Provided by: ovn-central_2.9.8-0ubuntu0.18.04.5_amd64 bug

NAME

       ovn-northd - Open Virtual Network central control daemon

SYNOPSIS

       ovn-northd [options]

DESCRIPTION

       ovn-northd  is  a  centralized  daemon  responsible  for  translating  the  high-level OVN
       configuration into logical configuration consumable by daemons such as ovn-controller.  It
       translates  the  logical  network configuration in terms of conventional network concepts,
       taken from the OVN Northbound Database (see ovn-nb(5)), into logical datapath flows in the
       OVN Southbound Database (see ovn-sb(5)) below it.

OPTIONS

       --ovnnb-db=database
              The  OVSDB  database  containing  the  OVN  Northbound  Database.  If the OVN_NB_DB
              environment variable is set, its value is  used  as  the  default.  Otherwise,  the
              default is unix:/var/run/openvswitch/ovnnb_db.sock.

       --ovnsb-db=database
              The  OVSDB  database  containing  the  OVN  Southbound  Database.  If the OVN_SB_DB
              environment variable is set, its value is  used  as  the  default.  Otherwise,  the
              default is unix:/var/run/openvswitch/ovnsb_db.sock.

       database  in  the  above  options must be an OVSDB active or passive connection method, as
       described in ovsdb(7).

   Daemon Options
       --pidfile[=pidfile]
              Causes a file (by default, program.pid) to be created indicating  the  PID  of  the
              running  process. If the pidfile argument is not specified, or if it does not begin
              with /, then it is created in /var/run/openvswitch.

              If --pidfile is not specified, no pidfile is created.

       --overwrite-pidfile
              By default, when --pidfile is specified and the specified  pidfile  already  exists
              and  is  locked  by  a  running  process,  the  daemon  refuses  to  start. Specify
              --overwrite-pidfile to cause it to instead overwrite the pidfile.

              When --pidfile is not specified, this option has no effect.

       --detach
              Runs this program as a background process. The process forks, and in the  child  it
              starts  a  new  session,  closes  the standard file descriptors (which has the side
              effect of disabling logging to the console), and changes its current  directory  to
              the   root  (unless  --no-chdir  is  specified).  After  the  child  completes  its
              initialization, the parent exits.

       --monitor
              Creates an additional process to monitor this program. If it dies due to  a  signal
              that  indicates  a  programming  error  (SIGABRT,  SIGALRM, SIGBUS, SIGFPE, SIGILL,
              SIGPIPE, SIGSEGV, SIGXCPU, or SIGXFSZ) then the monitor process starts a  new  copy
              of it. If the daemon dies or exits for another reason, the monitor process exits.

              This option is normally used with --detach, but it also functions without it.

       --no-chdir
              By  default,  when  --detach  is  specified, the daemon changes its current working
              directory to the root directory after it detaches. Otherwise, invoking  the  daemon
              from  a carelessly chosen directory would prevent the administrator from unmounting
              the file system that holds that directory.

              Specifying --no-chdir suppresses this behavior, preventing the daemon from changing
              its  current working directory. This may be useful for collecting core files, since
              it is common behavior to write core dumps into the current  working  directory  and
              the root directory is not a good directory to use.

              This option has no effect when --detach is not specified.

       --no-self-confinement
              By  default  this  daemon  will try to self-confine itself to work with files under
              well-known directories whitelisted at build time. It is better to stick  with  this
              default  behavior and not to use this flag unless some other Access Control is used
              to confine daemon. Note that in contrast to other  access  control  implementations
              that  are  typically enforced from kernel-space (e.g. DAC or MAC), self-confinement
              is imposed from the user-space daemon itself and hence should not be considered  as
              a full confinement strategy, but instead should be viewed as an additional layer of
              security.

       --user=user:group
              Causes this program to run as  a  different  user  specified  in  user:group,  thus
              dropping most of the root privileges. Short forms user and :group are also allowed,
              with current user or group assumed, respectively. Only daemons started by the  root
              user accepts this argument.

              On  Linux,  daemons  will  be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES before
              dropping  root  privileges.  Daemons  that  interact  with  a  datapath,  such   as
              ovs-vswitchd, will be granted two additional capabilities, namely CAP_NET_ADMIN and
              CAP_NET_RAW. The capability change will apply even if the new user is root.

              On  Windows,  this  option  is  not  currently  supported.  For  security  reasons,
              specifying this option will cause the daemon process not to start.

   Logging Options
       -v[spec]
       --verbose=[spec]
            Sets  logging  levels.  Without  any  spec,  sets  the log level for every module and
            destination to dbg. Otherwise, spec is a list of words separated by spaces or  commas
            or colons, up to one from each category below:

            •      A  valid  module name, as displayed by the vlog/list command on ovs-appctl(8),
                   limits the log level change to the specified module.

            •      syslog, console, or file, to limit the log level change to only to the  system
                   log,  to  the  console, or to a file, respectively. (If --detach is specified,
                   the daemon closes its standard file descriptors, so  logging  to  the  console
                   will have no effect.)

                   On  Windows  platform,  syslog  is accepted as a word and is only useful along
                   with the --syslog-target option (the word has no effect otherwise).

            •      off, emer, err, warn, info, or dbg, to control the log level. Messages of  the
                   given  severity  or higher will be logged, and messages of lower severity will
                   be filtered out. off  filters  out  all  messages.  See  ovs-appctl(8)  for  a
                   definition of each log level.

            Case is not significant within spec.

            Regardless  of  the  log  levels  set for file, logging to a file will not take place
            unless --log-file is also specified (see below).

            For compatibility with older versions of OVS, any is accepted as a word  but  has  no
            effect.

       -v
       --verbose
            Sets the maximum logging verbosity level, equivalent to --verbose=dbg.

       -vPATTERN:destination:pattern
       --verbose=PATTERN:destination:pattern
            Sets  the  log  pattern  for  destination  to  pattern.  Refer to ovs-appctl(8) for a
            description of the valid syntax for pattern.

       -vFACILITY:facility
       --verbose=FACILITY:facility
            Sets the RFC5424 facility of the log message. facility can  be  one  of  kern,  user,
            mail,  daemon,  auth, syslog, lpr, news, uucp, clock, ftp, ntp, audit, alert, clock2,
            local0, local1, local2, local3, local4, local5, local6 or local7. If this  option  is
            not  specified,  daemon is used as the default for the local system syslog and local0
            is used while sending a message  to  the  target  provided  via  the  --syslog-target
            option.

       --log-file[=file]
            Enables  logging  to  a file. If file is specified, then it is used as the exact name
            for  the  log  file.  The  default  log  file  name  used  if  file  is  omitted   is
            /var/log/openvswitch/program.log.

       --syslog-target=host:port
            Send  syslog messages to UDP port on host, in addition to the system syslog. The host
            must be a numerical IP address, not a hostname.

       --syslog-method=method
            Specify method as how syslog messages should be sent to syslog daemon. The  following
            forms are supported:

            •      libc,  to  use  the  libc  syslog()  function.  This  is the default behavior.
                   Downside of using this options is that libc adds fixed prefix to every message
                   before  it  is  actually  sent  to the syslog daemon over /dev/log UNIX domain
                   socket.

            •      unix:file, to use a UNIX domain socket directly. It  is  possible  to  specify
                   arbitrary  message  format  with  this option. However, rsyslogd 8.9 and older
                   versions use hard coded parser function anyway that limits UNIX domain  socket
                   use. If you want to use arbitrary message format with older rsyslogd versions,
                   then use UDP socket to localhost IP address instead.

            •      udp:ip:port, to use a UDP socket. With this  method  it  is  possible  to  use
                   arbitrary  message  format  also  with  older  rsyslogd.  When  sending syslog
                   messages over UDP socket extra precaution needs to be taken into account,  for
                   example,  syslog  daemon needs to be configured to listen on the specified UDP
                   port, accidental iptables rules could be interfering with local syslog traffic
                   and  there  are some security considerations that apply to UDP sockets, but do
                   not apply to UNIX domain sockets.

   PKI Options
       PKI configuration is required in order to use SSL for the connections  to  the  Northbound
       and Southbound databases.

              -p privkey.pem
              --private-key=privkey.pem
                   Specifies  a PEM file containing the private key used as identity for outgoing
                   SSL connections.

              -c cert.pem
              --certificate=cert.pem
                   Specifies a PEM file containing a certificate that certifies the  private  key
                   specified  on  -p  or --private-key to be trustworthy. The certificate must be
                   signed by the certificate authority (CA) that the peer in SSL connections will
                   use to verify it.

              -C cacert.pem
              --ca-cert=cacert.pem
                   Specifies  a PEM file containing the CA certificate for verifying certificates
                   presented to this program by SSL peers. (This may be the same certificate that
                   SSL  peers  use to verify the certificate specified on -c or --certificate, or
                   it may be a different one, depending on the PKI design in use.)

              -C none
              --ca-cert=none
                   Disables verification of certificates presented by SSL peers. This  introduces
                   a  security  risk, because it means that certificates cannot be verified to be
                   those of known trusted hosts.

   Other Options
       --unixctl=socket
              Sets the name of the control socket on which program listens for runtime management
              commands (see RUNTIME MANAGEMENT COMMANDS, below). If socket does not begin with /,
              it is interpreted as relative to /var/run/openvswitch. If --unixctl is not used  at
              all,  the  default  socket  is  /var/run/openvswitch/program.pid.ctl,  where pid is
              program’s process ID.

              On Windows a local named pipe is used to listen for runtime management commands.  A
              file  is  created  in the absolute path as pointed by socket or if --unixctl is not
              used at all, a file is created as program in the configured  OVS_RUNDIR  directory.
              The file exists just to mimic the behavior of a Unix domain socket.

              Specifying none for socket disables the control socket feature.

       -h
       --help
            Prints a brief help message to the console.

       -V
       --version
            Prints version information to the console.

RUNTIME MANAGEMENT COMMANDS

       ovs-appctl  can  send  commands  to  a running ovn-northd process. The currently supported
       commands are described below.

              exit   Causes ovn-northd to gracefully terminate.

ACTIVE-STANDBY FOR HIGH AVAILABILITY

       You may run ovn-northd more than once in an OVN deployment. OVN will automatically  ensure
       that only one of them is active at a time. If multiple instances of ovn-northd are running
       and the active ovn-northd fails, one of the  hot  standby  instances  of  ovn-northd  will
       automatically take over.

LOGICAL FLOW TABLE STRUCTURE

       One  of  the  main  purposes  of  ovn-northd  is to populate the Logical_Flow table in the
       OVN_Southbound database. This section describes how ovn-northd does this  for  switch  and
       router logical datapaths.

   Logical Switch Datapaths
     Ingress Table 0: Admission Control and Ingress Port Security - L2

       Ingress table 0 contains these logical flows:

              •      Priority  100  flows  to  drop  packets with VLAN tags or multicast Ethernet
                     source addresses.

              •      Priority 50 flows that implement ingress  port  security  for  each  enabled
                     logical  port.  For  logical  ports on which port security is enabled, these
                     match the inport and the valid eth.src address(es) and  advance  only  those
                     packets  to the next flow table. For logical ports on which port security is
                     not enabled, these advance all packets that match the inport.

       There are no flows for disabled logical ports because the default-drop behavior of logical
       flow tables causes packets that ingress from them to be dropped.

     Ingress Table 1: Ingress Port Security - IP

       Ingress table 1 contains these logical flows:

              •      For  each  element  in the port security set having one or more IPv4 or IPv6
                     addresses (or both),

                     •      Priority 90 flow to allow IPv4 traffic if it has IPv4 addresses which
                            match the inport, valid eth.src and valid ip4.src address(es).

                     •      Priority  90  flow  to  allow IPv4 DHCP discovery traffic if it has a
                            valid eth.src. This is necessary since DHCP  discovery  messages  are
                            sent  from  the  unspecified  IPv4  address  (0.0.0.0) since the IPv4
                            address has not yet been assigned.

                     •      Priority 90 flow to allow IPv6 traffic if it has IPv6 addresses which
                            match the inport, valid eth.src and valid ip6.src address(es).

                     •      Priority  90  flow  to  allow  IPv6 DAD (Duplicate Address Detection)
                            traffic if it has a valid eth.src. This is  is  necessary  since  DAD
                            include  requires  joining  an  multicast  group and sending neighbor
                            solicitations for the newly assigned address. Since no address is yet
                            assigned, these are sent from the unspecified IPv6 address (::).

                     •      Priority  80 flow to drop IP (both IPv4 and IPv6) traffic which match
                            the inport and valid eth.src.

              •      One priority-0 fallback flow that matches all packets and  advances  to  the
                     next table.

     Ingress Table 2: Ingress Port Security - Neighbor discovery

       Ingress table 2 contains these logical flows:

              •      For each element in the port security set,

                     •      Priority  90  flow  to  allow  ARP traffic which match the inport and
                            valid eth.src and arp.sha. If  the  element  has  one  or  more  IPv4
                            addresses, then it also matches the valid arp.spa.

                     •      Priority   90   flow   to   allow   IPv6  Neighbor  Solicitation  and
                            Advertisement traffic which  match  the  inport,  valid  eth.src  and
                            nd.sll/nd.tll. If the element has one or more IPv6 addresses, then it
                            also  matches  the   valid   nd.target   address(es)   for   Neighbor
                            Advertisement traffic.

                     •      Priority  80  flow  to  drop  ARP  and IPv6 Neighbor Solicitation and
                            Advertisement traffic which match the inport and valid eth.src.

              •      One priority-0 fallback flow that matches all packets and  advances  to  the
                     next table.

     Ingress Table 3: from-lport Pre-ACLs

       This  table  prepares flows for possible stateful ACL processing in ingress table ACLs. It
       contains a priority-0 flow that simply moves traffic to the next table. If  stateful  ACLs
       are  used  in  the  logical  datapath, a priority-100 flow is added that sets a hint (with
       reg0[0] = 1; next;) for table Pre-stateful to send IP packets to  the  connection  tracker
       before eventually advancing to ingress table ACLs. If special ports such as route ports or
       localnet ports can’t use ct(), a priority-110 flow is added to skip over stateful ACLs.

     Ingress Table 4: Pre-LB

       This table prepares flows for possible stateful load balancing processing in ingress table
       LB  and  Stateful.  It  contains  a  priority-0 flow that simply moves traffic to the next
       table. If load balancing rules with virtual IP addresses (and  ports)  are  configured  in
       OVN_Northbound  database  for  a logical switch datapath, a priority-100 flow is added for
       each configured virtual IP address VIP. For IPv4 VIPs, the match is ip && ip4.dst ==  VIP.
       For  IPv6  VIPs,  the  match is ip && ip6.dst == VIP. The flow sets an action reg0[0] = 1;
       next; to act as a hint for table Pre-stateful to send IP packets to the connection tracker
       for packet de-fragmentation before eventually advancing to ingress table LB.

     Ingress Table 5: Pre-stateful

       This table prepares flows for all possible stateful processing in next tables. It contains
       a priority-0 flow that simply moves traffic to the next table. A priority-100  flow  sends
       the  packets to connection tracker based on a hint provided by the previous tables (with a
       match for reg0[0] == 1) by using the ct_next; action.

     Ingress table 6: from-lport ACLs

       Logical flows in this table closely reproduce those in the ACL table in the OVN_Northbound
       database  for  the  from-lport  direction.  The  priority values from the ACL table have a
       limited range and have 1000 added to them to leave room for  OVN  default  flows  at  both
       higher and lower priorities.

              •      allow  ACLs translate into logical flows with the next; action. If there are
                     any stateful ACLs on this datapath, then allow ACLs translate to  ct_commit;
                     next;  (which acts as a hint for the next tables to commit the connection to
                     conntrack),

              •      allow-related   ACLs    translate    into    logical    flows    with    the
                     ct_commit(ct_label=0/1);  next; actions for new connections and reg0[1] = 1;
                     next; for existing connections.

              •      Other  ACLs  translate  to  drop;  for  new  or  untracked  connections  and
                     ct_commit(ct_label=1/1);  for  known  connections.  Setting ct_label marks a
                     connection as one that was previously  allowed,  but  should  no  longer  be
                     allowed due to a policy change.

       This  table  also contains a priority 0 flow with action next;, so that ACLs allow packets
       by default. If the logical datapath has a statetful ACL, the following flows will also  be
       added:

              •      A  priority-1 flow that sets the hint to commit IP traffic to the connection
                     tracker (with action reg0[1] = 1; next;). This is  needed  for  the  default
                     allow  policy  because,  while  the  initiator’s  direction may not have any
                     stateful rules, the server’s may and then its return traffic  would  not  be
                     known and marked as invalid.

              •      A  priority-65535  flow that allows any traffic in the reply direction for a
                     connection  that  has  been  committed  to  the  connection  tracker  (i.e.,
                     established   flows),   as   long  as  the  committed  flow  does  not  have
                     ct_label.blocked set. We only handle traffic in  the  reply  direction  here
                     because  we  want  all  packets  going  in the request direction to still go
                     through the flows that implement the currently defined policy based on ACLs.
                     If  a  connection  is no longer allowed by policy, ct_label.blocked will get
                     set and packets in the reply direction will no longer be allowed, either.

              •      A priority-65535 flow that allows any traffic that is considered related  to
                     a  committed  flow in the connection tracker (e.g., an ICMP Port Unreachable
                     from a non-listening UDP port), as long as the committed flow does not  have
                     ct_label.blocked set.

              •      A  priority-65535  flow  that  drops  all  traffic  marked by the connection
                     tracker as invalid.

              •      A priority-65535 flow that drops all trafic  in  the  reply  direction  with
                     ct_label.blocked set meaning that the connection should no longer be allowed
                     due to a policy change. Packets in the request direction are skipped here to
                     let a newly created ACL re-allow this connection.

     Ingress Table 7: from-lport QoS Marking

       Logical  flows  in  this  table  closely  reproduce those in the QoS table with the action
       column set in the OVN_Northbound database for the from-lport direction.

              •      For every qos_rules entry in a logical switch with DSCP marking  enabled,  a
                     flow will be added at the priority mentioned in the QoS table.

              •      One  priority-0  fallback  flow that matches all packets and advances to the
                     next table.

     Ingress Table 8: from-lport QoS Meter

       Logical flows in this table closely reproduce those in the QoS table  with  the  bandwidth
       column set in the OVN_Northbound database for the from-lport direction.

              •      For  every qos_rules entry in a logical switch with metering enabled, a flow
                     will be added at the priorirty mentioned in the QoS table.

              •      One priority-0 fallback flow that matches all packets and  advances  to  the
                     next table.

     Ingress Table 9: LB

       It contains a priority-0 flow that simply moves traffic to the next table. For established
       connections a priority 100 flow matches on ct.est && !ct.rel &&  !ct.new  &&  !ct.inv  and
       sets  an  action  reg0[2]  =  1; next; to act as a hint for table Stateful to send packets
       through connection tracker to NAT the packets. (The packet will automatically  get  DNATed
       to the same IP address as the first packet in that connection.)

     Ingress Table 10: Stateful

              •      For  all  the configured load balancing rules for a switch in OVN_Northbound
                     database that includes a L4 port PORT of protocol P and IP  address  VIP,  a
                     priority-120 flow is added. For IPv4 VIPs , the flow matches ct.new && ip &&
                     ip4.dst == VIP && P && P.dst == PORT. For IPv6 VIPs, the flow matches ct.new
                     &&  ip  &&  ip6.dst  ==  VIP  &&  P  &&  P.dst == PORT. The flow’s action is
                     ct_lb(args) , where args contains comma separated IP addresses (and optional
                     port  numbers) to load balance to. The address family of the IP addresses of
                     args is the same as the address family of VIP

              •      For all the configured load balancing rules for a switch  in  OVN_Northbound
                     database  that  includes  just  an  IP  address  VIP to match on, OVN adds a
                     priority-110 flow. For IPv4 VIPs, the flow matches ct.new && ip  &&  ip4.dst
                     ==  VIP. For IPv6 VIPs, the flow matches ct.new && ip && ip6.dst == VIP. The
                     action on this flow is ct_lb(args), where args contains comma  separated  IP
                     addresses of the same address family as VIP.

              •      A  priority-100  flow commits packets to connection tracker using ct_commit;
                     next; action based on a hint provided by the previous tables (with  a  match
                     for reg0[1] == 1).

              •      A  priority-100 flow sends the packets to connection tracker using ct_lb; as
                     the action based on a hint provided by the previous tables (with a match for
                     reg0[2] == 1).

              •      A priority-0 flow that simply moves traffic to the next table.

     Ingress Table 11: ARP/ND responder

       This table implements ARP/ND responder in a logical switch for known IPs. The advantage of
       the ARP responder flow is to limit ARP broadcasts by locally responding  to  ARP  requests
       without  the  need  to  send to other hypervisors. One common case is when the inport is a
       logical port associated with a VIF  and  the  broadcast  is  responded  to  on  the  local
       hypervisor  rather  than  broadcast  across  the  whole  network  and  responded to by the
       destination VM. This behavior is proxy ARP.

       ARP requests arrive from VMs from a logical switch inport of type default. For this  case,
       the  logical  switch proxy ARP rules can be for other VMs or logical router ports. Logical
       switch proxy ARP rules may be programmed both for mac binding of  IP  addresses  on  other
       logical  switch VIF ports (which are of the default logical switch port type, representing
       connectivity to VMs or containers), and for mac binding of IP addresses on logical  switch
       router type ports, representing their logical router port peers. In order to support proxy
       ARP for logical router ports, an IP address must  be  configured  on  the  logical  switch
       router  type port, with the same value as the peer logical router port. The configured MAC
       addresses must match as well. When a VM sends an ARP request  for  a  distributed  logical
       router  port and if the peer router type port of the attached logical switch does not have
       an IP address configured, the ARP request will be broadcast on the logical switch. One  of
       the  copies  of the ARP request will go through the logical switch router type port to the
       logical router datapath, where the logical router ARP responder will generate a reply. The
       MAC binding of a distributed logical router, once learned by an associated VM, is used for
       all that VM’s communication needing routing. Hence, the action of a VM re-arping  for  the
       mac binding of the logical router port should be rare.

       Logical  switch  ARP responder proxy ARP rules can also be hit when receiving ARP requests
       externally on a L2 gateway port. In this case, the hypervisor acting  as  an  L2  gateway,
       responds to the ARP request on behalf of a destination VM.

       Note  that  ARP  requests  received  from  localnet  or vtep logical inports can either go
       directly to VMs, in which case the VM responds or can hit an ARP responder for  a  logical
       router  port  if  the packet is used to resolve a logical router port next hop address. In
       either case, logical switch ARP responder rules will not be hit. It contains these logical
       flows:

              •      Priority-100  flows  to skip the ARP responder if inport is of type localnet
                     or vtep and advances directly to  the  next  table.  ARP  requests  sent  to
                     localnet or vtep ports can be received by multiple hypervisors. Now, because
                     the same mac binding rules are downloaded to all hypervisors,  each  of  the
                     multiple  hypervisors  will  respond.  This  will confuse L2 learning on the
                     source of the ARP requests. ARP requests  received  on  an  inport  of  type
                     router  are  not  expected  to  hit  any logical switch ARP responder flows.
                     However, no skip flows are installed for these packets, as  there  would  be
                     some additional flow cost for this and the value appears limited.

              •      Priority-50  flows  that  match  ARP  requests to each known IP address A of
                     every logical switch port,  and  respond  with  ARP  replies  directly  with
                     corresponding Ethernet address E:

                     eth.dst = eth.src;
                     eth.src = E;
                     arp.op = 2; /* ARP reply. */
                     arp.tha = arp.sha;
                     arp.sha = E;
                     arp.tpa = arp.spa;
                     arp.spa = A;
                     outport = inport;
                     flags.loopback = 1;
                     output;

                     These  flows  are  omitted  for  logical  ports  (other than router ports or
                     localport ports) that are down.

              •      Priority-50 flows that match IPv6 ND neighbor solicitations to each known IP
                     address  A  (and  A’s  solicited  node address) of every logical switch port
                     except of type router, and respond  with  neighbor  advertisements  directly
                     with corresponding Ethernet address E:

                     nd_na {
                         eth.src = E;
                         ip6.src = A;
                         nd.target = A;
                         nd.tll = E;
                         outport = inport;
                         flags.loopback = 1;
                         output;
                     };

                     Priority-50 flows that match IPv6 ND neighbor solicitations to each known IP
                     address A (and A’s solicited node address) of logical switch  port  of  type
                     router, and respond with neighbor advertisements directly with corresponding
                     Ethernet address E:

                     nd_na_router {
                         eth.src = E;
                         ip6.src = A;
                         nd.target = A;
                         nd.tll = E;
                         outport = inport;
                         flags.loopback = 1;
                         output;
                     };

                     These flows are omitted for  logical  ports  (other  than  router  ports  or
                     localport ports) that are down.

              •      Priority-100  flows  with  match  criteria  like the ARP and ND flows above,
                     except that they only match  packets  from  the  inport  that  owns  the  IP
                     addresses  in  question,  with  action  next;.  These flows prevent OVN from
                     replying to, for example, an ARP request emitted by a  VM  for  its  own  IP
                     address.  A  VM  only  makes  this  kind  of  request to attempt to detect a
                     duplicate IP address assignment, so sending a reply will prevent the VM from
                     accepting the IP address that it owns.

                     In  place  of  next;,  it  would  be  reasonable to use drop; for the flows’
                     actions. If everything is working as  it  is  configured,  then  this  would
                     produce  equivalent  results, since no host should reply to the request. But
                     ARPing for one’s own IP address is intended to detect situations  where  the
                     network  is  not  working  as  configured,  so  dropping  the  request would
                     frustrate that intent.

              •      One priority-0 fallback flow that matches all packets and  advances  to  the
                     next table.

     Ingress Table 12: DHCP option processing

       This  table  adds  the DHCPv4 options to a DHCPv4 packet from the logical ports configured
       with IPv4 address(es) and DHCPv4 options, and similarly for DHCPv6 options.

              •      A priority-100 logical flow is added for these logical ports  which  matches
                     the  IPv4  packet  with udp.src = 68 and udp.dst = 67 and applies the action
                     put_dhcp_opts and advances the packet to the next table.

                     reg0[3] = put_dhcp_opts(offer_ip = ip, options...);
                     next;

                     For DHCPDISCOVER and DHCPREQUEST, this transforms the  packet  into  a  DHCP
                     reply,  adds  the  DHCP  offer IP ip and options to the packet, and stores 1
                     into reg0[3]. For other kinds of packets, it just  stores  0  into  reg0[3].
                     Either way, it continues to the next table.

              •      A  priority-100  logical flow is added for these logical ports which matches
                     the IPv6 packet with udp.src = 546 and udp.dst = 547 and applies the  action
                     put_dhcpv6_opts and advances the packet to the next table.

                     reg0[3] = put_dhcpv6_opts(ia_addr = ip, options...);
                     next;

                     For  DHCPv6 Solicit/Request/Confirm packets, this transforms the packet into
                     a DHCPv6 Advertise/Reply, adds the DHCPv6 offer IP ip  and  options  to  the
                     packet,  and  stores  1  into  reg0[3].  For other kinds of packets, it just
                     stores 0 into reg0[3]. Either way, it continues to the next table.

              •      A priority-0 flow that matches all packets to advances to table 11.

     Ingress Table 13: DHCP responses

       This table implements DHCP responder for the DHCP replies generated by the previous table.

              •      A priority 100 logical flow is added for the logical ports  configured  with
                     DHCPv4  options  which matches IPv4 packets with udp.src == 68 && udp.dst ==
                     67 && reg0[3] == 1 and responds back to  the  inport  after  applying  these
                     actions.  If reg0[3] is set to 1, it means that the action put_dhcp_opts was
                     successful.

                     eth.dst = eth.src;
                     eth.src = E;
                     ip4.dst = A;
                     ip4.src = S;
                     udp.src = 67;
                     udp.dst = 68;
                     outport = P;
                     flags.loopback = 1;
                     output;

                     where E is the server MAC address and S is the server IPv4  address  defined
                     in  the  DHCPv4  options  and  A  is the IPv4 address defined in the logical
                     port’s addresses column.

                     (This terminates ingress packet processing; the packet does not  go  to  the
                     next ingress table.)

              •      A  priority  100 logical flow is added for the logical ports configured with
                     DHCPv6 options which matches IPv6 packets with udp.src == 546 && udp.dst  ==
                     547  &&  reg0[3]  ==  1 and responds back to the inport after applying these
                     actions. If reg0[3] is set to 1, it means that  the  action  put_dhcpv6_opts
                     was successful.

                     eth.dst = eth.src;
                     eth.src = E;
                     ip6.dst = A;
                     ip6.src = S;
                     udp.src = 547;
                     udp.dst = 546;
                     outport = P;
                     flags.loopback = 1;
                     output;

                     where  E  is  the  server  MAC  address and S is the server IPv6 LLA address
                     generated from the server_id defined in the DHCPv6 options and A is the IPv6
                     address defined in the logical port’s addresses column.

                     (This  terminates  packet  processing;  the  packet  does not go on the next
                     ingress table.)

              •      A priority-0 flow that matches all packets to advances to table 12.

     Ingress Table 14 DNS Lookup

       This table looks up and  resolves  the  DNS  names  to  the  corresponding  configured  IP
       address(es).

              •      A  priority-100  logical  flow  for  each  logical  switch datapath if it is
                     configured with DNS records, which matches the IPv4 and  IPv6  packets  with
                     udp.dst  =  53  and applies the action dns_lookup and advances the packet to
                     the next table.

                     reg0[4] = dns_lookup(); next;

                     For valid DNS packets, this transforms the packet into a DNS  reply  if  the
                     DNS  name  can  be  resolved,  and  stores  1  into  reg0[4]. For failed DNS
                     resolution or other kinds of packets, it just stores 0 into reg0[4].  Either
                     way, it continues to the next table.

     Ingress Table 15 DNS Responses

       This table implements DNS responder for the DNS replies generated by the previous table.

              •      A  priority-100  logical  flow  for  each  logical  switch datapath if it is
                     configured with DNS records, which matches the IPv4 and  IPv6  packets  with
                     udp.dst  = 53 && reg0[4] == 1 and responds back to the inport after applying
                     these actions. If reg0[4] is set to 1, it means that the  action  dns_lookup
                     was successful.

                     eth.dst <-> eth.src;
                     ip4.src <-> ip4.dst;
                     udp.dst = udp.src;
                     udp.src = 53;
                     outport = P;
                     flags.loopback = 1;
                     output;

                     (This  terminates  ingress  packet processing; the packet does not go to the
                     next ingress table.)

     Ingress Table 16 Destination Lookup

       This table implements switching behavior. It contains these logical flows:

              •      A priority-100 flow that outputs all packets with an Ethernet  broadcast  or
                     multicast   eth.dst  to  the  MC_FLOOD  multicast  group,  which  ovn-northd
                     populates with all enabled logical ports.

              •      One priority-50 flow  that  matches  each  known  Ethernet  address  against
                     eth.dst and outputs the packet to the single associated output port.

                     For  the Ethernet address on a logical switch port of type router, when that
                     logical switch port’s addresses column is set to router  and  the  connected
                     logical router port specifies a redirect-chassis:

                     •      The  flow for the connected logical router port’s Ethernet address is
                            only programmed on the redirect-chassis.

                     •      If the logical router has rules specified in nat  with  external_mac,
                            then   those  addresses  are  also  used  to  populate  the  switch’s
                            destination lookup on the chassis where logical_port is resident.

              •      One priority-0 fallback flow that matches all packets and  outputs  them  to
                     the  MC_UNKNOWN multicast group, which ovn-northd populates with all enabled
                     logical  ports  that  accept  unknown  destination  packets.  As   a   small
                     optimization,  if  no  logical  ports  accept  unknown  destination packets,
                     ovn-northd omits this multicast group and logical flow.

     Egress Table 0: Pre-LB

       This table is similar to ingress table Pre-LB. It contains a priority-0 flow  that  simply
       moves  traffic  to  the  next table. If any load balancing rules exist for the datapath, a
       priority-100 flow is added with a match of ip and action of reg0[0] = 1; next; to act as a
       hint  for  table  Pre-stateful to send IP packets to the connection tracker for packet de-
       fragmentation.

     Egress Table 1: to-lport Pre-ACLs

       This is similar to ingress table Pre-ACLs except for to-lport traffic.

     Egress Table 2: Pre-stateful

       This is similar to ingress table Pre-stateful.

     Egress Table 3: LB

       This is similar to ingress table LB.

     Egress Table 4: to-lport ACLs

       This is similar to ingress table ACLs except for to-lport ACLs.

     Egress Table 5: to-lport QoS Marking

       This is similar to ingress table QoS marking except they apply to to-lport QoS rules.

     Egress Table 6: to-lport QoS Meter

       This is similar to ingress table QoS meter except they apply to to-lport QoS rules.

     Egress Table 7: Stateful

       This is similar to ingress table Stateful except that there are no rules  added  for  load
       balancing new connections.

       Also the following flows are added.

              •      A  priority  34000  logical  flow  is  added for each logical port which has
                     DHCPv4 options defined to allow the DHCPv4 reply packet and which has DHCPv6
                     options  defined to allow the DHCPv6 reply packet from the Ingress Table 13:
                     DHCP responses.

              •      A priority 34000 logical flow is added  for  each  logical  switch  datapath
                     configured  with  DNS  records  with the match udp.dst = 53 to allow the DNS
                     reply packet from the Ingress Table 15:DNS responses.

     Egress Table 8: Egress Port Security - IP

       This is similar to the port security logic in table Ingress Port Security - IP except that
       outport,  eth.dst, ip4.dst and ip6.dst are checked instead of inport, eth.src, ip4.src and
       ip6.src

     Egress Table 9: Egress Port Security - L2

       This is similar to the ingress port security logic in ingress table Admission Control  and
       Ingress  Port  Security  - L2, but with important differences. Most obviously, outport and
       eth.dst are checked instead of inport and eth.src. Second, packets directed  to  broadcast
       or  multicast  eth.dst  are  always accepted instead of being subject to the port security
       rules; this is implemented through a priority-100 flow  that  matches  on  eth.mcast  with
       action  output;.  Finally,  to  ensure  that  even broadcast and multicast packets are not
       delivered to disabled logical ports, a priority-150 flow for each disabled logical outport
       overrides the priority-100 flow with a drop; action.

   Logical Router Datapaths
       Logical  router  datapaths  will  only exist for Logical_Router rows in the OVN_Northbound
       database that do not have enabled set to false

     Ingress Table 0: L2 Admission Control

       This table drops packets that the router shouldn’t see at  all  based  on  their  Ethernet
       headers. It contains the following flows:

              •      Priority-100  flows  to  drop  packets  with VLAN tags or multicast Ethernet
                     source addresses.

              •      For each enabled router port P with Ethernet address E, a  priority-50  flow
                     that matches inport == P && (eth.mcast || eth.dst == E), with action next;.

                     For  the  gateway  port  on  a  distributed logical router (where one of the
                     logical router ports specifies a redirect-chassis), the above flow  matching
                     eth.dst  ==  E  is  only  programmed  on  the  gateway  port instance on the
                     redirect-chassis.

              •      For each dnat_and_snat NAT rule on a distributed router  that  specifies  an
                     external Ethernet address E, a priority-50 flow that matches inport == GW &&
                     eth.dst == E, where GW is the  logical  router  gateway  port,  with  action
                     next;.

                     This  flow  is  only  programmed on the gateway port instance on the chassis
                     where the logical_port specified in the NAT rule resides.

       Other packets are implicitly dropped.

     Ingress Table 1: IP Input

       This table is the core of the logical  router  datapath  functionality.  It  contains  the
       following flows to implement very basic IP host functionality.

              •      L3  admission  control:  A priority-100 flow drops packets that match any of
                     the following:

                     •      ip4.src[28..31] == 0xe (multicast source)

                     •      ip4.src == 255.255.255.255 (broadcast source)

                     •      ip4.src == 127.0.0.0/8 || ip4.dst == 127.0.0.0/8 (localhost source or
                            destination)

                     •      ip4.src  == 0.0.0.0/8 || ip4.dst == 0.0.0.0/8 (zero network source or
                            destination)

                     •      ip4.src or ip6.src is any IP address owned by the router, unless  the
                            packet  was  recirculated  due  to  egress  loopback  as indicated by
                            REGBIT_EGRESS_LOOPBACK.

                     •      ip4.src is the broadcast address of  any  IP  network  known  to  the
                            router.

              •      ICMP  echo  reply.  These flows reply to ICMP echo requests received for the
                     router’s IP address. Let A be an IP address owned by a  router  port.  Then,
                     for each A that is an IPv4 address, a priority-90 flow matches on ip4.dst ==
                     A and icmp4.type == 8 && icmp4.code == 0 (ICMP echo  request).  For  each  A
                     that  is  an  IPv6  address,  a priority-90 flow matches on ip6.dst == A and
                     icmp6.type == 128 && icmp6.code == 0 (ICMPv6 echo request). The port of  the
                     router  that  receives the echo request does not matter. Also, the ip.ttl of
                     the echo request packet is not  checked,  so  it  complies  with  RFC  1812,
                     section 4.2.2.9. Flows for ICMPv4 echo requests use the following actions:

                     ip4.dst <-> ip4.src;
                     ip.ttl = 255;
                     icmp4.type = 0;
                     flags.loopback = 1;
                     next;

                     Flows for ICMPv6 echo requests use the following actions:

                     ip6.dst <-> ip6.src;
                     ip.ttl = 255;
                     icmp6.type = 129;
                     flags.loopback = 1;
                     next;

              •      Reply to ARP requests.

                     These  flows  reply  to  ARP  requests  for  the router’s own IP address and
                     populates mac binding table of the logical router port. The ARP requests are
                     handled  only  if  the  requestor’s  IP  belongs  to the same subnets of the
                     logical router port. For each router port P that owns IP  address  A,  which
                     belongs  to  subnet  S  with  prefix  length  L,  and  Ethernet address E, a
                     priority-90 flow matches inport == P && arp.spa == S/L &&  arp.op  ==  1  &&
                     arp.tpa == A (ARP request) with the following actions:

                     put_arp(inport, arp.spa, arp.sha);
                     eth.dst = eth.src;
                     eth.src = E;
                     arp.op = 2; /* ARP reply. */
                     arp.tha = arp.sha;
                     arp.sha = E;
                     arp.tpa = arp.spa;
                     arp.spa = A;
                     outport = P;
                     flags.loopback = 1;
                     output;

                     For  the  gateway  port  on  a  distributed logical router (where one of the
                     logical router ports specifies a redirect-chassis), the above flows are only
                     programmed  on  the  gateway  port  instance  on  the redirect-chassis. This
                     behavior avoids generation of multiple ARP responses from different chassis,
                     and allows upstream MAC learning to point to the redirect-chassis.

              •      These  flows  handles ARP requests not for router’s own IP address. They use
                     the SPA and SHA to populate the logical router  port’s  mac  binding  table,
                     with  priority  80.  The  typical  use case of these flows are GARP requests
                     handling. For the gateway port on a distributed logical router, these  flows
                     are only programmed on the gateway port instance on the redirect-chassis.

              •      These flows reply to ARP requests for the virtual IP addresses configured in
                     the router for DNAT or load balancing. For a configured DNAT IP address or a
                     load  balancer IPv4 VIP A, for each router port P with Ethernet address E, a
                     priority-90 flow matches inport == P && arp.op == 1 &&  arp.tpa  ==  A  (ARP
                     request) with the following actions:

                     eth.dst = eth.src;
                     eth.src = E;
                     arp.op = 2; /* ARP reply. */
                     arp.tha = arp.sha;
                     arp.sha = E;
                     arp.tpa = arp.spa;
                     arp.spa = A;
                     outport = P;
                     flags.loopback = 1;
                     output;

                     For  the gateway port on a distributed logical router with NAT (where one of
                     the logical router ports specifies a redirect-chassis):

                     •      If the corresponding NAT rule cannot  be  handled  in  a  distributed
                            manner,  then  this  flow  is  only  programmed  on  the gateway port
                            instance on the redirect-chassis. This behavior avoids generation  of
                            multiple  ARP  responses  from different chassis, and allows upstream
                            MAC learning to point to the redirect-chassis.

                     •      If the corresponding NAT rule can be handled in a distributed manner,
                            then  this flow is only programmed on the gateway port instance where
                            the logical_port specified in the NAT rule resides.

                            Some  of  the  actions  are  different  for  this  case,  using   the
                            external_mac specified in the NAT rule rather than the gateway port’s
                            Ethernet address E:

                            eth.src = external_mac;
                            arp.sha = external_mac;

                            This behavior  avoids  generation  of  multiple  ARP  responses  from
                            different  chassis,  and allows upstream MAC learning to point to the
                            correct chassis.

              •      ARP reply handling. This flow uses  ARP  replies  to  populate  the  logical
                     router’s  ARP  table.  A priority-90 flow with match arp.op == 2 has actions
                     put_arp(inport, arp.spa, arp.sha);.

              •      Reply  to  IPv6  Neighbor  Solicitations.  These  flows  reply  to  Neighbor
                     Solicitation  requests  for the router’s own IPv6 address and load balancing
                     IPv6 VIPs and populate the logical router’s mac binding table.

                     For each router port P that owns IPv6 address A, solicited node  address  S,
                     and  Ethernet  address E, a priority-90 flow matches inport == P && nd_ns &&
                     ip6.dst == {A, E} && nd.target == A with the following actions:

                     put_nd(inport, ip6.src, nd.sll);
                     nd_na_router {
                         eth.src = E;
                         ip6.src = A;
                         nd.target = A;
                         nd.tll = E;
                         outport = inport;
                         flags.loopback = 1;
                         output;
                     };

                     For each router port P that has load balancing VIP A, solicited node address
                     S,  and  Ethernet address E, a priority-90 flow matches inport == P && nd_ns
                     && ip6.dst == {A, E} && nd.target == A with the following actions:

                     put_nd(inport, ip6.src, nd.sll);
                     nd_na {
                         eth.src = E;
                         ip6.src = A;
                         nd.target = A;
                         nd.tll = E;
                         outport = inport;
                         flags.loopback = 1;
                         output;
                     };

                     For the gateway port on a distributed  logical  router  (where  one  of  the
                     logical router ports specifies a redirect-chassis), the above flows replying
                     to IPv6 Neighbor Solicitations are  only  programmed  on  the  gateway  port
                     instance  on  the  redirect-chassis.  This  behavior  avoids  generation  of
                     multiple replies from different chassis, and allows upstream MAC learning to
                     point to the redirect-chassis.

              •      IPv6 neighbor advertisement handling. This flow uses neighbor advertisements
                     to populate the logical router’s mac binding table. A priority-90 flow  with
                     match nd_na has actions put_nd(inport, nd.target, nd.tll);.

              •      IPv6 neighbor solicitation for non-hosted addresses handling. This flow uses
                     neighbor solicitations to populate the logical router’s  mac  binding  table
                     (ones  that  were  directed  at  the  logical  router would have matched the
                     priority-90 neighbor solicitation flow already).  A  priority-80  flow  with
                     match nd_ns has actions put_nd(inport, ip6.src, nd.sll);.

              •      UDP  port  unreachable.  Priority-80  flows  generate  ICMP port unreachable
                     messages in reply to UDP datagrams directed to the router’s IP address.  The
                     logical  router doesn’t accept any UDP traffic so it always generates such a
                     reply.

                     These flows should not match IP fragments with nonzero offset.

                     Details TBD. Not yet implemented.

              •      TCP reset. Priority-80 flows generate TCP reset messages  in  reply  to  TCP
                     datagrams  directed  to  the router’s IP address. The logical router doesn’t
                     accept any TCP traffic so it always generates such a reply.

                     These flows should not match IP fragments with nonzero offset.

                     Details TBD. Not yet implemented.

              •      Protocol unreachable. Priority-70 flows generate ICMP  protocol  unreachable
                     messages  in  reply  to  packets  directed  to the router’s IP address on IP
                     protocols other than UDP, TCP, and ICMP.

                     These flows should not match IP fragments with nonzero offset.

                     Details TBD. Not yet implemented.

              •      Drop other IP traffic to this router. These flows  drop  any  other  traffic
                     destined  to an IP address of this router that is not already handled by one
                     of the flows above, which amounts to ICMP (other  than  echo  requests)  and
                     fragments with nonzero offsets. For each IP address A owned by the router, a
                     priority-60 flow matches ip4.dst == A and drops the traffic. An exception is
                     made  and the above flow is not added if the router port’s own IP address is
                     used to SNAT packets passing through that router.

       The flows above handle all of the traffic that might be directed to the router itself. The
       following  flows  (with  lower  priorities)  handle the remaining traffic, potentially for
       forwarding:

              •      Drop Ethernet local broadcast. A priority-50 flow with match eth.bcast drops
                     traffic destined to the local Ethernet broadcast address. By definition this
                     traffic should not be forwarded.

              •      ICMP time exceeded. For each router  port  P,  whose  IP  address  is  A,  a
                     priority-40   flow   with  match  inport  ==  P  &&  ip.ttl  ==  {0,  1}  &&
                     !ip.later_frag matches packets whose TTL has  expired,  with  the  following
                     actions to send an ICMP time exceeded reply:

                     icmp4 {
                         icmp4.type = 11; /* Time exceeded. */
                         icmp4.code = 0;  /* TTL exceeded in transit. */
                         ip4.dst = ip4.src;
                         ip4.src = A;
                         ip.ttl = 255;
                         next;
                     };

                     Not yet implemented.

              •      TTL  discard.  A  priority-30  flow  with match ip.ttl == {0, 1} and actions
                     drop; drops other packets whose TTL has expired, that should not  receive  a
                     ICMP error reply (i.e. fragments with nonzero offset).

              •      Next table. A priority-0 flows match all packets that aren’t already handled
                     and uses actions next; to feed them to the next table.

     Ingress Table 2: DEFRAG

       This is to send packets  to  connection  tracker  for  tracking  and  defragmentation.  It
       contains  a priority-0 flow that simply moves traffic to the next table. If load balancing
       rules with virtual IP addresses (and ports) are configured in OVN_Northbound database  for
       a Gateway router, a priority-100 flow is added for each configured virtual IP address VIP.
       For IPv4 VIPs the flow matches ip && ip4.dst == VIP. For IPv6 VIPs, the flow matches ip &&
       ip6.dst  ==  VIP.  The  flow uses the action ct_next; to send IP packets to the connection
       tracker for packet de-fragmentation and tracking before sending it to the next table.

     Ingress Table 3: UNSNAT

       This is for already established connections’ reverse traffic. i.e., SNAT has already  been
       done  in  egress pipeline and now the packet has entered the ingress pipeline as part of a
       reply. It is unSNATted here.

       Ingress Table 3: UNSNAT on Gateway Routers

              •      If the Gateway router has been  configured  to  force  SNAT  any  previously
                     DNATted packets to B, a priority-110 flow matches ip && ip4.dst == B with an
                     action ct_snat; .

                     If the Gateway router has been configured to force SNAT any previously load-
                     balanced  packets  to B, a priority-100 flow matches ip && ip4.dst == B with
                     an action ct_snat; .

                     For each NAT configuration in the OVN  Northbound  database,  that  asks  to
                     change  the  source  IP  address of a packet from A to B, a priority-90 flow
                     matches ip && ip4.dst == B with an action ct_snat; .

                     A priority-0 logical flow with match 1 has actions next;.

       Ingress Table 3: UNSNAT on Distributed Routers

              •      For each configuration in the OVN Northbound database, that asks  to  change
                     the  source  IP address of a packet from A to B, a priority-100 flow matches
                     ip && ip4.dst == B && inport == GW, where GW is the logical  router  gateway
                     port, with an action ct_snat;.

                     If  the  NAT  rule  cannot  be  handled  in  a  distributed manner, then the
                     priority-100 flow above is only programmed on the redirect-chassis.

                     For each configuration in the OVN Northbound database, that asks  to  change
                     the source IP address of a packet from A to B, a priority-50 flow matches ip
                     && ip4.dst == B with an action REGBIT_NAT_REDIRECT = 1; next;. This flow  is
                     for  east/west  traffic  to  a  NAT destination IPv4 address. By setting the
                     REGBIT_NAT_REDIRECT flag, in the ingress table Gateway  Redirect  this  will
                     trigger   a   redirect   to   the  instance  of  the  gateway  port  on  the
                     redirect-chassis.

                     A priority-0 logical flow with match 1 has actions next;.

     Ingress Table 4: DNAT

       Packets enter the pipeline with destination IP address that needs to  be  DNATted  from  a
       virtual  IP  address  to  a  real IP address. Packets in the reverse direction needs to be
       unDNATed.

       Ingress Table 4: Load balancing DNAT rules

       Following load balancing DNAT flows are added for Gateway router or  Router  with  gateway
       port.  These  flows  are  programmed  only on the redirect-chassis. These flows do not get
       programmed for load balancers with IPv6 VIPs.

              •      For all the configured load balancing rules for a Gateway router  or  Router
                     with gateway port in OVN_Northbound database that includes a L4 port PORT of
                     protocol P and IPv4 address VIP, a priority-120 flow that matches on  ct.new
                     && ip && ip4.dst == VIP && P && P.dst == PORT
                      with  an  action  of  ct_lb(args), where args contains comma separated IPv4
                     addresses (and optional port numbers) to load balance to. If the  router  is
                     configured to force SNAT any load-balanced packets, the above action will be
                     replaced by flags.force_snat_for_lb = 1; ct_lb(args);.

              •      For all the configured load balancing rules for a router  in  OVN_Northbound
                     database  that includes a L4 port PORT of protocol P and IPv4 address VIP, a
                     priority-120 flow that matches on ct.est && ip && ip4.dst ==  VIP  &&  P  &&
                     P.dst == PORT
                      with  an  action of ct_dnat;. If the router is configured to force SNAT any
                     load-balanced   packets,   the   above   action   will   be   replaced    by
                     flags.force_snat_for_lb = 1; ct_dnat;.

              •      For  all  the configured load balancing rules for a router in OVN_Northbound
                     database that includes just an IP address VIP to match  on,  a  priority-110
                     flow  that  matches  on  ct.new  &&  ip  && ip4.dst == VIP with an action of
                     ct_lb(args), where args contains comma  separated  IPv4  addresses.  If  the
                     router  is  configured  to  force  SNAT any load-balanced packets, the above
                     action will be replaced by flags.force_snat_for_lb = 1; ct_lb(args);.

              •      For all the configured load balancing rules for a router  in  OVN_Northbound
                     database  that  includes  just an IP address VIP to match on, a priority-110
                     flow that matches on ct.est && ip &&  ip4.dst  ==  VIP  with  an  action  of
                     ct_dnat;.  If  the  router  is  configured  to  force SNAT any load-balanced
                     packets, the above action will be replaced by flags.force_snat_for_lb  =  1;
                     ct_dnat;.

       Ingress Table 4: DNAT on Gateway Routers

              •      For  each  configuration in the OVN Northbound database, that asks to change
                     the destination IP address of a packet from A  to  B,  a  priority-100  flow
                     matches  ip  && ip4.dst == A with an action flags.loopback = 1; ct_dnat(B);.
                     If the Gateway router is configured to force SNAT  any  DNATed  packet,  the
                     above   action   will   be   replaced   by  flags.force_snat_for_dnat  =  1;
                     flags.loopback = 1; ct_dnat(B);.

              •      For all IP packets of a Gateway router, a priority-50 flow  with  an  action
                     flags.loopback = 1; ct_dnat;.

              •      A priority-0 logical flow with match 1 has actions next;.

       Ingress Table 4: DNAT on Distributed Routers

       On  distributed  routers,  the DNAT table only handles packets with destination IP address
       that needs to be DNATted from a virtual IP address  to  a  real  IP  address.  The  unDNAT
       processing in the reverse direction is handled in a separate table in the egress pipeline.

              •      For  each  configuration in the OVN Northbound database, that asks to change
                     the destination IP address of a packet from A  to  B,  a  priority-100  flow
                     matches  ip  && ip4.dst == B && inport == GW, where GW is the logical router
                     gateway port, with an action ct_dnat(B);.

                     If the NAT rule  cannot  be  handled  in  a  distributed  manner,  then  the
                     priority-100 flow above is only programmed on the redirect-chassis.

                     For  each  configuration in the OVN Northbound database, that asks to change
                     the destination IP address of a packet from  A  to  B,  a  priority-50  flow
                     matches  ip  &&  ip4.dst == B with an action REGBIT_NAT_REDIRECT = 1; next;.
                     This flow is for east/west traffic to a NAT  destination  IPv4  address.  By
                     setting  the REGBIT_NAT_REDIRECT flag, in the ingress table Gateway Redirect
                     this will trigger a redirect to the instance of  the  gateway  port  on  the
                     redirect-chassis.

                     A priority-0 logical flow with match 1 has actions next;.

     Ingress Table 5: IPv6 ND RA option processing

              •      A  priority-50 logical flow is added for each logical router port configured
                     with IPv6 ND RA options which matches IPv6 ND Router Solicitation packet and
                     applies the action put_nd_ra_opts and advances the packet to the next table.

                     reg0[5] = put_nd_ra_opts(options);next;

                     For a valid IPv6 ND RS packet, this transforms the packet into an IPv6 ND RA
                     reply and sets the RA options to the packet and stores 1 into  reg0[5].  For
                     other  kinds  of  packets,  it  just  stores  0 into reg0[5]. Either way, it
                     continues to the next table.

              •      A priority-0 logical flow with match 1 has actions next;.

     Ingress Table 6: IPv6 ND RA responder

       This table implements IPv6 ND RA responder for the IPv6 ND RA  replies  generated  by  the
       previous table.

              •      A  priority-50 logical flow is added for each logical router port configured
                     with IPv6 ND RA options which matches IPv6 ND RA packets and  reg0[5]  ==  1
                     and  responds back to the inport after applying these actions. If reg0[5] is
                     set to 1, it means that the action put_nd_ra_opts was successful.

                     eth.dst = eth.src;
                     eth.src = E;
                     ip6.dst = ip6.src;
                     ip6.src = I;
                     outport = P;
                     flags.loopback = 1;
                     output;

                     where E is the MAC address and I is the  IPv6  link  local  address  of  the
                     logical router port.

                     (This  terminates packet processing in ingress pipeline; the packet does not
                     go to the next ingress table.)

              •      A priority-0 logical flow with match 1 has actions next;.

     Ingress Table 7: IP Routing

       A packet that arrives at this table is an IP packet that should be routed to  the  address
       in ip4.dst or ip6.dst. This table implements IP routing, setting reg0 (or xxreg0 for IPv6)
       to the next-hop IP address (leaving ip4.dst or ip6.dst, the  packet’s  final  destination,
       unchanged)  and  advances  to  the  next  table  for ARP resolution. It also sets reg1 (or
       xxreg1) to the IP address owned by the selected router port  (ingress  table  ARP  Request
       will generate an ARP request, if needed, with reg0 as the target protocol address and reg1
       as the source protocol address).

       This table contains the following logical flows:

              •      For distributed logical routers  where  one  of  the  logical  router  ports
                     specifies  a  redirect-chassis,  a  priority-300  logical  flow  with  match
                     REGBIT_NAT_REDIRECT == 1 has actions ip.ttl--; next;. The  outport  will  be
                     set later in the Gateway Redirect table.

              •      IPv4  routing  table.  For  each  route to IPv4 network N with netmask M, on
                     router port P with IP address A and Ethernet address E, a logical flow  with
                     match  ip4.dst  == N/M, whose priority is the number of 1-bits in M, has the
                     following actions:

                     ip.ttl--;
                     reg0 = G;
                     reg1 = A;
                     eth.src = E;
                     outport = P;
                     flags.loopback = 1;
                     next;

                     (Ingress table 1 already verified  that  ip.ttl--;  will  not  yield  a  TTL
                     exceeded error.)

                     If  the  route  has  a gateway, G is the gateway IP address. Instead, if the
                     route is from a configured static route, G is the next hop IP address.  Else
                     it is ip4.dst.

              •      IPv6  routing  table.  For  each  route to IPv6 network N with netmask M, on
                     router port P with IP address A and Ethernet address E, a logical flow  with
                     match  in  CIDR notation ip6.dst == N/M, whose priority is the integer value
                     of M, has the following actions:

                     ip.ttl--;
                     xxreg0 = G;
                     xxreg1 = A;
                     eth.src = E;
                     outport = P;
                     flags.loopback = 1;
                     next;

                     (Ingress table 1 already verified  that  ip.ttl--;  will  not  yield  a  TTL
                     exceeded error.)

                     If  the  route  has  a gateway, G is the gateway IP address. Instead, if the
                     route is from a configured static route, G is the next hop IP address.  Else
                     it is ip6.dst.

                     If  the  address  A is in the link-local scope, the route will be limited to
                     sending on the ingress port.

     Ingress Table 8: ARP/ND Resolution

       Any packet that reaches this table is an IP packet whose next-hop IPv4 address is in  reg0
       or  IPv6  address  is in xxreg0. (ip4.dst or ip6.dst contains the final destination.) This
       table resolves the IP address in reg0 (or xxreg0) into an output port in  outport  and  an
       Ethernet address in eth.dst, using the following flows:

              •      For  distributed  logical  routers  where  one  of  the logical router ports
                     specifies  a  redirect-chassis,  a  priority-200  logical  flow  with  match
                     REGBIT_NAT_REDIRECT  ==  1  has  actions  eth.dst = E; next;, where E is the
                     ethernet address of the router’s distributed gateway port.

              •      Static MAC bindings. MAC bindings can be known statically based on  data  in
                     the OVN_Northbound database. For router ports connected to logical switches,
                     MAC bindings can be known  statically  from  the  addresses  column  in  the
                     Logical_Switch_Port  table.  For  router  ports  connected  to other logical
                     routers, MAC bindings can be known statically  from  the  mac  and  networks
                     column in the Logical_Router_Port table.

                     For  each  IPv4  address A whose host is known to have Ethernet address E on
                     router port P, a priority-100 flow with match outport === P && reg0 == A has
                     actions eth.dst = E; next;.

                     For  each  IPv6  address A whose host is known to have Ethernet address E on
                     router port P, a priority-100 flow with match outport === P && xxreg0  ==  A
                     has actions eth.dst = E; next;.

                     For  each  logical router port with an IPv4 address A and a mac address of E
                     that is reachable via a different logical router port P, a priority-100 flow
                     with match outport === P && reg0 == A has actions eth.dst = E; next;.

                     For  each  logical router port with an IPv6 address A and a mac address of E
                     that is reachable via a different logical router port P, a priority-100 flow
                     with match outport === P && xxreg0 == A has actions eth.dst = E; next;.

              •      Dynamic  MAC  bindings.  These  flows  resolve  MAC-to-IP bindings that have
                     become known dynamically through ARP or  neighbor  discovery.  (The  ingress
                     table  ARP  Request  will  issue an ARP or neighbor solicitation request for
                     cases where the binding is not yet known.)

                     A priority-0 logical flow with match ip4 has actions get_arp(outport, reg0);
                     next;.

                     A  priority-0  logical  flow  with  match  ip6  has  actions get_nd(outport,
                     xxreg0); next;.

     Ingress Table 9: Gateway Redirect

       For distributed logical routers  where  one  of  the  logical  router  ports  specifies  a
       redirect-chassis,  this  table  redirects  certain packets to the distributed gateway port
       instance on the redirect-chassis. This table has the following flows:

              •      A priority-200 logical flow with match REGBIT_NAT_REDIRECT == 1 has  actions
                     outport  =  CR; next;, where CR is the chassisredirect port representing the
                     instance  of  the  logical  router   distributed   gateway   port   on   the
                     redirect-chassis.

              •      A  priority-150  logical  flow  with  match  outport  ==  GW  &&  eth.dst ==
                     00:00:00:00:00:00 has actions outport = CR; next;, where GW is  the  logical
                     router   distributed  gateway  port  and  CR  is  the  chassisredirect  port
                     representing the instance of the logical router distributed gateway port  on
                     the redirect-chassis.

              •      For  each  NAT  rule in the OVN Northbound database that can be handled in a
                     distributed manner, a priority-100 logical flow with match ip4.src ==  B  &&
                     outport == GW, where GW is the logical router distributed gateway port, with
                     actions next;.

              •      A priority-50 logical flow with match outport == GW has  actions  outport  =
                     CR; next;, where GW is the logical router distributed gateway port and CR is
                     the chassisredirect port representing the instance  of  the  logical  router
                     distributed gateway port on the redirect-chassis.

              •      A priority-0 logical flow with match 1 has actions next;.

     Ingress Table 10: ARP Request

       In  the  common  case where the Ethernet destination has been resolved, this table outputs
       the packet. Otherwise, it composes and sends an ARP or IPv6 Neighbor Solicitation request.
       It holds the following flows:

              •      Unknown MAC address. A priority-100 flow for IPv4 packets with match eth.dst
                     == 00:00:00:00:00:00 has the following actions:

                     arp {
                         eth.dst = ff:ff:ff:ff:ff:ff;
                         arp.spa = reg1;
                         arp.tpa = reg0;
                         arp.op = 1;  /* ARP request. */
                         output;
                     };

                     Unknown MAC address. A priority-100 flow for IPv6 packets with match eth.dst
                     == 00:00:00:00:00:00 has the following actions:

                     nd_ns {
                         nd.target = xxreg0;
                         output;
                     };

                     (Ingress  table  IP  Routing  initialized  reg1 with the IP address owned by
                     outport and (xx)reg0 with the next-hop IP address)

                     The IP packet that triggers the ARP/IPv6 NS request is dropped.

              •      Known MAC address. A priority-0 flow with match 1 has actions output;.

     Egress Table 0: UNDNAT

       This is for already established connections’ reverse traffic. i.e., DNAT has already  been
       done  in  ingress pipeline and now the packet has entered the egress pipeline as part of a
       reply. For NAT on a distributed router, it is unDNATted here.  For  Gateway  routers,  the
       unDNAT processing is carried out in the ingress DNAT table.

              •      For  all  the configured load balancing rules for a router with gateway port
                     in OVN_Northbound database that includes an  IPv4  address  VIP,  for  every
                     backend IPv4 address B defined for the VIP a priority-120 flow is programmed
                     on redirect-chassis that matches ip && ip4.src == B && outport == GW,  where
                     GW  is  the  logical  router  gateway  port  with an action ct_dnat;. If the
                     backend IPv4 address B is also configured with L4 port PORT of  protocol  P,
                     then  the  match  also includes P.src == PORT. These flows are not added for
                     load balancers with IPv6 VIPs.

                     If the router is configured to force SNAT any load-balanced  packets,  above
                     action will be replaced by flags.force_snat_for_lb = 1; ct_dnat;.

              •      For  each  configuration  in the OVN Northbound database that asks to change
                     the destination IP address of a packet from an IP  address  of  A  to  B,  a
                     priority-100  flow  matches ip && ip4.src == B && outport == GW, where GW is
                     the logical router gateway port, with an action ct_dnat;.

                     If the NAT rule  cannot  be  handled  in  a  distributed  manner,  then  the
                     priority-100 flow above is only programmed on the redirect-chassis.

                     If  the  NAT  rule  can be handled in a distributed manner, then there is an
                     additional action eth.src = EA;, where EA is the ethernet address associated
                     with  the IP address A in the NAT rule. This allows upstream MAC learning to
                     point to the correct chassis.

              •      A priority-0 logical flow with match 1 has actions next;.

     Egress Table 1: SNAT

       Packets that are configured to be SNATed get their source IP address changed based on  the
       configuration in the OVN Northbound database.

       Egress Table 1: SNAT on Gateway Routers

              •      If  the Gateway router in the OVN Northbound database has been configured to
                     force SNAT a packet (that has been previously DNATted) to B, a  priority-100
                     flow   matches   flags.force_snat_for_dnat   ==  1  &&  ip  with  an  action
                     ct_snat(B);.

                     If the Gateway router in the OVN Northbound database has been configured  to
                     force  SNAT  a  packet  (that  has  been  previously  load-balanced) to B, a
                     priority-100 flow matches flags.force_snat_for_lb == 1 && ip with an  action
                     ct_snat(B);.

                     For  each  configuration in the OVN Northbound database, that asks to change
                     the source IP address of a packet from an IP address of A or to  change  the
                     source IP address of a packet that belongs to network A to B, a flow matches
                     ip && ip4.src == A with an action ct_snat(B);. The priority of the  flow  is
                     calculated  based on the mask of A, with matches having larger masks getting
                     higher priorities.

                     A priority-0 logical flow with match 1 has actions next;.

       Egress Table 1: SNAT on Distributed Routers

              •      For each configuration in the OVN Northbound database, that asks  to  change
                     the  source  IP address of a packet from an IP address of A or to change the
                     source IP address of a packet that belongs to network A to B, a flow matches
                     ip  && ip4.src == A && outport == GW, where GW is the logical router gateway
                     port, with an action ct_snat(B);. The priority of  the  flow  is  calculated
                     based  on  the  mask  of  A, with matches having larger masks getting higher
                     priorities.

                     If the NAT rule cannot be handled in a distributed  manner,  then  the  flow
                     above is only programmed on the redirect-chassis.

                     If  the  NAT  rule  can be handled in a distributed manner, then there is an
                     additional action eth.src = EA;, where EA is the ethernet address associated
                     with  the IP address A in the NAT rule. This allows upstream MAC learning to
                     point to the correct chassis.

              •      A priority-0 logical flow with match 1 has actions next;.

     Egress Table 2: Egress Loopback

       For distributed logical routers  where  one  of  the  logical  router  ports  specifies  a
       redirect-chassis.

       Earlier   in   the  ingress  pipeline,  some  east-west  traffic  was  redirected  to  the
       chassisredirect port, based on flows in the UNSNAT and DNAT  ingress  tables  setting  the
       REGBIT_NAT_REDIRECT  flag,  which then triggered a match to a flow in the Gateway Redirect
       ingress table. The intention was not to actually send traffic out the distributed  gateway
       port  instance  on  the redirect-chassis. This traffic was sent to the distributed gateway
       port instance in order for DNAT and/or SNAT processing to be applied.

       While UNDNAT and SNAT processing have already occurred by this point, this  traffic  needs
       to  be  forced through egress loopback on this distributed gateway port instance, in order
       for UNSNAT and DNAT processing to be applied, and also for IP routing and  ARP  resolution
       after all of the NAT processing, so that the packet can be forwarded to the destination.

       This table has the following flows:

              •      For  each NAT rule in the OVN Northbound database on a distributed router, a
                     priority-100 logical flow with match ip4.dst == E && outport == GW, where  E
                     is  the external IP address specified in the NAT rule, and GW is the logical
                     router distributed gateway port, with the following actions:

                     clone {
                         ct_clear;
                         inport = outport;
                         outport = "";
                         flags = 0;
                         flags.loopback = 1;
                         reg0 = 0;
                         reg1 = 0;
                         ...
                         reg9 = 0;
                         REGBIT_EGRESS_LOOPBACK = 1;
                         next(pipeline=ingress, table=0);
                     };

                     flags.loopback is set since in_port is unchanged and the packet  may  return
                     back  to  that  port  after NAT processing. REGBIT_EGRESS_LOOPBACK is set to
                     indicate that egress loopback has occurred, in order to skip the  source  IP
                     address check against the router address.

              •      A priority-0 logical flow with match 1 has actions next;.

     Egress Table 3: Delivery

       Packets  that  reach  this  table are ready for delivery. It contains priority-100 logical
       flows that match packets on each enabled logical router port, with action output;.