[ovs-dev] [PATCH 3/3] ovn-northd: Document logical flow table structure.
Ben Pfaff
blp at nicira.com
Fri Sep 11 18:36:27 UTC 2015
Signed-off-by: Ben Pfaff <blp at nicira.com>
---
ovn/northd/ovn-northd.8.xml | 106 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 106 insertions(+)
diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index 316f729..1655958 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -100,4 +100,110 @@
</dl>
</p>
+ <h1>Logical Flow Table Structure</h1>
+
+ <p>
+ One of the main purposes of <code>ovn-northd</code> is to populate the
+ <code>Logical_Flow</code> table in the <code>OVN_Southbound</code>
+ database. This section describes how <code>ovn-northd</code> does this
+ for logical datapaths.
+ </p>
+
+ <h2>Ingress Table 0: Admission Control and Ingress Port Security</h2>
+
+ <p>
+ Ingress table 0 contains these logical flows:
+ </p>
+
+ <ul>
+ <li>
+ Priority 100 flows to drop packets with VLAN tags or multicast Ethernet
+ source addresses.
+ </li>
+
+ <li>
+ Priority 50 flows that implement ingress port security for each enabled
+ logical port. For logical ports on which port security is enabled,
+ these match the <code>inport</code> and the valid <code>eth.src</code>
+ address(es) and advance only those packets to the next flow table. For
+ logical ports on which port security is not enabled, these advance all
+ packets that match the <code>inport</code>.
+ </li>
+ </ul>
+
+ <p>
+ There are no flows for disabled logical ports because the default-drop
+ behavior of logical flow tables causes packets that ingress from them to
+ be dropped.
+ </p>
+
+ <h2>Ingress table 1: <code>from-lport</code> ACLs</h2>
+
+ <p>
+ Logical flows in this table closely reproduce those in the
+ <code>ACL</code> table in the <code>OVN_Northbound</code> database for
+ the <code>from-lport</code> direction. <code>allow</code> and
+ <code>allow-related</code> ACLs translate into logical flows with the
+ <code>next;</code> action, others to <code>drop;</code>. The
+ <code>priority</code> values from the <code>ACL</code> table are used
+ directly.
+ </p>
+
+ <p>
+ Ingress table 1 also contains a priority 0 flow with action
+ <code>next;</code>, so that ACLs allow packets by default.
+ </p>
+
+ <h2>Ingress Table 2: Destination Lookup</h2>
+
+ <p>
+ This table implements switching behavior. It contains these logical
+ flows:
+ </p>
+
+ <ul>
+ <li>
+ A priority-100 flow that outputs all packets with an Ethernet broadcast
+ or multicast <code>eth.dst</code> to the <code>MC_FLOOD</code>
+ multicast group, which <code>ovn-northd</code> populates with all
+ enabled logical ports.
+ </li>
+
+ <li>
+ One priority-50 flow that matches each known Ethernet address against
+ <code>eth.dst</code> and outputs the packet to the single associated
+ output port.
+ </li>
+
+ <li>
+ One priority-0 fallback flow that matches all packets and outputs them
+ to the <code>MC_UNKNOWN</code> multicast group, which
+ <code>ovn-northd</code> populates with all enabled logical ports that
+ accept unknown destination packets. As a small optimization, if no
+ logical ports accept unknown destination packets,
+ <code>ovn-northd</code> omits this multicast group and logical flow.
+ </li>
+ </ul>
+
+ <h2>Egress Table 0: <code>to-lport</code> ACLs</h2>
+
+ <p>
+ This is similar to ingress table 1 except for <code>to-lport</code> ACLs.
+ </p>
+
+ <h2>Egress Table 1: Egress Port Security</h2>
+
+ <p>
+ This is similar to the ingress port security logic in ingress table 0,
+ but with important differences. Most obviously, <code>outport</code> and
+ <code>eth.dst</code> are checked instead of <code>inport</code> and
+ <code>eth.src</code>. Second, packets directed to broadcast or multicast
+ <code>eth.dst</code> are always accepted instead of being subject to the
+ port security rules; this is implemented through a priority-100 flow that
+ matches on <code>eth.dst[40]</code> with action <code>output;</code>.
+ Finally, to ensure that even broadcast and multicast packets are not
+ delivered to disabled logical ports, a priority-150 flow for each
+ disabled logical <code>outport</code> overrides the priority-100 flow
+ with a <code>drop;</code> action.
+ </p>
</manpage>
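Review bot: In the "Ingress table 1" paragraphs, the statement that ACL <code>priority</code> values are "used directly" together with the separate default priority 0 <code>next;</code> flow leaves a gap: an ACL with priority 0 and a <code>drop</code> action would sit at the same priority as the default-allow flow, and the text does not say whether the schema excludes priority 0 for ACLs or how such a tie is resolved. Consider adding one sentence stating the valid ACL priority range (or that user ACLs always outrank the default flow), since the default-allow behavior is the security-relevant property of this table. Two smaller points in the same hunk: the heading "Ingress table 1: <code>from-lport</code> ACLs" uses lowercase "table" while the other headings use "Table", and "Priority 100 flows" / "Priority 50 flows" in the ingress table 0 list differ from the hyphenated "priority-100 flow" used elsewhere; pick one form for both.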
--
2.1.3