'\" p .\" -*- nroff -*- .TH "ovn-northd" 8 "ovn-northd" "Open vSwitch 2\[char46]6\[char46]2" "Open vSwitch Manual" .fp 5 L CR \\" Make fixed-width font available as \\fL. .de TQ . br . ns . TP "\\$1" .. .de ST . PP . RS -0.15in . I "\\$1" . RE .. .SH "NAME" .PP ovn-northd \- Open Virtual Network central control daemon .SH "SYNOPSIS" .PP \fBovn\-northd\fR [\fIoptions\fR] .SH "DESCRIPTION" .PP \fBovn\-northd\fR is a centralized daemon responsible for translating the high-level OVN configuration into logical configuration consumable by daemons such as \fBovn\-controller\fR\[char46] It translates the logical network configuration in terms of conventional network concepts, taken from the OVN Northbound Database (see \fBovn\-nb\fR(5)), into logical datapath flows in the OVN Southbound Database (see \fBovn\-sb\fR(5)) below it\[char46] .SH "CONFIGURATION" .PP \fBovn\-northd\fR requires a connection to the Northbound and Southbound databases\[char46] The defaults are \fBovnnb_db\[char46]sock\fR and \fBovnsb_db\[char46]sock\fR respectively in the local Open vSwitch\(cqs \(dqrun\(dq directory\[char46] This may be overridden with the following commands: .RS .IP \(bu \fB\-\-ovnnb\-db=\fIdatabase\fB\fR .IP The database containing the OVN Northbound Database\[char46] .IP \(bu \fB\-\-ovnsb\-db=\fIdatabase\fB\fR .IP The database containing the OVN Southbound Database\[char46] .RE .PP The \fIdatabase\fR argument must take one of the following forms: .RS .IP \(bu \fBssl:\fIip\fB:\fIport\fB\fR .IP The specified SSL \fIport\fR on the host at the given \fIip\fR, which must be expressed as an IP address (not a DNS name) in IPv4 or IPv6 address format\[char46] If \fIip\fR is an IPv6 address, then wrap \fIip\fR with square brackets, e\[char46]g\[char46]: \fBssl:[::1]:6640\fR\[char46] The \fB\-\-private\-key\fR, \fB\-\-certificate\fR, and \fB\-\-ca\-cert\fR options are mandatory when this form is used\[char46] .IP \(bu \fBtcp:\fIip\fB:\fIport\fB\fR .IP Connect to the given TCP \fIport\fR on \fIip\fR, where \fIip\fR can be IPv4 or IPv6 address\[char46] If \fIip\fR is an IPv6 address, then wrap \fIip\fR with square brackets, e\[char46]g\[char46]: \fBtcp:[::1]:6640\fR\[char46] .IP \(bu \fBunix:\fIfile\fB\fR .IP On POSIX, connect to the Unix domain server socket named \fIfile\fR\[char46] .IP On Windows, connect to a localhost TCP port whose value is written in \fIfile\fR\[char46] .RE .SH "RUNTIME MANAGEMENT COMMANDS" .PP \fBovs\-appctl\fR can send commands to a running \fBovn\-northd\fR process\[char46] The currently supported commands are described below\[char46] .RS .TP \fBexit\fR Causes \fBovn\-northd\fR to gracefully terminate\[char46] .RE .SH "LOGICAL FLOW TABLE STRUCTURE" .PP One of the main purposes of \fBovn\-northd\fR is to populate the \fBLogical_Flow\fR table in the \fBOVN_Southbound\fR database\[char46] This section describes how \fBovn\-northd\fR does this for switch and router logical datapaths\[char46] .SS "Logical Switch Datapaths" .ST "Ingress Table 0: Admission Control and Ingress Port Security - L2" .PP Ingress table 0 contains these logical flows: .RS .IP \(bu Priority 100 flows to drop packets with VLAN tags or multicast Ethernet source addresses\[char46] .IP \(bu Priority 50 flows that implement ingress port security for each enabled logical port\[char46] For logical ports on which port security is enabled, these match the \fBinport\fR and the valid \fBeth\[char46]src\fR address(es) and advance only those packets to the next flow table\[char46] For logical ports on which port security is not enabled, these advance all packets that match the \fBinport\fR\[char46] .RE .PP There are no flows for disabled logical ports because the default-drop behavior of logical flow tables causes packets that ingress from them to be dropped\[char46] .ST "Ingress Table 1: Ingress Port Security - IP" .PP Ingress table 1 contains these logical flows: .RS .IP \(bu For each element in the port security set having one or more IPv4 or IPv6 addresses (or both), .RS .IP \(bu Priority 90 flow to allow IPv4 traffic if it has IPv4 addresses which match the \fBinport\fR, valid \fBeth\[char46]src\fR and valid \fBip4\[char46]src\fR address(es)\[char46] .IP \(bu Priority 90 flow to allow IPv4 DHCP discovery traffic if it has a valid \fBeth\[char46]src\fR\[char46] This is necessary since DHCP discovery messages are sent from the unspecified IPv4 address (0\[char46]0\[char46]0\[char46]0) since the IPv4 address has not yet been assigned\[char46] .IP \(bu Priority 90 flow to allow IPv6 traffic if it has IPv6 addresses which match the \fBinport\fR, valid \fBeth\[char46]src\fR and valid \fBip6\[char46]src\fR address(es)\[char46] .IP \(bu Priority 90 flow to allow IPv6 DAD (Duplicate Address Detection) traffic if it has a valid \fBeth\[char46]src\fR\[char46] This is is necessary since DAD include requires joining an multicast group and sending neighbor solicitations for the newly assigned address\[char46] Since no address is yet assigned, these are sent from the unspecified IPv6 address (::)\[char46] .IP \(bu Priority 80 flow to drop IP (both IPv4 and IPv6) traffic which match the \fBinport\fR and valid \fBeth\[char46]src\fR\[char46] .RE .IP \(bu One priority\-0 fallback flow that matches all packets and advances to the next table\[char46] .RE .ST "Ingress Table 2: Ingress Port Security - Neighbor discovery" .PP Ingress table 2 contains these logical flows: .RS .IP \(bu For each element in the port security set, .RS .IP \(bu Priority 90 flow to allow ARP traffic which match the \fBinport\fR and valid \fBeth\[char46]src\fR and \fBarp\[char46]sha\fR\[char46] If the element has one or more IPv4 addresses, then it also matches the valid \fBarp\[char46]spa\fR\[char46] .IP \(bu Priority 90 flow to allow IPv6 Neighbor Solicitation and Advertisement traffic which match the \fBinport\fR, valid \fBeth\[char46]src\fR and \fBnd\[char46]sll\fR/\fBnd\[char46]tll\fR\[char46] If the element has one or more IPv6 addresses, then it also matches the valid \fBnd\[char46]target\fR address(es) for Neighbor Advertisement traffic\[char46] .IP \(bu Priority 80 flow to drop ARP and IPv6 Neighbor Solicitation and Advertisement traffic which match the \fBinport\fR and valid \fBeth\[char46]src\fR\[char46] .RE .IP \(bu One priority\-0 fallback flow that matches all packets and advances to the next table\[char46] .RE .ST "Ingress Table 3: \fBfrom\-lport\fR Pre-ACLs" .PP This table prepares flows for possible stateful ACL processing in ingress table \fBACLs\fR\[char46] It contains a priority\-0 flow that simply moves traffic to the next table\[char46] If stateful ACLs are used in the logical datapath, a priority\-100 flow is added that sets a hint (with \fBreg0[0] = 1; next;\fR) for table \fBPre\-stateful\fR to send IP packets to the connection tracker before eventually advancing to ingress table \fBACLs\fR\[char46] .ST "Ingress Table 4: Pre-LB" .PP This table prepares flows for possible stateful load balancing processing in ingress table \fBLB\fR and \fBStateful\fR\[char46] It contains a priority\-0 flow that simply moves traffic to the next table\[char46] If load balancing rules with virtual IP addresses (and ports) are configured in \fBOVN_Northbound\fR database for a logical switch datapath, a priority\-100 flow is added for each configured virtual IP address \fIVIP\fR with a match \fBip && ip4\[char46]dst == \fIVIP\fB \fR that sets an action \fBreg0[0] = 1; next;\fR to act as a hint for table \fBPre\-stateful\fR to send IP packets to the connection tracker for packet de-fragmentation before eventually advancing to ingress table \fBLB\fR\[char46] .ST "Ingress Table 5: Pre-stateful" .PP This table prepares flows for all possible stateful processing in next tables\[char46] It contains a priority\-0 flow that simply moves traffic to the next table\[char46] A priority\-100 flow sends the packets to connection tracker based on a hint provided by the previous tables (with a match for \fBreg0[0] == 1\fR) by using the \fBct_next;\fR action\[char46] .ST "Ingress table 6: \fBfrom\-lport\fR ACLs" .PP Logical flows in this table closely reproduce those in the \fBACL\fR table in the \fBOVN_Northbound\fR database for the \fBfrom\-lport\fR direction\[char46] The \fBpriority\fR values from the \fBACL\fR table have a limited range and have 1000 added to them to leave room for OVN default flows at both higher and lower priorities\[char46] .RS .IP \(bu \fBallow\fR ACLs translate into logical flows with the \fBnext;\fR action\[char46] If there are any stateful ACLs on this datapath, then \fBallow\fR ACLs translate to \fBct_commit; next;\fR (which acts as a hint for the next tables to commit the connection to conntrack), .IP \(bu \fBallow\-related\fR ACLs translate into logical flows with the \fBct_commit(ct_label=0/1); next;\fR actions for new connections and \fBreg0[1] = 1; next;\fR for existing connections\[char46] .IP \(bu Other ACLs translate to \fBdrop;\fR for new or untracked connections and \fBct_commit(ct_label=1/1);\fR for known connections\[char46] Setting \fBct_label\fR marks a connection as one that was previously allowed, but should no longer be allowed due to a policy change\[char46] .RE .PP This table also contains a priority 0 flow with action \fBnext;\fR, so that ACLs allow packets by default\[char46] If the logical datapath has a statetful ACL, the following flows will also be added: .RS .IP \(bu A priority\-1 flow that sets the hint to commit IP traffic to the connection tracker (with action \fBreg0[1] = 1; next;\fR)\[char46] This is needed for the default allow policy because, while the initiator\(cqs direction may not have any stateful rules, the server\(cqs may and then its return traffic would not be known and marked as invalid\[char46] .IP \(bu A priority\-65535 flow that allows any traffic in the reply direction for a connection that has been committed to the connection tracker (i\[char46]e\[char46], established flows), as long as the committed flow does not have \fBct_label[0]\fR set\[char46] We only handle traffic in the reply direction here because we want all packets going in the request direction to still go through the flows that implement the currently defined policy based on ACLs\[char46] If a connection is no longer allowed by policy, \fBct_label[0]\fR will get set and packets in the reply direction will no longer be allowed, either\[char46] .IP \(bu A priority\-65535 flow that allows any traffic that is considered related to a committed flow in the connection tracker (e\[char46]g\[char46], an ICMP Port Unreachable from a non-listening UDP port), as long as the committed flow does not have \fBct_label[0]\fR set\[char46] .IP \(bu A priority\-65535 flow that drops all traffic marked by the connection tracker as invalid\[char46] .IP \(bu A priority\-65535 flow that drops all trafic in the reply direction with \fBct_label[0]\fR set meaning that the connection should no longer be allowed due to a policy change\[char46] Packets in the request direction are skipped here to let a newly created ACL re-allow this connection\[char46] .RE .ST "Ingress Table 7: LB" .PP It contains a priority\-0 flow that simply moves traffic to the next table\[char46] For established connections a priority 100 flow matches on \fBct\[char46]est && !ct\[char46]rel && !ct\[char46]new && !ct\[char46]inv\fR and sets an action \fBreg0[2] = 1; next;\fR to act as a hint for table \fBStateful\fR to send packets through connection tracker to NAT the packets\[char46] (The packet will automatically get DNATed to the same IP address as the first packet in that connection\[char46]) .ST "Ingress Table 8: Stateful" .RS .IP \(bu For all the configured load balancing rules for a switch in \fBOVN_Northbound\fR database that includes a L4 port \fIPORT\fR of protocol \fIP\fR and IPv4 address \fIVIP\fR, a priority\-120 flow that matches on \fBct\[char46]new && ip && ip4\[char46]dst == \fIVIP \fB&& \fIP\fB && \fIP\fB\[char46]dst == \fIPORT \fB\fR with an action of \fBct_lb(\fIargs\fB)\fR, where \fIargs\fR contains comma separated IPv4 addresses (and optional port numbers) to load balance to\[char46] .IP \(bu For all the configured load balancing rules for a switch in \fBOVN_Northbound\fR database that includes just an IP address \fIVIP\fR to match on, a priority\-110 flow that matches on \fBct\[char46]new && ip && ip4\[char46]dst == \fIVIP\fB\fR with an action of \fBct_lb(\fIargs\fB)\fR, where \fIargs\fR contains comma separated IPv4 addresses\[char46] .IP \(bu A priority\-100 flow commits packets to connection tracker using \fBct_commit; next;\fR action based on a hint provided by the previous tables (with a match for \fBreg0[1] == 1\fR)\[char46] .IP \(bu A priority\-100 flow sends the packets to connection tracker using \fBct_lb;\fR as the action based on a hint provided by the previous tables (with a match for \fBreg0[2] == 1\fR)\[char46] .IP \(bu A priority\-0 flow that simply moves traffic to the next table\[char46] .RE .ST "Ingress Table 9: ARP/ND responder" .PP This table implements ARP/ND responder for known IPs\[char46] It contains these logical flows: .RS .IP \(bu Priority\-100 flows to skip ARP responder if inport is of type \fBlocalnet\fR, and advances directly to the next table\[char46] .IP \(bu Priority\-50 flows that match ARP requests to each known IP address \fIA\fR of every logical router port, and respond with ARP replies directly with corresponding Ethernet address \fIE\fR: .IP .nf \fB .br \fBeth\[char46]dst = eth\[char46]src; .br \fBeth\[char46]src = \fIE\fB; .br \fBarp\[char46]op = 2; /* ARP reply\[char46] */ .br \fBarp\[char46]tha = arp\[char46]sha; .br \fBarp\[char46]sha = \fIE\fB; .br \fBarp\[char46]tpa = arp\[char46]spa; .br \fBarp\[char46]spa = \fIA\fB; .br \fBoutport = inport; .br \fBflags\[char46]loopback = 1; .br \fBoutput; .br \fB .fi .IP These flows are omitted for logical ports (other than router ports) that are down\[char46] .IP \(bu Priority\-50 flows that match IPv6 ND neighbor solicitations to each known IP address \fIA\fR (and \fIA\fR\(cqs solicited node address) of every logical router port, and respond with neighbor advertisements directly with corresponding Ethernet address \fIE\fR: .IP .nf \fB .br \fBnd_na { .br \fB eth\[char46]src = \fIE\fB; .br \fB ip6\[char46]src = \fIA\fB; .br \fB nd\[char46]target = \fIA\fB; .br \fB nd\[char46]tll = \fIE\fB; .br \fB outport = inport; .br \fB flags\[char46]loopback = 1; .br \fB output; .br \fB}; .br \fB .fi .IP These flows are omitted for logical ports (other than router ports) that are down\[char46] .IP \(bu Priority\-100 flows with match criteria like the ARP and ND flows above, except that they only match packets from the \fBinport\fR that owns the IP addresses in question, with action \fBnext;\fR\[char46] These flows prevent OVN from replying to, for example, an ARP request emitted by a VM for its own IP address\[char46] A VM only makes this kind of request to attempt to detect a duplicate IP address assignment, so sending a reply will prevent the VM from accepting the IP address that it owns\[char46] .IP In place of \fBnext;\fR, it would be reasonable to use \fBdrop;\fR for the flows\(cq actions\[char46] If everything is working as it is configured, then this would produce equivalent results, since no host should reply to the request\[char46] But ARPing for one\(cqs own IP address is intended to detect situations where the network is not working as configured, so dropping the request would frustrate that intent\[char46] .IP \(bu One priority\-0 fallback flow that matches all packets and advances to the next table\[char46] .RE .ST "Ingress Table 10: DHCP option processing" .PP This table adds the DHCPv4 options to a DHCPv4 packet from the logical ports configured with IPv4 address(es) and DHCPv4 options, and similarly for DHCPv6 options\[char46] .RS .IP \(bu A priority\-100 logical flow is added for these logical ports which matches the IPv4 packet with \fBudp\[char46]src\fR = 68 and \fBudp\[char46]dst\fR = 67 and applies the action \fBput_dhcp_opts\fR and advances the packet to the next table\[char46] .IP .nf \fB .br \fBreg0[3] = put_dhcp_opts(offer_ip = \fIip\fB, \fIoptions\fB\[char46]\[char46]\[char46]); .br \fBnext; .br \fB .fi .IP For DHCPDISCOVER and DHCPREQUEST, this transforms the packet into a DHCP reply, adds the DHCP offer IP \fIip\fR and options to the packet, and stores 1 into reg0[3]\[char46] For other kinds of packets, it just stores 0 into reg0[3]\[char46] Either way, it continues to the next table\[char46] .IP \(bu A priority\-100 logical flow is added for these logical ports which matches the IPv6 packet with \fBudp\[char46]src\fR = 546 and \fBudp\[char46]dst\fR = 547 and applies the action \fBput_dhcpv6_opts\fR and advances the packet to the next table\[char46] .IP .nf \fB .br \fBreg0[3] = put_dhcpv6_opts(ia_addr = \fIip\fB, \fIoptions\fB\[char46]\[char46]\[char46]); .br \fBnext; .br \fB .fi .IP For DHCPv6 Solicit/Request/Confirm packets, this transforms the packet into a DHCPv6 Advertise/Reply, adds the DHCPv6 offer IP \fIip\fR and options to the packet, and stores 1 into reg0[3]\[char46] For other kinds of packets, it just stores 0 into reg0[3]\[char46] Either way, it continues to the next table\[char46] .IP \(bu A priority\-0 flow that matches all packets to advances to table 11\[char46] .RE .ST "Ingress Table 11: DHCP responses" .PP This table implements DHCP responder for the DHCP replies generated by the previous table\[char46] .RS .IP \(bu A priority 100 logical flow is added for the logical ports configured with DHCPv4 options which matches IPv4 packets with \fBudp\[char46]src == 68 && udp\[char46]dst == 67 && reg0[3] == 1\fR and responds back to the \fBinport\fR after applying these actions\[char46] If \fBreg0[3]\fR is set to 1, it means that the action \fBput_dhcp_opts\fR was successful\[char46] .IP .nf \fB .br \fBeth\[char46]dst = eth\[char46]src; .br \fBeth\[char46]src = \fIE\fB; .br \fBip4\[char46]dst = \fIA\fB; .br \fBip4\[char46]src = \fIS\fB; .br \fBudp\[char46]src = 67; .br \fBudp\[char46]dst = 68; .br \fBoutport = \fIP\fB; .br \fBflags\[char46]loopback = 1; .br \fBoutput; .br \fB .fi .IP where \fIE\fR is the server MAC address and \fIS\fR is the server IPv4 address defined in the DHCPv4 options and \fIA\fR is the IPv4 address defined in the logical port\(cqs addresses column\[char46] .IP (This terminates ingress packet processing; the packet does not go to the next ingress table\[char46]) .IP \(bu A priority 100 logical flow is added for the logical ports configured with DHCPv6 options which matches IPv6 packets with \fBudp\[char46]src == 546 && udp\[char46]dst == 547 && reg0[3] == 1\fR and responds back to the \fBinport\fR after applying these actions\[char46] If \fBreg0[3]\fR is set to 1, it means that the action \fBput_dhcpv6_opts\fR was successful\[char46] .IP .nf \fB .br \fBeth\[char46]dst = eth\[char46]src; .br \fBeth\[char46]src = \fIE\fB; .br \fBip6\[char46]dst = \fIA\fB; .br \fBip6\[char46]src = \fIS\fB; .br \fBudp\[char46]src = 547; .br \fBudp\[char46]dst = 546; .br \fBoutport = \fIP\fB; .br \fBflags\[char46]loopback = 1; .br \fBoutput; .br \fB .fi .IP where \fIE\fR is the server MAC address and \fIS\fR is the server IPv6 LLA address generated from the \fBserver_id\fR defined in the DHCPv6 options and \fIA\fR is the IPv6 address defined in the logical port\(cqs addresses column\[char46] .IP (This terminates packet processing; the packet does not go on the next ingress table\[char46]) .IP \(bu A priority\-0 flow that matches all packets to advances to table 12\[char46] .RE .ST "Ingress Table 12: Destination Lookup" .PP This table implements switching behavior\[char46] It contains these logical flows: .RS .IP \(bu A priority\-100 flow that outputs all packets with an Ethernet broadcast or multicast \fBeth\[char46]dst\fR to the \fBMC_FLOOD\fR multicast group, which \fBovn\-northd\fR populates with all enabled logical ports\[char46] .IP \(bu One priority\-50 flow that matches each known Ethernet address against \fBeth\[char46]dst\fR and outputs the packet to the single associated output port\[char46] .IP \(bu One priority\-0 fallback flow that matches all packets and outputs them to the \fBMC_UNKNOWN\fR multicast group, which \fBovn\-northd\fR populates with all enabled logical ports that accept unknown destination packets\[char46] As a small optimization, if no logical ports accept unknown destination packets, \fBovn\-northd\fR omits this multicast group and logical flow\[char46] .RE .ST "Egress Table 0: Pre-LB" .PP This table is similar to ingress table \fBPre\-LB\fR\[char46] It contains a priority\-0 flow that simply moves traffic to the next table\[char46] If any load balancing rules exist for the datapath, a priority\-100 flow is added with a match of \fBip\fR and action of \fBreg0[0] = 1; next;\fR to act as a hint for table \fBPre\-stateful\fR to send IP packets to the connection tracker for packet de-fragmentation\[char46] .ST "Egress Table 1: \fBto\-lport\fR Pre-ACLs" .PP This is similar to ingress table \fBPre\-ACLs\fR except for \fBto\-lport\fR traffic\[char46] .ST "Egress Table 2: Pre-stateful" .PP This is similar to ingress table \fBPre\-stateful\fR\[char46] .ST "Egress Table 3: LB" .PP This is similar to ingress table \fBLB\fR\[char46] .ST "Egress Table 4: \fBto\-lport\fR ACLs" .PP This is similar to ingress table \fBACLs\fR except for \fBto\-lport\fR ACLs\[char46] .ST "Egress Table 5: Stateful" .PP This is similar to ingress table \fBStateful\fR except that there are no rules added for load balancing new connections\[char46] .PP Also a priority 34000 logical flow is added for each logical port which has DHCPv4 options defined to allow the DHCPv4 reply packet and which has DHCPv6 options defined to allow the DHCPv6 reply packet from the \fBIngress Table 11: DHCP responses\fR\[char46] .ST "Egress Table 6: Egress Port Security - IP" .PP This is similar to the port security logic in table \fBIngress Port Security \- IP\fR except that \fBoutport\fR, \fBeth\[char46]dst\fR, \fBip4\[char46]dst\fR and \fBip6\[char46]dst\fR are checked instead of \fBinport\fR, \fBeth\[char46]src\fR, \fBip4\[char46]src\fR and \fBip6\[char46]src\fR .ST "Egress Table 7: Egress Port Security - L2" .PP This is similar to the ingress port security logic in ingress table \fBAdmission Control and Ingress Port Security \- L2\fR, but with important differences\[char46] Most obviously, \fBoutport\fR and \fBeth\[char46]dst\fR are checked instead of \fBinport\fR and \fBeth\[char46]src\fR\[char46] Second, packets directed to broadcast or multicast \fBeth\[char46]dst\fR are always accepted instead of being subject to the port security rules; this is implemented through a priority\-100 flow that matches on \fBeth\[char46]mcast\fR with action \fBoutput;\fR\[char46] Finally, to ensure that even broadcast and multicast packets are not delivered to disabled logical ports, a priority\-150 flow for each disabled logical \fBoutport\fR overrides the priority\-100 flow with a \fBdrop;\fR action\[char46] .SS "Logical Router Datapaths" .PP Logical router datapaths will only exist for \fBLogical_Router\fR rows in the \fBOVN_Northbound\fR database that do not have \fBenabled\fR set to \fBfalse\fR .ST "Ingress Table 0: L2 Admission Control" .PP This table drops packets that the router shouldn\(cqt see at all based on their Ethernet headers\[char46] It contains the following flows: .RS .IP \(bu Priority\-100 flows to drop packets with VLAN tags or multicast Ethernet source addresses\[char46] .IP \(bu For each enabled router port \fIP\fR with Ethernet address \fIE\fR, a priority\-50 flow that matches \fBinport == \fIP\fB && (eth\[char46]mcast || eth\[char46]dst == \fIE\fB\fR), with action \fBnext;\fR\[char46] .RE .PP Other packets are implicitly dropped\[char46] .ST "Ingress Table 1: IP Input" .PP This table is the core of the logical router datapath functionality\[char46] It contains the following flows to implement very basic IP host functionality\[char46] .RS .IP \(bu L3 admission control: A priority\-100 flow drops packets that match any of the following: .RS .IP \(bu \fBip4\[char46]src[28\[char46]\[char46]31] == 0xe\fR (multicast source) .IP \(bu \fBip4\[char46]src == 255\[char46]255\[char46]255\[char46]255\fR (broadcast source) .IP \(bu \fBip4\[char46]src == 127\[char46]0\[char46]0\[char46]0/8 || ip4\[char46]dst == 127\[char46]0\[char46]0\[char46]0/8\fR (localhost source or destination) .IP \(bu \fBip4\[char46]src == 0\[char46]0\[char46]0\[char46]0/8 || ip4\[char46]dst == 0\[char46]0\[char46]0\[char46]0/8\fR (zero network source or destination) .IP \(bu \fBip4\[char46]src\fR or \fBip6\[char46]src\fR is any IP address owned by the router\[char46] .IP \(bu \fBip4\[char46]src\fR is the broadcast address of any IP network known to the router\[char46] .RE .IP \(bu ICMP echo reply\[char46] These flows reply to ICMP echo requests received for the router\(cqs IP address\[char46] Let \fIA\fR be an IP address owned by a router port\[char46] Then, for each \fIA\fR that is an IPv4 address, a priority\-90 flow matches on \fBip4\[char46]dst == \fIA\fB\fR and \fBicmp4\[char46]type == 8 && icmp4\[char46]code == 0\fR (ICMP echo request)\[char46] For each \fIA\fR that is an IPv6 address, a priority\-90 flow matches on \fBip6\[char46]dst == \fIA\fB\fR and \fBicmp6\[char46]type == 128 && icmp6\[char46]code == 0\fR (ICMPv6 echo request)\[char46] The port of the router that receives the echo request does not matter\[char46] Also, the \fBip\[char46]ttl\fR of the echo request packet is not checked, so it complies with RFC 1812, section 4\[char46]2\[char46]2\[char46]9\[char46] Flows for ICMPv4 echo requests use the following actions: .IP .nf \fB .br \fBip4\[char46]dst <\-> ip4\[char46]src; .br \fBip\[char46]ttl = 255; .br \fBicmp4\[char46]type = 0; .br \fBflags\[char46]loopback = 1; .br \fBnext; .br \fB .fi .IP Flows for ICMPv6 echo requests use the following actions: .IP .nf \fB .br \fBip6\[char46]dst <\-> ip6\[char46]src; .br \fBip\[char46]ttl = 255; .br \fBicmp6\[char46]type = 129; .br \fBflags\[char46]loopback = 1; .br \fBnext; .br \fB .fi .IP \(bu Reply to ARP requests\[char46] .IP These flows reply to ARP requests for the router\(cqs own IP address\[char46] For each router port \fIP\fR that owns IP address \fIA\fR and Ethernet address \fIE\fR, a priority\-90 flow matches \fBinport == \fIP\fB && arp\[char46]op == 1 && arp\[char46]tpa == \fIA\fB\fR (ARP request) with the following actions: .IP .nf \fB .br \fBeth\[char46]dst = eth\[char46]src; .br \fBeth\[char46]src = \fIE\fB; .br \fBarp\[char46]op = 2; /* ARP reply\[char46] */ .br \fBarp\[char46]tha = arp\[char46]sha; .br \fBarp\[char46]sha = \fIE\fB; .br \fBarp\[char46]tpa = arp\[char46]spa; .br \fBarp\[char46]spa = \fIA\fB; .br \fBoutport = \fIP\fB; .br \fBflags\[char46]loopback = 1; .br \fBoutput; .br \fB .fi .IP \(bu These flows reply to ARP requests for the virtual IP addresses configured in the router for DNAT or load balancing\[char46] For a configured DNAT IP address or a load balancer VIP \fIA\fR, for each router port \fIP\fR with Ethernet address \fIE\fR, a priority\-90 flow matches \fBinport == \fIP\fB && arp\[char46]op == 1 && arp\[char46]tpa == \fIA\fB\fR (ARP request) with the following actions: .IP .nf \fB .br \fBeth\[char46]dst = eth\[char46]src; .br \fBeth\[char46]src = \fIE\fB; .br \fBarp\[char46]op = 2; /* ARP reply\[char46] */ .br \fBarp\[char46]tha = arp\[char46]sha; .br \fBarp\[char46]sha = \fIE\fB; .br \fBarp\[char46]tpa = arp\[char46]spa; .br \fBarp\[char46]spa = \fIA\fB; .br \fBoutport = \fIP\fB; .br \fBflags\[char46]loopback = 1; .br \fBoutput; .br \fB .fi .IP \(bu ARP reply handling\[char46] This flow uses ARP replies to populate the logical router\(cqs ARP table\[char46] A priority\-90 flow with match \fBarp\[char46]op == 2\fR has actions \fBput_arp(inport, arp\[char46]spa, arp\[char46]sha);\fR\[char46] .IP \(bu Reply to IPv6 Neighbor Solicitations\[char46] These flows reply to Neighbor Solicitation requests for the router\(cqs own IPv6 address and populate the logical router\(cqs mac binding table\[char46] For each router port \fIP\fR that owns IPv6 address \fIA\fR, solicited node address \fIS\fR, and Ethernet address \fIE\fR, a priority\-90 flow matches \fBinport == \fIP\fB && nd_ns && ip6\[char46]dst == {\fIA\fB, \fIE\fB} && nd\[char46]target == \fIA\fB\fR with the following actions: .IP .nf \fB .br \fBput_nd(inport, ip6\[char46]src, nd\[char46]sll); .br \fBnd_na { .br \fB eth\[char46]src = \fIE\fB; .br \fB ip6\[char46]src = \fIA\fB; .br \fB nd\[char46]target = \fIA\fB; .br \fB nd\[char46]tll = \fIE\fB; .br \fB outport = inport; .br \fB flags\[char46]loopback = 1; .br \fB output; .br \fB}; .br \fB .fi .IP \(bu IPv6 neighbor advertisement handling\[char46] This flow uses neighbor advertisements to populate the logical router\(cqs mac binding table\[char46] A priority\-90 flow with match \fBnd_na\fR has actions \fBput_nd(inport, nd\[char46]target, nd\[char46]tll);\fR\[char46] .IP \(bu IPv6 neighbor solicitation for non-hosted addresses handling\[char46] This flow uses neighbor solicitations to populate the logical router\(cqs mac binding table (ones that were directed at the logical router would have matched the priority\-90 neighbor solicitation flow already)\[char46] A priority\-80 flow with match \fBnd_ns\fR has actions \fBput_nd(inport, ip6\[char46]src, nd\[char46]sll);\fR\[char46] .IP \(bu UDP port unreachable\[char46] Priority\-80 flows generate ICMP port unreachable messages in reply to UDP datagrams directed to the router\(cqs IP address\[char46] The logical router doesn\(cqt accept any UDP traffic so it always generates such a reply\[char46] .IP These flows should not match IP fragments with nonzero offset\[char46] .IP Details TBD\[char46] Not yet implemented\[char46] .IP \(bu TCP reset\[char46] Priority\-80 flows generate TCP reset messages in reply to TCP datagrams directed to the router\(cqs IP address\[char46] The logical router doesn\(cqt accept any TCP traffic so it always generates such a reply\[char46] .IP These flows should not match IP fragments with nonzero offset\[char46] .IP Details TBD\[char46] Not yet implemented\[char46] .IP \(bu Protocol unreachable\[char46] Priority\-70 flows generate ICMP protocol unreachable messages in reply to packets directed to the router\(cqs IP address on IP protocols other than UDP, TCP, and ICMP\[char46] .IP These flows should not match IP fragments with nonzero offset\[char46] .IP Details TBD\[char46] Not yet implemented\[char46] .IP \(bu Drop other IP traffic to this router\[char46] These flows drop any other traffic destined to an IP address of this router that is not already handled by one of the flows above, which amounts to ICMP (other than echo requests) and fragments with nonzero offsets\[char46] For each IP address \fIA\fR owned by the router, a priority\-60 flow matches \fBip4\[char46]dst == \fIA\fB\fR and drops the traffic\[char46] An exception is made and the above flow is not added if the router port\(cqs own IP address is used to SNAT packets passing through that router\[char46] .RE .PP The flows above handle all of the traffic that might be directed to the router itself\[char46] The following flows (with lower priorities) handle the remaining traffic, potentially for forwarding: .RS .IP \(bu Drop Ethernet local broadcast\[char46] A priority\-50 flow with match \fBeth\[char46]bcast\fR drops traffic destined to the local Ethernet broadcast address\[char46] By definition this traffic should not be forwarded\[char46] .IP \(bu ICMP time exceeded\[char46] For each router port \fIP\fR, whose IP address is \fIA\fR, a priority\-40 flow with match \fBinport == \fIP\fB && ip\[char46]ttl == {0, 1} && !ip\[char46]later_frag\fR matches packets whose TTL has expired, with the following actions to send an ICMP time exceeded reply: .IP .nf \fB .br \fBicmp4 { .br \fB icmp4\[char46]type = 11; /* Time exceeded\[char46] */ .br \fB icmp4\[char46]code = 0; /* TTL exceeded in transit\[char46] */ .br \fB ip4\[char46]dst = ip4\[char46]src; .br \fB ip4\[char46]src = \fIA\fB; .br \fB ip\[char46]ttl = 255; .br \fB next; .br \fB}; .br \fB .fi .IP Not yet implemented\[char46] .IP \(bu TTL discard\[char46] A priority\-30 flow with match \fBip\[char46]ttl == {0, 1}\fR and actions \fBdrop;\fR drops other packets whose TTL has expired, that should not receive a ICMP error reply (i\[char46]e\[char46] fragments with nonzero offset)\[char46] .IP \(bu Next table\[char46] A priority\-0 flows match all packets that aren\(cqt already handled and uses actions \fBnext;\fR to feed them to the next table\[char46] .RE .ST "Ingress Table 2: DEFRAG" .PP This is to send packets to connection tracker for tracking and defragmentation\[char46] It contains a priority\-0 flow that simply moves traffic to the next table\[char46] If load balancing rules with virtual IP addresses (and ports) are configured in \fBOVN_Northbound\fR database for a Gateway router, a priority\-100 flow is added for each configured virtual IP address \fIVIP\fR with a match \fBip && ip4\[char46]dst == \fIVIP\fB\fR that sets an action \fBct_next;\fR to send IP packets to the connection tracker for packet de-fragmentation and tracking before sending it to the next table\[char46] .ST "Ingress Table 3: UNSNAT" .PP This is for already established connections\(cq reverse traffic\[char46] i\[char46]e\[char46], SNAT has already been done in egress pipeline and now the packet has entered the ingress pipeline as part of a reply\[char46] It is unSNATted here\[char46] .RS .IP \(bu For each configuration in the OVN Northbound database, that asks to change the source IP address of a packet from \fIA\fR to \fIB\fR, a priority\-100 flow matches \fBip && ip4\[char46]dst == \fIB\fB\fR with an action \fBct_snat; next;\fR\[char46] .IP A priority\-0 logical flow with match \fB1\fR has actions \fBnext;\fR\[char46] .RE .ST "Ingress Table 4: DNAT" .PP Packets enter the pipeline with destination IP address that needs to be DNATted from a virtual IP address to a real IP address\[char46] Packets in the reverse direction needs to be unDNATed\[char46] .RS .IP \(bu For all the configured load balancing rules for Gateway router in \fBOVN_Northbound\fR database that includes a L4 port \fIPORT\fR of protocol \fIP\fR and IPv4 address \fIVIP\fR, a priority\-120 flow that matches on \fBct\[char46]new && ip && ip4\[char46]dst == \fIVIP\fB && \fIP\fB && \fIP\fB\[char46]dst == \fIPORT \fB\fR with an action of \fBct_lb(\fIargs\fB)\fR, where \fIargs\fR contains comma separated IPv4 addresses (and optional port numbers) to load balance to\[char46] .IP \(bu For all the configured load balancing rules for Gateway router in \fBOVN_Northbound\fR database that includes just an IP address \fIVIP\fR to match on, a priority\-110 flow that matches on \fBct\[char46]new && ip && ip4\[char46]dst == \fIVIP\fB\fR with an action of \fBct_lb(\fIargs\fB)\fR, where \fIargs\fR contains comma separated IPv4 addresses\[char46] .IP \(bu For each configuration in the OVN Northbound database, that asks to change the destination IP address of a packet from \fIA\fR to \fIB\fR, a priority\-100 flow matches \fBip && ip4\[char46]dst == \fIA\fB\fR with an action \fBflags\[char46]loopback = 1; ct_dnat(\fIB\fB);\fR\[char46] .IP \(bu For all IP packets of a Gateway router, a priority\-50 flow with an action \fBflags\[char46]loopback = 1; ct_dnat;\fR\[char46] .IP \(bu A priority\-0 logical flow with match \fB1\fR has actions \fBnext;\fR\[char46] .RE .ST "Ingress Table 5: IP Routing" .PP A packet that arrives at this table is an IP packet that should be routed to the address in \fBip4\[char46]dst\fR or \fBip6\[char46]dst\fR\[char46] This table implements IP routing, setting \fBreg0\fR (or \fBxxreg0\fR for IPv6) to the next-hop IP address (leaving \fBip4\[char46]dst\fR or \fBip6\[char46]dst\fR, the packet\(cqs final destination, unchanged) and advances to the next table for ARP resolution\[char46] It also sets \fBreg1\fR (or \fBxxreg1\fR) to the IP address owned by the selected router port (Table 7 will generate ARP request, if needed, with \fBreg0\fR as the target protocol address and \fBreg1\fR as the source protocol address)\[char46] .PP This table contains the following logical flows: .RS .IP \(bu IPv4 routing table\[char46] For each route to IPv4 network \fIN\fR with netmask \fIM\fR, on router port \fIP\fR with IP address \fIA\fR and Ethernet address \fIE\fR, a logical flow with match \fBip4\[char46]dst == \fIN\fB/\fIM\fB\fR, whose priority is the number of 1-bits in \fIM\fR, has the following actions: .IP .nf \fB .br \fBip\[char46]ttl\-\-; .br \fBreg0 = \fIG\fB; .br \fBreg1 = \fIA\fB; .br \fBeth\[char46]src = \fIE\fB; .br \fBoutport = \fIP\fB; .br \fBflags\[char46]loopback = 1; .br \fBnext; .br \fB .fi .IP (Ingress table 1 already verified that \fBip\[char46]ttl\-\-;\fR will not yield a TTL exceeded error\[char46]) .IP If the route has a gateway, \fIG\fR is the gateway IP address\[char46] Instead, if the route is from a configured static route, \fIG\fR is the next hop IP address\[char46] Else it is \fBip4\[char46]dst\fR\[char46] .IP \(bu IPv6 routing table\[char46] For each route to IPv6 network \fIN\fR with netmask \fIM\fR, on router port \fIP\fR with IP address \fIA\fR and Ethernet address \fIE\fR, a logical flow with match in CIDR notation \fBip6\[char46]dst == \fIN\fB/\fIM\fB\fR, whose priority is the integer value of \fIM\fR, has the following actions: .IP .nf \fB .br \fBip\[char46]ttl\-\-; .br \fBxxreg0 = \fIG\fB; .br \fBxxreg1 = \fIA\fB; .br \fBeth\[char46]src = \fIE\fB; .br \fBoutport = \fIP\fB; .br \fBflags\[char46]loopback = 1; .br \fBnext; .br \fB .fi .IP (Ingress table 1 already verified that \fBip\[char46]ttl\-\-;\fR will not yield a TTL exceeded error\[char46]) .IP If the route has a gateway, \fIG\fR is the gateway IP address\[char46] Instead, if the route is from a configured static route, \fIG\fR is the next hop IP address\[char46] Else it is \fBip6\[char46]dst\fR\[char46] .IP If the address \fIA\fR is in the link-local scope, the route will be limited to sending on the ingress port\[char46] .RE .ST "Ingress Table 6: ARP/ND Resolution" .PP Any packet that reaches this table is an IP packet whose next-hop IPv4 address is in \fBreg0\fR or IPv6 address is in \fBxxreg0\fR\[char46] (\fBip4\[char46]dst\fR or \fBip6\[char46]dst\fR contains the final destination\[char46]) This table resolves the IP address in \fBreg0\fR (or \fBxxreg0\fR) into an output port in \fBoutport\fR and an Ethernet address in \fBeth\[char46]dst\fR, using the following flows: .RS .IP \(bu Static MAC bindings\[char46] MAC bindings can be known statically based on data in the \fBOVN_Northbound\fR database\[char46] For router ports connected to logical switches, MAC bindings can be known statically from the \fBaddresses\fR column in the \fBLogical_Switch_Port\fR table\[char46] For router ports connected to other logical routers, MAC bindings can be known statically from the \fBmac\fR and \fBnetworks\fR column in the \fBLogical_Router_Port\fR table\[char46] .IP For each IPv4 address \fIA\fR whose host is known to have Ethernet address \fIE\fR on router port \fIP\fR, a priority\-100 flow with match \fBoutport === \fIP\fB && reg0 == \fIA\fB\fR has actions \fBeth\[char46]dst = \fIE\fB; next;\fR\[char46] .IP For each IPv6 address \fIA\fR whose host is known to have Ethernet address \fIE\fR on router port \fIP\fR, a priority\-100 flow with match \fBoutport === \fIP\fB && xxreg0 == \fIA\fB\fR has actions \fBeth\[char46]dst = \fIE\fB; next;\fR\[char46] .IP For each logical router port with an IPv4 address \fIA\fR and a mac address of \fIE\fR that is reachable via a different logical router port \fIP\fR, a priority\-100 flow with match \fBoutport === \fIP\fB && reg0 == \fIA\fB\fR has actions \fBeth\[char46]dst = \fIE\fB; next;\fR\[char46] .IP For each logical router port with an IPv6 address \fIA\fR and a mac address of \fIE\fR that is reachable via a different logical router port \fIP\fR, a priority\-100 flow with match \fBoutport === \fIP\fB && xxreg0 == \fIA\fB\fR has actions \fBeth\[char46]dst = \fIE\fB; next;\fR\[char46] .IP \(bu Dynamic MAC bindings\[char46] These flows resolve MAC-to-IP bindings that have become known dynamically through ARP or neighbor discovery\[char46] (The next table will issue an ARP or neighbor solicitation request for cases where the binding is not yet known\[char46]) .IP A priority\-0 logical flow with match \fBip4\fR has actions \fBget_arp(outport, reg0); next;\fR\[char46] .IP A priority\-0 logical flow with match \fBip6\fR has actions \fBget_nd(outport, xxreg0); next;\fR\[char46] .RE .ST "Ingress Table 7: ARP Request" .PP In the common case where the Ethernet destination has been resolved, this table outputs the packet\[char46] Otherwise, it composes and sends an ARP request\[char46] It holds the following flows: .RS .IP \(bu Unknown MAC address\[char46] A priority\-100 flow with match \fBeth\[char46]dst == 00:00:00:00:00:00\fR has the following actions: .IP .nf \fB .br \fBarp { .br \fB eth\[char46]dst = ff:ff:ff:ff:ff:ff; .br \fB arp\[char46]spa = reg1; .br \fB arp\[char46]tpa = reg0; .br \fB arp\[char46]op = 1; /* ARP request\[char46] */ .br \fB output; .br \fB}; .br \fB .fi .IP (Ingress table 4 initialized \fBreg1\fR with the IP address owned by \fBoutport\fR and \fBreg0\fR with the next-hop IP address) .IP The IP packet that triggers the ARP request is dropped\[char46] .IP \(bu Known MAC address\[char46] A priority\-0 flow with match \fB1\fR has actions \fBoutput;\fR\[char46] .RE .ST "Egress Table 0: SNAT" .PP Packets that are configured to be SNATed get their source IP address changed based on the configuration in the OVN Northbound database\[char46] .RS .IP \(bu For each configuration in the OVN Northbound database, that asks to change the source IP address of a packet from an IP address of \fIA\fR or to change the source IP address of a packet that belongs to network \fIA\fR to \fIB\fR, a flow matches \fBip && ip4\[char46]src == \fIA\fB\fR with an action \fBct_snat(\fIB\fB);\fR\[char46] The priority of the flow is calculated based on the mask of \fIA\fR, with matches having larger masks getting higher priorities\[char46] .IP A priority\-0 logical flow with match \fB1\fR has actions \fBnext;\fR\[char46] .RE .ST "Egress Table 1: Delivery" .PP Packets that reach this table are ready for delivery\[char46] It contains priority\-100 logical flows that match packets on each enabled logical router port, with action \fBoutput;\fR\[char46]