X-Git-Url: http://git.cascardo.info/?a=blobdiff_plain;f=vswitchd%2Fvswitch.xml;h=15f71de7f8d4646915c129c5ceef1efe3506206c;hb=600766e877efa2713b9c87d127f7190d8ab48da9;hp=7f2fd587d754afc469964b1111935851a2e01854;hpb=d73728e6bc30c8e6b393699ef78eb7919b1c68c5;p=cascardo%2Fovs.git diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml index 7f2fd587d..15f71de7f 100644 --- a/vswitchd/vswitch.xml +++ b/vswitchd/vswitch.xml @@ -1,5 +1,5 @@ - +

A database with this schema holds the configuration for one Open vSwitch daemon. The top-level configuration for the daemon is the @@ -72,6 +72,22 @@ host as displayed by xe host-list. + +

+ Interval for updating statistics to the database, in milliseconds. + This option will affect the update of the statistics + column in the following tables: Port, Interface + , Mirror. +

+

+ Default value is 5000 ms. +

+

+ Getting statistics more frequently can be achieved via OpenFlow. +

+ +
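Review bot: The statistics-interval text added in this hunk gives the default ("Default value is 5000 ms.") but not what happens when a smaller value, zero, or a non-numeric string is configured. Other settings added by this patch state the range a value is forced into (the multicast snooping aging time and table size), so say here whether the interval is clamped to a minimum or accepted as given. The line break before ", Mirror" is also likely to render as a space before the comma.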

@@ -129,13 +145,47 @@ The maximum number of flows allowed in the datapath flow table. Internally OVS will choose a flow limit which will likely be lower than this number, - based on real time network conditions. + based on real time network conditions. Tweaking this value is + discouraged unless you know exactly what you're doing.

The default is 200000.

+ +

+ The maximum time (in ms) that idle flows will remain cached in the + datapath. Internally OVS will check the validity and activity for + datapath flows regularly and may expire flows quicker than this + number, based on real time network conditions. Tweaking this + value is discouraged unless you know exactly what you're doing. +

+

+ The default is 10000. +

+
+ + +

+ Specifies CPU mask for setting the cpu affinity of PMD (Poll + Mode Driver) threads. Value should be in the form of hex string, + similar to the dpdk EAL '-c COREMASK' option input or the 'taskset' + mask input. +

+

+ The lowest order bit corresponds to the first CPU core. A set bit + means the corresponding core is available and a pmd thread will be + created and pinned to it. If the input does not cover all cores, + those uncovered cores are considered not set. +

+

+ If not specified, one pmd thread will be created for each numa node + and pinned to any available core on the numa node by default. +

+
+
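Review bot: The CPU mask description ("Value should be in the form of hex string") leaves the accepted syntax open: it does not say whether a leading 0x is allowed, or what happens when the mask is all zeroes or selects no core that exists. State the exact format and the fallback, since "those uncovered cores are considered not set" only covers a mask that is too short. The two added "Tweaking this value is discouraged unless you know exactly what you're doing" sentences would also be more useful if they said what goes wrong when the value is set too high or too low.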

@@ -379,6 +429,28 @@ + +

+ These columns report capabilities of the Open vSwitch instance. +

+ +

+ This column reports the different dpifs registered with the system. + These are the values that this instance supports in the column of the table. +

+
+ +

+ This column reports the different netdevs registered with the system. + These are the values that this instance supports in the column of the table. +

+
+ +

These columns primarily configure the Open vSwitch database @@ -422,9 +494,15 @@ - Bridge identifier. Should be alphanumeric and no more than about 8 - bytes long. Must be unique among the names of ports, interfaces, and - bridges on a host. +

+ Bridge identifier. Should be alphanumeric and no more than about 8 + bytes long. Must be unique among the names of ports, interfaces, and + bridges on a host. +

+ +

+ Forward and backward slashes are prohibited in bridge names. +
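Review bot: "Forward and backward slashes are prohibited in bridge names." states a hard rule next to a paragraph that only says the name "Should be alphanumeric", and neither says what happens to a name that breaks the rule. Say how a bridge name containing a slash is handled and where the error is reported, so that management software knows where to look, and say whether the same restriction applies to the port and interface names that share this namespace.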

@@ -462,6 +540,10 @@ a different type of mirror instead.

+ + + Auto Attach configuration. + @@ -538,6 +620,56 @@ column="other-config" key="datapath-id"/> instead.) + +

+ Reports the version number of the Open vSwitch datapath in use. + This allows management software to detect and report discrepancies + between Open vSwitch userspace and datapath versions. (The column in the reports the Open vSwitch userspace version.) + The version reported depends on the datapath in use: +

+ +
    +
  • + When the kernel module included in the Open vSwitch source tree is + used, this column reports the Open vSwitch version from which the + module was taken. +
  • + +
  • + When the kernel module that is part of the upstream Linux kernel is + used, this column reports <unknown>. +
  • + +
  • + When the datapath is built into the ovs-vswitchd + binary, this column reports <built-in>. A + built-in datapath is by definition the same version as the rest of + the Open VSwitch userspace. +
  • + +
  • + Other datapaths (such as the Hyper-V kernel datapath) currently + report <unknown>. +
  • +
+ +

+ A version discrepancy between ovs-vswitchd and the + datapath in use is not normally cause for alarm. The Open vSwitch + kernel datapaths for Linux and Hyper-V, in particular, are designed + for maximum inter-version compatibility: any userspace version works + with with any kernel version. Some reasons do exist to insist on + particular user/kernel pairings. First, newer kernel versions add + new features, that can only be used by new-enough userspace, e.g. + VXLAN tunneling requires certain minimal userspace and kernel + versions. Second, as an extension to the first reason, some newer + kernel versions add new features for enhancing performance that only + new-enough userspace versions can take advantage of. +

+
+ Exactly 16 hex digits to set the OpenFlow datapath ID to a specific value. May not be all-zero. @@ -565,79 +697,278 @@ -

- List of OpenFlow protocols that may be used when negotiating - a connection with a controller. OpenFlow 1.0, 1.1, 1.2, and - 1.3 are enabled by default if this column is empty. -

+

+ List of OpenFlow protocols that may be used when negotiating + a connection with a controller. OpenFlow 1.0, 1.1, 1.2, and + 1.3 are enabled by default if this column is empty. +

+ +

+ OpenFlow 1.4 is not enabled by default because its implementation is + missing features. +

-

- The current implementation of OpenFlow 1.4 support is not safe: - ovs-vswitchd will abort when certain unimplemented - features are tested. Thus, for now it is suitable only for - experimental use. For this reason, OpenFlow 1.4 is supported only - if, in addition to specifying OpenFlow14 in this field, - ovs-vswitchd is invoked with the - --enable-of14 option. (When support becomes safe, this - option will be removed.) -

+

+ OpenFlow 1.5 has the same risks as OpenFlow 1.4, but it is even more + experimental because the OpenFlow 1.5 specification is still under + development and thus subject to change. Pass + --enable-of15 to ovs-vswitchd to allow + OpenFlow 1.5 to be enabled. +

- The IEEE 802.1D Spanning Tree Protocol (STP) is a network protocol - that ensures loop-free topologies. It allows redundant links to - be included in the network to provide automatic backup paths if - the active links fails. +

+ The IEEE 802.1D Spanning Tree Protocol (STP) is a network protocol + that ensures loop-free topologies. It allows redundant links to + be included in the network to provide automatic backup paths if + the active links fails. +

- - Enable spanning tree on the bridge. By default, STP is disabled - on bridges. Bond, internal, and mirror ports are not supported - and will not participate in the spanning tree. - +

+ These settings configure the slower-to-converge but still widely + supported version of Spanning Tree Protocol, sometimes known as + 802.1D-1998. Open vSwitch also supports the newer Rapid Spanning Tree + Protocol (RSTP), documented later in the section titled Rapid + Spanning Tree Configuration. +

- - The bridge's STP identifier (the lower 48 bits of the bridge-id) - in the form - xx:xx:xx:xx:xx:xx. - By default, the identifier is the MAC address of the bridge. - + + +

+ Enable spanning tree on the bridge. By default, STP is disabled + on bridges. Bond, internal, and mirror ports are not supported + and will not participate in the spanning tree. +

- - The bridge's relative priority value for determining the root - bridge (the upper 16 bits of the bridge-id). A bridge with the - lowest bridge-id is elected the root. By default, the priority - is 0x8000. - +

+ STP and RSTP are mutually exclusive. If both are enabled, RSTP + will be used. +

+
- - The interval between transmissions of hello messages by - designated ports, in seconds. By default the hello interval is - 2 seconds. - + + The bridge's STP identifier (the lower 48 bits of the bridge-id) + in the form + xx:xx:xx:xx:xx:xx. + By default, the identifier is the MAC address of the bridge. + - - The maximum age of the information transmitted by the bridge - when it is the root bridge, in seconds. By default, the maximum - age is 20 seconds. - + + The bridge's relative priority value for determining the root + bridge (the upper 16 bits of the bridge-id). A bridge with the + lowest bridge-id is elected the root. By default, the priority + is 0x8000. + + + + The interval between transmissions of hello messages by + designated ports, in seconds. By default the hello interval is + 2 seconds. + + + + The maximum age of the information transmitted by the bridge + when it is the root bridge, in seconds. By default, the maximum + age is 20 seconds. + + + + The delay to wait between transitioning root and designated + ports to forwarding, in seconds. By default, the + forwarding delay is 15 seconds. + + + +

+ The maximum number of seconds to retain a multicast snooping entry for + which no packets have been seen. The default is currently 300 + seconds (5 minutes). The value, if specified, is forced into a + reasonable range, currently 15 to 3600 seconds. +

+
+ + +

+ The maximum number of multicast snooping addresses to learn. The + default is currently 2048. The value, if specified, is forced into + a reasonable range, currently 10 to 1,000,000. +

+
+ +

+ If set to false, unregistered multicast packets are forwarded + to all ports. + If set to true, unregistered multicast packets are forwarded + to ports connected to multicast routers. +

+
+
+ + +

+ These key-value pairs report the status of 802.1D-1998. They are + present only if STP is enabled (via the + column). +

+ + The bridge ID used in spanning tree advertisements, in the form + xxxx.yyyyyyyyyyyy where the xs are + the STP priority, the ys are the STP system ID, and each + x and y is a hex digit. + + + The designated root for this spanning tree, in the same form as . If this bridge is the root, + this will have the same value as , otherwise it will differ. + + + The path cost of reaching the designated bridge. A lower number is + better. The value is 0 if this bridge is the root, otherwise it is + higher. + +
+
+ + +

+ Rapid Spanning Tree Protocol (RSTP), like STP, is a network protocol + that ensures loop-free topologies. RSTP superseded STP with the + publication of 802.1D-2004. Compared to STP, RSTP converges more + quickly and recovers more quickly from failures. +

+ + + +

+ Enable Rapid Spanning Tree on the bridge. By default, RSTP is disabled + on bridges. Bond, internal, and mirror ports are not supported + and will not participate in the spanning tree. +

+ +

+ STP and RSTP are mutually exclusive. If both are enabled, RSTP + will be used. +

+
+ + + The bridge's RSTP address (the lower 48 bits of the bridge-id) + in the form + xx:xx:xx:xx:xx:xx. + By default, the address is the MAC address of the bridge. + + + + The bridge's relative priority value for determining the root + bridge (the upper 16 bits of the bridge-id). A bridge with the + lowest bridge-id is elected the root. By default, the priority + is 0x8000 (32768). This value needs to be a multiple of 4096, + otherwise it's rounded to the nearest inferior one. + + + + The Ageing Time parameter for the Bridge. The default value + is 300 seconds. + + + + The Force Protocol Version parameter for the Bridge. This + can take the value 0 (STP Compatibility mode) or 2 + (the default, normal operation). + + + + The maximum age of the information transmitted by the Bridge + when it is the Root Bridge. The default value is 20. + + + + The delay used by STP Bridges to transition Root and Designated + Ports to Forwarding. The default value is 15. + + + + The Transmit Hold Count used by the Port Transmit state machine + to limit transmission rate. The default value is 6. + +
+ + +

+ These key-value pairs report the status of 802.1D-2004. They are + present only if RSTP is enabled (via the + column). +

+ + The bridge ID used in rapid spanning tree advertisements, in the form + x.yyy.zzzzzzzzzzzz where + x is the RSTP priority, the ys are a locally + assigned system ID extension, the zs are the STP system + ID, and each x, y, or z is a hex + digit. + + + The root of this spanning tree, in the same form as . If this bridge is the + root, this will have the same value as , otherwise it will differ. + + + The path cost of reaching the root. A lower number is better. The + value is 0 if this bridge is the root, otherwise it is higher. + + + The RSTP designated ID, in the same form as . + + + The RSTP designated port ID, as a 4-digit hex number. + + + The RSTP bridge port ID, as a 4-digit hex number. + +
+
+ + + Multicast snooping (RFC 4541) monitors the Internet Group Management + Protocol (IGMP) and Multicast Listener Discovery traffic between hosts + and multicast routers. The switch uses what IGMP and MLD snooping + learns to forward multicast traffic only to interfaces that are connected + to interested receivers. Currently it supports IGMPv1, IGMPv2, IGMPv3, + MLDv1 and MLDv2 protocols. - - The delay to wait between transitioning root and designated - ports to forwarding, in seconds. By default, the - forwarding delay is 15 seconds. + + Enable multicast snooping on the bridge. For now, the default + is disabled. - Name of datapath provider. The kernel datapath has - type system. The userspace datapath has - type netdev. + Name of datapath provider. The kernel datapath has type + system. The userspace datapath has type + netdev. A manager may refer to the column of the table for a list of the types accepted by this + Open vSwitch instance. @@ -662,18 +993,47 @@ - Option to allow forwarding of BPDU frames when NORMAL action is - invoked. Frames with reserved Ethernet addresses (e.g. STP - BPDU) will be forwarded when this option is enabled and the - switch is not providing that functionality. If STP is enabled - on the port, STP BPDUs will never be forwarded. If the Open - vSwitch bridge is used to connect different Ethernet networks, - and if Open vSwitch node does not run STP, then this option - should be enabled. Default is disabled, set to - true to enable. - - The following destination MAC addresss will not be forwarded when this - option is enabled. + +

+ Controls forwarding of BPDUs and other network control frames when + NORMAL action is invoked. When this option is false or + unset, frames with reserved Ethernet addresses (see table below) will + not be forwarded. When this option is true, such frames + will not be treated specially. +

+ +

+ The above general rule has the following exceptions: +

+ +
    +
  • + If STP is enabled on the bridge (see the column in the table), the + bridge processes all received STP packets and never passes them to + OpenFlow or forwards them. This is true even if STP is disabled on + an individual port. +
  • + +
  • + If LLDP is enabled on an interface (see the column in the table), + the interface processes received LLDP packets and never passes them + to OpenFlow or forwards them. +
  • +
+ +

+ Set this option to true if the Open vSwitch bridge + connects different Ethernet networks and is not configured to + participate in STP. +

+ +

+ This option affects packets with the following destination MAC + addresses: +

+
01:80:c2:00:00:00
IEEE 802.1D Spanning Tree Protocol (STP).
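Review bot: The exception list in the rewritten BPDU-forwarding text covers STP and LLDP but not RSTP, which this patch documents elsewhere as a second spanning tree mode on the bridge. If a bridge with RSTP enabled also processes these frames itself and never forwards them, add a third bullet; if not, say so, because "is not configured to participate in STP" is otherwise ambiguous. The first paragraph also points to a "table below" while the list is introduced as "the following destination MAC addresses"; use one term.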
@@ -688,8 +1048,8 @@
Extreme Discovery Protocol (EDP).
- 00:e0:2b:00:00:04 and 00:e0:2b:00:00:06 -
+ 00:e0:2b:00:00:04 and 00:e0:2b:00:00:06 +
Ethernet Automatic Protection Switching (EAPS).
01:00:0c:cc:cc:cc
@@ -743,34 +1103,6 @@ - -

- Status information about bridges. -

- - Key-value pairs that report bridge status. - - -

- The bridge-id (in hex) used in spanning tree advertisements. - Configuring the bridge-id is described in the - stp-system-id and stp-priority keys - of the other_config section earlier. -

-
- -

- The designated root (in hex) for this spanning tree. -

-
- -

- The path cost of reaching the designated bridge. A lower - number is better. -

-
-
- The overall purpose of these columns is described under Common Columns at the beginning of this document. @@ -779,7 +1111,7 @@ - +

A port within a .

Most commonly, a port has exactly one ``interface,'' pointed to by its @@ -1062,7 +1394,7 @@ + type='{"type": "string", "enum": ["set", ["fast", "slow"]]}'>

The LACP timing which should be used on this . By default slow is used. When configured to be @@ -1074,7 +1406,7 @@ + type='{"type": "boolean"}'>

Determines the behavior of openvswitch bond in LACP mode. If the partner switch does not support LACP, setting this option @@ -1110,37 +1442,208 @@ - - - If spanning tree is enabled on the bridge, member ports are - enabled by default (with the exception of bond, internal, and - mirror ports which do not work with STP). If this column's - value is false spanning tree is disabled on the - port. - + +

+ The configuration here is only meaningful, and the status is only + populated, when 802.1D-1998 Spanning Tree Protocol is enabled on the + port's with its + column. +

- - The port number used for the lower 8 bits of the port-id. By - default, the numbers will be assigned automatically. If any - port's number is manually configured on a bridge, then they - must all be. - + + + When STP is enabled on a bridge, it is enabled by default on all of + the bridge's ports except bond, internal, and mirror ports (which do + not work with STP). If this column's value is false, + STP is disabled on the port. + - - The port's relative priority value for determining the root - port (the upper 8 bits of the port-id). A port with a lower - port-id will be chosen as the root port. By default, the - priority is 0x80. - + + The port number used for the lower 8 bits of the port-id. By + default, the numbers will be assigned automatically. If any + port's number is manually configured on a bridge, then they + must all be. + + + + The port's relative priority value for determining the root + port (the upper 8 bits of the port-id). A port with a lower + port-id will be chosen as the root port. By default, the + priority is 0x80. + + + + Spanning tree path cost for the port. A lower number indicates + a faster link. By default, the cost is based on the maximum + speed of the link. + + + + + + The port ID used in spanning tree advertisements for this port, as 4 + hex digits. Configuring the port ID is described in the + stp-port-num and stp-port-priority keys of + the other_config section earlier. + + + STP state of the port. + + + The amount of time this port has been in the current STP state, in + seconds. + + + STP role of the port. + + + + + +

+ The configuration here is only meaningful, and the status and + statistics are only populated, when 802.1D-1998 Spanning Tree Protocol + is enabled on the port's with its column. +

+ + + + When RSTP is enabled on a bridge, it is enabled by default on all of + the bridge's ports except bond, internal, and mirror ports (which do + not work with RSTP). If this column's value is false, + RSTP is disabled on the port. + + + + The port's relative priority value for determining the root port, in + multiples of 16. By default, the port priority is 0x80 (128). Any + value in the lower 4 bits is rounded off. The significant upper 4 + bits become the upper 4 bits of the port-id. A port with the lowest + port-id is elected as the root. + + + + The local RSTP port number, used as the lower 12 bits of the port-id. + By default the port numbers are assigned automatically, and typically + may not correspond to the OpenFlow port numbers. A port with the + lowest port-id is elected as the root. + + + + The port path cost. The Port's contribution, when it is + the Root Port, to the Root Path Cost for the Bridge. By default the + cost is automatically calculated from the port's speed. + + + + The admin edge port parameter for the Port. Default is + false. + + + + The auto edge port parameter for the Port. Default is + true. + + + +

+ The mcheck port parameter for the Port. Default is + false. May be set to force the Port Protocol + Migration state machine to transmit RST BPDUs for a + MigrateTime period, to test whether all STP Bridges on the + attached LAN have been removed and the Port can continue to + transmit RSTP BPDUs. Setting mcheck has no effect if the + Bridge is operating in STP Compatibility mode. +

+

+ Changing the value from true to + false has no effect, but needs to be done if + this behavior is to be triggered again by subsequently + changing the value from false to + true. +

+
+
+ + + + The port ID used in spanning tree advertisements for this port, as 4 + hex digits. Configuring the port ID is described in the + rstp-port-num and rstp-port-priority keys + of the other_config section earlier. + + + RSTP role of the port. + + + RSTP state of the port. + + + The port's RSTP designated bridge ID, in the same form as in the table. + + + The port's RSTP designated port ID, as 4 hex digits. + + + The port's RSTP designated path cost. Lower is better. + + + + + + Number of RSTP BPDUs transmitted through this port. + + + Number of valid RSTP BPDUs received by this port. + + + Number of invalid RSTP BPDUs received by this port. + + + The duration covered by the other RSTP statistics, in seconds. + + +
- - Spanning tree path cost for the port. A lower number indicates - a faster link. By default, the cost is based on the maximum - speed of the link. + + +

+ If set to true, multicast packets (except Reports) are + unconditionally forwarded to the specific port. +

+
+ +

+ If set to true, multicast Reports are unconditionally + forwarded to the specific port. +

@@ -1168,50 +1671,25 @@ fake-bridge-, e.g. fake-bridge-xs-network-uuids.
- - -

- Status information about ports attached to bridges. -

- - Key-value pairs that report port status. - - -

- The port-id (in hex) used in spanning tree advertisements for - this port. Configuring the port-id is described in the - stp-port-num and stp-port-priority - keys of the other_config section earlier. -

-
- -

- STP state of the port. -

-
- -

- The amount of time (in seconds) port has been in the current - STP state. -

-
- +

- STP role of the port. + If set to true, the port will be removed when + ovs-ctl start --delete-transient-ports is used.

+ + For a bonded port, record the mac address of the current active slave. + +

- Key-value pairs that report port statistics. + Key-value pairs that report port statistics. The update period + is controlled by in the Open_vSwitch table.

@@ -1279,65 +1757,75 @@ address.

+ + If the configuration of the port failed, as indicated by -1 in , Open vSwitch sets this column to an error + description in human readable form. Otherwise, Open vSwitch clears + this column. + + -

- When a client adds a new interface, Open vSwitch chooses an OpenFlow - port number for the new port. If the client that adds the port fills - in , then Open vSwitch tries to use its - value as the OpenFlow port number. Otherwise, or if the requested - port number is already in use or cannot be used for another reason, - Open vSwitch automatically assigns a free port number. Regardless of - how the port number was obtained, Open vSwitch then reports in the port number actually assigned. -

- -

- Open vSwitch limits the port numbers that it automatically assigns to - the range 1 through 32,767, inclusive. Controllers therefore have - free use of ports 32,768 and up. -

- - -

- OpenFlow port number for this interface. Open vSwitch sets this - column's value, so other clients should treat it as read-only. -

-

- The OpenFlow ``local'' port (OFPP_LOCAL) is 65,534. - The other valid port numbers are in the range 1 to 65,279, - inclusive. Value -1 indicates an error adding the interface. -

-
- - -

- Requested OpenFlow port number for this interface. -

- -

- A client should ideally set this column's value in the same - database transaction that it uses to create the interface. Open - vSwitch version 2.1 and later will honor a later request for a - specific port number, althuogh it might confuse some controllers: - OpenFlow does not have a way to announce a port number change, so - Open vSwitch represents it over OpenFlow as a port deletion - followed immediately by a port addition. -

- -

- If is set or changed to some other - port's automatically assigned port number, Open vSwitch chooses a - new port number for the latter port. -

-
+

+ When a client adds a new interface, Open vSwitch chooses an OpenFlow + port number for the new port. If the client that adds the port fills + in , then Open vSwitch tries to use its + value as the OpenFlow port number. Otherwise, or if the requested + port number is already in use or cannot be used for another reason, + Open vSwitch automatically assigns a free port number. Regardless of + how the port number was obtained, Open vSwitch then reports in the port number actually assigned. +

+ +

+ Open vSwitch limits the port numbers that it automatically assigns to + the range 1 through 32,767, inclusive. Controllers therefore have + free use of ports 32,768 and up. +

+ + +

+ OpenFlow port number for this interface. Open vSwitch sets this + column's value, so other clients should treat it as read-only. +

+

+ The OpenFlow ``local'' port (OFPP_LOCAL) is 65,534. + The other valid port numbers are in the range 1 to 65,279, + inclusive. Value -1 indicates an error adding the interface. +

+
+ + +

+ Requested OpenFlow port number for this interface. +

+ +

+ A client should ideally set this column's value in the same + database transaction that it uses to create the interface. Open + vSwitch version 2.1 and later will honor a later request for a + specific port number, althuogh it might confuse some controllers: + OpenFlow does not have a way to announce a port number change, so + Open vSwitch represents it over OpenFlow as a port deletion + followed immediately by a port addition. +

+ +

+ If is set or changed to some other + port's automatically assigned port number, Open vSwitch chooses a + new port number for the latter port. +

+

- The interface type, one of: + The interface type. The types supported by a particular instance of + Open vSwitch are listed in the column in the + table. The following types are defined:
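Review bot: The re-indented port-number request paragraph carries the misspelling "althuogh" over from the removed lines into the added ones ("specific port number, althuogh it might confuse some controllers"). Every line of that paragraph is rewritten by this hunk anyway, so correct it to "although" here.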

@@ -1359,6 +1847,15 @@
tap
A TUN/TAP device managed by Open vSwitch.
+
geneve
+
+ An Ethernet over Geneve (http://tools.ietf.org/html/draft-ietf-nvo3-geneve-00) + IPv4 tunnel. + + A description of how to match and set Geneve options can be found + in the ovs-ofctl manual page. +
+
gre
An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4 @@ -1371,33 +1868,17 @@ IPsec tunnel.
-
gre64
-
- It is same as GRE, but it allows 64 bit key. To store higher 32-bits - of key, it uses GRE protocol sequence number field. This is non - standard use of GRE protocol since OVS does not increment - sequence number for every packet at time of encap as expected by - standard GRE implementation. See - for information on configuring GRE tunnels. -
- -
ipsec_gre64
-
- Same as IPSEC_GRE except 64 bit key. -
-
vxlan
-

- An Ethernet tunnel over the experimental, UDP-based VXLAN - protocol described at - http://tools.ietf.org/html/draft-mahalingam-dutt-dcops-vxlan-03. -

-

- Open vSwitch uses UDP destination port 4789. The source port used for - VXLAN traffic varies on a per-flow basis and is in the ephemeral port - range. -

+

+ An Ethernet tunnel over the UDP-based VXLAN protocol described in + RFC 7348. +

+

+ Open vSwitch uses UDP destination port 4789. The source port used for + VXLAN traffic varies on a per-flow basis and is in the ephemeral port + range. +

lisp
@@ -1416,6 +1897,25 @@

+
stt
+
+ The Stateless TCP Tunnel (STT) is particularly useful when tunnel + endpoints are in end-systems, as it utilizes the capabilities of + standard network interface cards to improve performance. STT utilizes + a TCP-like header inside the IP header. It is stateless, i.e., there is + no TCP connection state of any kind associated with the tunnel. The + TCP-like header is used to leverage the capabilities of existing + network interface cards, but should not be interpreted as implying + any sort of connection state between endpoints. + Since the STT protocol does not engage in the usual TCP 3-way handshake, + so it will have difficulty traversing stateful firewalls. + The protocol is documented at + http://www.ietf.org/archive/id/draft-davie-stt-06.txt + + All traffic uses a default destination port of 7471. STT is only + available in kernel datapath on kernel 3.5 or newer. +
+
patch
A pair of virtual devices that act as a patch cable. @@ -1423,7 +1923,7 @@
null
An ignored interface. Deprecated and slated for removal in - February 2013.
+ February 2013.
@@ -1431,8 +1931,8 @@

These options apply to interfaces with of - gre, ipsec_gre, gre64, - ipsec_gre64, vxlan, and lisp. + geneve, gre, ipsec_gre, + vxlan, lisp and stt.

@@ -1467,9 +1967,9 @@

- The remote tunnel endpoint for any packet received from a tunnel - is available in the tun_src field for matching in the - flow table. + The remote tunnel endpoint for any packet received from a tunnel + is available in the tun_src field for matching in the + flow table.

@@ -1520,9 +2020,9 @@ key="in_key"/> at all.
  • - A positive 24-bit (for VXLAN and LISP), 32-bit (for GRE) or 64-bit - (for GRE64) number. The tunnel receives only packets with the - specified key. + A positive 24-bit (for Geneve, VXLAN, and LISP), 32-bit (for GRE) + or 64-bit (for STT) number. The tunnel receives only + packets with the specified key.
  • The word flow. The tunnel accepts packets with any @@ -1547,9 +2047,9 @@ key="out_key"/> at all.
  • - A positive 24-bit (for VXLAN and LISP), 32-bit (for GRE) or 64-bit - (for GRE64) number. Packets sent through the tunnel will have the - specified key. + A positive 24-bit (for Geneve, VXLAN and LISP), 32-bit (for GRE) or + 64-bit (for STT) number. Packets sent through the tunnel + will have the specified key.
  • The word flow. Packets sent through the tunnel will @@ -1589,30 +2089,54 @@ to false to disable. - + + + +

    Optional. Comma separated list of optional VXLAN extensions to + enable. The following extensions are supported:

    + +
      +
    • + gbp: VXLAN-GBP allows to transport the group policy + context of a packet across the VXLAN tunnel to other network + peers. See the field description of tun_gbp_id and + tun_gbp_flags in ovs-ofctl(8) for additional + information. + (https://tools.ietf.org/html/draft-smith-vxlan-group-policy) +
    • +
    +
    + +
    + +

    - Only gre and ipsec_gre interfaces support - these options. + gre, ipsec_gre, geneve, and + vxlan interfaces support these options.

    - Optional. Compute GRE checksums on outgoing packets. Default is - disabled, set to true to enable. Checksums present on - incoming packets will be validated regardless of this setting. -

    - -

    - GRE checksums impose a significant performance penalty because they - cover the entire packet. The encapsulated L3, L4, and L7 packet - contents typically have their own checksums, so this additional - checksum only adds value for the GRE and encapsulated L2 headers. + Optional. Compute encapsulation header (either GRE or UDP) + checksums on outgoing packets. Default is disabled, set to + true to enable. Checksums present on incoming + packets will be validated regardless of this setting. +

    + +

    + When using the upstream Linux kernel module, computation of + checksums for geneve and vxlan requires + Linux kernel version 4.0 or higher. gre supports + checksums for all versions of Open vSwitch that support GRE. + The out of tree kernel module distributed as part of OVS + can compute all tunnel checksums on any kernel version that it + is compatible with.

    - This option is supported for ipsec_gre, but not useful - because GRE checksums are weaker than, and redundant with, IPsec - payload authentication. + This option is supported for ipsec_gre, but not useful + because GRE checksums are weaker than, and redundant with, IPsec + payload authentication.

    @@ -1664,6 +2188,21 @@
    + +

    + Only PMD netdevs support these options. +

    + + +

    + Specifies the maximum number of rx queues to be created for PMD + netdev. If not specified or specified to 0, one rx queue will + be created by default. +

    +
    +
    +

    Status information about interfaces attached to bridges, updated every @@ -1752,8 +2291,8 @@ - Egress interface for tunnels. Currently only relevant for GRE tunnels - On Linux systems, this column will show the name of the interface + Egress interface for tunnels. Currently only relevant for tunnels + on Linux systems, this column will show the name of the interface which is responsible for routing traffic destined for the configured . This could be an internal interface such as a bridge port. @@ -1769,12 +2308,14 @@

    Key-value pairs that report interface statistics. The current - implementation updates these counters periodically. Future - implementations may update them when an interface is created, when they - are queried (e.g. using an OVSDB select operation), and - just before an interface is deleted due to virtual interface hot-unplug - or VM shutdown, and perhaps at other times, but not on any regular - periodic basis. + implementation updates these counters periodically. The update period + is controlled by in the Open_vSwitch table. + Future implementations may update them when an interface is created, + when they are queried (e.g. using an OVSDB select + operation), and just before an interface is deleted due to virtual + interface hot-unplug or VM shutdown, and perhaps at other times, but + not on any regular periodic basis.

    These are the same statistics reported by OpenFlow in its struct @@ -1905,69 +2446,70 @@

    - BFD, defined in RFC 5880 and RFC 5881, allows point-to-point - detection of connectivity failures by occasional transmission of - BFD control messages. Open vSwitch implements BFD to serve - as a more popular and standards compliant alternative to CFM. + BFD, defined in RFC 5880 and RFC 5881, allows point-to-point + detection of connectivity failures by occasional transmission of + BFD control messages. Open vSwitch implements BFD to serve + as a more popular and standards compliant alternative to CFM.

    - BFD operates by regularly transmitting BFD control messages at a rate - negotiated independently in each direction. Each endpoint specifies - the rate at which it expects to receive control messages, and the rate - at which it is willing to transmit them. Open vSwitch uses a detection - multiplier of three, meaning that an endpoint signals a connectivity - fault if three consecutive BFD control messages fail to arrive. In the - case of a unidirectional connectivity issue, the system not receiving - BFD control messages signals the problem to its peer in the messages it - transmits. + BFD operates by regularly transmitting BFD control messages at a rate + negotiated independently in each direction. Each endpoint specifies + the rate at which it expects to receive control messages, and the rate + at which it is willing to transmit them. Open vSwitch uses a detection + multiplier of three, meaning that an endpoint signals a connectivity + fault if three consecutive BFD control messages fail to arrive. In the + case of a unidirectional connectivity issue, the system not receiving + BFD control messages signals the problem to its peer in the messages it + transmits.

    - The Open vSwitch implementation of BFD aims to comply faithfully - with RFC 5880 requirements. Open vSwitch does not implement the - optional Authentication or ``Echo Mode'' features. + The Open vSwitch implementation of BFD aims to comply faithfully + with RFC 5880 requirements. Open vSwitch does not implement the + optional Authentication or ``Echo Mode'' features.

    -

    - A controller sets up key-value pairs in the - column to enable and configure BFD. -

    +

    + A controller sets up key-value pairs in the + column to enable and configure BFD. +

    - - True to enable BFD on this . - + + True to enable BFD on this . If not + specified, BFD will not be enabled by default. + - + The shortest interval, in milliseconds, at which this BFD session offers to receive BFD control messages. The remote endpoint may choose to send messages at a slower rate. Defaults to 1000. - + - + The shortest interval, in milliseconds, at which this BFD session is willing to transmit BFD control messages. Messages will actually be transmitted at a slower rate if the remote endpoint is not willing to receive as quickly as specified. Defaults to 100. - - - - An alternate receive interval, in milliseconds, that must be greater - than or equal to . The - implementation switches from to when there is no obvious incoming - data traffic at the interface, to reduce the CPU and bandwidth cost - of monitoring an idle interface. This feature may be disabled by - setting a value of 0. This feature is reset whenever or - changes. - - - + + + + An alternate receive interval, in milliseconds, that must be greater + than or equal to . The + implementation switches from to when there is no obvious incoming + data traffic at the interface, to reduce the CPU and bandwidth cost + of monitoring an idle interface. This feature may be disabled by + setting a value of 0. This feature is reset whenever or + changes. + + + When true, traffic received on the is used to indicate the capability of packet I/O. BFD control packets are still transmitted and received. At 
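Review bot: Only the first entry in this hunk changes meaning, by adding "If not specified, BFD will not be enabled by default."; the three BFD overview paragraphs and the alternate receive interval entry carry the same wording on their - and + sides. Please move the re-indentation into its own commit so that the one documentation change is not buried in whitespace-only churn.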
@@ -1975,81 +2517,98 @@ column="bfd" key="min_rx"/> amount of time. Otherwise, even if traffic are received, the will be false. - + - - Set to true to notify the remote endpoint that traffic should not be - forwarded to this system for some reason other than a connectivty - failure on the interface being monitored. The typical underlying - reason is ``concatenated path down,'' that is, that connectivity - beyond the local system is down. Defaults to false. - + + Set to true to notify the remote endpoint that traffic should not be + forwarded to this system for some reason other than a connectivty + failure on the interface being monitored. The typical underlying + reason is ``concatenated path down,'' that is, that connectivity + beyond the local system is down. Defaults to false. + + + + Set to true to make BFD accept only control messages with a tunnel + key of zero. By default, BFD accepts control messages with any + tunnel key. + + + + Set to an Ethernet address in the form + xx:xx:xx:xx:xx:xx + to set the MAC used as source for transmitted BFD packets. The + default is the mac address of the BFD enabled interface. + + + + Set to an Ethernet address in the form + xx:xx:xx:xx:xx:xx + to set the MAC used as destination for transmitted BFD packets. The + default is 00:23:20:00:00:01. + + + + Set to an Ethernet address in the form + xx:xx:xx:xx:xx:xx + to set the MAC used for checking the destination of received BFD packets. + Packets with different destination MAC will not be considered as BFD packets. + If not specified the destination MAC address of received BFD packets + are not checked. + + + + Set to an IPv4 address to set the IP address used as source for + transmitted BFD packets. The default is 169.254.1.1. + + + + Set to an IPv4 address to set the IP address used as destination + for transmitted BFD packets. The default is 169.254.1.0. + +
    + + +

    + The switch sets key-value pairs in the + column to report the status of BFD on this interface. When BFD is + not enabled, with , the switch clears + all key-value pairs from . +

    - - Set to true to make BFD accept only control messages with a tunnel - key of zero. By default, BFD accepts control messages with any - tunnel key. - + + Reports the state of the BFD session. The BFD session is fully + healthy and negotiated if UP. + - - Set to an Ethernet address in the form - xx:xx:xx:xx:xx:xx - to set the MAC used as destination for transmitted BFD packets and - expected as destination for received BFD packets. The default is - 00:23:20:00:00:01. - + + Reports whether the BFD session believes this may be used to forward traffic. Typically this + means the local session is signaling UP, and the remote + system isn't signaling a problem such as concatenated path down. + - - Set to an IPv4 address to set the IP address used as source for - transmitted BFD packets. The default is 169.254.1.0. - + + A diagnostic code specifying the local system's reason for the + last change in session state. The error messages are defined in + section 4.1 of [RFC 5880]. + - - Set to an IPv4 address to set the IP address used as destination - for transmitted BFD packets. The default is 169.254.1.1. - -
    + + Reports the state of the remote endpoint's BFD session. + - -

    - The switch sets key-value pairs in the - column to report the status of BFD on this interface. When BFD is - not enabled, with , the switch clears - all key-value pairs from . -

    - - - Reports the state of the BFD session. The BFD session is fully - healthy and negotiated if UP. - - - - Reports whether the BFD session believes this may be used to forward traffic. Typically this - means the local session is signaling UP, and the remote - system isn't signaling a problem such as concatenated path down. - - - - In case of a problem, set to a short message that reports what the - local BFD session thinks is wrong. - - - - Reports the state of the remote endpoint's BFD session. - - - - In case of a problem, set to a short message that reports what the - remote endpoint's BFD session thinks is wrong. - + + A diagnostic code specifying the remote system's reason for the + last change in session state. The error messages are defined in + section 4.1 of [RFC 5880]. + + type='{"type": "integer", "minInteger": 0}'> Counts the number of flaps since start. A flap is considered as a change of the value. @@ -2077,9 +2636,9 @@

    - When operating over tunnels which have no in_key, or an - in_key of flow. CFM will only accept CCMs - with a tunnel key of zero. + When operating over tunnels which have no in_key, or an + in_key of flow. CFM will only accept CCMs + with a tunnel key of zero.

    @@ -2164,8 +2723,8 @@

    When in extended mode, indicates the operational state of the - remote endpoint as either up or down. See - . + remote endpoint as either up or down. See + .

    @@ -2241,7 +2800,7 @@

    - Demand mode has a couple of caveats: + Demand mode has a couple of caveats:

    • To ensure that ovs-vswitchd has enough time to pull statistics @@ -2279,14 +2838,14 @@ + type='{"type": "integer", "minInteger": 1, "maxInteger": 4095}'> When set, the CFM module will apply a VLAN tag to all CCMs it generates with the given value. May be the string random in which case each CCM will be tagged with a different randomly generated VLAN. + type='{"type": "integer", "minInteger": 1, "maxInteger": 7}'> When set, the CFM module will apply a VLAN tag to all CCMs it generates with the given PCP value, the VLAN ID of the tag is governed by the value of . If @@ -2394,17 +2953,17 @@

      - The ``VLAN splinters'' feature increases Open vSwitch compatibility - with buggy network drivers in old versions of Linux that do not - properly support VLANs when VLAN devices are not used, at some cost - in memory and performance. + The ``VLAN splinters'' feature increases Open vSwitch compatibility + with buggy network drivers in old versions of Linux that do not + properly support VLANs when VLAN devices are not used, at some cost + in memory and performance.

      - When VLAN splinters are enabled on a particular interface, Open vSwitch - creates a VLAN device for each in-use VLAN. For sending traffic tagged - with a VLAN on the interface, it substitutes the VLAN device. Traffic - received on the VLAN device is treated as if it had been received on + When VLAN splinters are enabled on a particular interface, Open vSwitch + creates a VLAN device for each in-use VLAN. For sending traffic tagged + with a VLAN on the interface, it substitutes the VLAN device. Traffic + received on the VLAN device is treated as if it had been received on the interface on the particular VLAN.

      @@ -2446,8 +3005,8 @@

      - VLAN splinters are deprecated. When broken device drivers are no - longer in widespread use, we will delete this feature. + VLAN splinters are deprecated. When broken device drivers are no + longer in widespread use, we will delete this feature.

      + +

      + Auto Attach configuration for a particular interface. +

      + + + True to enable LLDP on this . If not + specified, LLDP will be disabled by default. + +
      + The overall purpose of these columns is described under Common Columns at the beginning of this document. @@ -2488,58 +3058,42 @@ dump-tables
      . The name does not affect switch behavior. - - If set, limits the number of flows that may be added to the table. Open - vSwitch may limit the number of flows in a table for other reasons, - e.g. due to hardware limitations or for resource availability or - performance reasons. - - - +

      - Controls the switch's behavior when an OpenFlow flow table modification - request would add flows in excess of . The - supported values are: + Open vSwitch supports limiting the number of flows that may be + installed in a flow table, via the column. + When adding a flow would exceed this limit, by default Open vSwitch + reports an error, but there are two ways to configure Open vSwitch to + instead delete (``evict'') a flow to make room for the new one:

      -
      -
      refuse
      -
      - Refuse to add the flow or flows. This is also the default policy - when is unset. -
      - -
      evict
      -
      - Delete the flow that will expire soonest. See - for details. -
      -
      -
      +
        +
      • + Set the column to evict. +
      • - -

        - When is evict, this - controls how flows are chosen for eviction when the flow table would - otherwise exceed flows. Its value is a set - of NXM fields or sub-fields, each of which takes one of the forms - field[] or - field[start..end], - e.g. NXM_OF_IN_PORT[]. Please see - nicira-ext.h for a complete list of NXM field names. -

        +
      • + Send an OpenFlow 1.4+ ``table mod request'' to enable eviction for + the flow table (e.g. ovs-ofctl -O OpenFlow14 mod-table br0 0 + evict to enable eviction on flow table 0 of bridge + br0). +
      • +

      When a flow must be evicted due to overflow, the flow to evict is - chosen through an approximation of the following algorithm: + chosen through an approximation of the following algorithm. This + algorithm is used regardless of how eviction was enabled:

      1. Divide the flows in the table into groups based on the values of the - specified fields or subfields, so that all of the flows in a given - group have the same values for those fields. If a flow does not - specify a given field, that field's value is treated as 0. + fields or subfields specified in the column, + so that all of the flows in a given group have the same values for + those fields. If a flow does not specify a given field, that field's + value is treated as 0. If is empty, then all + of the flows in the flow table are treated as a single group.
      2. @@ -2549,6 +3103,14 @@ those groups.
      3. +
      4. + If the flows under consideration have different importance values, + eliminate from consideration any flows except those with the lowest + importance. (``Importance,'' a 16-bit integer value attached to each + flow, was introduced in OpenFlow 1.4. Flows inserted with older + versions of OpenFlow always have an importance of 0.) +
      5. +
      6. Among the flows under consideration, choose the flow that expires soonest for eviction. @@ -2556,82 +3118,138 @@

      - The eviction process only considers flows that have an idle timeout or - a hard timeout. That is, eviction never deletes permanent flows. + The eviction process only considers flows that have an idle timeout + or a hard timeout. That is, eviction never deletes permanent flows. (Permanent flows do count against .)

      -

      - Open vSwitch ignores any invalid or unknown field specifications. -

      + + If set, limits the number of flows that may be added to the table. + Open vSwitch may limit the number of flows in a table for other + reasons, e.g. due to hardware limitations or for resource availability + or performance reasons. + -

      - When is not evict, this - column has no effect. -

      - + +

      + Controls the switch's behavior when an OpenFlow flow table + modification request would add flows in excess of . The supported values are: +

      - -

      - This string set specifies which fields should be used for - address prefix tracking. Prefix tracking allows the - classifier to skip rules with longer than necessary prefixes, - resulting in better wildcarding for datapath flows. -

      -

      - Prefix tracking may be beneficial when a flow table contains - matches on IP address fields with different prefix lengths. - For example, when a flow table contains IP address matches on - both full addresses and proper prefixes, the full address - matches will typically cause the datapath flow to un-wildcard - the whole address field (depending on flow entry priorities). - In this case each packet with a different address gets handed - to the userspace for flow processing and generates its own - datapath flow. With prefix tracking enabled for the address - field in question packets with addresses matching shorter - prefixes would generate datapath flows where the irrelevant - address bits are wildcarded, allowing the same datapath flow - to handle all the packets within the prefix in question. In - this case many userspace upcalls can be avoided and the - overall performance can be better. -

      -

      - This is a performance optimization only, so packets will - receive the same treatment with or without prefix tracking. -

      -

      - The supported fields are: tun_id, - tun_src, tun_dst, - nw_src, nw_dst (or aliases - ip_src and ip_dst), - ipv6_src, and ipv6_dst. (Using this - feature for tun_id would only make sense if the - tunnel IDs have prefix structure similar to IP addresses.) -

      -

      - For example, prefixes=ip_dst,ip_src instructs the - flow classifier to track the IP destination and source - addresses used by the rules in this specific flow table. To - set the prefix fields, the flow table record needs to exist: -

      -
      -
      ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- --id=@N1 create Flow_Table name=table0
      -
      - Creates a flow table record for the OpenFlow table number 0. -
      +
      +
      refuse
      +
      + Refuse to add the flow or flows. This is also the default policy + when is unset. +
      -
      ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src
      -
      - Enables prefix tracking for IP source and destination - address fields. -
      -
      +
      evict
      +
      + Delete a flow chosen according to the algorithm described above. +
      +
      +
      -

      - There is a maximum number of fields that can be enabled for any - one flow table. Currently this limit is 3. -

      -
      + +

      + When is evict, this + controls how flows are chosen for eviction when the flow table would + otherwise exceed flows. Its value is a + set of NXM fields or sub-fields, each of which takes one of the forms + field[] or + field[start..end], + e.g. NXM_OF_IN_PORT[]. Please see + nicira-ext.h for a complete list of NXM field names. +

      + +

      + Open vSwitch ignores any invalid or unknown field specifications. +

      + +

      + When eviction is not enabled, via or + an OpenFlow 1.4+ ``table mod,'' this column has no effect. +

      +
      + + + + +

      + This string set specifies which fields should be used for + address prefix tracking. Prefix tracking allows the + classifier to skip rules with longer than necessary prefixes, + resulting in better wildcarding for datapath flows. +

      +

      + Prefix tracking may be beneficial when a flow table contains + matches on IP address fields with different prefix lengths. + For example, when a flow table contains IP address matches on + both full addresses and proper prefixes, the full address + matches will typically cause the datapath flow to un-wildcard + the whole address field (depending on flow entry priorities). + In this case each packet with a different address gets handed + to the userspace for flow processing and generates its own + datapath flow. With prefix tracking enabled for the address + field in question packets with addresses matching shorter + prefixes would generate datapath flows where the irrelevant + address bits are wildcarded, allowing the same datapath flow + to handle all the packets within the prefix in question. In + this case many userspace upcalls can be avoided and the + overall performance can be better. +

      +

      + This is a performance optimization only, so packets will + receive the same treatment with or without prefix tracking. +

      +

      + The supported fields are: tun_id, + tun_src, tun_dst, + nw_src, nw_dst (or aliases + ip_src and ip_dst), + ipv6_src, and ipv6_dst. (Using this + feature for tun_id would only make sense if the + tunnel IDs have prefix structure similar to IP addresses.) +

      + +

      + By default, the prefixes=ip_dst,ip_src are used + on each flow table. This instructs the flow classifier to + track the IP destination and source addresses used by the + rules in this specific flow table. +

      + +

      + The keyword none is recognized as an explicit + override of the default values, causing no prefix fields to be + tracked. +

      + +

      + To set the prefix fields, the flow table record needs to + exist: +

      + +
      +
      ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- --id=@N1 create Flow_Table name=table0
      +
      + Creates a flow table record for the OpenFlow table number 0. +
      + +
      ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src
      +
      + Enables prefix tracking for IP source and destination + address fields. +
      +
      + +

      + There is a maximum number of fields that can be enabled for any + one flow table. Currently this limit is 3. +

      +
      +
      The overall purpose of these columns is described under Common @@ -2665,6 +3283,33 @@ information on how this classifier works. +
      +
      linux-sfq
      +
      + Linux ``Stochastic Fairness Queueing'' classifier. See + tc-sfq(8) (also at + http://linux.die.net/man/8/tc-sfq) for information on + how this classifier works. +
      +
      +
      +
      linux-codel
      +
      + Linux ``Controlled Delay'' classifier. See tc-codel(8) + (also at + http://man7.org/linux/man-pages/man8/tc-codel.8.html) + for information on how this classifier works. +
      +
      +
      +
      linux-fq_codel
      +
      + Linux ``Fair Queuing with Controlled Delay'' classifier. See + tc-fq_codel(8) (also at + http://man7.org/linux/man-pages/man8/tc-fq_codel.8.html) + for information on how this classifier works. +
      +
      @@ -2798,6 +3443,32 @@ traffic may also be referred to as SPAN or RSPAN, depending on how the mirrored traffic is sent.

      +

      + When a packet enters an Open vSwitch bridge, it becomes eligible for + mirroring based on its ingress port and VLAN. As the packet travels + through the flow tables, each time it is output to a port, it becomes + eligible for mirroring based on the egress port and VLAN. In Open + vSwitch 2.5 and later, mirroring occurs just after a packet first becomes + eligible, using the packet as it exists at that point; in Open vSwitch + 2.4 and earlier, mirroring occurs only after a packet has traversed all + the flow tables, using the original packet as it entered the bridge. + This makes a difference only when the flow table modifies the packet: in + Open vSwitch 2.4, the modifications are never visible to mirrors, whereas + in Open vSwitch 2.5 and later modifications made before the first output + that makes it eligible for mirroring to a particular destination are + visible. +

      + +

      + A packet that enters an Open vSwitch bridge is mirrored to a particular + destination only once, even if it is eligible for multiple reasons. For + example, a packet would be mirrored to a particular only once, even if it is selected for mirroring to + that port by and in the same or different + records. +

      + Arbitrary identifier for the . @@ -2898,7 +3569,9 @@

      - Key-value pairs that report mirror statistics. + Key-value pairs that report mirror statistics. The update period + is controlled by in the Open_vSwitch table.

      Number of packets transmitted through this mirror. @@ -2994,9 +3667,7 @@ column="ssl"/> column in the table must point to a valid SSL configuration when this form is used.

      -

      If port is not specified, it currently - defaults to 6633. In the future, the default will change to - 6653, which is the IANA-defined value.

      +

      If port is not specified, it defaults to 6653.

      SSL support is an optional feature that is not always built as part of Open vSwitch.
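Review bot: The replacement sentence gives only the new default, 6653, and drops every mention of 6633, which the removed text documented as the current default. A connection target written without a port now resolves to a different port than before, so the text should name the old default and the release in which it changed. The same applies to the tcp:, pssl: and ptcp: entries in the hunks that follow.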

      @@ -3007,12 +3678,10 @@ ip, which must be expressed as an IP address (not a DNS name), where ip can be IPv4 or IPv6 address. If ip is an IPv6 address, wrap it in square brackets, - e.g. tcp:[::1]:6632. + e.g. tcp:[::1]:6653.

      - If port is not specified, it currently defaults to - 6633. In the future, the default will change to 6653, which is - the IANA-defined value. + If port is not specified, it defaults to 6653.

      @@ -3029,20 +3698,18 @@ DNS name), is specified, then connections are restricted to the specified local IP address (either IPv4 or IPv6). If ip is an IPv6 address, wrap it in square brackets, - e.g. pssl:6632:[::1]. + e.g. pssl:6653:[::1].

      - If port is not specified, it currently defaults to - 6633. If ip is not specified then it listens only on + If port is not specified, it defaults to + 6653. If ip is not specified then it listens only on IPv4 (but not IPv6) addresses. The column in the table must point to a valid SSL configuration when this form is used.

      - If port is not specified, it currently defaults to - 6633. In the future, the default will change to 6653, which is - the IANA-defined value. + If port is not specified, it currently to 6653.

      SSL support is an optional feature that is not always built as @@ -3057,13 +3724,11 @@ DNS name), is specified, then connections are restricted to the specified local IP address (either IPv4 or IPv6). If ip is an IPv6 address, wrap it in square brackets, - e.g. ptcp:6632:[::1]. If ip is not + e.g. ptcp:6653:[::1]. If ip is not specified then it listens only on IPv4 addresses.

      - If port is not specified, it currently defaults to - 6633. In the future, the default will change to 6653, which is - the IANA-defined value. + If port is not specified, it defaults to 6653.
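Review bot: In the pssl: entry of the hunk just before this one, the second added sentence reads "If port is not specified, it currently to 6653.", which has lost its verb. It also repeats the default already stated earlier in the same entry ("If port is not specified, it defaults to 6653."), so the simplest fix is to delete the second sentence rather than repair it.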

      @@ -3118,7 +3783,7 @@
      - +

      OpenFlow switches send certain messages to controllers spontanenously, that is, not in response to any request from the controller. These @@ -3138,38 +3803,102 @@ on any messages that it does want to receive, if any. - +

      - The maximum rate at which the switch will forward packets to the - OpenFlow controller, in packets per second. This feature prevents a - single bridge from overwhelming the controller. If not specified, - the default is implementation-specific. + A switch can forward packets to a controller over the OpenFlow + protocol. Forwarding packets this way at too high a rate can + overwhelm a controller, frustrate use of the OpenFlow connection for + other purposes, increase the latency of flow setup, and use an + unreasonable amount of bandwidth. Therefore, Open vSwitch supports + limiting the rate of packet forwarding to a controller.

      - In addition, when a high rate triggers rate-limiting, Open vSwitch - queues controller packets for each port and transmits them to the - controller at the configured rate. The value limits the number of queued - packets. Ports on a bridge share the packet queue fairly. + There are two main reasons in OpenFlow for a packet to be sent to a + controller: either the packet ``misses'' in the flow table, that is, + there is no matching flow, or a flow table action says to send the + packet to the controller. Open vSwitch limits the rate of each kind + of packet separately at the configured rate. Therefore, the actual + rate that packets are sent to the controller can be up to twice the + configured rate, when packets are sent for both reasons.

      - Open vSwitch maintains two such packet rate-limiters per bridge: one - for packets sent up to the controller because they do not correspond - to any flow, and the other for packets sent up to the controller by - request through flow actions. When both rate-limiters are filled with - packets, the actual rate that packets are sent to the controller is - up to twice the specified rate. + This feature is specific to forwarding packets over an OpenFlow + connection. It is not general-purpose QoS. See the table for quality of service configuration, and in the table for ingress policing configuration.

      -
      - - In conjunction with , - the maximum number of unused packet credits that the bridge will - allow to accumulate, in packets. If not specified, the default - is implementation-specific. - + +

      + The maximum rate at which the switch will forward packets to the + OpenFlow controller, in packets per second. If no value is + specified, rate limiting is disabled. +

      +
      + + +

      + When a high rate triggers rate-limiting, Open vSwitch queues + packets to the controller for each port and transmits them to the + controller at the configured rate. This value limits the number of + queued packets. Ports on a bridge share the packet queue fairly. +

      + +

      + This value has no effect unless is configured. The current + default when this value is not specified is one-quarter of , meaning that queuing can delay + forwarding a packet to the controller by up to 250 ms. +

      +
      + + +

      + These values report the effects of rate limiting. Their values are + relative to establishment of the most recent OpenFlow connection, + or since rate limiting was enabled, whichever happened more + recently. Each consists of two values, one with TYPE + replaced by miss for rate limiting flow table misses, + and the other with TYPE replaced by + action for rate limiting packets sent by OpenFlow + actions. +

      + +

      + These statistics are reported only when controller rate limiting is + enabled. +

      + + + Number of packets sent directly to the controller, without queuing, + because the rate did not exceed the configured maximum. + + + + Number of packets added to the queue to send later. + + + + Number of packets added to the queue that were later dropped due to + overflow. This value is less than or equal to . + + + + Number of packets currently queued. The other statistics increase + monotonically, but this one fluctuates between 0 and the as conditions change. + +
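Review bot: The rate entry now states "If no value is specified, rate limiting is disabled", replacing an implementation-specific default, while the overview added at the top of this hunk lists what unthrottled forwarding does to a controller. Say in the rate entry itself that nothing limits packets sent to the controller unless a rate is configured, and repeat there that the effective ceiling is up to twice the configured value because flow table misses and controller actions are limited separately. Someone sizing a controller will read that entry first and may never see the overview.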
      +
      @@ -3219,7 +3948,7 @@
      Equivalent to other, except that there may be at most one master controller at a time. When a controller configures itself as master, any existing master is demoted to - the slaverole.
      + the slave role.
      slave
      Allows the controller read-only access to OpenFlow features. Attempts to modify the flow table will be rejected with an @@ -3284,7 +4013,7 @@

      + type='{"type": "integer"}'> The Differentiated Service Code Point (DSCP) is specified using 6 bits in the Type of Service (TOS) field in the IP header. DSCP provides a mechanism to classify the network traffic and provide Quality of @@ -3344,9 +4073,7 @@ form is used.

      - If port is not specified, it currently defaults - to 6632. In the future, the default will change to 6640, - which is the IANA-defined value. + If port is not specified, it defaults to 6640.

      SSL support is an optional feature that is not always @@ -3361,12 +4088,10 @@ ip, which must be expressed as an IP address (not a DNS name), where ip can be IPv4 or IPv6 address. If ip is an IPv6 address, wrap it in square brackets, - e.g. tcp:[::1]:6632. + e.g. tcp:[::1]:6640.

      - If port is not specified, it currently defaults - to 6632. In the future, the default will change to 6640, - which is the IANA-defined value. + If port is not specified, it defaults to 6640.

      pssl:[port][:ip]
      @@ -3379,16 +4104,14 @@ connections are restricted to the specified local IP address (either IPv4 or IPv6 address). If ip is an IPv6 address, wrap in square brackets, - e.g. pssl:6632:[::1]. If ip is not + e.g. pssl:6640:[::1]. If ip is not specified then it listens only on IPv4 (but not IPv6) addresses. The column in the table must point to a valid SSL configuration when this form is used.

      - If port is not specified, it currently defaults - to 6632. In the future, the default will change to 6640, - which is the IANA-defined value. + If port is not specified, it defaults to 6640.

      SSL support is an optional feature that is not always built as @@ -3405,13 +4128,11 @@ connections are restricted to the specified local IP address (either IPv4 or IPv6 address). If ip is an IPv6 address, wrap it in square brackets, - e.g. ptcp:6632:[::1]. If ip is not + e.g. ptcp:6640:[::1]. If ip is not specified then it listens only on IPv4 addresses.

      - If port is not specified, it currently defaults - to 6632. In the future, the default will change to 6640, - which is the IANA-defined value. + If port is not specified, it defaults to 6640.

      @@ -3472,7 +4193,28 @@
      - +

      + Key-value pair of is always updated. + Other key-value pairs in the status columns may be updated depends + on the type. +

      + +

      + When specifies a connection method that + listens for inbound connections (e.g. ptcp: or + punix:), both and + may also be updated while the + remaining key-value pairs are omitted. +

      + +

      + On the other hand, when specifies an + outbound connection, all key-value pairs may be updated, except + the above-mentioned two key-value pairs associated with inbound + connection targets. They are omitted. +

      + + true if currently connected to this manager, false otherwise. @@ -3543,26 +4285,19 @@ -

      - When specifies a connection method that - listens for inbound connections (e.g. ptcp: or - pssl:) and more than one connection is actually active, - the value is the number of active connections. Otherwise, this - key-value pair is omitted. -

      -

      - When multiple connections are active, status columns and key-value - pairs (other than this one) report the status of one arbitrarily - chosen connection. -

      + When specifies a connection method that + listens for inbound connections (e.g. ptcp: or + pssl:) and more than one connection is actually active, + the value is the number of active connections. Otherwise, this + key-value pair is omitted.
      - When is ptcp: or - pssl:, this is the TCP port on which the OVSDB server is - listening. (This is is particularly useful when specifies a port of 0, allowing the kernel to - choose any available port.) + When is ptcp: or + pssl:, this is the TCP port on which the OVSDB server is + listening. (This is particularly useful when specifies a port of 0, allowing the kernel to + choose any available port.)
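Review bot: This hunk deletes the sentence stating that, with multiple active connections, status columns and key-value pairs report the status of one arbitrarily chosen connection, and nothing visible replaces it for the status columns themselves. The introductory text added in the previous hunk only says which key-value pairs are updated or omitted for listening targets, so a reader can no longer tell what the connected or not-connected state means when several managers are attached to one ptcp: or pssl: listener. Suggest keeping a sentence on that. Two smaller points in the same area: "may be updated depends on the type" should read "depending on the type", and the listening examples are "ptcp: or punix:" in the new paragraph but "ptcp: or pssl:" here; use one set or list all three.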
      @@ -3573,7 +4308,7 @@

      + type='{"type": "integer"}'> The Differentiated Service Code Point (DSCP) is specified using 6 bits in the Type of Service (TOS) field in the IP header. DSCP provides a mechanism to classify the network traffic and provide Quality of @@ -3617,10 +4352,20 @@ - The interval at which NetFlow records are sent for flows that are - still active, in seconds. A value of 0 requests the - default timeout (currently 600 seconds); a value of -1 - disables active timeouts. +

      + The interval at which NetFlow records are sent for flows that + are still active, in seconds. A value of 0 + requests the default timeout (currently 600 seconds); a value + of -1 disables active timeouts. +

      + +

      + The NetFlow passive timeout, for flows that become inactive, + is not configurable. It will vary depending on the Open + vSwitch version, the forms and contents of the OpenFlow flow + tables, CPU and memory usage, and network activity. A typical + passive timeout is about a second. +

      @@ -3726,38 +4471,53 @@
  • -

    A set of IPFIX collectors. IPFIX is a protocol that exports a - number of details about flows.

    +

    Configuration for sending packets to IPFIX collectors.

    - - IPFIX target collectors in the form - ip:port. - +

    + IPFIX is a protocol that exports a number of details about flows. The + IPFIX implementation in Open vSwitch samples packets at a configurable + rate, extracts flow information from those packets, optionally caches and + aggregates the flow information, and sends the result to one or more + collectors. +

    - - For per-bridge packet sampling, i.e. when this row is referenced - from a , the rate at which packets should - be sampled and sent to each target collector. If not specified, - defaults to 400, which means one out of 400 packets, on average, - will be sent to each target collector. Ignored for per-flow - sampling, i.e. when this row is referenced from a . - +

    + IPFIX in Open vSwitch can be configured two different ways: +

    - - For per-bridge packet sampling, i.e. when this row is referenced - from a , the IPFIX Observation Domain ID - sent in each IPFIX packet. If not specified, defaults to 0. - Ignored for per-flow sampling, i.e. when this row is referenced - from a . - +
      +
    • + With per-bridge sampling, Open vSwitch performs IPFIX sampling + automatically on all packets that pass through a bridge. To configure + per-bridge sampling, create an record and point a + table's + column to it. The table is + not used for per-bridge sampling. +
    • + +
    • +

      + With flow-based sampling, sample actions in the + OpenFlow flow table drive IPFIX sampling. See + ovs-ofctl(8) for a description of the + sample action. +

      - - For per-bridge packet sampling, i.e. when this row is referenced - from a , the IPFIX Observation Point ID - sent in each IPFIX flow record. If not specified, defaults to - 0. Ignored for per-flow sampling, i.e. when this row is - referenced from a . +

      + Flow-based sampling also requires database configuration: create a + record that describes the IPFIX configuration + and a record that points to + the whose flow table holds the + sample actions and to record. The + in the + table is not used for flow-based sampling. +

      +
    • +
    + + + IPFIX target collectors in the form + ip:port. @@ -3772,6 +4532,124 @@ disabled. + +

    + These values affect only per-bridge sampling. See above for a + description of the differences between per-bridge and flow-based + sampling. +

    + + + The rate at which packets should be sampled and sent to each target + collector. If not specified, defaults to 400, which means one out of + 400 packets, on average, will be sent to each target collector. + + + + The IPFIX Observation Domain ID sent in each IPFIX packet. If not + specified, defaults to 0. + + + + The IPFIX Observation Point ID sent in each IPFIX flow record. If not + specified, defaults to 0. + + + +

    + Set to true to enable sampling and reporting tunnel + header 7-tuples in IPFIX flow records. Tunnel sampling is disabled + by default. +

    + +

    + The following enterprise entities report the sampled tunnel info: +

    + +
    +
    tunnelType:
    +
    +

    ID: 891, and enterprise ID 6876 (VMware).

    +

    type: unsigned 8-bit integer.

    +

    data type semantics: identifier.

    +

    description: Identifier of the layer 2 network overlay network + encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x05 IPsec+GRE, + 0x07 GENEVE.

    +
    +
    tunnelKey:
    +
    +

    ID: 892, and enterprise ID 6876 (VMware).

    +

    type: variable-length octetarray.

    +

    data type semantics: identifier.

    +

    description: Key which is used for identifying an individual + traffic flow within a VxLAN (24-bit VNI), GENEVE (24-bit VNI), + GRE (32-bit key), or LISP (24-bit instance ID) tunnel. The + key is encoded in this octetarray as a 3-, 4-, or 8-byte integer + ID in network byte order.

    +
    +
    tunnelSourceIPv4Address:
    +
    +

    ID: 893, and enterprise ID 6876 (VMware).

    +

    type: unsigned 32-bit integer.

    +

    data type semantics: identifier.

    +

    description: The IPv4 source address in the tunnel IP packet + header.

    +
    +
    tunnelDestinationIPv4Address:
    +
    +

    ID: 894, and enterprise ID 6876 (VMware).

    +

    type: unsigned 32-bit integer.

    +

    data type semantics: identifier.

    +

    description: The IPv4 destination address in the tunnel IP + packet header.

    +
    +
    tunnelProtocolIdentifier:
    +
    +

    ID: 895, and enterprise ID 6876 (VMware).

    +

    type: unsigned 8-bit integer.

    +

    data type semantics: identifier.

    +

    description: The value of the protocol number in the tunnel + IP packet header. The protocol number identifies the tunnel IP + packet payload type.

    +
    +
    tunnelSourceTransportPort:
    +
    +

    ID: 896, and enterprise ID 6876 (VMware).

    +

    type: unsigned 16-bit integer.

    +

    data type semantics: identifier.

    +

    description: The source port identifier in the tunnel transport + header. For the transport protocols UDP, TCP, and SCTP, this is + the source port number given in the respective header.

    +
    +
    tunnelDestinationTransportPort:
    +
    +

    ID: 897, and enterprise ID 6876 (VMware).

    +

    type: unsigned 16-bit integer.

    +

    data type semantics: identifier.

    +

    description: The destination port identifier in the tunnel + transport header. For the transport protocols UDP, TCP, and SCTP, + this is the destination port number given in the respective header. +

    +
    +
    +
    + + + By default, Open vSwitch samples and reports flows at bridge port input + in IPFIX flow records. Set this column to false to + disable input sampling. + + + + By default, Open vSwitch samples and reports flows at bridge port + output in IPFIX flow records. Set this column to false to + disable output sampling. + +
    + The overall purpose of these columns is described under Common Columns at the beginning of this document. @@ -3781,8 +4659,12 @@
    -

    A set of IPFIX collectors of packet samples generated by - OpenFlow sample actions.

    +

    + A set of IPFIX collectors of packet samples generated by OpenFlow + sample actions. This table is used only for IPFIX + flow-based sampling, not for per-bridge sampling (see the table for a description of the two forms). +

    The ID of this collector set, unique among the bridge's @@ -3808,4 +4690,61 @@
    + +

    + Auto Attach configuration within a bridge. The IETF Auto-Attach SPBM + draft standard describes a compact method of using IEEE 802.1AB Link + Layer Discovery Protocol (LLDP) together with a IEEE 802.1aq Shortest + Path Bridging (SPB) network to automatically attach network devices + to individual services in a SPB network. The intent here is to allow + network applications and devices using OVS to be able to easily take + advantage of features offered by industry standard SPB networks. +

    + +

    + Auto Attach (AA) uses LLDP to communicate between a directly connected + Auto Attach Client (AAC) and Auto Attach Server (AAS). The LLDP protocol + is extended to add two new Type-Length-Value tuples (TLVs). The first + new TLV supports the ongoing discovery of directly connected AA + correspondents. Auto Attach operates by regularly transmitting AA + discovery TLVs between the AA client and AA server. By exchanging these + discovery messages, both the AAC and AAS learn the system name and + system description of their peer. In the OVS context, OVS operates as + the AA client and the AA server resides on a switch at the edge of the + SPB network. +

    + +

    + Once AA discovery has been completed the AAC then uses the second new TLV + to deliver identifier mappings from the AAC to the AAS. A primary feature + of Auto Attach is to facilitate the mapping of VLANs defined outside the + SPB network onto service ids (ISIDs) defined within the SPM network. By + doing so individual external VLANs can be mapped onto specific SPB + network services. These VLAN id to ISID mappings can be configured and + managed locally using new options added to the ovs-vsctl command. +

    + +

    + The Auto Attach OVS feature does not provide a full implementation of + the LLDP protocol. Support for the mandatory TLVs as defined by the LLDP + standard and support for the AA TLV extensions is provided. LLDP + protocol support in OVS can be enabled or disabled on a port by port + basis. LLDP support is disabled by default. +

    + + + The system_name string is exported in LLDP messages. It should uniquely + identify the bridge in the network. + + + + The system_description string is exported in LLDP messages. It should + describe the type of software and hardware. + + + + A mapping from SPB network Individual Service Identifier (ISID) to VLAN + id. + +
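Review bot: In the third paragraph of the new Auto Attach description, "service ids (ISIDs) defined within the SPM network" looks like a typo for "SPB network", the term used everywhere else in this hunk. In the first paragraph "a IEEE 802.1aq" should be "an IEEE 802.1aq". The mappings column is described as "ISID to VLAN id" while the prose speaks of "VLAN id to ISID mappings"; state the key and value direction once and use it consistently. The last paragraph says LLDP is disabled by default and enabled per port but does not name the setting that enables it; a pointer to it would help.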
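Review bot: In the tunnelKey description of the IPFIX tunnel-sampling hunk (@@ -3772,6 +4532,124 @@), the key is said to be encoded as "a 3-, 4-, or 8-byte integer", but the tunnel types listed there carry only 24-bit and 32-bit keys, so the 8-byte case is unexplained. Either name the tunnel type that produces an 8-byte key or drop it from the sentence. The same description does not mention IPsec+GRE, which tunnelType lists as 0x05, and "layer 2 network overlay network encapsulation type" in tunnelType has a duplicated "network".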