Each row represents one L2 logical switch.
</p>
+ <p>
+ There are two kinds of logical switches, that is, ones that fully
+ virtualize the network (overlay logical switches) and ones that provide
+ simple connectivity to a physical network (bridged logical switches).
+ They work in the same way when providing connectivity between logical
+ ports on same chasis, but differently when connecting remote logical
+ ports. Overlay logical switches connect remote logical ports by tunnels,
+ while bridged logical switches provide connectivity to remote ports by
+ bridging the packets to directly connected physical L2 segment with the
+ help of <code>localnet</code> ports. Each bridged logical switch has
+ one and only one <code>localnet</code> port, which has only one special
+ address <code>unknown</code>.
+ </p>
+
<column name="name">
<p>
A name for the logical switch. This name has no special meaning or purpose
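Review bot: "chasis" on the "ports on same chasis" line is a typo for "chassis", and the same sentence is missing an article ("on the same chassis"); "bridging the packets to directly connected physical L2 segment" also reads better as "to the directly connected physical L2 segment". Since this paragraph is the only place that states the bridged-switch invariant (exactly one <code>localnet</code> port, whose only address is <code>unknown</code>), consider also saying what <code>unknown</code> implies here, namely that the switch forwards frames for any MAC it has not learned toward the physical segment, so readers understand why an unrestricted localnet port is a deliberate trust boundary rather than a misconfiguration.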
<dd>
A connection to a locally accessible network from each
<code>ovn-controller</code> instance. A logical switch can only
- have a single <code>localnet</code> port attached and at most one
- regular logical port. This is used to model direct connectivity to
- an existing network.
+ have a single <code>localnet</code> port attached. This is used
+ to model direct connectivity to an existing network.
</dd>
<dt><code>vtep</code></dt>
Required. A logical switch name connected by the VTEP gateway.
</column>
</group>
+
+ <group title="VMI (or VIF) Options">
+ <p>
+ These options apply to logical ports with <ref column="type"/> having
+ (empty string)
+ </p>
+
+ <column name="options" key="policing_rate">
+ If set, indicates the maximum rate for data sent from this interface,
+ in kbps. Data exceeding this rate is dropped.
+ </column>
+
+ <column name="options" key="policing_burst">
+ If set, indicates the maximum burst size for data sent from this
+ interface, in kb.
+ </column>
+ </group>
</group>
<group title="Containers">
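Review bot: the sentence "These options apply to logical ports with <ref column="type"/> having (empty string)" is grammatically incomplete; suggest "These options apply to logical ports whose <ref column="type"/> is the empty string (the default)". The units on the two new columns are also ambiguous: "kbps" and "kb" can be read as kilobits or kilobytes, so spell them out ("kilobits per second" and "kilobits") so operators sizing a rate limit or burst do not misconfigure by a factor of eight. Separately, the earlier hunk drops the "at most one regular logical port" restriction from the <code>localnet</code> description; if that restriction was relaxed on purpose, the commit message should say so, since it changes what a bridged switch may contain.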
</p>
<dl>
- <dt><code><var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var></code></dt>
+ <dt><code>Ethernet address followed by zero or more IPv4 or IPv6 addresses (or both)</code></dt>
<dd>
<p>
- An Ethernet address owned by the logical port. Like a physical
- Ethernet NIC, a logical port ordinarily has a single fixed
- Ethernet address.
+ An Ethernet address defined is owned by the logical port.
+ Like a physical Ethernet NIC, a logical port ordinarily has
+ a single fixed Ethernet address.
</p>
<p>
if a MAC learning process had learned that MAC address on the
port.
</p>
- </dd>
- <dt><code><var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var> <var>a</var>.<var>b</var>.<var>c</var>.<var>d</var></code></dt>
- <dd>
<p>
- This form has all the effects of the previous form. It also
- indicates that the logical port owns the given IPv4 address.
+ If IPv4 or IPv6 address(es) (or both) are defined, it indicates
+ that the logical port owns the given IP addresses.
</p>
<p>
- The OVN logical switch uses this information to synthesize
- responses to ARP requests without traversing the physical
- network. The OVN logical router connected to the logical switch,
- if any, uses this information to avoid issuing ARP requests for
- logical switch ports.
+ If IPv4 address(es) are defined, the OVN logical switch uses this
+ information to synthesize responses to ARP requests without
+ traversing the physical network. The OVN logical router connected
+ to the logical switch, if any, uses this information to avoid
+ issuing ARP requests for logical switch ports.
</p>
<p>
Note that the order here is important. The Ethernet address must
- be listed before the IP address.
+ be listed before the IP address(es) if defined.
+ </p>
+
+ <p>
+ Examples:
</p>
+
+ <dl>
+ <dt><code>80:fa:5b:06:72:b7</code></dt>
+ <dd>
+ This indicates that the logical port owns the above mac address.
+ </dd>
+
+ <dt><code>80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4</code></dt>
+ <dd>
+ This indicates that the logical port owns the mac address and two
+ IPv4 addresses.
+ </dd>
+
+ <dt><code>80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41</code></dt>
+ <dd>
+ This indicates that the logical port owns the mac address and
+ 1 IPv6 address.
+ </dd>
+
+ <dt><code>80:fa:5b:06:72:b7 10.0.0.4 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41</code></dt>
+ <dd>
+ This indicates that the logical port owns the mac address and
+ 1 IPv4 address and 1 IPv6 address.
+ </dd>
+ </dl>
</dd>
<dt><code>unknown</code></dt>
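Review bot: the new <code>&lt;dt&gt;</code> wraps an English description ("Ethernet address followed by zero or more IPv4 or IPv6 addresses (or both)") in <code>&lt;code&gt;</code>, whereas the previous form used <code>&lt;var&gt;</code> placeholders for the literal syntax; either keep a template such as <code><var>xx</var>:<var>xx</var>:... [<var>ip</var>...]</code> in the term and move the description into the <code>&lt;dd&gt;</code>, or drop the <code>&lt;code&gt;</code> so the term is not rendered as literal syntax. "An Ethernet address defined is owned by the logical port" should read "The Ethernet address is owned by the logical port". The paragraph on synthesized ARP responses now covers only IPv4; since IPv6 addresses may be listed, state whether the logical switch also answers IPv6 Neighbor Solicitations for the listed addresses, or explicitly that it does not, so readers do not assume equivalent behaviour. The examples also mix "mac address" and "MAC address"; use the capitalized form throughout.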
<column name="port_security">
<p>
- A set of L2 (Ethernet) addresses from which the logical port is
- allowed to send packets and to which it is allowed to receive
- packets. If this column is empty, all addresses are permitted.
- Logical ports are always allowed to receive packets addressed to
- multicast and broadcast addresses.
+ This column controls the addresses from which the host attached to the
+ logical port (``the host'') is allowed to send packets and to which it
+ is allowed to receive packets. If this column is empty, all addresses
+ are permitted.
</p>
<p>
- Each member of the set is an Ethernet address in the form
- <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>.
+ Each element in the set must begin with one Ethernet address.
+ This would restrict the host to sending packets from and receiving
+ packets to the ethernet addresses defined in the logical port's
+ <ref column="port_security"/> column. It also restricts the inner
+ source MAC addresses that the host may send in ARP and IPv6
+ Neighbor Discovery packets. The host is always allowed to receive packets
+ to multicast and broadcast Ethernet addresses.
</p>
<p>
- This specification will be extended to support L3 port security.
+ Each element in the set may additionally contain one or more IPv4 or
+ IPv6 addresses (or both), with optional masks. If a mask is given, it
+ must be a CIDR mask. In addition to the restrictions described for
+ Ethernet addresses above, such an element restricts the IPv4 or IPv6
+ addresses from which the host may send and to which it may receive
+ packets to the specified addresses. A masked address, if the host part
+ is zero, indicates that the host is allowed to use any address in the
+ subnet; if the host part is nonzero, the mask simply indicates the size
+ of the subnet. In addition:
</p>
+
+ <ul>
+ <li>
+ <p>
+ If any IPv4 address is given, the host is also allowed to receive
+ packets to the IPv4 local broadcast address 255.255.255.255 and to
+ IPv4 multicast addresses (224.0.0.0/4). If an IPv4 address with a
+ mask is given, the host is also allowed to receive packets to the
+ broadcast address in that specified subnet.
+ </p>
+
+ <p>
+ If any IPv4 address is given, the host is additionally restricted
+ to sending ARP packets with the specified source IPv4 address.
+ (RARP is not restricted.)
+ </p>
+ </li>
+
+ <li>
+ <p>
+ If any IPv6 address is given, the host is also allowed to receive
+ packets to IPv6 multicast addresses (ff00::/8).
+ </p>
+
+ <p>
+ If any IPv6 address is given, the host is additionally restricted
+ to sending IPv6 Neighbor Discovery Solicitation or Advertisement
+ packets with the specified source address or, for solicitations,
+ the unspecified address.
+ </p>
+ </li>
+ </ul>
+
+ <p>
+ If an element includes an IPv4 address, but no IPv6 addresses, then
+ IPv6 traffic is not allowed. If an element includes an IPv6 address,
+ but no IPv4 address, then IPv4 and ARP traffic is not allowed.
+ </p>
+
+ <p>
+ This column uses the same lexical syntax as the <ref column="match"
+ table="Pipeline" db="OVN_Southbound"/> column in the OVN Southbound
+ database's <ref table="Pipeline" db="OVN_Southbound"/> table. Multiple
+ addresses within an element may be space or comma separated.
+ </p>
+
+ <p>
+ This column is provided as a convenience to cloud management systems,
+ but all of the features that it implements can be implemented as ACLs
+ using the <ref table="ACL"/> table.
+ </p>
+
+ <p>
+ Examples:
+ </p>
+
+ <dl>
+ <dt><code>80:fa:5b:06:72:b7</code></dt>
+ <dd>
+ The host may send traffic from and receive traffic to the specified
+ MAC address, and to receive traffic to Ethernet multicast and
+ broadcast addresses, but not otherwise. The host may not send ARP or
+ IPv6 Neighbor Discovery packets with inner source Ethernet addresses
+ other than the one specified.
+ </dd>
+
+ <dt><code>80:fa:5b:06:72:b7 192.168.1.10/24</code></dt>
+ <dd>
+ This adds further restrictions to the first example. The host may
+ send IPv4 packets from or receive IPv4 packets to only 192.168.1.10,
+ except that it may also receive IPv4 packets to 192.168.1.255 (based
+ on the subnet mask), 255.255.255.255, and any address in 224.0.0.0/4.
+ The host may not send ARPs with a source Ethernet address other than
+ 80:fa:5b:06:72:b7 or source IPv4 address other than 192.168.1.10.
+ The host may not send or receive any IPv6 (including IPv6 Neighbor
+ Discovery) traffic.
+ </dd>
+
+ <dt><code>"80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"</code></dt>
+ <dd>
+ The host may send traffic from and receive traffic to the
+ specified MAC addresses, and
+ to receive traffic to Ethernet multicast and broadcast addresses,
+ but not otherwise. With MAC 80:fa:5b:12:42:ba, the host may
+ send traffic from and receive traffic to any L3 address.
+ With MAC 80:fa:5b:06:72:b7, the host may send IPv4 packets from or
+ receive IPv4 packets to only 192.168.1.10, except that it may also
+ receive IPv4 packets to 192.168.1.255 (based on the subnet mask),
+ 255.255.255.255, and any address in 224.0.0.0/4. The host may not
+ send or receive any IPv6 (including IPv6 Neighbor Discovery) traffic.
+ </dd>
+ </dl>
</column>
</group>
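Review bot: the TeX-style quotes in (``the host'') are not XML conventions and will render literally in the generated manpage; use plain double quotes or drop the quotes. "ethernet addresses" should be capitalized consistently with the rest of the column. The ARP restriction in the first list item ("restricted to sending ARP packets with the specified source IPv4 address") is ambiguous when the element carries a masked address with a zero host part, which the preceding paragraph says permits any address in the subnet: say whether the ARP source address is then also allowed to be any subnet address or only the addresses listed, because operators rely on this column for anti-spoofing and the two readings give different guarantees. Finally, the "this column is provided as a convenience ... can be implemented as ACLs" paragraph would benefit from one sentence noting that <ref column="port_security"/> is enforced in both directions on the port itself, which is the property that makes it a reasonable substitute for a hand-written ACL set.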
Note that you can not create an ACL matching on a port with
type=router.
</p>
+
+ <p>
+ Note that when <code>localnet</code> port exists in a lswitch, for
+ <code>to-lport</code> direction, the <code>inport</code> works only if
+ the <code>to-lport</code> is located on the same chassis as the
+ <code>inport</code>.
+ </p>
</column>
<column name="action">
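Review bot: the new paragraph needs an article ("when a <code>localnet</code> port exists") and should spell out the consequence rather than only the condition: in the <code>to-lport</code> direction, a match on <code>inport</code> holds only when the destination port is on the same chassis as the source, so it should state what <code>inport</code> evaluates to when the packet instead arrives through the <code>localnet</code> port from another chassis. Without that, readers may write <code>to-lport</code> ACLs keyed on <code>inport</code> expecting them to enforce isolation across chassis on a bridged logical switch; suggest recommending that such policies match on addresses or use the <code>from-lport</code> direction instead.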