2669 </column>
2670
2671 <column name="bootstrap_ca_cert">
2672 If set to <code>true</code>, then Open vSwitch will attempt to
2673 obtain the CA certificate from the controller on its first SSL
2674 connection and save it to the named PEM file. If it is successful,
2675 it will immediately drop the connection and reconnect, and from then
2676 on all SSL connections must be authenticated by a certificate signed
2677 by the CA certificate thus obtained. <em>This option exposes the
2678 SSL connection to a man-in-the-middle attack obtaining the initial
2679 CA certificate.</em> It may still be useful for bootstrapping.
2680 </column>
2681
2682 <group title="Common Columns">
2683 The overall purpose of these columns is described under <code>Common
2684 Columns</code> at the beginning of this document.
2685
2686 <column name="external_ids"/>
2687 </group>
2688 </table>
fe36184b 2689</database>
openvswitch packages for PVE