1 <?xml version=
"1.0" encoding=
"utf-8"?>
2 <database name=
"ovn-sb" title=
"OVN Southbound Database">
4 This database holds logical and physical configuration and state for the
5 Open Virtual Network (OVN) system to support virtual network abstraction.
6 For an introduction to OVN, please see
<code>ovn-architecture
</code>(
7).
10 The OVN Southbound database sits at the center of the OVN
11 architecture. It is the one component that speaks both southbound
12 directly to all the hypervisors and gateways, via
13 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code>, and
14 northbound to the Cloud Management System, via
<code>ovn-northd
</code>:
17 <h2>Database Structure
</h2>
20 The OVN Southbound database contains classes of data with
21 different properties, as described in the sections below.
24 <h3>Physical Network (PN) data
</h3>
27 PN tables contain information about the chassis nodes in the system. This
28 contains all the information necessary to wire the overlay, such as IP
29 addresses, supported tunnel types, and security keys.
33 The amount of PN data is small (O(n) in the number of chassis) and it
34 changes infrequently, so it can be replicated to every chassis.
38 The
<ref table=
"Chassis"/> table comprises the PN tables.
41 <h3>Logical Network (LN) data
</h3>
44 LN tables contain the topology of logical switches and routers, ACLs,
45 firewall rules, and everything needed to describe how packets traverse a
46 logical network, represented as logical datapath flows (see Logical
47 Datapath Flows, below).
51 LN data may be large (O(n) in the number of logical ports, ACL rules,
52 etc.). Thus, to improve scaling, each chassis should receive only data
53 related to logical networks in which that chassis participates. Past
54 experience shows that in the presence of large logical networks, even
55 finer-grained partitioning of data, e.g. designing logical flows so that
56 only the chassis hosting a logical port needs related flows, pays off
57 scale-wise. (This is not necessary initially but it is worth bearing in
62 The LN is a slave of the cloud management system running northbound of OVN.
63 That CMS determines the entire OVN logical configuration and therefore the
64 LN's content at any given time is a deterministic function of the CMS's
65 configuration, although that happens indirectly via the
66 <ref db=
"OVN_Northbound"/> database and
<code>ovn-northd
</code>.
70 LN data is likely to change more quickly than PN data. This is especially
71 true in a container environment where VMs are created and destroyed (and
72 therefore added to and deleted from logical switches) quickly.
76 <ref table=
"Logical_Flow"/> and
<ref table=
"Multicast_Group"/> contain LN
80 <h3>Logical-physical bindings
</h3>
83 These tables link logical and physical components. They show the current
84 placement of logical components (such as VMs and VIFs) onto chassis, and
85 map logical entities to the values that represent them in tunnel
90 These tables change frequently, at least every time a VM powers up or down
91 or migrates, and especially quickly in a container environment. The
92 amount of data per VM (or VIF) is small.
96 Each chassis is authoritative about the VMs and VIFs that it hosts at any
97 given time and can efficiently flood that state to a central location, so
98 the consistency needs are minimal.
102 The
<ref table=
"Port_Binding"/> and
<ref table=
"Datapath_Binding"/> tables
103 contain binding data.
106 <h3>MAC bindings
</h3>
109 The
<ref table=
"MAC_Binding"/> table tracks the bindings from IP addresses
110 to Ethernet addresses that are dynamically discovered using ARP (for IPv4)
111 and neighbor discovery (for IPv6). Usually, IP-to-MAC bindings for virtual
112 machines are statically populated into the
<ref table=
"Port_Binding"/>
113 table, so
<ref table=
"MAC_Binding"/> is primarily used to discover bindings
114 on physical networks.
117 <h2>Common Columns
</h2>
120 Some tables contain a special column named
<code>external_ids
</code>. This
121 column has the same form and purpose each place that it appears, so we
122 describe it here to save space later.
126 <dt><code>external_ids
</code>: map of string-string pairs
</dt>
128 Key-value pairs for use by the software that manages the OVN Southbound
129 database rather than by
130 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code>. In
131 particular,
<code>ovn-northd
</code> can use key-value pairs in this
132 column to relate entities in the southbound database to higher-level
133 entities (such as entities in the OVN Northbound database). Individual
134 key-value pairs in this column may be documented in some cases to aid
135 in understanding and troubleshooting, but the reader should not mistake
136 such documentation as comprehensive.
140 <table name=
"SB_Global" title=
"Southbound configuration">
142 Southbound configuration for an OVN system. This table must have exactly
146 <group title=
"Status">
147 This column allow a client to track the overall configuration state of
150 <column name=
"nb_cfg">
151 Sequence number for the configuration. When a CMS or
152 <code>ovn-nbctl
</code> updates the northbound database, it increments
153 the
<code>nb_cfg
</code> column in the
<code>NB_Global
</code> table in
154 the northbound database. In turn, when
<code>ovn-northd
</code> updates
155 the southbound database to bring it up to date with these changes, it
156 updates this column to the same value.
160 <group title=
"Common Columns">
161 <column name=
"external_ids">
162 See
<em>External IDs
</em> at the beginning of this document.
165 <group title=
"Connection Options">
166 <column name=
"connections">
167 Database clients to which the Open vSwitch database server should
168 connect or on which it should listen, along with options for how these
169 connections should be configured. See the
<ref table=
"Connection"/>
170 table for more information.
173 Global SSL configuration.
178 <table name=
"Chassis" title=
"Physical Network Hypervisor and Gateway Information">
180 Each row in this table represents a hypervisor or gateway (a chassis) in
181 the physical network (PN). Each chassis, via
182 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code>, adds
183 and updates its own row, and keeps a copy of the remaining rows to
184 determine how to reach other hypervisors.
188 When a chassis shuts down gracefully, it should remove its own row.
189 (This is not critical because resources hosted on the chassis are equally
190 unreachable regardless of whether the row is present.) If a chassis
191 shuts down permanently without removing its row, some kind of manual or
192 automatic cleanup is eventually needed; we can devise a process for that
197 OVN does not prescribe a particular format for chassis names.
198 ovn-controller populates this column using
<ref key=
"system-id"
199 table=
"Open_vSwitch" column=
"external_ids" db=
"Open_vSwitch"/>
200 in the Open_vSwitch database's
<ref table=
"Open_vSwitch"
201 db=
"Open_vSwitch"/> table. ovn-controller-vtep populates this
202 column with
<ref table=
"Physical_Switch" column=
"name"
203 db=
"hardware_vtep"/> in the hardware_vtep database's
204 <ref table=
"Physical_Switch" db=
"hardware_vtep"/> table.
207 <column name=
"hostname">
208 The hostname of the chassis, if applicable. ovn-controller will populate
209 this column with the hostname of the host it is running on.
210 ovn-controller-vtep will leave this column empty.
213 <column name=
"nb_cfg">
214 Sequence number for the configuration. When
<code>ovn-controller
</code>
215 updates the configuration of a chassis from the contents of the
216 southbound database, it copies
<ref table=
"SB_Global" column=
"nb_cfg"/>
217 from the
<ref table=
"SB_Global"/> table into this column.
220 <column name=
"external_ids" key=
"ovn-bridge-mappings">
221 <code>ovn-controller
</code> populates this key with the set of bridge
222 mappings it has been configured to use. Other applications should treat
223 this key as read-only. See
<code>ovn-controller
</code>(
8) for more
227 <column name=
"external_ids" key=
"datapath-type">
228 <code>ovn-controller
</code> populates this key with the datapath type
229 configured in the
<ref table=
"Bridge" column=
"datapath_type"/> column of
230 the Open_vSwitch database's
<ref table=
"Bridge" db=
"Open_vSwitch"/>
231 table. Other applications should treat this key as read-only. See
232 <code>ovn-controller
</code>(
8) for more information.
235 <column name=
"external_ids" key=
"iface-types">
236 <code>ovn-controller
</code> populates this key with the interface types
237 configured in the
<ref table=
"Open_vSwitch" column=
"iface_types"/> column
238 of the Open_vSwitch database's
<ref table=
"Open_vSwitch"
239 db=
"Open_vSwitch"/> table. Other applications should treat this key as
240 read-only. See
<code>ovn-controller
</code>(
8) for more information.
243 <group title=
"Common Columns">
244 The overall purpose of these columns is described under
<code>Common
245 Columns
</code> at the beginning of this document.
247 <column name=
"external_ids"/>
250 <group title=
"Encapsulation Configuration">
252 OVN uses encapsulation to transmit logical dataplane packets
256 <column name=
"encaps">
257 Points to supported encapsulation configurations to transmit
258 logical dataplane packets to this chassis. Each entry is a
<ref
259 table=
"Encap"/> record that describes the configuration.
263 <group title=
"Gateway Configuration">
265 A
<dfn>gateway
</dfn> is a chassis that forwards traffic between the
266 OVN-managed part of a logical network and a physical VLAN, extending a
267 tunnel-based logical network into a physical network. Gateways are
268 typically dedicated nodes that do not host VMs and will be controlled
269 by
<code>ovn-controller-vtep
</code>.
272 <column name=
"vtep_logical_switches">
273 Stores all VTEP logical switch names connected by this gateway
274 chassis. The
<ref table=
"Port_Binding"/> table entry with
275 <ref column=
"options" table=
"Port_Binding"/>:
<code>vtep-physical-switch
</code>
276 equal
<ref table=
"Chassis"/> <ref column=
"name" table=
"Chassis"/>, and
277 <ref column=
"options" table=
"Port_Binding"/>:
<code>vtep-logical-switch
</code>
278 value in
<ref table=
"Chassis"/>
279 <ref column=
"vtep_logical_switches" table=
"Chassis"/>, will be
280 associated with this
<ref table=
"Chassis"/>.
285 <table name=
"Encap" title=
"Encapsulation Types">
287 The
<ref column=
"encaps" table=
"Chassis"/> column in the
<ref
288 table=
"Chassis"/> table refers to rows in this table to identify
289 how OVN may transmit logical dataplane packets to this chassis.
290 Each chassis, via
<code>ovn-controller
</code>(
8) or
291 <code>ovn-controller-vtep
</code>(
8), adds and updates its own rows
292 and keeps a copy of the remaining rows to determine how to reach
297 The encapsulation to use to transmit packets to this chassis.
298 Hypervisors must use either
<code>geneve
</code> or
299 <code>stt
</code>. Gateways may use
<code>vxlan
</code>,
300 <code>geneve
</code>, or
<code>stt
</code>.
303 <column name=
"options">
305 Options for configuring the encapsulation. Currently, the only
306 option that has been defined is
<code>csum
</code>.
310 <code>csum
</code> indicates that encapsulation checksums can be
311 transmitted and received with reasonable performance. It is a hint
312 to senders transmitting data to this chassis that they should use
313 checksums to protect OVN metadata.
<code>ovn-controller
</code>
314 populates this key with the value defined in
315 <ref table=
"Open_vSwitch" column=
"external_ids:ovn-encap-csum"/> column
316 of the Open_vSwitch database's
<ref table=
"Open_vSwitch"
317 db=
"Open_vSwitch"/> table. Other applications should treat this key as
318 read-only. See
<code>ovn-controller
</code>(
8) for more information.
322 In terms of performance, this actually significantly increases
323 throughput in most common cases when running on Linux based hosts
324 without NICs supporting encapsulation hardware offload (around
60% for
325 bulk traffic). The reason is that generally all NICs are capable of
326 offloading transmitted and received TCP/UDP checksums (viewed as
327 ordinary data packets and not as tunnels). The benefit comes on the
328 receive side where the validated outer checksum can be used to
329 additionally validate an inner checksum (such as TCP), which in turn
330 allows aggregation of packets to be more efficiently handled by the
335 Not all devices see such a benefit. The most notable exception is
336 hardware VTEPs. These devices are designed to not buffer entire
337 packets in their switching engines and are therefore unable to
338 efficiently compute or validate full packet checksums. In addition
339 certain versions of the Linux kernel are not able to fully take
340 advantage of encapsulation NIC offloads in the presence of checksums.
341 (This is actually a pretty narrow corner case though - earlier
342 versions of Linux don't support encapsulation offloads at all and
343 later versions support both offloads and checksums well.)
347 <code>csum
</code> defaults to
<code>false
</code> for hardware VTEPs and
348 <code>true
</code> for all other cases.
353 The IPv4 address of the encapsulation tunnel endpoint.
357 <table name=
"Address_Set" title=
"Address Sets">
359 See the documentation for the
<ref table=
"Address_Set"
360 db=
"OVN_Northbound"/> table in the
<ref db=
"OVN_Northbound"/> database
364 <column name=
"name"/>
365 <column name=
"addresses"/>
368 <table name=
"Logical_Flow" title=
"Logical Network Flows">
370 Each row in this table represents one logical flow.
371 <code>ovn-northd
</code> populates this table with logical flows
372 that implement the L2 and L3 topologies specified in the
373 <ref db=
"OVN_Northbound"/> database. Each hypervisor, via
374 <code>ovn-controller
</code>, translates the logical flows into
375 OpenFlow flows specific to its hypervisor and installs them into
380 Logical flows are expressed in an OVN-specific format, described here. A
381 logical datapath flow is much like an OpenFlow flow, except that the
382 flows are written in terms of logical ports and logical datapaths instead
383 of physical ports and physical datapaths. Translation between logical
384 and physical flows helps to ensure isolation between logical datapaths.
385 (The logical flow abstraction also allows the OVN centralized
386 components to do less work, since they do not have to separately
387 compute and push out physical flows to each chassis.)
391 The default action when no flow matches is to drop packets.
394 <p><em>Architectural Logical Life Cycle of a Packet
</em></p>
397 This following description focuses on the life cycle of a packet through
398 a logical datapath, ignoring physical details of the implementation.
399 Please refer to
<em>Architectural Physical Life Cycle of a Packet
</em> in
400 <code>ovn-architecture
</code>(
7) for the physical information.
404 The description here is written as if OVN itself executes these steps,
405 but in fact OVN (that is,
<code>ovn-controller
</code>) programs Open
406 vSwitch, via OpenFlow and OVSDB, to execute them on its behalf.
410 At a high level, OVN passes each packet through the logical datapath's
411 logical ingress pipeline, which may output the packet to one or more
412 logical port or logical multicast groups. For each such logical output
413 port, OVN passes the packet through the datapath's logical egress
414 pipeline, which may either drop the packet or deliver it to the
415 destination. Between the two pipelines, outputs to logical multicast
416 groups are expanded into logical ports, so that the egress pipeline only
417 processes a single logical output port at a time. Between the two
418 pipelines is also where, when necessary, OVN encapsulates a packet in a
419 tunnel (or tunnels) to transmit to remote hypervisors.
423 In more detail, to start, OVN searches the
<ref table=
"Logical_Flow"/>
424 table for a row with correct
<ref column=
"logical_datapath"/>, a
<ref
425 column=
"pipeline"/> of
<code>ingress
</code>, a
<ref column=
"table_id"/>
426 of
0, and a
<ref column=
"match"/> that is true for the packet. If none
427 is found, OVN drops the packet. If OVN finds more than one, it chooses
428 the match with the highest
<ref column=
"priority"/>. Then OVN executes
429 each of the actions specified in the row's
<ref table=
"actions"/> column,
430 in the order specified. Some actions, such as those to modify packet
431 headers, require no further details. The
<code>next
</code> and
432 <code>output
</code> actions are special.
436 The
<code>next
</code> action causes the above process to be repeated
437 recursively, except that OVN searches for
<ref column=
"table_id"/> of
1
438 instead of
0. Similarly, any
<code>next
</code> action in a row found in
439 that table would cause a further search for a
<ref column=
"table_id"/> of
440 2, and so on. When recursive processing completes, flow control returns
441 to the action following
<code>next
</code>.
445 The
<code>output
</code> action also introduces recursion. Its effect
446 depends on the current value of the
<code>outport
</code> field. Suppose
447 <code>outport
</code> designates a logical port. First, OVN compares
448 <code>inport
</code> to
<code>outport
</code>; if they are equal, it treats
449 the
<code>output
</code> as a no-op by default. In the common
450 case, where they are different, the packet enters the egress
451 pipeline. This transition to the egress pipeline discards
452 register data, e.g.
<code>reg0
</code> ...
<code>reg9
</code> and
453 connection tracking state, to achieve uniform behavior regardless
454 of whether the egress pipeline is on a different hypervisor
455 (because registers aren't preserve across tunnel encapsulation).
459 To execute the egress pipeline, OVN again searches the
<ref
460 table=
"Logical_Flow"/> table for a row with correct
<ref
461 column=
"logical_datapath"/>, a
<ref column=
"table_id"/> of
0, a
<ref
462 column=
"match"/> that is true for the packet, but now looking for a
<ref
463 column=
"pipeline"/> of
<code>egress
</code>. If no matching row is found,
464 the output becomes a no-op. Otherwise, OVN executes the actions for the
465 matching flow (which is chosen from multiple, if necessary, as already
470 In the
<code>egress
</code> pipeline, the
<code>next
</code> action acts as
471 already described, except that it, of course, searches for
472 <code>egress
</code> flows. The
<code>output
</code> action, however, now
473 directly outputs the packet to the output port (which is now fixed,
474 because
<code>outport
</code> is read-only within the egress pipeline).
478 The description earlier assumed that
<code>outport
</code> referred to a
479 logical port. If it instead designates a logical multicast group, then
480 the description above still applies, with the addition of fan-out from
481 the logical multicast group to each logical port in the group. For each
482 member of the group, OVN executes the logical pipeline as described, with
483 the logical output port replaced by the group member.
486 <p><em>Pipeline Stages
</em></p>
489 <code>ovn-northd
</code> populates the
<ref table=
"Logical_Flow"/> table
490 with the logical flows described in detail in
<code>ovn-northd
</code>(
8).
493 <column name=
"logical_datapath">
494 The logical datapath to which the logical flow belongs.
497 <column name=
"pipeline">
499 The primary flows used for deciding on a packet's destination are the
500 <code>ingress
</code> flows. The
<code>egress
</code> flows implement
501 ACLs. See
<em>Logical Life Cycle of a Packet
</em>, above, for details.
505 <column name=
"table_id">
506 The stage in the logical pipeline, analogous to an OpenFlow table number.
509 <column name=
"priority">
510 The flow's priority. Flows with numerically higher priority take
511 precedence over those with lower. If two logical datapath flows with the
512 same priority both match, then the one actually applied to the packet is
516 <column name=
"match">
518 A matching expression. OVN provides a superset of OpenFlow matching
519 capabilities, using a syntax similar to Boolean expressions in a
520 programming language.
524 The most important components of match expression are
525 <dfn>comparisons
</dfn> between
<dfn>symbols
</dfn> and
526 <dfn>constants
</dfn>, e.g.
<code>ip4.dst ==
192.168.0.1</code>,
527 <code>ip.proto ==
6</code>,
<code>arp.op ==
1</code>,
<code>eth.type ==
528 0x800</code>. The logical AND operator
<code>&&</code> and
529 logical OR operator
<code>||
</code> can combine comparisons into a
534 Matching expressions also support parentheses for grouping, the logical
535 NOT prefix operator
<code>!
</code>, and literals
<code>0</code> and
536 <code>1</code> to express ``false'' or ``true,'' respectively. The
537 latter is useful by itself as a catch-all expression that matches every
542 Match expressions also support a kind of function syntax. The
543 following functions are supported:
547 <dt><code>is_chassis_resident(
<var>lport
</var>)
</code></dt>
549 Evaluates to true on a chassis on which logical port
<var>lport
</var>
550 (a quoted string) resides, and to false elsewhere. This function was
551 introduced in OVN
2.7.
555 <p><em>Symbols
</em></p>
558 <em>Type
</em>. Symbols have
<dfn>integer
</dfn> or
<dfn>string
</dfn>
559 type. Integer symbols have a
<dfn>width
</dfn> in bits.
563 <em>Kinds
</em>. There are three kinds of symbols:
569 <dfn>Fields
</dfn>. A field symbol represents a packet header or
570 metadata field. For example, a field
571 named
<code>vlan.tci
</code> might represent the VLAN TCI field in a
576 A field symbol can have integer or string type. Integer fields can
577 be nominal or ordinal (see
<em>Level of Measurement
</em>,
584 <dfn>Subfields
</dfn>. A subfield represents a subset of bits from
585 a larger field. For example, a field
<code>vlan.vid
</code> might
586 be defined as an alias for
<code>vlan.tci[
0.
.11]
</code>. Subfields
587 are provided for syntactic convenience, because it is always
588 possible to instead refer to a subset of bits from a field
593 Only ordinal fields (see
<em>Level of Measurement
</em>,
594 below) may have subfields. Subfields are always ordinal.
600 <dfn>Predicates
</dfn>. A predicate is shorthand for a Boolean
601 expression. Predicates may be used much like
1-bit fields. For
602 example,
<code>ip4
</code> might expand to
<code>eth.type ==
603 0x800</code>. Predicates are provided for syntactic convenience,
604 because it is always possible to instead specify the underlying
609 A predicate whose expansion refers to any nominal field or
610 predicate (see
<em>Level of Measurement
</em>, below) is nominal;
611 other predicates have Boolean level of measurement.
617 <em>Level of Measurement
</em>. See
618 http://en.wikipedia.org/wiki/Level_of_measurement for the statistical
619 concept on which this classification is based. There are three
626 <dfn>Ordinal
</dfn>. In statistics, ordinal values can be ordered
627 on a scale. OVN considers a field (or subfield) to be ordinal if
628 its bits can be examined individually. This is true for the
629 OpenFlow fields that OpenFlow or Open vSwitch makes ``maskable.''
633 Any use of a nominal field may specify a single bit or a range of
634 bits, e.g.
<code>vlan.tci[
13.
.15]
</code> refers to the PCP field
635 within the VLAN TCI, and
<code>eth.dst[
40]
</code> refers to the
636 multicast bit in the Ethernet destination address.
640 OVN supports all the usual arithmetic relations (
<code>==
</code>,
641 <code>!=
</code>,
<code><</code>,
<code><=
</code>,
642 <code>></code>, and
<code>>=
</code>) on ordinal fields and
643 their subfields, because OVN can implement these in OpenFlow and
644 Open vSwitch as collections of bitwise tests.
650 <dfn>Nominal
</dfn>. In statistics, nominal values cannot be
651 usefully compared except for equality. This is true of OpenFlow
652 port numbers, Ethernet types, and IP protocols are examples: all of
653 these are just identifiers assigned arbitrarily with no deeper
654 meaning. In OpenFlow and Open vSwitch, bits in these fields
655 generally aren't individually addressable.
659 OVN only supports arithmetic tests for equality on nominal fields,
660 because OpenFlow and Open vSwitch provide no way for a flow to
661 efficiently implement other comparisons on them. (A test for
662 inequality can be sort of built out of two flows with different
663 priorities, but OVN matching expressions always generate flows with
668 String fields are always nominal.
674 <dfn>Boolean
</dfn>. A nominal field that has only two values,
0
675 and
1, is somewhat exceptional, since it is easy to support both
676 equality and inequality tests on such a field: either one can be
677 implemented as a test for
0 or
1.
681 Only predicates (see above) have a Boolean level of measurement.
685 This isn't a standard level of measurement.
691 <em>Prerequisites
</em>. Any symbol can have prerequisites, which are
692 additional condition implied by the use of the symbol. For example,
693 For example,
<code>icmp4.type
</code> symbol might have prerequisite
694 <code>icmp4
</code>, which would cause an expression
<code>icmp4.type ==
695 0</code> to be interpreted as
<code>icmp4.type ==
0 &&
696 icmp4
</code>, which would in turn expand to
<code>icmp4.type ==
0
697 && eth.type ==
0x800 && ip4.proto ==
1</code> (assuming
698 <code>icmp4
</code> is a predicate defined as suggested under
699 <em>Types
</em> above).
702 <p><em>Relational operators
</em></p>
705 All of the standard relational operators
<code>==
</code>,
706 <code>!=
</code>,
<code><</code>,
<code><=
</code>,
707 <code>></code>, and
<code>>=
</code> are supported. Nominal
708 fields support only
<code>==
</code> and
<code>!=
</code>, and only in a
709 positive sense when outer
<code>!
</code> are taken into account,
710 e.g. given string field
<code>inport
</code>,
<code>inport ==
711 "eth0"</code> and
<code>!(inport !=
"eth0")
</code> are acceptable, but
712 not
<code>inport !=
"eth0"</code>.
716 The implementation of
<code>==
</code> (or
<code>!=
</code> when it is
717 negated), is more efficient than that of the other relational
721 <p><em>Constants
</em></p>
724 Integer constants may be expressed in decimal, hexadecimal prefixed by
725 <code>0x
</code>, or as dotted-quad IPv4 addresses, IPv6 addresses in
726 their standard forms, or Ethernet addresses as colon-separated hex
727 digits. A constant in any of these forms may be followed by a slash
728 and a second constant (the mask) in the same form, to form a masked
729 constant. IPv4 and IPv6 masks may be given as integers, to express
734 String constants have the same syntax as quoted strings in JSON (thus,
735 they are Unicode strings).
739 Some operators support sets of constants written inside curly braces
740 <code>{
</code> ...
<code>}
</code>. Commas between elements of a set,
741 and after the last elements, are optional. With
<code>==
</code>,
742 ``
<code><var>field
</var> == {
<var>constant1
</var>,
743 <var>constant2
</var>,
</code> ...
<code>}
</code>'' is syntactic sugar
744 for ``
<code><var>field
</var> ==
<var>constant1
</var> ||
745 <var>field
</var> ==
<var>constant2
</var> ||
</code>...
<code></code>.
746 Similarly, ``
<code><var>field
</var> != {
<var>constant1
</var>,
747 <var>constant2
</var>,
</code>...
<code> }
</code>'' is equivalent to
748 ``
<code><var>field
</var> !=
<var>constant1
</var> &&
749 <var>field
</var> !=
<var>constant2
</var> &&
750 </code>...
<code></code>''.
754 You may refer to a set of IPv4, IPv6, or MAC addresses stored in the
755 <ref table=
"Address_Set"/> table by its
<ref column=
"name"
756 table=
"Address_Set"/>. An
<ref table=
"Address_Set"/> with a name
757 of
<code>set1
</code> can be referred to as
761 <p><em>Miscellaneous
</em></p>
764 Comparisons may name the symbol or the constant first,
765 e.g.
<code>tcp.src ==
80</code> and
<code>80 == tcp.src
</code> are both
770 Tests for a range may be expressed using a syntax like
<code>1024 <=
771 tcp.src
<=
49151</code>, which is equivalent to
<code>1024 <=
772 tcp.src
&& tcp.src
<=
49151</code>.
776 For a one-bit field or predicate, a mention of its name is equivalent
777 to
<code><var>symobl
</var> ==
1</code>, e.g.
<code>vlan.present
</code>
778 is equivalent to
<code>vlan.present ==
1</code>. The same is true for
779 one-bit subfields, e.g.
<code>vlan.tci[
12]
</code>. There is no
780 technical limitation to implementing the same for ordinal fields of all
781 widths, but the implementation is expensive enough that the syntax
782 parser requires writing an explicit comparison against zero to make
783 mistakes less likely, e.g. in
<code>tcp.src !=
0</code> the comparison
784 against
0 is required.
788 <em>Operator precedence
</em> is as shown below, from highest to lowest.
789 There are two exceptions where parentheses are required even though the
790 table would suggest that they are not:
<code>&&</code> and
791 <code>||
</code> require parentheses when used together, and
792 <code>!
</code> requires parentheses when applied to a relational
793 expression. Thus, in
<code>(eth.type ==
0x800 || eth.type ==
0x86dd)
794 && ip.proto ==
6</code> or
<code>!(arp.op ==
1)
</code>, the
795 parentheses are mandatory.
799 <li><code>()
</code></li>
800 <li><code>== !=
< <=
> >=
</code></li>
801 <li><code>!
</code></li>
802 <li><code>&& ||
</code></li>
806 <em>Comments
</em> may be introduced by
<code>//
</code>, which extends
807 to the next new-line. Comments within a line may be bracketed by
808 <code>/*
</code> and
<code>*/
</code>. Multiline comments are not
812 <p><em>Symbols
</em></p>
815 Most of the symbols below have integer type. Only
<code>inport
</code>
816 and
<code>outport
</code> have string type.
<code>inport
</code> names a
817 logical port. Thus, its value is a
<ref column=
"logical_port"/> name
818 from the
<ref table=
"Port_Binding"/> table.
<code>outport
</code> may
819 name a logical port, as
<code>inport
</code>, or a logical multicast
820 group defined in the
<ref table=
"Multicast_Group"/> table. For both
821 symbols, only names within the flow's logical datapath may be used.
825 The
<code>reg
</code><var>X
</var> symbols are
32-bit integers.
826 The
<code>xxreg
</code><var>X
</var> symbols are
128-bit integers,
827 which overlay four of the
32-bit registers:
<code>xxreg0
</code>
828 overlays
<code>reg0
</code> through
<code>reg3
</code>, with
829 <code>reg0
</code> supplying the most-significant bits of
830 <code>xxreg0
</code> and
<code>reg3
</code> the least-signficant.
831 <code>xxreg1
</code> similarly overlays
<code>reg4
</code> through
836 <li><code>reg0
</code>...
<code>reg9
</code></li>
837 <li><code>xxreg0
</code> <code>xxreg1
</code></li>
838 <li><code>inport
</code> <code>outport
</code></li>
839 <li><code>flags.loopback
</code></li>
840 <li><code>eth.src
</code> <code>eth.dst
</code> <code>eth.type
</code></li>
841 <li><code>vlan.tci
</code> <code>vlan.vid
</code> <code>vlan.pcp
</code> <code>vlan.present
</code></li>
842 <li><code>ip.proto
</code> <code>ip.dscp
</code> <code>ip.ecn
</code> <code>ip.ttl
</code> <code>ip.frag
</code></li>
843 <li><code>ip4.src
</code> <code>ip4.dst
</code></li>
844 <li><code>ip6.src
</code> <code>ip6.dst
</code> <code>ip6.label
</code></li>
845 <li><code>arp.op
</code> <code>arp.spa
</code> <code>arp.tpa
</code> <code>arp.sha
</code> <code>arp.tha
</code></li>
846 <li><code>tcp.src
</code> <code>tcp.dst
</code> <code>tcp.flags
</code></li>
847 <li><code>udp.src
</code> <code>udp.dst
</code></li>
848 <li><code>sctp.src
</code> <code>sctp.dst
</code></li>
849 <li><code>icmp4.type
</code> <code>icmp4.code
</code></li>
850 <li><code>icmp6.type
</code> <code>icmp6.code
</code></li>
851 <li><code>nd.target
</code> <code>nd.sll
</code> <code>nd.tll
</code></li>
852 <li><code>ct_mark
</code> <code>ct_label
</code></li>
855 <code>ct_state
</code>, which has the following Boolean subfields:
858 <li><code>ct.new
</code>: True for a new flow
</li>
859 <li><code>ct.est
</code>: True for an established flow
</li>
860 <li><code>ct.rel
</code>: True for a related flow
</li>
861 <li><code>ct.rpl
</code>: True for a reply flow
</li>
862 <li><code>ct.inv
</code>: True for a connection entry in a bad state
</li>
865 The above subfields of
<code>ct_state
</code> are initialized by
866 the
<code>ct_next
</code> action, described later.
870 <code>ct.dnat
</code>: True for a packet whose destination IP
871 address has been changed.
874 <code>ct.snat
</code>: True for a packet whose source IP
875 address has been changed.
879 The above subfields of
<code>ct_state
</code> are initialized by
880 the actions like
<code>ct_dnat
</code>,
<code>ct_snat
</code> and
881 <code>ct_lb
</code> described later.
887 The following predicates are supported:
891 <li><code>eth.bcast
</code> expands to
<code>eth.dst == ff:ff:ff:ff:ff:ff
</code></li>
892 <li><code>eth.mcast
</code> expands to
<code>eth.dst[
40]
</code></li>
893 <li><code>vlan.present
</code> expands to
<code>vlan.tci[
12]
</code></li>
894 <li><code>ip4
</code> expands to
<code>eth.type ==
0x800</code></li>
895 <li><code>ip4.mcast
</code> expands to
<code>ip4.dst[
28.
.31] ==
0xe</code></li>
896 <li><code>ip6
</code> expands to
<code>eth.type ==
0x86dd</code></li>
897 <li><code>ip
</code> expands to
<code>ip4 || ip6
</code></li>
898 <li><code>icmp4
</code> expands to
<code>ip4
&& ip.proto ==
1</code></li>
899 <li><code>icmp6
</code> expands to
<code>ip6
&& ip.proto ==
58</code></li>
900 <li><code>icmp
</code> expands to
<code>icmp4 || icmp6
</code></li>
901 <li><code>ip.is_frag
</code> expands to
<code>ip.frag[
0]
</code></li>
902 <li><code>ip.later_frag
</code> expands to
<code>ip.frag[
1]
</code></li>
903 <li><code>ip.first_frag
</code> expands to
<code>ip.is_frag
&& !ip.later_frag
</code></li>
904 <li><code>arp
</code> expands to
<code>eth.type ==
0x806</code></li>
905 <li><code>nd
</code> expands to
<code>icmp6.type == {
135,
136}
&& icmp6.code ==
0 && ip.ttl ==
255</code></li>
906 <li><code>nd_ns
</code> expands to
<code>icmp6.type ==
135 && icmp6.code ==
0 && ip.ttl ==
255</code></li>
907 <li><code>nd_na
</code> expands to
<code>icmp6.type ==
136 && icmp6.code ==
0 && ip.ttl ==
255</code></li>
908 <li><code>tcp
</code> expands to
<code>ip.proto ==
6</code></li>
909 <li><code>udp
</code> expands to
<code>ip.proto ==
17</code></li>
910 <li><code>sctp
</code> expands to
<code>ip.proto ==
132</code></li>
914 <column name=
"actions">
916 Logical datapath actions, to be executed when the logical flow
917 represented by this row is the highest-priority match.
921 Actions share lexical syntax with the
<ref column=
"match"/> column. An
922 empty set of actions (or one that contains just white space or
923 comments), or a set of actions that consists of just
924 <code>drop;
</code>, causes the matched packets to be dropped.
925 Otherwise, the column should contain a sequence of actions, each
926 terminated by a semicolon.
930 The following actions are defined:
934 <dt><code>output;
</code></dt>
937 In the ingress pipeline, this action executes the
938 <code>egress
</code> pipeline as a subroutine. If
939 <code>outport
</code> names a logical port, the egress pipeline
940 executes once; if it is a multicast group, the egress pipeline runs
941 once for each logical port in the group.
945 In the egress pipeline, this action performs the actual
946 output to the
<code>outport
</code> logical port. (In the egress
947 pipeline,
<code>outport
</code> never names a multicast group.)
951 By default, output to the input port is implicitly dropped,
952 that is,
<code>output
</code> becomes a no-op if
953 <code>outport
</code> ==
<code>inport
</code>. Occasionally
954 it may be useful to override this behavior, e.g. to send an
955 ARP reply to an ARP request; to do so, use
956 <code>flags.loopback =
1</code> to allow the packet to
957 "hair-pin" back to the input port.
961 <dt><code>next;
</code></dt>
962 <dt><code>next(
<var>table
</var>);
</code></dt>
963 <dt><code>next(pipeline=
<var>pipeline
</var>, table=
<var>table
</var>);
</code></dt>
965 Executes the given logical datapath
<var>table
</var> in
966 <var>pipeline
</var> as a subroutine. The default
<var>table
</var> is
967 just after the current one. If
<var>pipeline
</var> is specified, it
968 may be
<code>ingress
</code> or
<code>egress
</code>; the default
969 <var>pipeline
</var> is the one currently executing. Actions in the
970 ingress pipeline may not use
<code>next
</code> to jump into the
971 egress pipeline (use the
<code>output
</code> instead), but
972 transitions in the opposite direction are allowed.
975 <dt><code><var>field
</var> =
<var>constant
</var>;
</code></dt>
978 Sets data or metadata field
<var>field
</var> to constant value
979 <var>constant
</var>, e.g.
<code>outport =
"vif0";
</code> to set the
980 logical output port. To set only a subset of bits in a field,
981 specify a subfield for
<var>field
</var> or a masked
982 <var>constant
</var>, e.g. one may use
<code>vlan.pcp[
2] =
1;
</code>
983 or
<code>vlan.pcp =
4/
4;
</code> to set the most sigificant bit of
988 Assigning to a field with prerequisites implicitly adds those
989 prerequisites to
<ref column=
"match"/>; thus, for example, a flow
990 that sets
<code>tcp.dst
</code> applies only to TCP flows,
991 regardless of whether its
<ref column=
"match"/> mentions any TCP
996 Not all fields are modifiable (e.g.
<code>eth.type
</code> and
997 <code>ip.proto
</code> are read-only), and not all modifiable fields
998 may be partially modified (e.g.
<code>ip.ttl
</code> must assigned
999 as a whole). The
<code>outport
</code> field is modifiable in the
1000 <code>ingress
</code> pipeline but not in the
<code>egress
</code>
1005 <dt><code><var>field1
</var> =
<var>field2
</var>;
</code></dt>
1008 Sets data or metadata field
<var>field1
</var> to the value of data
1009 or metadata field
<var>field2
</var>, e.g.
<code>reg0 =
1010 ip4.src;
</code> copies
<code>ip4.src
</code> into
<code>reg0
</code>.
1011 To modify only a subset of a field's bits, specify a subfield for
1012 <var>field1
</var> or
<var>field2
</var> or both, e.g.
<code>vlan.pcp
1013 = reg0[
0.
.2];
</code> copies the least-significant bits of
1014 <code>reg0
</code> into the VLAN PCP.
1018 <var>field1
</var> and
<var>field2
</var> must be the same type,
1019 either both string or both integer fields. If they are both
1020 integer fields, they must have the same width.
1024 If
<var>field1
</var> or
<var>field2
</var> has prerequisites, they
1025 are added implicitly to
<ref column=
"match"/>. It is possible to
1026 write an assignment with contradictory prerequisites, such as
1027 <code>ip4.src = ip6.src[
0.
.31];
</code>, but the contradiction means
1028 that a logical flow with such an assignment will never be matched.
1032 <dt><code><var>field1
</var> <-
> <var>field2
</var>;
</code></dt>
1035 Similar to
<code><var>field1
</var> =
<var>field2
</var>;
</code>
1036 except that the two values are exchanged instead of copied. Both
1037 <var>field1
</var> and
<var>field2
</var> must modifiable.
1041 <dt><code>ip.ttl--;
</code></dt>
1044 Decrements the IPv4 or IPv6 TTL. If this would make the TTL zero
1045 or negative, then processing of the packet halts; no further
1046 actions are processed. (To properly handle such cases, a
1047 higher-priority flow should match on
1048 <code>ip.ttl == {
0,
1};
</code>.)
1051 <p><b>Prerequisite:
</b> <code>ip
</code></p>
1054 <dt><code>ct_next;
</code></dt>
1057 Apply connection tracking to the flow, initializing
1058 <code>ct_state
</code> for matching in later tables.
1059 Automatically moves on to the next table, as if followed by
1064 As a side effect, IP fragments will be reassembled for matching.
1065 If a fragmented packet is output, then it will be sent with any
1066 overlapping fragments squashed. The connection tracking state is
1067 scoped by the logical port when the action is used in a flow for
1068 a logical switch, so overlapping addresses may be used. To allow
1069 traffic related to the matched flow, execute
<code>ct_commit
1070 </code>. Connection tracking state is scoped by the logical
1071 topology when the action is used in a flow for a router.
1075 It is possible to have actions follow
<code>ct_next
</code>,
1076 but they will not have access to any of its side-effects and
1077 is not generally useful.
1081 <dt><code>ct_commit;
</code></dt>
1082 <dt><code>ct_commit(ct_mark=
<var>value[/mask]
</var>);
</code></dt>
1083 <dt><code>ct_commit(ct_label=
<var>value[/mask]
</var>);
</code></dt>
1084 <dt><code>ct_commit(ct_mark=
<var>value[/mask]
</var>, ct_label=
<var>value[/mask]
</var>);
</code></dt>
1087 Commit the flow to the connection tracking entry associated with it
1088 by a previous call to
<code>ct_next
</code>. When
1089 <code>ct_mark=
<var>value[/mask]
</var></code> and/or
1090 <code>ct_label=
<var>value[/mask]
</var></code> are supplied,
1091 <code>ct_mark
</code> and/or
<code>ct_label
</code> will be set to the
1092 values indicated by
<var>value[/mask]
</var> on the connection
1093 tracking entry.
<code>ct_mark
</code> is a
32-bit field.
1094 <code>ct_label
</code> is a
128-bit field. The
<var>value[/mask]
</var>
1095 should be specified in hex string if more than
64bits are to be used.
1099 Note that if you want processing to continue in the next table,
1100 you must execute the
<code>next
</code> action after
1101 <code>ct_commit
</code>. You may also leave out
<code>next
</code>
1102 which will commit connection tracking state, and then drop the
1103 packet. This could be useful for setting
<code>ct_mark
</code>
1104 on a connection tracking entry before dropping a packet,
1109 <dt><code>ct_dnat;
</code></dt>
1110 <dt><code>ct_dnat(
<var>IP
</var>);
</code></dt>
1113 <code>ct_dnat
</code> sends the packet through the DNAT zone in
1114 connection tracking table to unDNAT any packet that was DNATed in
1115 the opposite direction. The packet is then automatically sent to
1116 to the next tables as if followed by
<code>next;
</code> action.
1117 The next tables will see the changes in the packet caused by
1118 the connection tracker.
1121 <code>ct_dnat(
<var>IP
</var>)
</code> sends the packet through the
1122 DNAT zone to change the destination IP address of the packet to
1123 the one provided inside the parentheses and commits the connection.
1124 The packet is then automatically sent to the next tables as if
1125 followed by
<code>next;
</code> action. The next tables will see
1126 the changes in the packet caused by the connection tracker.
1130 <dt><code>ct_snat;
</code></dt>
1131 <dt><code>ct_snat(
<var>IP
</var>);
</code></dt>
1134 <code>ct_snat
</code> sends the packet through the SNAT zone to
1135 unSNAT any packet that was SNATed in the opposite direction. The
1136 behavior on gateway routers differs from the behavior on a
1141 On a gateway router, if the packet needs to be sent to the next
1142 tables, then it should be followed by a
<code>next;
</code>
1143 action. The next tables will not see the changes in the packet
1144 caused by the connection tracker.
1147 On a distributed router, if the connection tracker finds a
1148 connection that was SNATed in the opposite direction, then the
1149 destination IP address of the packet is UNSNATed. The packet is
1150 automatically sent to the next tables as if followed by the
1151 <code>next;
</code> action. The next tables will see the changes
1152 in the packet caused by the connection tracker.
1156 <code>ct_snat(
<var>IP
</var>)
</code> sends the packet through the
1157 SNAT zone to change the source IP address of the packet to
1158 the one provided inside the parenthesis and commits the connection.
1159 The packet is then automatically sent to the next tables as if
1160 followed by
<code>next;
</code> action. The next tables will see the
1161 changes in the packet caused by the connection tracker.
1165 <dt><code>ct_clear;
</code></dt>
1167 Clears connection tracking state.
1170 <dt><code>clone {
<var>action
</var>;
</code>...
<code> };
</code></dt>
1172 Makes a copy of the packet being processed and executes each
1173 <code>action
</code> on the copy. Actions following the
1174 <var>clone
</var> action, if any, apply to the original, unmodified
1175 packet. This can be used as a way to ``save and restore'' the packet
1176 around a set of actions that may modify it and should not persist.
1179 <dt><code>arp {
<var>action
</var>;
</code>...
<code> };
</code></dt>
1182 Temporarily replaces the IPv4 packet being processed by an ARP
1183 packet and executes each nested
<var>action
</var> on the ARP
1184 packet. Actions following the
<var>arp
</var> action, if any, apply
1185 to the original, unmodified packet.
1189 The ARP packet that this action operates on is initialized based on
1190 the IPv4 packet being processed, as follows. These are default
1191 values that the nested actions will probably want to change:
1195 <li><code>eth.src
</code> unchanged
</li>
1196 <li><code>eth.dst
</code> unchanged
</li>
1197 <li><code>eth.type =
0x0806</code></li>
1198 <li><code>arp.op =
1</code> (ARP request)
</li>
1199 <li><code>arp.sha
</code> copied from
<code>eth.src
</code></li>
1200 <li><code>arp.spa
</code> copied from
<code>ip4.src
</code></li>
1201 <li><code>arp.tha =
00:
00:
00:
00:
00:
00</code></li>
1202 <li><code>arp.tpa
</code> copied from
<code>ip4.dst
</code></li>
1206 The ARP packet has the same VLAN header, if any, as the IP packet
1210 <p><b>Prerequisite:
</b> <code>ip4
</code></p>
1213 <dt><code>get_arp(
<var>P
</var>,
<var>A
</var>);
</code></dt>
1217 <b>Parameters
</b>: logical port string field
<var>P
</var>,
32-bit
1218 IP address field
<var>A
</var>.
1222 Looks up
<var>A
</var> in
<var>P
</var>'s mac binding table.
1223 If an entry is found, stores its Ethernet address in
1224 <code>eth.dst
</code>, otherwise stores
1225 <code>00:
00:
00:
00:
00:
00</code> in
<code>eth.dst
</code>.
1228 <p><b>Example:
</b> <code>get_arp(outport, ip4.dst);
</code></p>
1232 <code>put_arp(
<var>P
</var>,
<var>A
</var>,
<var>E
</var>);
</code>
1237 <b>Parameters
</b>: logical port string field
<var>P
</var>,
32-bit
1238 IP address field
<var>A
</var>,
48-bit Ethernet address field
1243 Adds or updates the entry for IP address
<var>A
</var> in
1244 logical port
<var>P
</var>'s mac binding table, setting its
1245 Ethernet address to
<var>E
</var>.
1248 <p><b>Example:
</b> <code>put_arp(inport, arp.spa, arp.sha);
</code></p>
1252 <code>nd_na {
<var>action
</var>;
</code>...
<code> };
</code>
1257 Temporarily replaces the IPv6 neighbor solicitation packet
1258 being processed by an IPv6 neighbor advertisement (NA)
1259 packet and executes each nested
<var>action
</var> on the NA
1260 packet. Actions following the
<code>nd_na
</code> action,
1261 if any, apply to the original, unmodified packet.
1265 The NA packet that this action operates on is initialized based on
1266 the IPv6 packet being processed, as follows. These are default
1267 values that the nested actions will probably want to change:
1271 <li><code>eth.dst
</code> exchanged with
<code>eth.src
</code></li>
1272 <li><code>eth.type =
0x86dd</code></li>
1273 <li><code>ip6.dst
</code> copied from
<code>ip6.src
</code></li>
1274 <li><code>ip6.src
</code> copied from
<code>nd.target
</code></li>
1275 <li><code>icmp6.type =
136</code> (Neighbor Advertisement)
</li>
1276 <li><code>nd.target
</code> unchanged
</li>
1277 <li><code>nd.sll =
00:
00:
00:
00:
00:
00</code></li>
1278 <li><code>nd.tll
</code> copied from
<code>eth.dst
</code></li>
1282 The ND packet has the same VLAN header, if any, as the IPv6 packet
1287 <b>Prerequisite:
</b> <code>nd_ns
</code>
1291 <dt><code>get_nd(
<var>P
</var>,
<var>A
</var>);
</code></dt>
1295 <b>Parameters
</b>: logical port string field
<var>P
</var>,
128-bit
1296 IPv6 address field
<var>A
</var>.
1300 Looks up
<var>A
</var> in
<var>P
</var>'s mac binding table.
1301 If an entry is found, stores its Ethernet address in
1302 <code>eth.dst
</code>, otherwise stores
1303 <code>00:
00:
00:
00:
00:
00</code> in
<code>eth.dst
</code>.
1306 <p><b>Example:
</b> <code>get_nd(outport, ip6.dst);
</code></p>
1310 <code>put_nd(
<var>P
</var>,
<var>A
</var>,
<var>E
</var>);
</code>
1315 <b>Parameters
</b>: logical port string field
<var>P
</var>,
1316 128-bit IPv6 address field
<var>A
</var>,
48-bit Ethernet
1317 address field
<var>E
</var>.
1321 Adds or updates the entry for IPv6 address
<var>A
</var> in
1322 logical port
<var>P
</var>'s mac binding table, setting its
1323 Ethernet address to
<var>E
</var>.
1326 <p><b>Example:
</b> <code>put_nd(inport, nd.target, nd.tll);
</code></p>
1330 <code><var>R
</var> = put_dhcp_opts(
<var>D1
</var> =
<var>V1
</var>,
<var>D2
</var> =
<var>V2
</var>, ...,
<var>Dn
</var> =
<var>Vn
</var>);
</code>
1335 <b>Parameters
</b>: one or more DHCP option/value pairs, which must
1336 include an
<code>offerip
</code> option (with code
0).
1340 <b>Result
</b>: stored to a
1-bit subfield
<var>R
</var>.
1344 Valid only in the ingress pipeline.
1348 When this action is applied to a DHCP request packet (DHCPDISCOVER
1349 or DHCPREQUEST), it changes the packet into a DHCP reply (DHCPOFFER
1350 or DHCPACK, respectively), replaces the options by those specified
1351 as parameters, and stores
1 in
<var>R
</var>.
1355 When this action is applied to a non-DHCP packet or a DHCP packet
1356 that is not DHCPDISCOVER or DHCPREQUEST, it leaves the packet
1357 unchanged and stores
0 in
<var>R
</var>.
1361 The contents of the
<ref table=
"DHCP_Option"/> table control the
1362 DHCP option names and values that this action supports.
1368 reg0[
0] = put_dhcp_opts(offerip =
10.0.0.2, router =
10.0.0.1,
1369 netmask =
255.255.255.0, dns_server = {
8.8.8.8,
7.7.7.7});
1375 <code><var>R
</var> = put_dhcpv6_opts(
<var>D1
</var> =
<var>V1
</var>,
<var>D2
</var> =
<var>V2
</var>, ...,
<var>Dn
</var> =
<var>Vn
</var>);
</code>
1380 <b>Parameters
</b>: one or more DHCPv6 option/value pairs.
1384 <b>Result
</b>: stored to a
1-bit subfield
<var>R
</var>.
1388 Valid only in the ingress pipeline.
1392 When this action is applied to a DHCPv6 request packet, it changes
1393 the packet into a DHCPv6 reply, replaces the options by those
1394 specified as parameters, and stores
1 in
<var>R
</var>.
1398 When this action is applied to a non-DHCPv6 packet or an invalid
1399 DHCPv6 request packet , it leaves the packet unchanged and stores
1404 The contents of the
<ref table=
"DHCPv6_Options"/> table control the
1405 DHCPv6 option names and values that this action supports.
1411 reg0[
3] = put_dhcpv6_opts(ia_addr = aef0::
4, server_id =
00:
00:
00:
00:
10:
02,
1412 dns_server={ae70::
1,ae70::
2});
1418 <code>set_queue(
<var>queue_number
</var>);
</code>
1423 <b>Parameters
</b>: Queue number
<var>queue_number
</var>, in the range
0 to
61440.
1427 This is a logical equivalent of the OpenFlow
<code>set_queue
</code>
1428 action. It affects packets that egress a hypervisor through a
1429 physical interface. For nonzero
<var>queue_number
</var>, it
1430 configures packet queuing to match the settings configured for the
1431 <ref table=
"Port_Binding"/> with
1432 <code>options:qdisc_queue_id
</code> matching
1433 <var>queue_number
</var>. When
<var>queue_number
</var> is zero, it
1434 resets queuing to the default strategy.
1437 <p><b>Example:
</b> <code>set_queue(
10);
</code></p>
1440 <dt><code>ct_lb;
</code></dt>
1441 <dt><code>ct_lb(
</code><var>ip
</var>[
<code>:
</code><var>port
</var>]...
<code>);
</code></dt>
1444 With one or more arguments,
<code>ct_lb
</code> commits the packet
1445 to the connection tracking table and DNATs the packet's destination
1446 IP address (and port) to the IP address or addresses (and optional
1447 ports) specified in the string. If multiple comma-separated IP
1448 addresses are specified, each is given equal weight for picking the
1449 DNAT address. Processing automatically moves on to the next table,
1450 as if
<code>next;
</code> were specified, and later tables act on
1451 the packet as modified by the connection tracker. Connection
1452 tracking state is scoped by the logical port when the action is
1453 used in a flow for a logical switch, so overlapping
1454 addresses may be used. Connection tracking state is scoped by the
1455 logical topology when the action is used in a flow for a router.
1458 Without arguments,
<code>ct_lb
</code> sends the packet to the
1459 connection tracking table to NAT the packets. If the packet is
1460 part of an established connection that was previously committed to
1461 the connection tracker via
<code>ct_lb(
</code>...
<code>)
</code>, it
1462 will automatically get DNATed to the same IP address as the first
1463 packet in that connection.
1469 The following actions will likely be useful later, but they have not
1470 been thought out carefully.
1474 <dt><code>icmp4 {
<var>action
</var>;
</code>...
<code> };
</code></dt>
1477 Temporarily replaces the IPv4 packet being processed by an ICMPv4
1478 packet and executes each nested
<var>action
</var> on the ICMPv4
1479 packet. Actions following the
<var>icmp4
</var> action, if any,
1480 apply to the original, unmodified packet.
1484 The ICMPv4 packet that this action operates on is initialized based
1485 on the IPv4 packet being processed, as follows. These are default
1486 values that the nested actions will probably want to change.
1487 Ethernet and IPv4 fields not listed here are not changed:
1491 <li><code>ip.proto =
1</code> (ICMPv4)
</li>
1492 <li><code>ip.frag =
0</code> (not a fragment)
</li>
1493 <li><code>icmp4.type =
3</code> (destination unreachable)
</li>
1494 <li><code>icmp4.code =
1</code> (host unreachable)
</li>
1501 <p><b>Prerequisite:
</b> <code>ip4
</code></p>
1504 <dt><code>tcp_reset;
</code></dt>
1507 This action transforms the current TCP packet according to the
1508 following pseudocode:
1515 tcp.ack = tcp.seq + length(tcp.payload);
1522 Then, the action drops all TCP options and payload data, and
1523 updates the TCP checksum.
1530 <p><b>Prerequisite:
</b> <code>tcp
</code></p>
1535 <column name=
"external_ids" key=
"stage-name">
1536 Human-readable name for this flow's stage in the pipeline.
1539 <column name=
"external_ids" key=
"source">
1540 Source file and line number of the code that added this flow to the
1544 <group title=
"Common Columns">
1545 The overall purpose of these columns is described under
<code>Common
1546 Columns
</code> at the beginning of this document.
1548 <column name=
"external_ids"/>
1552 <table name=
"Multicast_Group" title=
"Logical Port Multicast Groups">
1554 The rows in this table define multicast groups of logical ports.
1555 Multicast groups allow a single packet transmitted over a tunnel to a
1556 hypervisor to be delivered to multiple VMs on that hypervisor, which
1557 uses bandwidth more efficiently.
1561 Each row in this table defines a logical multicast group numbered
<ref
1562 column=
"tunnel_key"/> within
<ref column=
"datapath"/>, whose logical
1563 ports are listed in the
<ref column=
"ports"/> column.
1566 <column name=
"datapath">
1567 The logical datapath in which the multicast group resides.
1570 <column name=
"tunnel_key">
1571 The value used to designate this logical egress port in tunnel
1572 encapsulations. An index forces the key to be unique within the
<ref
1573 column=
"datapath"/>. The unusual range ensures that multicast group IDs
1574 do not overlap with logical port IDs.
1577 <column name=
"name">
1579 The logical multicast group's name. An index forces the name to be
1580 unique within the
<ref column=
"datapath"/>. Logical flows in the
1581 ingress pipeline may output to the group just as for individual logical
1582 ports, by assigning the group's name to
<code>outport
</code> and
1583 executing an
<code>output
</code> action.
1587 Multicast group names and logical port names share a single namespace
1588 and thus should not overlap (but the database schema cannot enforce
1589 this). To try to avoid conflicts,
<code>ovn-northd
</code> uses names
1590 that begin with
<code>_MC_
</code>.
1594 <column name=
"ports">
1595 The logical ports included in the multicast group. All of these ports
1596 must be in the
<ref column=
"datapath"/> logical datapath (but the
1597 database schema cannot enforce this).
1601 <table name=
"Datapath_Binding" title=
"Physical-Logical Datapath Bindings">
1603 Each row in this table identifies physical bindings of a logical
1604 datapath. A logical datapath implements a logical pipeline among the
1605 ports in the
<ref table=
"Port_Binding"/> table associated with it. In
1606 practice, the pipeline in a given logical datapath implements either a
1607 logical switch or a logical router.
1610 <column name=
"tunnel_key">
1611 The tunnel key value to which the logical datapath is bound.
1612 The
<code>Tunnel Encapsulation
</code> section in
1613 <code>ovn-architecture
</code>(
7) describes how tunnel keys are
1614 constructed for each supported encapsulation.
1617 <group title=
"OVN_Northbound Relationship">
1619 Each row in
<ref table=
"Datapath_Binding"/> is associated with some
1620 logical datapath.
<code>ovn-northd
</code> uses these keys to track the
1621 association of a logical datapath with concepts in the
<ref
1622 db=
"OVN_Northbound"/> database.
1625 <column name=
"external_ids" key=
"logical-switch" type='{
"type":
"uuid"}'
>
1626 For a logical datapath that represents a logical switch,
1627 <code>ovn-northd
</code> stores in this key the UUID of the
1628 corresponding
<ref table=
"Logical_Switch" db=
"OVN_Northbound"/> row in
1629 the
<ref db=
"OVN_Northbound"/> database.
1632 <column name=
"external_ids" key=
"logical-router" type='{
"type":
"uuid"}'
>
1633 For a logical datapath that represents a logical router,
1634 <code>ovn-northd
</code> stores in this key the UUID of the
1635 corresponding
<ref table=
"Logical_Router" db=
"OVN_Northbound"/> row in
1636 the
<ref db=
"OVN_Northbound"/> database.
1639 <column name=
"external_ids" key=
"name">
1640 <code>ovn-northd
</code> copies this from the
<ref
1641 table=
"Logical_Router" db=
"OVN_Northbound"/> or
<ref
1642 table=
"Logical_Switch" db=
"OVN_Northbound"/> table in the
<ref
1643 db=
"OVN_Northbound"/> database, when that column is nonempty.
1647 <group title=
"Common Columns">
1648 The overall purpose of these columns is described under
<code>Common
1649 Columns
</code> at the beginning of this document.
1651 <column name=
"external_ids"/>
1655 <table name=
"Port_Binding" title=
"Physical-Logical Port Bindings">
1657 Most rows in this table identify the physical location of a logical port.
1658 (The exceptions are logical patch ports, which do not have any physical
1663 For every
<code>Logical_Switch_Port
</code> record in
1664 <code>OVN_Northbound
</code> database,
<code>ovn-northd
</code>
1665 creates a record in this table.
<code>ovn-northd
</code> populates
1666 and maintains every column except the
<code>chassis
</code> column,
1667 which it leaves empty in new records.
1671 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code>
1672 populates the
<code>chassis
</code> column for the records that
1673 identify the logical ports that are located on its hypervisor/gateway,
1674 which
<code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code> in
1675 turn finds out by monitoring the local hypervisor's Open_vSwitch
1676 database, which identifies logical ports via the conventions described
1677 in
<code>IntegrationGuide.rst
</code>. (The exceptions are for
1678 <code>Port_Binding
</code> records with
<code>type
</code> of
1679 <code>l3gateway
</code>, whose locations are identified by
1680 <code>ovn-northd
</code> via the
<code>options:l3gateway-chassis
</code>
1681 column in this table.
<code>ovn-controller
</code> is still responsible
1682 to populate the
<code>chassis
</code> column.)
1686 When a chassis shuts down gracefully, it should clean up the
1687 <code>chassis
</code> column that it previously had populated.
1688 (This is not critical because resources hosted on the chassis are equally
1689 unreachable regardless of whether their rows are present.) To handle the
1690 case where a VM is shut down abruptly on one chassis, then brought up
1691 again on a different one,
1692 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code> must
1693 overwrite the
<code>chassis
</code> column with new information.
1696 <group title=
"Core Features">
1697 <column name=
"datapath">
1698 The logical datapath to which the logical port belongs.
1701 <column name=
"logical_port">
1702 A logical port, taken from
<ref table=
"Logical_Switch_Port"
1703 column=
"name" db=
"OVN_Northbound"/> in the OVN_Northbound
1704 database's
<ref table=
"Logical_Switch_Port" db=
"OVN_Northbound"/>
1705 table. OVN does not prescribe a particular format for the
1709 <column name=
"chassis">
1710 The meaning of this column depends on the value of the
<ref column=
"type"/>
1711 column. This is the meaning for each
<ref column=
"type"/>
1714 <dt>(empty string)
</dt>
1716 The physical location of the logical port. To successfully identify a
1717 chassis, this column must be a
<ref table=
"Chassis"/> record. This is
1718 populated by
<code>ovn-controller
</code>.
1723 The physical location of the hardware_vtep gateway. To successfully
1724 identify a chassis, this column must be a
<ref table=
"Chassis"/> record.
1725 This is populated by
<code>ovn-controller-vtep
</code>.
1730 Always empty. A localnet port is realized on every chassis that has
1731 connectivity to the corresponding physical network.
1736 The physical location of the L3 gateway. To successfully identify a
1737 chassis, this column must be a
<ref table=
"Chassis"/> record. This is
1738 populated by
<code>ovn-controller
</code> based on the value of
1739 the
<code>options:l3gateway-chassis
</code> column in this table.
1744 The physical location of this L2 gateway. To successfully identify a
1745 chassis, this column must be a
<ref table=
"Chassis"/> record.
1746 This is populated by
<code>ovn-controller
</code> based on the value
1747 of the
<code>options:l2gateway-chassis
</code> column in this table.
1753 <column name=
"tunnel_key">
1755 A number that represents the logical port in the key (e.g. STT key or
1756 Geneve TLV) field carried within tunnel protocol packets.
1760 The tunnel ID must be unique within the scope of a logical datapath.
1766 The Ethernet address or addresses used as a source address on the
1767 logical port, each in the form
1768 <var>xx
</var>:
<var>xx
</var>:
<var>xx
</var>:
<var>xx
</var>:
<var>xx
</var>:
<var>xx
</var>.
1769 The string
<code>unknown
</code> is also allowed to indicate that the
1770 logical port has an unknown set of (additional) source addresses.
1774 A VM interface would ordinarily have a single Ethernet address. A
1775 gateway port might initially only have
<code>unknown
</code>, and then
1776 add MAC addresses to the set as it learns new source addresses.
1780 <column name=
"type">
1782 A type for this logical port. Logical ports can be used to model other
1783 types of connectivity into an OVN logical switch. The following types
1788 <dt>(empty string)
</dt>
1789 <dd>VM (or VIF) interface.
</dd>
1791 <dt><code>patch
</code></dt>
1793 One of a pair of logical ports that act as if connected by a patch
1794 cable. Useful for connecting two logical datapaths, e.g. to connect
1795 a logical router to a logical switch or to another logical router.
1798 <dt><code>l3gateway
</code></dt>
1800 One of a pair of logical ports that act as if connected by a patch
1801 cable across multiple chassis. Useful for connecting a logical
1802 switch with a Gateway router (which is only resident on a
1803 particular chassis).
1806 <dt><code>localnet
</code></dt>
1808 A connection to a locally accessible network from each
1809 <code>ovn-controller
</code> instance. A logical switch can only
1810 have a single
<code>localnet
</code> port attached. This is used
1811 to model direct connectivity to an existing network.
1814 <dt><code>l2gateway
</code></dt>
1816 An L2 connection to a physical network. The chassis this
1817 <ref table=
"Port_Binding"/> is bound to will serve as
1818 an L2 gateway to the network named by
1819 <ref column=
"options" table=
"Port_Binding"/>:
<code>network_name
</code>.
1822 <dt><code>vtep
</code></dt>
1824 A port to a logical switch on a VTEP gateway chassis. In order to
1825 get this port correctly recognized by the OVN controller, the
<ref
1827 table=
"Port_Binding"/>:
<code>vtep-physical-switch
</code> and
<ref
1829 table=
"Port_Binding"/>:
<code>vtep-logical-switch
</code> must also
1833 <dt><code>chassisredirect
</code></dt>
1835 A logical port that represents a particular instance, bound
1836 to a specific chassis, of an otherwise distributed parent
1837 port (e.g. of type
<code>patch
</code>). A
1838 <code>chassisredirect
</code> port should never be used as an
1839 <code>inport
</code>. When an ingress pipeline sets the
1840 <code>outport
</code>, it may set the value to a logical port
1841 of type
<code>chassisredirect
</code>. This will cause the
1842 packet to be directed to a specific chassis to carry out the
1843 egress pipeline. At the beginning of the egress pipeline,
1844 the
<code>outport
</code> will be reset to the value of the
1851 <group title=
"Patch Options">
1853 These options apply to logical ports with
<ref column=
"type"/> of
1857 <column name=
"options" key=
"peer">
1858 The
<ref column=
"logical_port"/> in the
<ref table=
"Port_Binding"/>
1859 record for the other side of the patch. The named
<ref
1860 column=
"logical_port"/> must specify this
<ref column=
"logical_port"/>
1861 in its own
<code>peer
</code> option. That is, the two patch logical
1862 ports must have reversed
<ref column=
"logical_port"/> and
1863 <code>peer
</code> values.
1866 <column name=
"options" key=
"nat-addresses">
1867 MAC address of the
<code>patch
</code> port followed by a list of
1868 SNAT and DNAT external IP addresses, followed by
1869 <code>is_chassis_resident(
"<var>lport</var>")
</code>, where
1870 <var>lport
</var> is the name of a logical port on the same chassis
1871 where the corresponding NAT rules are applied. This is used to
1872 send gratuitous ARPs for SNAT and DNAT external IP addresses via
1873 <code>localnet
</code>, from the chassis where
<var>lport
</var>
1874 resides. Example:
<code>80:fa:
5b:
06:
72:b7
158.36.44.22
1875 158.36.44.24 is_chassis_resident(
"foo1")
</code>. This would result
1876 in generation of gratuitous ARPs for IP addresses
158.36.44.22 and
1877 158.36.44.24 with a MAC address of
80:fa:
5b:
06:
72:b7 from the chassis
1878 where the logical port
"foo1" resides.
1882 <group title=
"L3 Gateway Options">
1884 These options apply to logical ports with
<ref column=
"type"/> of
1885 <code>l3gateway
</code>.
1888 <column name=
"options" key=
"peer">
1889 The
<ref column=
"logical_port"/> in the
<ref table=
"Port_Binding"/>
1890 record for the other side of the 'l3gateway' port. The named
<ref
1891 column=
"logical_port"/> must specify this
<ref column=
"logical_port"/>
1892 in its own
<code>peer
</code> option. That is, the two 'l3gateway'
1893 logical ports must have reversed
<ref column=
"logical_port"/> and
1894 <code>peer
</code> values.
1897 <column name=
"options" key=
"l3gateway-chassis">
1898 The
<code>chassis
</code> in which the port resides.
1901 <column name=
"options" key=
"nat-addresses">
1902 MAC address of the
<code>l3gateway
</code> port followed by a list of
1903 SNAT and DNAT external IP addresses. This is used to send gratuitous
1904 ARPs for SNAT and DNAT external IP addresses via
<code>localnet
</code>.
1905 Example:
<code>80:fa:
5b:
06:
72:b7
158.36.44.22 158.36.44.24</code>.
1906 This would result in generation of gratuitous ARPs for IP addresses
1907 158.36.44.22 and
158.36.44.24 with a MAC address of
80:fa:
5b:
06:
72:b7.
1911 <group title=
"Localnet Options">
1913 These options apply to logical ports with
<ref column=
"type"/> of
1914 <code>localnet
</code>.
1917 <column name=
"options" key=
"network_name">
1918 Required.
<code>ovn-controller
</code> uses the configuration entry
1919 <code>ovn-bridge-mappings
</code> to determine how to connect to this
1920 network.
<code>ovn-bridge-mappings
</code> is a list of network names
1921 mapped to a local OVS bridge that provides access to that network. An
1922 example of configuring
<code>ovn-bridge-mappings
</code> would be:
1924 <pre>$ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1
</pre>
1927 When a logical switch has a
<code>localnet
</code> port attached,
1928 every chassis that may have a local vif attached to that logical
1929 switch must have a bridge mapping configured to reach that
1930 <code>localnet
</code>. Traffic that arrives on a
1931 <code>localnet
</code> port is never forwarded over a tunnel to
1937 If set, indicates that the port represents a connection to a specific
1938 VLAN on a locally accessible network. The VLAN ID is used to match
1939 incoming traffic and is also added to outgoing traffic.
1943 <group title=
"L2 Gateway Options">
1945 These options apply to logical ports with
<ref column=
"type"/> of
1946 <code>l2gateway
</code>.
1949 <column name=
"options" key=
"network_name">
1950 Required.
<code>ovn-controller
</code> uses the configuration entry
1951 <code>ovn-bridge-mappings
</code> to determine how to connect to this
1952 network.
<code>ovn-bridge-mappings
</code> is a list of network names
1953 mapped to a local OVS bridge that provides access to that network. An
1954 example of configuring
<code>ovn-bridge-mappings
</code> would be:
1956 <pre>$ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1
</pre>
1959 When a logical switch has a
<code>l2gateway
</code> port attached,
1960 the chassis that the
<code>l2gateway
</code> port is bound to
1961 must have a bridge mapping configured to reach the network
1962 identified by
<code>network_name
</code>.
1966 <column name=
"options" key=
"l2gateway-chassis">
1967 Required. The
<code>chassis
</code> in which the port resides.
1971 If set, indicates that the gateway is connected to a specific
1972 VLAN on the physical network. The VLAN ID is used to match
1973 incoming traffic and is also added to outgoing traffic.
1977 <group title=
"VTEP Options">
1979 These options apply to logical ports with
<ref column=
"type"/> of
1983 <column name=
"options" key=
"vtep-physical-switch">
1984 Required. The name of the VTEP gateway.
1987 <column name=
"options" key=
"vtep-logical-switch">
1988 Required. A logical switch name connected by the VTEP gateway. Must
1989 be set when
<ref column=
"type"/> is
<code>vtep
</code>.
1993 <group title=
"VMI (or VIF) Options">
1995 These options apply to logical ports with
<ref column=
"type"/> having
1999 <column name=
"options" key=
"qos_max_rate">
2000 If set, indicates the maximum rate for data sent from this interface,
2001 in bit/s. The traffic will be shaped according to this limit.
2004 <column name=
"options" key=
"qos_burst">
2005 If set, indicates the maximum burst size for data sent from this
2009 <column name=
"options" key=
"qdisc_queue_id"
2010 type='{
"type":
"integer",
"minInteger":
1,
"maxInteger":
61440}'
>
2011 Indicates the queue number on the physical device. This is same as the
2012 <code>queue_id
</code> used in OpenFlow in
<code>struct
2013 ofp_action_enqueue
</code>.
2017 <group title=
"Chassis Redirect Options">
2019 These options apply to logical ports with
<ref column=
"type"/>
2020 of
<code>chassisredirect
</code>.
2023 <column name=
"options" key=
"distributed-port">
2024 The name of the distributed port for which this
2025 <code>chassisredirect
</code> port represents a particular instance.
2028 <column name=
"options" key=
"redirect-chassis">
2029 The
<code>chassis
</code> that this
<code>chassisredirect
</code> port
2030 is bound to. This is taken from
<ref table=
"Logical_Router_Port"
2031 column=
"options" key=
"redirect-chassis" db=
"OVN_Northbound"/>
2032 in the OVN_Northbound database's
<ref table=
"Logical_Router_Port"
2033 db=
"OVN_Northbound"/> table.
2037 <group title=
"Nested Containers">
2039 These columns support containers nested within a VM. Specifically,
2040 they are used when
<ref column=
"type"/> is empty and
<ref
2041 column=
"logical_port"/> identifies the interface of a container spawned
2042 inside a VM. They are empty for containers or VMs that run directly on
2046 <column name=
"parent_port">
2048 <ref table=
"Logical_Switch_Port" column=
"parent_name"
2049 db=
"OVN_Northbound"/> in the OVN_Northbound database's
2050 <ref table=
"Logical_Switch_Port" db=
"OVN_Northbound"/> table.
2055 Identifies the VLAN tag in the network traffic associated with that
2056 container's network interface.
2060 This column is used for a different purpose when
<ref column=
"type"/>
2061 is
<code>localnet
</code> (see
<code>Localnet Options
</code>, above)
2062 or
<code>l2gateway
</code> (see
<code>L2 Gateway Options
</code>, above).
2068 <table name=
"MAC_Binding" title=
"IP to MAC bindings">
2070 Each row in this table specifies a binding from an IP address to an
2071 Ethernet address that has been discovered through ARP (for IPv4) or
2072 neighbor discovery (for IPv6). This table is primarily used to discover
2073 bindings on physical networks, because IP-to-MAC bindings for virtual
2074 machines are usually populated statically into the
<ref
2075 table=
"Port_Binding"/> table.
2079 This table expresses a functional relationship:
<ref
2080 table=
"MAC_Binding"/>(
<ref column=
"logical_port"/>,
<ref column=
"ip"/>) =
2081 <ref column=
"mac"/>.
2085 In outline, the lifetime of a logical router's MAC binding looks like
2091 On hypervisor
1, a logical router determines that a packet should be
2092 forwarded to IP address
<var>A
</var> on one of its router ports. It
2093 uses its logical flow table to determine that
<var>A
</var> lacks a
2094 static IP-to-MAC binding and the
<code>get_arp
</code> action to
2095 determine that it lacks a dynamic IP-to-MAC binding.
2099 Using an OVN logical
<code>arp
</code> action, the logical router
2100 generates and sends a broadcast ARP request to the router port. It
2101 drops the IP packet.
2105 The logical switch attached to the router port delivers the ARP request
2106 to all of its ports. (It might make sense to deliver it only to ports
2107 that have no static IP-to-MAC bindings, but this could also be
2108 surprising behavior.)
2112 A host or VM on hypervisor
2 (which might be the same as hypervisor
1)
2113 attached to the logical switch owns the IP address in question. It
2114 composes an ARP reply and unicasts it to the logical router port's
2119 The logical switch delivers the ARP reply to the logical router port.
2123 The logical router flow table executes a
<code>put_arp
</code> action.
2124 To record the IP-to-MAC binding,
<code>ovn-controller
</code> adds a row
2125 to the
<ref table=
"MAC_Binding"/> table.
2129 On hypervisor
1,
<code>ovn-controller
</code> receives the updated
<ref
2130 table=
"MAC_Binding"/> table from the OVN southbound database. The next
2131 packet destined to
<var>A
</var> through the logical router is sent
2132 directly to the bound Ethernet address.
2136 <column name=
"logical_port">
2137 The logical port on which the binding was discovered.
2141 The bound IP address.
2145 The Ethernet address to which the IP is bound.
2147 <column name=
"datapath">
2148 The logical datapath to which the logical port belongs.
2152 <table name=
"DHCP_Options" title=
"DHCP Options supported by native OVN DHCP">
2154 Each row in this table stores the DHCP Options supported by native OVN
2155 DHCP.
<code>ovn-northd
</code> populates this table with the supported
2156 DHCP options.
<code>ovn-controller
</code> looks up this table to get the
2157 DHCP codes of the DHCP options defined in the
"put_dhcp_opts" action.
2158 Please refer to the RFC
2132 <code>"https://tools.ietf.org/html/rfc2132"</code>
2159 for the possible list of DHCP options that can be defined here.
2162 <column name=
"name">
2164 Name of the DHCP option.
2168 Example.
name=
"router"
2172 <column name=
"code">
2174 DHCP option code for the DHCP option as defined in the RFC
2132.
2182 <column name=
"type">
2184 Data type of the DHCP option code.
2188 <dt><code>value: bool
</code></dt>
2191 This indicates that the value of the DHCP option is a bool.
2195 Example.
"name=ip_forward_enable",
"code=19",
"type=bool".
2199 put_dhcp_opts(..., ip_forward_enable =
1,...)
2203 <dt><code>value: uint8
</code></dt>
2206 This indicates that the value of the DHCP option is an unsigned
2211 Example.
"name=default_ttl",
"code=23",
"type=uint8".
2215 put_dhcp_opts(..., default_ttl =
50,...)
2219 <dt><code>value: uint16
</code></dt>
2222 This indicates that the value of the DHCP option is an unsigned
2227 Example.
"name=mtu",
"code=26",
"type=uint16".
2231 put_dhcp_opts(..., mtu =
1450,...)
2235 <dt><code>value: uint32
</code></dt>
2238 This indicates that the value of the DHCP option is an unsigned
2243 Example.
"name=lease_time",
"code=51",
"type=uint32".
2247 put_dhcp_opts(..., lease_time =
86400,...)
2251 <dt><code>value: ipv4
</code></dt>
2254 This indicates that the value of the DHCP option is an IPv4
2255 address or addresses.
2259 Example.
"name=router",
"code=3",
"type=ipv4".
2263 put_dhcp_opts(..., router =
10.0.0.1,...)
2267 Example.
"name=dns_server",
"code=6",
"type=ipv4".
2271 put_dhcp_opts(..., dns_server = {
8.8.8.8 7.7.7.7},...)
2275 <dt><code>value: static_routes
</code></dt>
2278 This indicates that the value of the DHCP option contains a pair of
2279 IPv4 route and next hop addresses.
2283 Example.
"name=classless_static_route",
"code=121",
"type=static_routes".
2287 put_dhcp_opts(..., classless_static_route = {
30.0.0.0/
24,
10.0.0.4,
0.0.0.0/
0,
10.0.0.1}...)
2291 <dt><code>value: str
</code></dt>
2294 This indicates that the value of the DHCP option is a string.
2298 Example.
"name=host_name",
"code=12",
"type=str".
2305 <table name=
"DHCPv6_Options" title=
"DHCPv6 Options supported by native OVN DHCPv6">
2307 Each row in this table stores the DHCPv6 Options supported by native OVN
2308 DHCPv6.
<code>ovn-northd
</code> populates this table with the supported
2309 DHCPv6 options.
<code>ovn-controller
</code> looks up this table to get
2310 the DHCPv6 codes of the DHCPv6 options defined in the
2311 <code>put_dhcpv6_opts
</code> action. Please refer to RFC
3315 and RFC
2312 3646 for the list of DHCPv6 options that can be defined here.
2315 <column name=
"name">
2317 Name of the DHCPv6 option.
2321 Example.
name=
"ia_addr"
2325 <column name=
"code">
2327 DHCPv6 option code for the DHCPv6 option as defined in the appropriate
2336 <column name=
"type">
2338 Data type of the DHCPv6 option code.
2342 <dt><code>value: ipv6
</code></dt>
2345 This indicates that the value of the DHCPv6 option is an IPv6
2350 Example.
"name=ia_addr",
"code=5",
"type=ipv6".
2354 put_dhcpv6_opts(..., ia_addr = ae70::
4,...)
2358 <dt><code>value: str
</code></dt>
2361 This indicates that the value of the DHCPv6 option is a string.
2365 Example.
"name=domain_search",
"code=24",
"type=str".
2369 put_dhcpv6_opts(..., domain_search = ovn.domain,...)
2373 <dt><code>value: mac
</code></dt>
2376 This indicates that the value of the DHCPv6 option is a MAC address.
2380 Example.
"name=server_id",
"code=2",
"type=mac".
2384 put_dhcpv6_opts(..., server_id =
01:
02:
03:
04L05:
06,...)
2390 <table name=
"Connection" title=
"OVSDB client connections.">
2392 Configuration for a database connection to an Open vSwitch database
2397 This table primarily configures the Open vSwitch database server
2398 (
<code>ovsdb-server
</code>).
2402 The Open vSwitch database server can initiate and maintain active
2403 connections to remote clients. It can also listen for database
2407 <group title=
"Core Features">
2408 <column name=
"target">
2409 <p>Connection methods for clients.
</p>
2411 The following connection methods are currently supported:
2414 <dt><code>ssl:
<var>ip
</var></code>[
<code>:
<var>port
</var></code>]
</dt>
2417 The specified SSL
<var>port
</var> on the host at the given
2418 <var>ip
</var>, which must be expressed as an IP address
2419 (not a DNS name). A valid SSL configuration must be provided
2420 when this form is used, this configuration can be specified
2421 via command-line options or the
<ref table=
"SSL"/> table.
2424 If
<var>port
</var> is not specified, it defaults to
6640.
2427 SSL support is an optional feature that is not always
2428 built as part of Open vSwitch.
2432 <dt><code>tcp:
<var>ip
</var></code>[
<code>:
<var>port
</var></code>]
</dt>
2435 The specified TCP
<var>port
</var> on the host at the given
2436 <var>ip
</var>, which must be expressed as an IP address (not a
2437 DNS name), where
<var>ip
</var> can be IPv4 or IPv6 address. If
2438 <var>ip
</var> is an IPv6 address, wrap it in square brackets,
2439 e.g.
<code>tcp:[::
1]:
6640</code>.
2442 If
<var>port
</var> is not specified, it defaults to
6640.
2445 <dt><code>pssl:
</code>[
<var>port
</var>][
<code>:
<var>ip
</var></code>]
</dt>
2448 Listens for SSL connections on the specified TCP
<var>port
</var>.
2449 Specify
0 for
<var>port
</var> to have the kernel automatically
2450 choose an available port. If
<var>ip
</var>, which must be
2451 expressed as an IP address (not a DNS name), is specified, then
2452 connections are restricted to the specified local IP address
2453 (either IPv4 or IPv6 address). If
<var>ip
</var> is an IPv6
2454 address, wrap in square brackets,
2455 e.g.
<code>pssl:
6640:[::
1]
</code>. If
<var>ip
</var> is not
2456 specified then it listens only on IPv4 (but not IPv6) addresses.
2457 A valid SSL configuration must be provided when this form is used,
2458 this can be specified either via command-line options or the
2459 <ref table=
"SSL"/> table.
2462 If
<var>port
</var> is not specified, it defaults to
6640.
2465 SSL support is an optional feature that is not always built as
2466 part of Open vSwitch.
2469 <dt><code>ptcp:
</code>[
<var>port
</var>][
<code>:
<var>ip
</var></code>]
</dt>
2472 Listens for connections on the specified TCP
<var>port
</var>.
2473 Specify
0 for
<var>port
</var> to have the kernel automatically
2474 choose an available port. If
<var>ip
</var>, which must be
2475 expressed as an IP address (not a DNS name), is specified, then
2476 connections are restricted to the specified local IP address
2477 (either IPv4 or IPv6 address). If
<var>ip
</var> is an IPv6
2478 address, wrap it in square brackets,
2479 e.g.
<code>ptcp:
6640:[::
1]
</code>. If
<var>ip
</var> is not
2480 specified then it listens only on IPv4 addresses.
2483 If
<var>port
</var> is not specified, it defaults to
6640.
2487 <p>When multiple clients are configured, the
<ref column=
"target"/>
2488 values must be unique. Duplicate
<ref column=
"target"/> values yield
2489 unspecified results.
</p>
2492 <column name=
"read_only">
2493 <code>true
</code> to restrict these connections to read-only
2494 transactions,
<code>false
</code> to allow them to modify the database.
2498 <group title=
"Client Failure Detection and Handling">
2499 <column name=
"max_backoff">
2500 Maximum number of milliseconds to wait between connection attempts.
2501 Default is implementation-specific.
2504 <column name=
"inactivity_probe">
2505 Maximum number of milliseconds of idle time on connection to the client
2506 before sending an inactivity probe message. If Open vSwitch does not
2507 communicate with the client for the specified number of seconds, it
2508 will send a probe. If a response is not received for the same
2509 additional amount of time, Open vSwitch assumes the connection has been
2510 broken and attempts to reconnect. Default is implementation-specific.
2511 A value of
0 disables inactivity probes.
2515 <group title=
"Status">
2517 Key-value pair of
<ref column=
"is_connected"/> is always updated.
2518 Other key-value pairs in the status columns may be updated depends
2519 on the
<ref column=
"target"/> type.
2523 When
<ref column=
"target"/> specifies a connection method that
2524 listens for inbound connections (e.g.
<code>ptcp:
</code> or
2525 <code>punix:
</code>), both
<ref column=
"n_connections"/> and
2526 <ref column=
"is_connected"/> may also be updated while the
2527 remaining key-value pairs are omitted.
2531 On the other hand, when
<ref column=
"target"/> specifies an
2532 outbound connection, all key-value pairs may be updated, except
2533 the above-mentioned two key-value pairs associated with inbound
2534 connection targets. They are omitted.
2537 <column name=
"is_connected">
2538 <code>true
</code> if currently connected to this client,
2539 <code>false
</code> otherwise.
2542 <column name=
"status" key=
"last_error">
2543 A human-readable description of the last error on the connection
2544 to the manager; i.e.
<code>strerror(errno)
</code>. This key
2545 will exist only if an error has occurred.
2548 <column name=
"status" key=
"state"
2549 type='{
"type":
"string",
"enum": [
"set", [
"VOID",
"BACKOFF",
"CONNECTING",
"ACTIVE",
"IDLE"]]}'
>
2551 The state of the connection to the manager:
2554 <dt><code>VOID
</code></dt>
2555 <dd>Connection is disabled.
</dd>
2557 <dt><code>BACKOFF
</code></dt>
2558 <dd>Attempting to reconnect at an increasing period.
</dd>
2560 <dt><code>CONNECTING
</code></dt>
2561 <dd>Attempting to connect.
</dd>
2563 <dt><code>ACTIVE
</code></dt>
2564 <dd>Connected, remote host responsive.
</dd>
2566 <dt><code>IDLE
</code></dt>
2567 <dd>Connection is idle. Waiting for response to keep-alive.
</dd>
2570 These values may change in the future. They are provided only for
2575 <column name=
"status" key=
"sec_since_connect"
2576 type='{
"type":
"integer",
"minInteger":
0}'
>
2577 The amount of time since this client last successfully connected
2578 to the database (in seconds). Value is empty if client has never
2579 successfully been connected.
2582 <column name=
"status" key=
"sec_since_disconnect"
2583 type='{
"type":
"integer",
"minInteger":
0}'
>
2584 The amount of time since this client last disconnected from the
2585 database (in seconds). Value is empty if client has never
2589 <column name=
"status" key=
"locks_held">
2590 Space-separated list of the names of OVSDB locks that the connection
2591 holds. Omitted if the connection does not hold any locks.
2594 <column name=
"status" key=
"locks_waiting">
2595 Space-separated list of the names of OVSDB locks that the connection is
2596 currently waiting to acquire. Omitted if the connection is not waiting
2600 <column name=
"status" key=
"locks_lost">
2601 Space-separated list of the names of OVSDB locks that the connection
2602 has had stolen by another OVSDB client. Omitted if no locks have been
2603 stolen from this connection.
2606 <column name=
"status" key=
"n_connections"
2607 type='{
"type":
"integer",
"minInteger":
2}'
>
2608 When
<ref column=
"target"/> specifies a connection method that
2609 listens for inbound connections (e.g.
<code>ptcp:
</code> or
2610 <code>pssl:
</code>) and more than one connection is actually active,
2611 the value is the number of active connections. Otherwise, this
2612 key-value pair is omitted.
2615 <column name=
"status" key=
"bound_port" type='{
"type":
"integer"}'
>
2616 When
<ref column=
"target"/> is
<code>ptcp:
</code> or
2617 <code>pssl:
</code>, this is the TCP port on which the OVSDB server is
2618 listening. (This is particularly useful when
<ref
2619 column=
"target"/> specifies a port of
0, allowing the kernel to
2620 choose any available port.)
2624 <group title=
"Common Columns">
2625 The overall purpose of these columns is described under
<code>Common
2626 Columns
</code> at the beginning of this document.
2628 <column name=
"external_ids"/>
2629 <column name=
"other_config"/>
2633 SSL configuration for ovn-sb database access.
2635 <column name=
"private_key">
2636 Name of a PEM file containing the private key used as the switch's
2637 identity for SSL connections to the controller.
2640 <column name=
"certificate">
2641 Name of a PEM file containing a certificate, signed by the
2642 certificate authority (CA) used by the controller and manager,
2643 that certifies the switch's private key, identifying a trustworthy
2647 <column name=
"ca_cert">
2648 Name of a PEM file containing the CA certificate used to verify
2649 that the switch is connected to a trustworthy controller.
2652 <column name=
"bootstrap_ca_cert">
2653 If set to
<code>true
</code>, then Open vSwitch will attempt to
2654 obtain the CA certificate from the controller on its first SSL
2655 connection and save it to the named PEM file. If it is successful,
2656 it will immediately drop the connection and reconnect, and from then
2657 on all SSL connections must be authenticated by a certificate signed
2658 by the CA certificate thus obtained.
<em>This option exposes the
2659 SSL connection to a man-in-the-middle attack obtaining the initial
2660 CA certificate.
</em> It may still be useful for bootstrapping.
2663 <group title=
"Common Columns">
2664 The overall purpose of these columns is described under
<code>Common
2665 Columns
</code> at the beginning of this document.
2667 <column name=
"external_ids"/>
projects / ovs.git / blob