]> git.proxmox.com Git - ovs.git/blame - vtep/vtep.xml
projects / ovs.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
flow: Avoid buffer overread in parse_nsh() for malformed packet.
[ovs.git] / vtep / vtep.xml
CommitLineData
add17b69 1<?xml version="1.0" encoding="utf-8"?>
57ba0a77 2<database name="vtep" title="Hardware VTEP Database">
add17b69
BD		 3 <p>
4 This schema specifies relations that a VTEP can use to integrate
5 physical ports into logical switches maintained by a network
6 virtualization controller such as NSX.
7 </p>
f86f54a9 8
add17b69
BD		 9 <p>Glossary:</p>
10
11 <dl>
12 <dt>VTEP</dt>
13 <dd>
14 VXLAN Tunnel End Point, an entity which originates and/or terminates
15 VXLAN tunnels.
16 </dd>
17
18 <dt>HSC</dt>
19 <dd>
20 Hardware Switch Controller.
21 </dd>
22
23 <dt>NVC</dt>
24 <dd>
25 Network Virtualization Controller, e.g. NSX.
26 </dd>
27
28 <dt>VRF</dt>
29 <dd>
30 Virtual Routing and Forwarding instance.
31 </dd>
f86f54a9 32 </dl>
add17b69 33
3e769995
SS		 34 <h2>Common Column</h2>
35
36 <p>
37 Some tables contain a column, named <code>other_config</code>.
38 This column has the same form and purpose each place that it appears,
39 so we describe it here to save space later.
40 </p>
41
42 <dl>
43 <dt><code>other_config</code>: map of string-string pairs</dt>
44 <dd>
45 <p>
46 Key-value pairs for configuring rarely used or proprietary features.
47 </p>
48 <p>
49 Some tables do not have <code>other_config</code> column because no
50 key-value pairs have yet been defined for them.
51 </p>
52 </dd>
53 </dl>
54
add17b69
BD		 55 <table name="Global" title="Top-level configuration.">
56 Top-level configuration for a hardware VTEP. There must be
57 exactly one record in the <ref table="Global"/> table.
58
59 <column name="switches">
849222dd
BP		 60 <p>
61 The physical switch or switches managed by the VTEP.
62 </p>
63
64 <p>
65 When a physical switch integrates support for this VTEP schema, which
66 is expected to be the most common case, this column should point to one
67 <ref table="Physical_Switch"/> record that represents the switch
68 itself. In another possible implementation, a server or a VM presents
69 a VTEP schema front-end interface to one or more physical switches,
70 presumably communicating with those physical switches over a
71 proprietary protocol. In that case, this column would point to one
72 <ref table="Physical_Switch"/> for each physical switch, and the set
73 might change over time as the front-end server comes to represent a
74 differing set of switches.
75 </p>
add17b69
BD		 76 </column>
77
78 <group title="Database Configuration">
79 <p>
80 These columns primarily configure the database server
81 (<code>ovsdb-server</code>), not the hardware VTEP itself.
82 </p>
83
84 <column name="managers">
85 Database clients to which the database server should connect or
86 to which it should listen, along with options for how these
87 connection should be configured. See the <ref table="Manager"/>
88 table for more information.
89 </column>
90 </group>
ff35498b
DS		 91
92 <group title="Common Column">
93 The overall purpose of this column is described under <code>Common
94 Column</code> at the beginning of this document.
95
96 <column name="other_config"/>
97 </group>
98
add17b69
BD		 99 </table>
100
101 <table name="Manager" title="OVSDB management connection.">
102 <p>
103 Configuration for a database connection to an Open vSwitch Database
104 (OVSDB) client.
105 </p>
106
107 <p>
108 The database server can initiate and maintain active connections
109 to remote clients. It can also listen for database connections.
110 </p>
111
112 <group title="Core Features">
113 <column name="target">
114 <p>Connection method for managers.</p>
115 <p>
116 The following connection methods are currently supported:
117 </p>
118 <dl>
119 <dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
120 <dd>
121 <p>
d4763d1d 122 The specified SSL <var>port</var> (default: 6640) on the host at
add17b69
BD		 123 the given <var>ip</var>, which must be expressed as an IP address
124 (not a DNS name).
125 </p>
126 <p>
fdf059ff
BD		 127 SSL key and certificate configuration happens outside the
128 database.
add17b69
BD		 129 </p>
130 </dd>
131
132 <dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
133 <dd>
d4763d1d 134 The specified TCP <var>port</var> (default: 6640) on the host at
add17b69
BD		 135 the given <var>ip</var>, which must be expressed as an IP address
136 (not a DNS name).
137 </dd>
138 <dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
139 <dd>
140 <p>
141 Listens for SSL connections on the specified TCP <var>port</var>
d4763d1d 142 (default: 6640). If <var>ip</var>, which must be expressed as an
add17b69
BD		 143 IP address (not a DNS name), is specified, then connections are
144 restricted to the specified local IP address.
145 </p>
146 </dd>
147 <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
148 <dd>
149 Listens for connections on the specified TCP <var>port</var>
d4763d1d 150 (default: 6640). If <var>ip</var>, which must be expressed as an
add17b69
BD		 151 IP address (not a DNS name), is specified, then connections are
152 restricted to the specified local IP address.
153 </dd>
154 </dl>
155 </column>
156 </group>
157
158 <group title="Client Failure Detection and Handling">
159 <column name="max_backoff">
160 Maximum number of milliseconds to wait between connection attempts.
161 Default is implementation-specific.
162 </column>
163
164 <column name="inactivity_probe">
165 Maximum number of milliseconds of idle time on connection to the
166 client before sending an inactivity probe message. If the Open
167 vSwitch database does not communicate with the client for the
168 specified number of seconds, it will send a probe. If a
169 response is not received for the same additional amount of time,
170 the database server assumes the connection has been broken
171 and attempts to reconnect. Default is implementation-specific.
172 A value of 0 disables inactivity probes.
173 </column>
174 </group>
175
176 <group title="Status">
177 <column name="is_connected">
178 <code>true</code> if currently connected to this manager,
179 <code>false</code> otherwise.
180 </column>
181
182 <column name="status" key="last_error">
183 A human-readable description of the last error on the connection
184 to the manager; i.e. <code>strerror(errno)</code>. This key
185 will exist only if an error has occurred.
186 </column>
187
188 <column name="status" key="state"
189 type='{"type": "string", "enum": ["set", ["VOID", "BACKOFF", "CONNECTING", "ACTIVE", "IDLE"]]}'>
190 <p>
191 The state of the connection to the manager:
192 </p>
193 <dl>
194 <dt><code>VOID</code></dt>
195 <dd>Connection is disabled.</dd>
196
197 <dt><code>BACKOFF</code></dt>
198 <dd>Attempting to reconnect at an increasing period.</dd>
199
200 <dt><code>CONNECTING</code></dt>
201 <dd>Attempting to connect.</dd>
202
203 <dt><code>ACTIVE</code></dt>
204 <dd>Connected, remote host responsive.</dd>
205
206 <dt><code>IDLE</code></dt>
207 <dd>Connection is idle. Waiting for response to keep-alive.</dd>
208 </dl>
209 <p>
210 These values may change in the future. They are provided only for
211 human consumption.
212 </p>
213 </column>
214
215 <column name="status" key="sec_since_connect"
216 type='{"type": "integer", "minInteger": 0}'>
217 The amount of time since this manager last successfully connected
218 to the database (in seconds). Value is empty if manager has never
219 successfully connected.
220 </column>
221
222 <column name="status" key="sec_since_disconnect"
223 type='{"type": "integer", "minInteger": 0}'>
224 The amount of time since this manager last disconnected from the
225 database (in seconds). Value is empty if manager has never
226 disconnected.
227 </column>
228
229 <column name="status" key="locks_held">
230 Space-separated list of the names of OVSDB locks that the connection
231 holds. Omitted if the connection does not hold any locks.
232 </column>
233
234 <column name="status" key="locks_waiting">
235 Space-separated list of the names of OVSDB locks that the connection is
236 currently waiting to acquire. Omitted if the connection is not waiting
237 for any locks.
238 </column>
239
240 <column name="status" key="locks_lost">
241 Space-separated list of the names of OVSDB locks that the connection
242 has had stolen by another OVSDB client. Omitted if no locks have been
243 stolen from this connection.
244 </column>
245
246 <column name="status" key="n_connections"
247 type='{"type": "integer", "minInteger": 2}'>
248 <p>
249 When <ref column="target"/> specifies a connection method that
250 listens for inbound connections (e.g. <code>ptcp:</code> or
251 <code>pssl:</code>) and more than one connection is actually active,
252 the value is the number of active connections. Otherwise, this
253 key-value pair is omitted.
254 </p>
255 <p>
256 When multiple connections are active, status columns and key-value
257 pairs (other than this one) report the status of one arbitrarily
258 chosen connection.
259 </p>
260 </column>
261 </group>
262
263 <group title="Connection Parameters">
264 <p>
265 Additional configuration for a connection between the manager
266 and the database server.
267 </p>
268
269 <column name="other_config" key="dscp"
f86f54a9 270 type='{"type": "integer"}'>
add17b69
BD		 271 The Differentiated Service Code Point (DSCP) is specified using 6 bits
272 in the Type of Service (TOS) field in the IP header. DSCP provides a
273 mechanism to classify the network traffic and provide Quality of
274 Service (QoS) on IP networks.
275
276 The DSCP value specified here is used when establishing the
277 connection between the manager and the database server. If no
278 value is specified, a default value of 48 is chosen. Valid DSCP
279 values must be in the range 0 to 63.
280 </column>
281 </group>
282 </table>
283
284 <table name="Physical_Switch" title="A physical switch.">
285 A physical switch that implements a VTEP.
286
287 <column name="ports">
288 The physical ports within the switch.
289 </column>
290
c8f4eed5
AS		 291 <column name="tunnels">
292 Tunnels created by this switch as instructed by the NVC.
293 </column>
294
add17b69
BD		 295 <group title="Network Status">
296 <column name="management_ips">
297 IPv4 or IPv6 addresses at which the switch may be contacted
298 for management purposes.
299 </column>
300
301 <column name="tunnel_ips">
302 <p>
303 IPv4 or IPv6 addresses on which the switch may originate or
304 terminate tunnels.
305 </p>
306
307 <p>
308 This column is intended to allow a <ref table="Manager"/> to
309 determine the <ref table="Physical_Switch"/> that terminates
310 the tunnel represented by a <ref table="Physical_Locator"/>.
311 </p>
312 </column>
313 </group>
314
315 <group title="Identification">
316 <column name="name">
fdf059ff 317 Symbolic name for the switch, such as its hostname.
add17b69 318 </column>
f86f54a9 319
add17b69 320 <column name="description">
fdf059ff
BD		 321 An extended description for the switch, such as its switch login
322 banner.
add17b69
BD		 323 </column>
324 </group>
255842d9
BD		 325 <group title="Error Notification">
326 <p>
fdf059ff
BD		 327 An entry in this column indicates to the NVC that this switch
328 has encountered a fault. The switch must clear this column
329 when the fault has been cleared.
255842d9
BD		 330 </p>
331
332 <column name="switch_fault_status" key="mac_table_exhaustion">
333 Indicates that the switch has been unable to process MAC
334 entries requested by the NVC due to lack of table resources.
335 </column>
336
337 <column name="switch_fault_status" key="tunnel_exhaustion">
338 Indicates that the switch has been unable to create tunnels
339 requested by the NVC due to lack of resources.
340 </column>
341
1f661ac7
DS		 342 <column name="switch_fault_status" key="lr_switch_bindings_fault">
343 Indicates that the switch has been unable to create the logical router
344 interfaces requested by the NVC due to conflicting configurations or a
345 lack of hardware resources.
346 </column>
347
348 <column name="switch_fault_status" key="lr_static_routes_fault">
349 Indicates that the switch has been unable to create the static routes
350 requested by the NVC due to conflicting configurations or a lack of
351 hardware resources.
352 </column>
353
354 <column name="switch_fault_status" key="lr_creation_fault">
355 Indicates that the switch has been unable to create the logical router
356 requested by the NVC due to conflicting configurations or a lack of
357 hardware resources.
358 </column>
359
360 <column name="switch_fault_status" key="lr_support_fault">
361 Indicates that the switch does not support logical routing.
362 </column>
363
255842d9
BD		 364 <column name="switch_fault_status" key="unspecified_fault">
365 Indicates that an error has occurred in the switch but that no
366 more specific information is available.
367 </column>
b351ac0c
DB		 368
369 <column name="switch_fault_status"
370 key="unsupported_source_node_replication">
371 Indicates that the requested source node replication mode cannot be
372 supported by the physical switch; this specifically means in this
373 context that the physical switch lacks the capability to support
374 source node replication mode. This error occurs when a controller
375 attempts to set source node replication mode for one of the logical
376 switches that the physical switch is keeping context for. An NVC
377 that observes this error should take appropriate action (for example
378 reverting the logical switch to service node replication mode).
379 It is recommended that an NVC be proactive and test for support of
380 source node replication by using a test logical switch on vtep
381 physical switch nodes and then trying to change the replication mode
382 to source node on this logical switch, checking for error. The NVC
383 could remember this capability per vtep physical switch. Using
384 mixed replication modes on a given logical switch is not recommended.
385 Service node replication mode is considered a basic requirement
386 since it only requires sending a packet to a single transport node,
387 hence it is not expected that a switch should report that service
388 node mode cannot be supported.
389 </column>
3e769995
SS		 390 </group>
391
392 <group title="Common Column">
393 The overall purpose of this column is described under <code>Common
394 Column</code> at the beginning of this document.
255842d9 395
3e769995 396 <column name="other_config"/>
255842d9 397 </group>
3e769995 398
add17b69
BD		 399 </table>
400
c8f4eed5
AS		 401 <table name="Tunnel" title="A tunnel created by a physical switch.">
402 A tunnel created by a <ref table="Physical_Switch"/>.
403
404 <column name="local">
405 Tunnel end-point local to the physical switch.
406 </column>
407
408 <column name="remote">
409 Tunnel end-point remote to the physical switch.
410 </column>
411
412 <group title="Bidirectional Forwarding Detection (BFD)">
413 <p>
414 BFD, defined in RFC 5880, allows point to point detection of
415 connectivity failures by occasional transmission of BFD control
416 messages. VTEPs are expected to implement BFD.
417 </p>
418
419 <p>
420 BFD operates by regularly transmitting BFD control messages at a
421 rate negotiated independently in each direction. Each endpoint
422 specifies the rate at which it expects to receive control messages,
423 and the rate at which it's willing to transmit them. An endpoint
424 which fails to receive BFD control messages for a period of three
425 times the expected reception rate will signal a connectivity
426 fault. In the case of a unidirectional connectivity issue, the
427 system not receiving BFD control messages will signal the problem
428 to its peer in the messages it transmits.
429 </p>
430
431 <p>
432 A hardware VTEP is expected to use BFD to determine reachability of
433 devices at the end of the tunnels with which it exchanges data. This
434 can enable the VTEP to choose a functioning service node among a set of
435 service nodes providing high availability. It also enables the NVC to
436 report the health status of tunnels.
437 </p>
438
439 <p>
19289787 440 In many cases the BFD peer of a hardware VTEP will be an Open vSwitch
c8f4eed5
AS		 441 instance. The Open vSwitch implementation of BFD aims to comply
442 faithfully with the requirements put forth in RFC 5880. Open vSwitch
443 does not implement the optional Authentication or ``Echo Mode''
444 features.
445 </p>
446
447 <group title="BFD Local Configuration">
448 <p>
449 The HSC writes the key-value pairs in the
07bb41a9 450 <ref column="bfd_config_local"/> column to specify the local
c8f4eed5
AS		 451 configurations to be used for BFD sessions on this tunnel.
452 </p>
453
454 <column name="bfd_config_local" key="bfd_dst_mac">
455 Set to an Ethernet address in the form
456 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
457 to set the MAC expected as destination for received BFD packets.
16ee1400 458 The default is <code>00:23:20:00:00:01</code>.
c8f4eed5
AS		 459 </column>
460
461 <column name="bfd_config_local" key="bfd_dst_ip">
462 Set to an IPv4 address to set the IP address that is expected as destination
463 for received BFD packets. The default is <code>169.254.1.0</code>.
464 </column>
465
466 </group>
467
468 <group title="BFD Remote Configuration">
469 <p>
470 The <ref column="bfd_config_remote"/> column is the remote
471 counterpart of the <ref column="bfd_config_local"/> column.
472 The NVC writes the key-value pairs in this column.
473 </p>
474
475 <column name="bfd_config_remote" key="bfd_dst_mac">
476 Set to an Ethernet address in the form
477 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
478 to set the destination MAC to be used for transmitted BFD packets.
479 The default is <code>00:23:20:00:00:01</code>.
480 </column>
481
482 <column name="bfd_config_remote" key="bfd_dst_ip">
483 Set to an IPv4 address to set the IP address used as destination
484 for transmitted BFD packets. The default is <code>169.254.1.1</code>.
485 </column>
486
487 </group>
488
489 <group title="BFD Parameters">
490 <p>
491 The NVC sets up key-value pairs in the <ref column="bfd_params"/>
492 column to enable and configure BFD.
493 </p>
494
495 <column name="bfd_params" key="enable" type='{"type": "boolean"}'>
19289787
AT		 496 True to enable BFD on this <ref table="Tunnel"/>. If not
497 specified, BFD will not be enabled by default.
c8f4eed5
AS		 498 </column>
499
500 <column name="bfd_params" key="min_rx"
501 type='{"type": "integer", "minInteger": 1}'>
502 The shortest interval, in milliseconds, at which this BFD session
503 offers to receive BFD control messages. The remote endpoint may
504 choose to send messages at a slower rate. Defaults to
505 <code>1000</code>.
506 </column>
507
508 <column name="bfd_params" key="min_tx"
509 type='{"type": "integer", "minInteger": 1}'>
510 The shortest interval, in milliseconds, at which this BFD session is
511 willing to transmit BFD control messages. Messages will actually be
512 transmitted at a slower rate if the remote endpoint is not willing to
513 receive as quickly as specified. Defaults to <code>100</code>.
514 </column>
515
516 <column name="bfd_params" key="decay_min_rx" type='{"type": "integer"}'>
517 An alternate receive interval, in milliseconds, that must be greater
19289787
AT		 518 than or equal to <ref column="bfd_params" key="min_rx"/>. The
519 implementation should switch from <ref column="bfd_params" key="min_rx"/>
520 to <ref column="bfd_params" key="decay_min_rx"/> when there is no obvious
521 incoming data traffic at the tunnel, to reduce the CPU and bandwidth
522 cost of monitoring an idle tunnel. This feature may be disabled by
523 setting a value of 0. This feature is reset whenever
524 <ref column="bfd_params" key="decay_min_rx"/> or
525 <ref column="bfd_params" key="min_rx"/> changes.
c8f4eed5
AS		 526 </column>
527
528 <column name="bfd_params" key="forwarding_if_rx" type='{"type": "boolean"}'>
19289787
AT		 529 When <code>true</code>, traffic received on the <ref table="Tunnel"/>
530 is used to indicate the capability of packet I/O.
531 BFD control packets are still transmitted and received. At least one
532 BFD control packet must be received every
533 100 * <ref column="bfd_params" key="min_rx"/> amount of time.
534 Otherwise, even if traffic is received, the
535 <ref column="bfd_params" key="forwarding"/> will be <code>false</code>.
c8f4eed5
AS		 536 </column>
537
538 <column name="bfd_params" key="cpath_down" type='{"type": "boolean"}'>
539 Set to true to notify the remote endpoint that traffic should not be
07bb41a9 540 forwarded to this system for some reason other than a connectivity
c8f4eed5
AS		 541 failure on the interface being monitored. The typical underlying
542 reason is ``concatenated path down,'' that is, that connectivity
543 beyond the local system is down. Defaults to false.
544 </column>
545
546 <column name="bfd_params" key="check_tnl_key" type='{"type": "boolean"}'>
547 Set to true to make BFD accept only control messages with a tunnel
548 key of zero. By default, BFD accepts control messages with any
549 tunnel key.
550 </column>
551
552 </group>
553
19289787
AT		 554 <group title="BFD Status">
555 <p>
556 The VTEP sets key-value pairs in the <ref column="bfd_status"/>
557 column to report the status of BFD on this tunnel. When BFD is
558 not enabled, with <ref column="bfd_params" key="enable"/>, the
559 HSC clears all key-value pairs from <ref column="bfd_status"/>.
560 </p>
c8f4eed5 561
19289787
AT		 562 <column name="bfd_status" key="enabled" type='{"type": "boolean"}'>
563 Set to true if the BFD session has been successfully enabled.
564 Set to false if the VTEP cannot support BFD or has insufficient
565 resources to enable BFD on this tunnel. The NVC will disable
566 the BFD monitoring on the other side of the tunnel once this
567 value is set to false.
568 </column>
16ee1400 569
19289787
AT		 570 <column name="bfd_status" key="state"
571 type='{"type": "string",
c8f4eed5 572 "enum": ["set", ["admin_down", "down", "init", "up"]]}'>
19289787
AT		 573 Reports the state of the BFD session. The BFD session is fully
574 healthy and negotiated if <code>UP</code>.
575 </column>
c8f4eed5 576
19289787
AT		 577 <column name="bfd_status" key="forwarding" type='{"type": "boolean"}'>
578 Reports whether the BFD session believes this <ref table="Tunnel"/>
579 may be used to forward traffic. Typically this means the local session
580 is signaling <code>UP</code>, and the remote system isn't signaling a
581 problem such as concatenated path down.
582 </column>
c8f4eed5 583
19289787
AT		 584 <column name="bfd_status" key="diagnostic">
585 A diagnostic code specifying the local system's reason for the
586 last change in session state. The error messages are defined in
587 section 4.1 of [RFC 5880].
588 </column>
c8f4eed5 589
19289787
AT		 590 <column name="bfd_status" key="remote_state"
591 type='{"type": "string",
c8f4eed5 592 "enum": ["set", ["admin_down", "down", "init", "up"]]}'>
19289787
AT		 593 Reports the state of the remote endpoint's BFD session.
594 </column>
c8f4eed5 595
19289787
AT		 596 <column name="bfd_status" key="remote_diagnostic">
597 A diagnostic code specifying the remote system's reason for the
598 last change in session state. The error messages are defined in
599 section 4.1 of [RFC 5880].
600 </column>
16ee1400 601
19289787
AT		 602 <column name="bfd_status" key="info">
603 A short message providing further information about the BFD status
604 (possibly including reasons why BFD could not be enabled).
605 </column>
c8f4eed5
AS		 606 </group>
607 </group>
608 </table>
609
add17b69
BD		 610 <table name="Physical_Port" title="A port within a physical switch.">
611 A port within a <ref table="Physical_Switch"/>.
612
613 <column name="vlan_bindings">
614 Identifies how VLANs on the physical port are bound to logical switches.
615 If, for example, the map contains a (VLAN, logical switch) pair, a packet
616 that arrives on the port in the VLAN is considered to belong to the
b49f5f7a
BD		 617 paired logical switch. A value of zero in the VLAN field means
618 that untagged traffic on the physical port is mapped to the
619 logical switch.
add17b69
BD		 620 </column>
621
c0c1dccb
BD		 622 <column name="acl_bindings">
623 <p>
624 Attach Access Control Lists (ACLs) to the physical port. The
625 column consists of a map of VLAN tags to <ref table="ACL"/>s. If the value of
626 the VLAN tag in the map is 0, this means that the ACL is
627 associated with the entire physical port. Non-zero values mean
628 that the ACL is to be applied only on packets carrying that VLAN
629 tag value. Switches will not necessarily support matching on the
630 VLAN tag for all ACLs, and unsupported ACL bindings will cause
631 errors to be reported. The binding of an ACL to a specific
632 VLAN and the binding of an ACL to the entire physical port
633 should not be combined on a single physical port. That is, a
634 mix of zero and non-zero keys in the map is not recommended.
635 </p>
636 </column>
637
add17b69
BD		 638 <column name="vlan_stats">
639 Statistics for VLANs bound to logical switches on the physical port. An
640 implementation that fully supports such statistics would populate this
641 column with a mapping for every VLAN that is bound in <ref
642 column="vlan_bindings"/>. An implementation that does not support such
643 statistics or only partially supports them would not populate this column
b49f5f7a
BD		 644 or partially populate it, respectively. A value of zero in the
645 VLAN field refers to untagged traffic on the physical port.
add17b69
BD		 646 </column>
647
648 <group title="Identification">
649 <column name="name">
fdf059ff
BD		 650 Symbolic name for the port. The name ought to be unique within a given
651 <ref table="Physical_Switch"/>, but the database is not capable of
652 enforcing this.
add17b69
BD		 653 </column>
654
655 <column name="description">
fdf059ff 656 An extended description for the port.
add17b69
BD		 657 </column>
658 </group>
255842d9
BD		 659 <group title="Error Notification">
660 <p>
fdf059ff 661 An entry in this column indicates to the NVC that the physical port has
07bb41a9 662 encountered a fault. The switch must clear this column when the error
fdf059ff 663 has been cleared.
255842d9
BD		 664 </p>
665 <column name="port_fault_status" key="invalid_vlan_map">
fdf059ff
BD		 666 <p>
667 Indicates that a VLAN-to-logical-switch mapping requested by
668 the controller could not be instantiated by the switch
669 because of a conflict with local configuration.
670 </p>
255842d9 671 </column>
c0c1dccb
BD		 672 <column name="port_fault_status" key="invalid_ACL_binding">
673 <p>
674 Indicates that an error has occurred in associating an ACL
675 with a port.
676 </p>
677 </column>
255842d9 678 <column name="port_fault_status" key="unspecified_fault">
fdf059ff
BD		 679 <p>
680 Indicates that an error has occurred on the port but that no
681 more specific information is available.
682 </p>
255842d9
BD		 683 </column>
684 </group>
685
3e769995
SS		 686 <group title="Common Column">
687 The overall purpose of this column is described under <code>Common
688 Column</code> at the beginning of this document.
689
690 <column name="other_config"/>
691 </group>
692
add17b69
BD		 693 </table>
694
695 <table name="Logical_Binding_Stats" title="Statistics for a VLAN on a physical port bound to a logical network.">
696 Reports statistics for the <ref table="Logical_Switch"/> with which a VLAN
697 on a <ref table="Physical_Port"/> is associated.
698
699 <group title="Statistics">
700 These statistics count only packets to which the binding applies.
701
702 <column name="packets_from_local">
703 Number of packets sent by the <ref table="Physical_Switch"/>.
704 </column>
705
706 <column name="bytes_from_local">
707 Number of bytes in packets sent by the <ref table="Physical_Switch"/>.
708 </column>
709
710 <column name="packets_to_local">
711 Number of packets received by the <ref table="Physical_Switch"/>.
712 </column>
713
714 <column name="bytes_to_local">
715 Number of bytes in packets received by the <ref
716 table="Physical_Switch"/>.
717 </column>
718 </group>
719 </table>
720
721 <table name="Logical_Switch" title="A layer-2 domain.">
722 A logical Ethernet switch, whose implementation may span physical and
723 virtual media, possibly crossing L3 domains via tunnels; a logical layer-2
724 domain; an Ethernet broadcast domain.
725
726
727
728 <group title="Per Logical-Switch Tunnel Key">
729 <p>
730 Tunnel protocols tend to have a field that allows the tunnel
731 to be partitioned into sub-tunnels: VXLAN has a VNI, GRE and
732 STT have a key, CAPWAP has a WSI, and so on. We call these
733 generically ``tunnel keys.'' Given that one needs to use a
734 tunnel key at all, there are at least two reasonable ways to
735 assign their values:
736 </p>
737
738 <ul>
739 <li>
740 <p>
741 Per <ref table="Logical_Switch"/>+<ref table="Physical_Locator"/>
742 pair. That is, each logical switch may be assigned a different
743 tunnel key on every <ref table="Physical_Locator"/>. This model is
744 especially flexible.
745 </p>
746
747 <p>
748 In this model, <ref table="Physical_Locator"/> carries the tunnel
749 key. Therefore, one <ref table="Physical_Locator"/> record will
750 exist for each logical switch carried at a given IP destination.
751 </p>
752 </li>
753
754 <li>
755 <p>
756 Per <ref table="Logical_Switch"/>. That is, every tunnel
757 associated with a particular logical switch carries the same tunnel
758 key, regardless of the <ref table="Physical_Locator"/> to which the
759 tunnel is addressed. This model may ease switch implementation
760 because it imposes fewer requirements on the hardware datapath.
761 </p>
762
763 <p>
764 In this model, <ref table="Logical_Switch"/> carries the tunnel
765 key. Therefore, one <ref table="Physical_Locator"/> record will
766 exist for each IP destination.
767 </p>
768 </li>
769 </ul>
770
771 <column name="tunnel_key">
772 <p>
773 This column is used only in the tunnel key per <ref
774 table="Logical_Switch"/> model (see above), because only in that
775 model is there a tunnel key associated with a logical switch.
776 </p>
777
778 <p>
c2cd1902
OBY		 779 For <code>vxlan_over_ipv4</code> encapsulation, when the tunnel key
780 per <ref table="Logical_Switch"/> model is in use, this column is the
781 VXLAN VNI that identifies a logical switch. It must be in the range
782 0 to 16,777,215.
add17b69
BD		 783 </p>
784 </column>
785 </group>
786
b351ac0c
DB		 787 <group title="Replication Mode">
788 <p>
789 For handling L2 broadcast, multicast and unknown unicast traffic,
790 packets can be sent to all members of a logical switch referenced by
791 a physical switch. There are different modes to replicate the
792 packets. The default mode of replication is to send the traffic to
793 a service node, which can be a hypervisor, server or appliance, and
794 let the service node handle replication to other transport nodes
795 (hypervisors or other VTEP physical switches). This mode is called
796 service node replication. An alternate mode of replication, called
797 source node replication involves the source node sending to all
798 other transport nodes. Hypervisors are always responsible for doing
799 their own replication for locally attached VMs in both modes.
800 Service node replication mode is the default and considered a
801 basic requirement because it only requires sending the packet to
802 a single transport node.
803 </p>
804
805 <column name="replication_mode">
806 <p>
807 This optional column defines the replication mode per
808 <ref table="Logical_Switch"/>. There are 2 valid values,
809 <code>service_node</code> and <code>source_node</code>. If the
810 column is not set, the replication mode defaults to service_node.
811 </p>
812
813 </column>
814 </group>
815
add17b69
BD		 816 <group title="Identification">
817 <column name="name">
fdf059ff 818 Symbolic name for the logical switch.
add17b69 819 </column>
f86f54a9 820
add17b69 821 <column name="description">
fdf059ff
BD		 822 An extended description for the logical switch, such as its switch
823 login banner.
add17b69
BD		 824 </column>
825 </group>
3e769995
SS		 826
827 <group title="Common Column">
828 The overall purpose of this column is described under <code>Common
829 Column</code> at the beginning of this document.
830
831 <column name="other_config"/>
832 </group>
833
add17b69
BD		 834 </table>
835
836 <table name="Ucast_Macs_Local" title="Unicast MACs (local)">
837 <p>
838 Mapping of unicast MAC addresses to tunnels (physical
839 locators). This table is written by the HSC, so it contains the
840 MAC addresses that have been learned on physical ports by a
841 VTEP.
842 </p>
843
844 <column name="MAC">
845 A MAC address that has been learned by the VTEP.
846 </column>
847
848 <column name="logical_switch">
849 The Logical switch to which this mapping applies.
850 </column>
851
852 <column name="locator">
853 The physical locator to be used to reach this MAC address. In
854 this table, the physical locator will be one of the tunnel IP
855 addresses of the appropriate VTEP.
856 </column>
857
858 <column name="ipaddr">
859 The IP address to which this MAC corresponds. Optional field for
860 the purpose of ARP supression.
861 </column>
862
863 </table>
864
f86f54a9 865 <table name="Ucast_Macs_Remote" title="Unicast MACs (remote)">
add17b69
BD		 866 <p>
867 Mapping of unicast MAC addresses to tunnels (physical
868 locators). This table is written by the NVC, so it contains the
869 MAC addresses that the NVC has learned. These include VM MAC
870 addresses, in which case the physical locators will be
871 hypervisor IP addresses. The NVC will also report MACs that it
872 has learned from other HSCs in the network, in which case the
873 physical locators will be tunnel IP addresses of the
874 corresponding VTEPs.
875 </p>
876
877 <column name="MAC">
255842d9 878 A MAC address that has been learned by the NVC.
add17b69
BD		 879 </column>
880
881 <column name="logical_switch">
882 The Logical switch to which this mapping applies.
883 </column>
884
885 <column name="locator">
886 The physical locator to be used to reach this MAC address. In
887 this table, the physical locator will be either a hypervisor IP
888 address or a tunnel IP addresses of another VTEP.
889 </column>
890
891 <column name="ipaddr">
892 The IP address to which this MAC corresponds. Optional field for
893 the purpose of ARP supression.
894 </column>
895
896 </table>
897
898 <table name="Mcast_Macs_Local" title="Multicast MACs (local)">
899 <p>
900 Mapping of multicast MAC addresses to tunnels (physical
901 locators). This table is written by the HSC, so it contains the
902 MAC addresses that have been learned on physical ports by a
903 VTEP. These may be learned by IGMP snooping, for example. This
904 table also specifies how to handle unknown unicast and broadcast packets.
905 </p>
906
907 <column name="MAC">
908 <p>
f86f54a9 909 A MAC address that has been learned by the VTEP.
add17b69
BD		 910 </p>
911 <p>
fdf059ff
BD		 912 The keyword <code>unknown-dst</code> is used as a special
913 ``Ethernet address'' that indicates the locations to which
914 packets in a logical switch whose destination addresses do not
915 otherwise appear in <ref table="Ucast_Macs_Local"/> (for
916 unicast addresses) or <ref table="Mcast_Macs_Local"/> (for
917 multicast addresses) should be sent.
add17b69
BD		 918 </p>
919 </column>
920
921 <column name="logical_switch">
922 The Logical switch to which this mapping applies.
923 </column>
924
925 <column name="locator_set">
926 The physical locator set to be used to reach this MAC address. In
927 this table, the physical locator set will be contain one or more tunnel IP
928 addresses of the appropriate VTEP(s).
929 </column>
930
19368978
BP		 931 <column name="ipaddr">
932 The IP address to which this MAC corresponds. Optional field for
933 the purpose of ARP supression.
934 </column>
add17b69
BD		 935 </table>
936
937 <table name="Mcast_Macs_Remote" title="Multicast MACs (remote)">
938 <p>
939 Mapping of multicast MAC addresses to tunnels (physical
940 locators). This table is written by the NVC, so it contains the
941 MAC addresses that the NVC has learned. This
942 table also specifies how to handle unknown unicast and broadcast
943 packets.
944 </p>
945 <p>
946 Multicast packet replication may be handled by a service node,
947 in which case the physical locators will be IP addresses of
948 service nodes. If the VTEP supports replication onto multiple
b351ac0c
DB		 949 tunnels, using source node replication, then this may be used to
950 replicate directly onto VTEP-hypervisor or VTEP-VTEP tunnels.
add17b69
BD		 951 </p>
952
953 <column name="MAC">
954 <p>
fdf059ff 955 A MAC address that has been learned by the NVC.
add17b69
BD		 956 </p>
957 <p>
fdf059ff
BD		 958 The keyword <code>unknown-dst</code> is used as a special
959 ``Ethernet address'' that indicates the locations to which
960 packets in a logical switch whose destination addresses do not
961 otherwise appear in <ref table="Ucast_Macs_Remote"/> (for
962 unicast addresses) or <ref table="Mcast_Macs_Remote"/> (for
963 multicast addresses) should be sent.
add17b69
BD		 964 </p>
965 </column>
966
967 <column name="logical_switch">
968 The Logical switch to which this mapping applies.
969 </column>
970
971 <column name="locator_set">
972 The physical locator set to be used to reach this MAC address. In
b351ac0c
DB		 973 this table, the physical locator set will be either a set of service
974 nodes when service node replication is used or the set of transport
975 nodes (defined as hypervisors or VTEPs) participating in the associated
976 logical switch, when source node replication is used. When service node
977 replication is used, the VTEP should send packets to one member of the
978 locator set that is known to be healthy and reachable, which could be
979 determined by BFD. When source node replication is used, the VTEP
980 should send packets to all members of the locator set.
add17b69
BD		 981 </column>
982
983 <column name="ipaddr">
984 The IP address to which this MAC corresponds. Optional field for
985 the purpose of ARP supression.
986 </column>
987
988 </table>
989
990 <table name="Logical_Router" title="A logical L3 router.">
991 <p>
992 A logical router, or VRF. A logical router may be connected to one or more
f86f54a9 993 logical switches. Subnet addresses and interface addresses may be configured on the
add17b69
BD		 994 interfaces.
995 </p>
f86f54a9 996
add17b69
BD		 997 <column name="switch_binding">
998 Maps from an IPv4 or IPv6 address prefix in CIDR notation to a
999 logical switch. Multiple prefixes may map to the same switch. By
1000 writing a 32-bit (or 128-bit for v6) address with a /N prefix
1001 length, both the router's interface address and the subnet
1002 prefix can be configured. For example, 192.68.1.1/24 creates a
1003 /24 subnet for the logical switch attached to the interface and
1004 assigns the address 192.68.1.1 to the router interface.
1005 </column>
1006
1007 <column name="static_routes">
1008 One or more static routes, mapping IP prefixes to next hop IP addresses.
1009 </column>
1010
c0c1dccb
BD		 1011 <column name="acl_binding">
1012 Maps ACLs to logical router interfaces. The router interfaces
1013 are indicated using IP address notation, and must be the same
1014 interfaces created in the <ref column="switch_binding"/>
1015 column. For example, an ACL could be associated with the logical
1016 router interface with an address of 192.68.1.1 as defined in the
1017 example above.
1018 </column>
1019
add17b69
BD		 1020 <group title="Identification">
1021 <column name="name">
fdf059ff 1022 Symbolic name for the logical router.
add17b69
BD		 1023 </column>
1024
1025 <column name="description">
fdf059ff 1026 An extended description for the logical router.
add17b69
BD		 1027 </column>
1028 </group>
c0c1dccb
BD		 1029
1030 <group title="Error Notification">
1031 <p>
1032 An entry in this column indicates to the NVC that the HSC has
1033 encountered a fault in configuring state related to the
1034 logical router.
1035 </p>
1036 <column name="LR_fault_status" key="invalid_ACL_binding">
1037 <p>
1038 Indicates that an error has occurred in associating an ACL
1039 with a logical router port.
1040 </p>
1041 </column>
1042 <column name="LR_fault_status" key="unspecified_fault">
1043 <p>
1044 Indicates that an error has occurred in configuring the
1045 logical router but that no
1046 more specific information is available.
1047 </p>
1048 </column>
1049 </group>
1050
3e769995
SS		 1051 <group title="Common Column">
1052 The overall purpose of this column is described under <code>Common
1053 Column</code> at the beginning of this document.
1054
1055 <column name="other_config"/>
1056 </group>
1057
add17b69
BD		 1058 </table>
1059
7ae92590
BD		 1060 <table name="Arp_Sources_Local" title="ARP source addresses for logical routers">
1061 <p>
1062 MAC address to be used when a VTEP issues ARP requests on behalf
1063 of a logical router.
1064 </p>
1065
1066 <p>
1067 A distributed logical router is implemented by a set of VTEPs
1068 (both hardware VTEPs and vswitches). In order for a given VTEP
1069 to populate the local ARP cache for a logical router, it issues
1070 ARP requests with a source MAC address that is unique to the VTEP. A
1071 single per-VTEP MAC can be re-used across all logical
1072 networks. This table contains the MACs that are used by the
1073 VTEPs of a given HSC. The table provides the mapping from MAC to
1074 physical locator for each VTEP so that replies to the ARP
1075 requests can be sent back to the correct VTEP using the
1076 appropriate physical locator.
1077 </p>
1078
1079 <column name="src_mac">
1080 The source MAC to be used by a given VTEP.
1081 </column>
1082
1083 <column name="locator">
1084 The <ref table="Physical_Locator"/> to use for replies to ARP
1085 requests from this MAC address.
1086 </column>
1087 </table>
1088
1089 <table name="Arp_Sources_Remote" title="ARP source addresses for logical routers">
1090 <p>
1091 MAC address to be used when a remote VTEP issues ARP requests on behalf
1092 of a logical router.
1093 </p>
1094
1095 <p>
1096 This table is the remote counterpart of <ref
1097 table="Arp_sources_local"/>. The NVC writes this table to notify
1098 the HSC of the MACs that will be used by remote VTEPs when they
1099 issue ARP requests on behalf of a distributed logical router.
1100 </p>
1101
1102 <column name="src_mac">
1103 The source MAC to be used by a given VTEP.
1104 </column>
1105
1106 <column name="locator">
1107 The <ref table="Physical_Locator"/> to use for replies to ARP
1108 requests from this MAC address.
1109 </column>
1110 </table>
1111
add17b69
BD		 1112 <table name="Physical_Locator_Set">
1113 <p>
1114 A set of one or more <ref table="Physical_Locator"/>s.
1115 </p>
1116
1117 <p>
1118 This table exists only because OVSDB does not have a way to
1119 express the type ``map from string to one or more <ref
1120 table="Physical_Locator"/> records.''
1121 </p>
1122
f86f54a9 1123 <column name="locators"/>
add17b69
BD		 1124 </table>
1125
1126 <table name="Physical_Locator">
1127 <p>
1128 Identifies an endpoint to which logical switch traffic may be
1129 encapsulated and forwarded.
1130 </p>
1131
1132 <p>
c2cd1902
OBY		 1133 The <code>vxlan_over_ipv4</code> encapsulation, the only encapsulation
1134 defined so far, can use either tunnel key model described in the ``Per
1135 Logical-Switch Tunnel Key'' section in the <ref table="Logical_Switch"/>
1136 table. When the tunnel key per <ref table="Logical_Switch"/> model is in
1137 use, the <ref table="Logical_Switch" column="tunnel_key"/> column in the
1138 <ref table="Logical_Switch"/> table is filled with a VNI and the <ref
1139 column="tunnel_key"/> column in this table is empty; in the
1140 key-per-tunnel model, the opposite is true. The former model is older,
1141 and thus likely to be more widely supported. See the ``Per
1142 Logical-Switch Tunnel Key'' section in the <ref table="Logical_Switch"/>
1143 table for further discussion of the model.
add17b69
BD		 1144 </p>
1145
1146 <column name="encapsulation_type">
1147 The type of tunneling encapsulation.
1148 </column>
1149
1150 <column name="dst_ip">
1151 <p>
1152 For <code>vxlan_over_ipv4</code> encapsulation, the IPv4 address of the
1153 VXLAN tunnel endpoint.
1154 </p>
1155
1156 <p>
1157 We expect that this column could be used for IPv4 or IPv6 addresses in
1158 encapsulations to be introduced later.
1159 </p>
1160 </column>
23f781e4 1161
c2cd1902
OBY		 1162 <column name="tunnel_key">
1163 <p>
1164 This column is used only in the tunnel key per <ref
1165 table="Logical_Switch"/>+<ref table="Physical_Locator"/> model (see
1166 above).
1167 </p>
1168
1169 <p>
1170 For <code>vxlan_over_ipv4</code> encapsulation, when the <ref
1171 table="Logical_Switch"/>+<ref table="Physical_Locator"/> model is in
1172 use, this column is the VXLAN VNI. It must be in the range 0 to
1173 16,777,215.
1174 </p>
1175 </column>
1176
add17b69 1177 </table>
c0c1dccb
BD		 1178 <table name="ACL_entry">
1179 <p>
1180 Describes the individual entries that comprise an Access Control List.
1181 </p>
1182 <p>
1183 Each entry in the table is a single rule to match on certain
1184 header fields. While there are a large number of fields that can
1185 be matched on, most hardware cannot match on arbitrary
1186 combinations of fields. It is common to match on either L2
1187 fields (described below in the L2 group of columns) or L3/L4 fields
1188 (the L3/L4 group of columns) but not both. The hardware switch
1189 controller may log an error if an ACL entry requires it to match
1190 on an incompatible mixture of fields.
1191 </p>
1192 <column name="sequence">
1193 <p>
1194 The sequence number for the ACL entry for the purpose of
1195 ordering entries in an ACL. Lower numbered entries are matched
1196 before higher numbered entries.
1197 </p>
1198 </column>
1199 <group title="L2 fields">
1200 <column name="source_mac">
1201 <p>
1202 Source MAC address, in the form
1203 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
1204 </p>
1205 </column>
1206 <column name="dest_mac">
1207 <p>
1208 Destination MAC address, in the form
1209 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
1210 </p>
1211 </column>
f86f54a9 1212 <column name="ethertype">
c0c1dccb
BD		 1213 <p>
1214 Ethertype in hexadecimal, in the form
1215 <var>0xAAAA</var>
1216 </p>
1217 </column>
1218 </group>
1219 <group title="L3/L4 fields">
1220 <column name="source_ip">
1221 <p>
1222 Source IP address, in the form
1223 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1224 colon-separated hexadecimal notation for IPv6.
1225 </p>
1226 </column>
1227 <column name="source_mask">
1228 <p>
1229 Mask that determines which bits of source_ip to match on, in the form
1230 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1231 colon-separated hexadecimal notation for IPv6.
1232 </p>
1233 </column>
1234 <column name="dest_ip">
1235 <p>
1236 Destination IP address, in the form
1237 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1238 colon-separated hexadecimal notation for IPv6.
1239 </p>
1240 </column>
1241 <column name="dest_mask">
1242 <p>
1243 Mask that determines which bits of dest_ip to match on, in the form
1244 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1245 colon-separated hexadecimal notation for IPv6.
1246 </p>
1247 </column>
1248 <column name="protocol">
1249 <p>
1250 Protocol number in the IPv4 header, or value of the "next
1251 header" field in the IPv6 header.
1252 </p>
1253 </column>
1254 <column name="source_port_min">
1255 <p>
1256 Lower end of the range of source port values. The value
1257 specified is included in the range.
1258 </p>
1259 </column>
1260 <column name="source_port_max">
1261 <p>
1262 Upper end of the range of source port values. The value
1263 specified is included in the range.
1264 </p>
1265 </column>
1266 <column name="dest_port_min">
1267 <p>
1268 Lower end of the range of destination port values. The value
1269 specified is included in the range.
1270 </p>
1271 </column>
1272 <column name="dest_port_max">
1273 <p>
1274 Upper end of the range of destination port values. The value
1275 specified is included in the range.
1276 </p>
1277 </column>
1278 <column name="tcp_flags">
1279 <p>
1280 Integer representing the value of TCP flags to match. For
1281 example, the SYN flag is the second least significant bit in
1282 the TCP flags. Hence a value of 2 would indicate that the "SYN"
1283 flag should be set (assuming an appropriate mask).
1284 </p>
1285 </column>
1286 <column name="tcp_flags_mask">
1287 <p>
1288 Integer representing the mask to apply when matching TCP
1289 flags. For example, a value of 2 would imply that the "SYN"
1290 flag should be matched and all other flags ignored.
1291 </p>
1292 </column>
1293 <column name="icmp_type">
1294 <p>
1295 ICMP type to be matched.
1296 </p>
1297 </column>
1298 <column name="icmp_code">
1299 <p>
1300 ICMP code to be matched.
1301 </p>
1302 </column>
1303 </group>
1304 <column name="direction">
1305 <p>
1306 Direction of traffic to match on the specified port, either
1307 "ingress" (toward the logical switch or router) or "egress"
1308 (leaving the logical switch or router).
1309 </p>
1310 </column>
1311 <column name="action">
1312 <p>
1313 Action to take for this rule, either "permit" or "deny".
1314 </p>
1315 </column>
1316 <group title="Error Notification">
1317 <p>
1318 An entry in this column indicates to the NVC that the ACL
1319 could not be configured as requested. The switch must clear this column when the error
1320 has been cleared.
1321 </p>
1322 <column name="acle_fault_status" key="invalid_acl_entry">
1323 <p>
1324 Indicates that an ACL entry requested by
1325 the controller could not be instantiated by the switch,
1326 e.g. because it requires an unsupported combination of
1327 fields to be matched.
1328 </p>
1329 </column>
1330 <column name="acle_fault_status" key="unspecified_fault">
1331 <p>
1332 Indicates that an error has occurred in configuring the ACL
1333 entry but no
1334 more specific information is available.
1335 </p>
1336 </column>
1337 </group>
1338 </table>
1339 <table name="ACL">
1340 <p>
1341 Access Control List table. Each ACL is constructed as a set of
1342 entries from the <ref table="ACL_entry"/> table. Packets that
1343 are not matched by any entry in the ACL are allowed by default.
1344 </p>
1345 <column name="acl_entries">
1346 <p>
1347 A set of references to entries in the <ref table="ACL_entry"/> table.
1348 </p>
1349 </column>
1350 <column name="acl_name">
1351 <p>
1352 A human readable name for the ACL, which may (for example) be displayed on
1353 the switch CLI.
1354 </p>
1355 </column>
1356 <group title="Error Notification">
1357 <p>
1358 An entry in this column indicates to the NVC that the ACL
1359 could not be configured as requested. The switch must clear this column when the error
1360 has been cleared.
1361 </p>
1362 <column name="acl_fault_status" key="invalid_acl">
1363 <p>
1364 Indicates that an ACL requested by
1365 the controller could not be instantiated by the switch,
1366 e.g., because it requires an unsupported combination of
1367 fields to be matched.
1368 </p>
1369 </column>
1370 <column name="acl_fault_status" key="resource_shortage">
1371 <p>
1372 Indicates that an ACL requested by
1373 the controller could not be instantiated by the switch due
1374 to a shortage of resources (e.g. TCAM space).
1375 </p>
1376 </column>
1377 <column name="acl_fault_status" key="unspecified_fault">
1378 <p>
1379 Indicates that an error has occurred in configuring the ACL
1380 but no
1381 more specific information is available.
1382 </p>
1383 </column>
1384 </group>
1385 </table>
add17b69 1386</database>
openvswitch packages for PVE