Provided by: ovn-central_2.9.8-0ubuntu0.18.04.5_amd64 
NAME
ovn-northd - Open Virtual Network central control daemon
SYNOPSIS
ovn-northd [options]
DESCRIPTION
ovn-northd is a centralized daemon responsible for translating the high-level OVN configuration into
logical configuration consumable by daemons such as ovn-controller. It translates the logical network
configuration in terms of conventional network concepts, taken from the OVN Northbound Database (see
ovn-nb(5)), into logical datapath flows in the OVN Southbound Database (see ovn-sb(5)) below it.
OPTIONS
--ovnnb-db=database
The OVSDB database containing the OVN Northbound Database. If the OVN_NB_DB environment variable
is set, its value is used as the default. Otherwise, the default is
unix:/var/run/openvswitch/ovnnb_db.sock.
--ovnsb-db=database
The OVSDB database containing the OVN Southbound Database. If the OVN_SB_DB environment variable
is set, its value is used as the default. Otherwise, the default is
unix:/var/run/openvswitch/ovnsb_db.sock.
database in the above options must be an OVSDB active or passive connection method, as described in
ovsdb(7).
Daemon Options
--pidfile[=pidfile]
Causes a file (by default, program.pid) to be created indicating the PID of the running process.
If the pidfile argument is not specified, or if it does not begin with /, then it is created in
/var/run/openvswitch.
If --pidfile is not specified, no pidfile is created.
--overwrite-pidfile
By default, when --pidfile is specified and the specified pidfile already exists and is locked by
a running process, the daemon refuses to start. Specify --overwrite-pidfile to cause it to instead
overwrite the pidfile.
When --pidfile is not specified, this option has no effect.
--detach
Runs this program as a background process. The process forks, and in the child it starts a new
session, closes the standard file descriptors (which has the side effect of disabling logging to
the console), and changes its current directory to the root (unless --no-chdir is specified).
After the child completes its initialization, the parent exits.
--monitor
Creates an additional process to monitor this program. If it dies due to a signal that indicates a
programming error (SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU, or
SIGXFSZ) then the monitor process starts a new copy of it. If the daemon dies or exits for another
reason, the monitor process exits.
This option is normally used with --detach, but it also functions without it.
--no-chdir
By default, when --detach is specified, the daemon changes its current working directory to the
root directory after it detaches. Otherwise, invoking the daemon from a carelessly chosen
directory would prevent the administrator from unmounting the file system that holds that
directory.
Specifying --no-chdir suppresses this behavior, preventing the daemon from changing its current
working directory. This may be useful for collecting core files, since it is common behavior to
write core dumps into the current working directory and the root directory is not a good directory
to use.
This option has no effect when --detach is not specified.
--no-self-confinement
By default this daemon will try to self-confine itself to work with files under well-known
directories whitelisted at build time. It is better to stick with this default behavior and not to
use this flag unless some other Access Control is used to confine daemon. Note that in contrast to
other access control implementations that are typically enforced from kernel-space (e.g. DAC or
MAC), self-confinement is imposed from the user-space daemon itself and hence should not be
considered as a full confinement strategy, but instead should be viewed as an additional layer of
security.
--user=user:group
Causes this program to run as a different user specified in user:group, thus dropping most of the
root privileges. Short forms user and :group are also allowed, with current user or group assumed,
respectively. Only daemons started by the root user accepts this argument.
On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES before dropping root
privileges. Daemons that interact with a datapath, such as ovs-vswitchd, will be granted two
additional capabilities, namely CAP_NET_ADMIN and CAP_NET_RAW. The capability change will apply
even if the new user is root.
On Windows, this option is not currently supported. For security reasons, specifying this option
will cause the daemon process not to start.
Logging Options
-v[spec]
--verbose=[spec]
Sets logging levels. Without any spec, sets the log level for every module and destination to dbg.
Otherwise, spec is a list of words separated by spaces or commas or colons, up to one from each
category below:
• A valid module name, as displayed by the vlog/list command on ovs-appctl(8), limits the log
level change to the specified module.
• syslog, console, or file, to limit the log level change to only to the system log, to the
console, or to a file, respectively. (If --detach is specified, the daemon closes its
standard file descriptors, so logging to the console will have no effect.)
On Windows platform, syslog is accepted as a word and is only useful along with the
--syslog-target option (the word has no effect otherwise).
• off, emer, err, warn, info, or dbg, to control the log level. Messages of the given severity
or higher will be logged, and messages of lower severity will be filtered out. off filters
out all messages. See ovs-appctl(8) for a definition of each log level.
Case is not significant within spec.
Regardless of the log levels set for file, logging to a file will not take place unless --log-file
is also specified (see below).
For compatibility with older versions of OVS, any is accepted as a word but has no effect.
-v
--verbose
Sets the maximum logging verbosity level, equivalent to --verbose=dbg.
-vPATTERN:destination:pattern
--verbose=PATTERN:destination:pattern
Sets the log pattern for destination to pattern. Refer to ovs-appctl(8) for a description of the
valid syntax for pattern.
-vFACILITY:facility
--verbose=FACILITY:facility
Sets the RFC5424 facility of the log message. facility can be one of kern, user, mail, daemon, auth,
syslog, lpr, news, uucp, clock, ftp, ntp, audit, alert, clock2, local0, local1, local2, local3,
local4, local5, local6 or local7. If this option is not specified, daemon is used as the default for
the local system syslog and local0 is used while sending a message to the target provided via the
--syslog-target option.
--log-file[=file]
Enables logging to a file. If file is specified, then it is used as the exact name for the log file.
The default log file name used if file is omitted is /var/log/openvswitch/program.log.
--syslog-target=host:port
Send syslog messages to UDP port on host, in addition to the system syslog. The host must be a
numerical IP address, not a hostname.
--syslog-method=method
Specify method as how syslog messages should be sent to syslog daemon. The following forms are
supported:
• libc, to use the libc syslog() function. This is the default behavior. Downside of using this
options is that libc adds fixed prefix to every message before it is actually sent to the
syslog daemon over /dev/log UNIX domain socket.
• unix:file, to use a UNIX domain socket directly. It is possible to specify arbitrary message
format with this option. However, rsyslogd 8.9 and older versions use hard coded parser
function anyway that limits UNIX domain socket use. If you want to use arbitrary message
format with older rsyslogd versions, then use UDP socket to localhost IP address instead.
• udp:ip:port, to use a UDP socket. With this method it is possible to use arbitrary message
format also with older rsyslogd. When sending syslog messages over UDP socket extra
precaution needs to be taken into account, for example, syslog daemon needs to be configured
to listen on the specified UDP port, accidental iptables rules could be interfering with
local syslog traffic and there are some security considerations that apply to UDP sockets,
but do not apply to UNIX domain sockets.
PKI Options
PKI configuration is required in order to use SSL for the connections to the Northbound and Southbound
databases.
-p privkey.pem
--private-key=privkey.pem
Specifies a PEM file containing the private key used as identity for outgoing SSL
connections.
-c cert.pem
--certificate=cert.pem
Specifies a PEM file containing a certificate that certifies the private key specified on -p
or --private-key to be trustworthy. The certificate must be signed by the certificate
authority (CA) that the peer in SSL connections will use to verify it.
-C cacert.pem
--ca-cert=cacert.pem
Specifies a PEM file containing the CA certificate for verifying certificates presented to
this program by SSL peers. (This may be the same certificate that SSL peers use to verify the
certificate specified on -c or --certificate, or it may be a different one, depending on the
PKI design in use.)
-C none
--ca-cert=none
Disables verification of certificates presented by SSL peers. This introduces a security
risk, because it means that certificates cannot be verified to be those of known trusted
hosts.
Other Options
--unixctl=socket
Sets the name of the control socket on which program listens for runtime management commands (see
RUNTIME MANAGEMENT COMMANDS, below). If socket does not begin with /, it is interpreted as
relative to /var/run/openvswitch. If --unixctl is not used at all, the default socket is
/var/run/openvswitch/program.pid.ctl, where pid is program’s process ID.
On Windows a local named pipe is used to listen for runtime management commands. A file is created
in the absolute path as pointed by socket or if --unixctl is not used at all, a file is created as
program in the configured OVS_RUNDIR directory. The file exists just to mimic the behavior of a
Unix domain socket.
Specifying none for socket disables the control socket feature.
-h
--help
Prints a brief help message to the console.
-V
--version
Prints version information to the console.
RUNTIME MANAGEMENT COMMANDS
ovs-appctl can send commands to a running ovn-northd process. The currently supported commands are
described below.
exit Causes ovn-northd to gracefully terminate.
ACTIVE-STANDBY FOR HIGH AVAILABILITY
You may run ovn-northd more than once in an OVN deployment. OVN will automatically ensure that only one
of them is active at a time. If multiple instances of ovn-northd are running and the active ovn-northd
fails, one of the hot standby instances of ovn-northd will automatically take over.
LOGICAL FLOW TABLE STRUCTURE
One of the main purposes of ovn-northd is to populate the Logical_Flow table in the OVN_Southbound
database. This section describes how ovn-northd does this for switch and router logical datapaths.
Logical Switch Datapaths
Ingress Table 0: Admission Control and Ingress Port Security - L2
Ingress table 0 contains these logical flows:
• Priority 100 flows to drop packets with VLAN tags or multicast Ethernet source addresses.
• Priority 50 flows that implement ingress port security for each enabled logical port. For
logical ports on which port security is enabled, these match the inport and the valid
eth.src address(es) and advance only those packets to the next flow table. For logical
ports on which port security is not enabled, these advance all packets that match the
inport.
There are no flows for disabled logical ports because the default-drop behavior of logical flow tables
causes packets that ingress from them to be dropped.
Ingress Table 1: Ingress Port Security - IP
Ingress table 1 contains these logical flows:
• For each element in the port security set having one or more IPv4 or IPv6 addresses (or
both),
• Priority 90 flow to allow IPv4 traffic if it has IPv4 addresses which match the
inport, valid eth.src and valid ip4.src address(es).
• Priority 90 flow to allow IPv4 DHCP discovery traffic if it has a valid eth.src.
This is necessary since DHCP discovery messages are sent from the unspecified IPv4
address (0.0.0.0) since the IPv4 address has not yet been assigned.
• Priority 90 flow to allow IPv6 traffic if it has IPv6 addresses which match the
inport, valid eth.src and valid ip6.src address(es).
• Priority 90 flow to allow IPv6 DAD (Duplicate Address Detection) traffic if it has a
valid eth.src. This is is necessary since DAD include requires joining an multicast
group and sending neighbor solicitations for the newly assigned address. Since no
address is yet assigned, these are sent from the unspecified IPv6 address (::).
• Priority 80 flow to drop IP (both IPv4 and IPv6) traffic which match the inport and
valid eth.src.
• One priority-0 fallback flow that matches all packets and advances to the next table.
Ingress Table 2: Ingress Port Security - Neighbor discovery
Ingress table 2 contains these logical flows:
• For each element in the port security set,
• Priority 90 flow to allow ARP traffic which match the inport and valid eth.src and
arp.sha. If the element has one or more IPv4 addresses, then it also matches the
valid arp.spa.
• Priority 90 flow to allow IPv6 Neighbor Solicitation and Advertisement traffic which
match the inport, valid eth.src and nd.sll/nd.tll. If the element has one or more
IPv6 addresses, then it also matches the valid nd.target address(es) for Neighbor
Advertisement traffic.
• Priority 80 flow to drop ARP and IPv6 Neighbor Solicitation and Advertisement
traffic which match the inport and valid eth.src.
• One priority-0 fallback flow that matches all packets and advances to the next table.
Ingress Table 3: from-lport Pre-ACLs
This table prepares flows for possible stateful ACL processing in ingress table ACLs. It contains a
priority-0 flow that simply moves traffic to the next table. If stateful ACLs are used in the logical
datapath, a priority-100 flow is added that sets a hint (with reg0[0] = 1; next;) for table Pre-stateful
to send IP packets to the connection tracker before eventually advancing to ingress table ACLs. If
special ports such as route ports or localnet ports can’t use ct(), a priority-110 flow is added to skip
over stateful ACLs.
Ingress Table 4: Pre-LB
This table prepares flows for possible stateful load balancing processing in ingress table LB and
Stateful. It contains a priority-0 flow that simply moves traffic to the next table. If load balancing
rules with virtual IP addresses (and ports) are configured in OVN_Northbound database for a logical
switch datapath, a priority-100 flow is added for each configured virtual IP address VIP. For IPv4 VIPs,
the match is ip && ip4.dst == VIP. For IPv6 VIPs, the match is ip && ip6.dst == VIP. The flow sets an
action reg0[0] = 1; next; to act as a hint for table Pre-stateful to send IP packets to the connection
tracker for packet de-fragmentation before eventually advancing to ingress table LB.
Ingress Table 5: Pre-stateful
This table prepares flows for all possible stateful processing in next tables. It contains a priority-0
flow that simply moves traffic to the next table. A priority-100 flow sends the packets to connection
tracker based on a hint provided by the previous tables (with a match for reg0[0] == 1) by using the
ct_next; action.
Ingress table 6: from-lport ACLs
Logical flows in this table closely reproduce those in the ACL table in the OVN_Northbound database for
the from-lport direction. The priority values from the ACL table have a limited range and have 1000 added
to them to leave room for OVN default flows at both higher and lower priorities.
• allow ACLs translate into logical flows with the next; action. If there are any stateful
ACLs on this datapath, then allow ACLs translate to ct_commit; next; (which acts as a hint
for the next tables to commit the connection to conntrack),
• allow-related ACLs translate into logical flows with the ct_commit(ct_label=0/1); next;
actions for new connections and reg0[1] = 1; next; for existing connections.
• Other ACLs translate to drop; for new or untracked connections and ct_commit(ct_label=1/1);
for known connections. Setting ct_label marks a connection as one that was previously
allowed, but should no longer be allowed due to a policy change.
This table also contains a priority 0 flow with action next;, so that ACLs allow packets by default. If
the logical datapath has a statetful ACL, the following flows will also be added:
• A priority-1 flow that sets the hint to commit IP traffic to the connection tracker (with
action reg0[1] = 1; next;). This is needed for the default allow policy because, while the
initiator’s direction may not have any stateful rules, the server’s may and then its return
traffic would not be known and marked as invalid.
• A priority-65535 flow that allows any traffic in the reply direction for a connection that
has been committed to the connection tracker (i.e., established flows), as long as the
committed flow does not have ct_label.blocked set. We only handle traffic in the reply
direction here because we want all packets going in the request direction to still go
through the flows that implement the currently defined policy based on ACLs. If a
connection is no longer allowed by policy, ct_label.blocked will get set and packets in the
reply direction will no longer be allowed, either.
• A priority-65535 flow that allows any traffic that is considered related to a committed
flow in the connection tracker (e.g., an ICMP Port Unreachable from a non-listening UDP
port), as long as the committed flow does not have ct_label.blocked set.
• A priority-65535 flow that drops all traffic marked by the connection tracker as invalid.
• A priority-65535 flow that drops all trafic in the reply direction with ct_label.blocked
set meaning that the connection should no longer be allowed due to a policy change. Packets
in the request direction are skipped here to let a newly created ACL re-allow this
connection.
Ingress Table 7: from-lport QoS Marking
Logical flows in this table closely reproduce those in the QoS table with the action column set in the
OVN_Northbound database for the from-lport direction.
• For every qos_rules entry in a logical switch with DSCP marking enabled, a flow will be
added at the priority mentioned in the QoS table.
• One priority-0 fallback flow that matches all packets and advances to the next table.
Ingress Table 8: from-lport QoS Meter
Logical flows in this table closely reproduce those in the QoS table with the bandwidth column set in the
OVN_Northbound database for the from-lport direction.
• For every qos_rules entry in a logical switch with metering enabled, a flow will be added
at the priorirty mentioned in the QoS table.
• One priority-0 fallback flow that matches all packets and advances to the next table.
Ingress Table 9: LB
It contains a priority-0 flow that simply moves traffic to the next table. For established connections a
priority 100 flow matches on ct.est && !ct.rel && !ct.new && !ct.inv and sets an action reg0[2] = 1;
next; to act as a hint for table Stateful to send packets through connection tracker to NAT the packets.
(The packet will automatically get DNATed to the same IP address as the first packet in that connection.)
Ingress Table 10: Stateful
• For all the configured load balancing rules for a switch in OVN_Northbound database that
includes a L4 port PORT of protocol P and IP address VIP, a priority-120 flow is added. For
IPv4 VIPs , the flow matches ct.new && ip && ip4.dst == VIP && P && P.dst == PORT. For IPv6
VIPs, the flow matches ct.new && ip && ip6.dst == VIP && P && P.dst == PORT. The flow’s
action is ct_lb(args) , where args contains comma separated IP addresses (and optional port
numbers) to load balance to. The address family of the IP addresses of args is the same as
the address family of VIP
• For all the configured load balancing rules for a switch in OVN_Northbound database that
includes just an IP address VIP to match on, OVN adds a priority-110 flow. For IPv4 VIPs,
the flow matches ct.new && ip && ip4.dst == VIP. For IPv6 VIPs, the flow matches ct.new &&
ip && ip6.dst == VIP. The action on this flow is ct_lb(args), where args contains comma
separated IP addresses of the same address family as VIP.
• A priority-100 flow commits packets to connection tracker using ct_commit; next; action
based on a hint provided by the previous tables (with a match for reg0[1] == 1).
• A priority-100 flow sends the packets to connection tracker using ct_lb; as the action
based on a hint provided by the previous tables (with a match for reg0[2] == 1).
• A priority-0 flow that simply moves traffic to the next table.
Ingress Table 11: ARP/ND responder
This table implements ARP/ND responder in a logical switch for known IPs. The advantage of the ARP
responder flow is to limit ARP broadcasts by locally responding to ARP requests without the need to send
to other hypervisors. One common case is when the inport is a logical port associated with a VIF and the
broadcast is responded to on the local hypervisor rather than broadcast across the whole network and
responded to by the destination VM. This behavior is proxy ARP.
ARP requests arrive from VMs from a logical switch inport of type default. For this case, the logical
switch proxy ARP rules can be for other VMs or logical router ports. Logical switch proxy ARP rules may
be programmed both for mac binding of IP addresses on other logical switch VIF ports (which are of the
default logical switch port type, representing connectivity to VMs or containers), and for mac binding of
IP addresses on logical switch router type ports, representing their logical router port peers. In order
to support proxy ARP for logical router ports, an IP address must be configured on the logical switch
router type port, with the same value as the peer logical router port. The configured MAC addresses must
match as well. When a VM sends an ARP request for a distributed logical router port and if the peer
router type port of the attached logical switch does not have an IP address configured, the ARP request
will be broadcast on the logical switch. One of the copies of the ARP request will go through the logical
switch router type port to the logical router datapath, where the logical router ARP responder will
generate a reply. The MAC binding of a distributed logical router, once learned by an associated VM, is
used for all that VM’s communication needing routing. Hence, the action of a VM re-arping for the mac
binding of the logical router port should be rare.
Logical switch ARP responder proxy ARP rules can also be hit when receiving ARP requests externally on a
L2 gateway port. In this case, the hypervisor acting as an L2 gateway, responds to the ARP request on
behalf of a destination VM.
Note that ARP requests received from localnet or vtep logical inports can either go directly to VMs, in
which case the VM responds or can hit an ARP responder for a logical router port if the packet is used to
resolve a logical router port next hop address. In either case, logical switch ARP responder rules will
not be hit. It contains these logical flows:
• Priority-100 flows to skip the ARP responder if inport is of type localnet or vtep and
advances directly to the next table. ARP requests sent to localnet or vtep ports can be
received by multiple hypervisors. Now, because the same mac binding rules are downloaded to
all hypervisors, each of the multiple hypervisors will respond. This will confuse L2
learning on the source of the ARP requests. ARP requests received on an inport of type
router are not expected to hit any logical switch ARP responder flows. However, no skip
flows are installed for these packets, as there would be some additional flow cost for this
and the value appears limited.
• Priority-50 flows that match ARP requests to each known IP address A of every logical
switch port, and respond with ARP replies directly with corresponding Ethernet address E:
eth.dst = eth.src;
eth.src = E;
arp.op = 2; /* ARP reply. */
arp.tha = arp.sha;
arp.sha = E;
arp.tpa = arp.spa;
arp.spa = A;
outport = inport;
flags.loopback = 1;
output;
These flows are omitted for logical ports (other than router ports or localport ports) that
are down.
• Priority-50 flows that match IPv6 ND neighbor solicitations to each known IP address A (and
A’s solicited node address) of every logical switch port except of type router, and respond
with neighbor advertisements directly with corresponding Ethernet address E:
nd_na {
eth.src = E;
ip6.src = A;
nd.target = A;
nd.tll = E;
outport = inport;
flags.loopback = 1;
output;
};
Priority-50 flows that match IPv6 ND neighbor solicitations to each known IP address A (and
A’s solicited node address) of logical switch port of type router, and respond with
neighbor advertisements directly with corresponding Ethernet address E:
nd_na_router {
eth.src = E;
ip6.src = A;
nd.target = A;
nd.tll = E;
outport = inport;
flags.loopback = 1;
output;
};
These flows are omitted for logical ports (other than router ports or localport ports) that
are down.
• Priority-100 flows with match criteria like the ARP and ND flows above, except that they
only match packets from the inport that owns the IP addresses in question, with action
next;. These flows prevent OVN from replying to, for example, an ARP request emitted by a
VM for its own IP address. A VM only makes this kind of request to attempt to detect a
duplicate IP address assignment, so sending a reply will prevent the VM from accepting the
IP address that it owns.
In place of next;, it would be reasonable to use drop; for the flows’ actions. If
everything is working as it is configured, then this would produce equivalent results,
since no host should reply to the request. But ARPing for one’s own IP address is intended
to detect situations where the network is not working as configured, so dropping the
request would frustrate that intent.
• One priority-0 fallback flow that matches all packets and advances to the next table.
Ingress Table 12: DHCP option processing
This table adds the DHCPv4 options to a DHCPv4 packet from the logical ports configured with IPv4
address(es) and DHCPv4 options, and similarly for DHCPv6 options.
• A priority-100 logical flow is added for these logical ports which matches the IPv4 packet
with udp.src = 68 and udp.dst = 67 and applies the action put_dhcp_opts and advances the
packet to the next table.
reg0[3] = put_dhcp_opts(offer_ip = ip, options...);
next;
For DHCPDISCOVER and DHCPREQUEST, this transforms the packet into a DHCP reply, adds the
DHCP offer IP ip and options to the packet, and stores 1 into reg0[3]. For other kinds of
packets, it just stores 0 into reg0[3]. Either way, it continues to the next table.
• A priority-100 logical flow is added for these logical ports which matches the IPv6 packet
with udp.src = 546 and udp.dst = 547 and applies the action put_dhcpv6_opts and advances
the packet to the next table.
reg0[3] = put_dhcpv6_opts(ia_addr = ip, options...);
next;
For DHCPv6 Solicit/Request/Confirm packets, this transforms the packet into a DHCPv6
Advertise/Reply, adds the DHCPv6 offer IP ip and options to the packet, and stores 1 into
reg0[3]. For other kinds of packets, it just stores 0 into reg0[3]. Either way, it
continues to the next table.
• A priority-0 flow that matches all packets to advances to table 11.
Ingress Table 13: DHCP responses
This table implements DHCP responder for the DHCP replies generated by the previous table.
• A priority 100 logical flow is added for the logical ports configured with DHCPv4 options
which matches IPv4 packets with udp.src == 68 && udp.dst == 67 && reg0[3] == 1 and responds
back to the inport after applying these actions. If reg0[3] is set to 1, it means that the
action put_dhcp_opts was successful.
eth.dst = eth.src;
eth.src = E;
ip4.dst = A;
ip4.src = S;
udp.src = 67;
udp.dst = 68;
outport = P;
flags.loopback = 1;
output;
where E is the server MAC address and S is the server IPv4 address defined in the DHCPv4
options and A is the IPv4 address defined in the logical port’s addresses column.
(This terminates ingress packet processing; the packet does not go to the next ingress
table.)
• A priority 100 logical flow is added for the logical ports configured with DHCPv6 options
which matches IPv6 packets with udp.src == 546 && udp.dst == 547 && reg0[3] == 1 and
responds back to the inport after applying these actions. If reg0[3] is set to 1, it means
that the action put_dhcpv6_opts was successful.
eth.dst = eth.src;
eth.src = E;
ip6.dst = A;
ip6.src = S;
udp.src = 547;
udp.dst = 546;
outport = P;
flags.loopback = 1;
output;
where E is the server MAC address and S is the server IPv6 LLA address generated from the
server_id defined in the DHCPv6 options and A is the IPv6 address defined in the logical
port’s addresses column.
(This terminates packet processing; the packet does not go on the next ingress table.)
• A priority-0 flow that matches all packets to advances to table 12.
Ingress Table 14 DNS Lookup
This table looks up and resolves the DNS names to the corresponding configured IP address(es).
• A priority-100 logical flow for each logical switch datapath if it is configured with DNS
records, which matches the IPv4 and IPv6 packets with udp.dst = 53 and applies the action
dns_lookup and advances the packet to the next table.
reg0[4] = dns_lookup(); next;
For valid DNS packets, this transforms the packet into a DNS reply if the DNS name can be
resolved, and stores 1 into reg0[4]. For failed DNS resolution or other kinds of packets,
it just stores 0 into reg0[4]. Either way, it continues to the next table.
Ingress Table 15 DNS Responses
This table implements DNS responder for the DNS replies generated by the previous table.
• A priority-100 logical flow for each logical switch datapath if it is configured with DNS
records, which matches the IPv4 and IPv6 packets with udp.dst = 53 && reg0[4] == 1 and
responds back to the inport after applying these actions. If reg0[4] is set to 1, it means
that the action dns_lookup was successful.
eth.dst <-> eth.src;
ip4.src <-> ip4.dst;
udp.dst = udp.src;
udp.src = 53;
outport = P;
flags.loopback = 1;
output;
(This terminates ingress packet processing; the packet does not go to the next ingress
table.)
Ingress Table 16 Destination Lookup
This table implements switching behavior. It contains these logical flows:
• A priority-100 flow that outputs all packets with an Ethernet broadcast or multicast
eth.dst to the MC_FLOOD multicast group, which ovn-northd populates with all enabled
logical ports.
• One priority-50 flow that matches each known Ethernet address against eth.dst and outputs
the packet to the single associated output port.
For the Ethernet address on a logical switch port of type router, when that logical switch
port’s addresses column is set to router and the connected logical router port specifies a
redirect-chassis:
• The flow for the connected logical router port’s Ethernet address is only programmed
on the redirect-chassis.
• If the logical router has rules specified in nat with external_mac, then those
addresses are also used to populate the switch’s destination lookup on the chassis
where logical_port is resident.
• One priority-0 fallback flow that matches all packets and outputs them to the MC_UNKNOWN
multicast group, which ovn-northd populates with all enabled logical ports that accept
unknown destination packets. As a small optimization, if no logical ports accept unknown
destination packets, ovn-northd omits this multicast group and logical flow.
Egress Table 0: Pre-LB
This table is similar to ingress table Pre-LB. It contains a priority-0 flow that simply moves traffic to
the next table. If any load balancing rules exist for the datapath, a priority-100 flow is added with a
match of ip and action of reg0[0] = 1; next; to act as a hint for table Pre-stateful to send IP packets
to the connection tracker for packet de-fragmentation.
Egress Table 1: to-lport Pre-ACLs
This is similar to ingress table Pre-ACLs except for to-lport traffic.
Egress Table 2: Pre-stateful
This is similar to ingress table Pre-stateful.
Egress Table 3: LB
This is similar to ingress table LB.
Egress Table 4: to-lport ACLs
This is similar to ingress table ACLs except for to-lport ACLs.
Egress Table 5: to-lport QoS Marking
This is similar to ingress table QoS marking except they apply to to-lport QoS rules.
Egress Table 6: to-lport QoS Meter
This is similar to ingress table QoS meter except they apply to to-lport QoS rules.
Egress Table 7: Stateful
This is similar to ingress table Stateful except that there are no rules added for load balancing new
connections.
Also the following flows are added.
• A priority 34000 logical flow is added for each logical port which has DHCPv4 options
defined to allow the DHCPv4 reply packet and which has DHCPv6 options defined to allow the
DHCPv6 reply packet from the Ingress Table 13: DHCP responses.
• A priority 34000 logical flow is added for each logical switch datapath configured with DNS
records with the match udp.dst = 53 to allow the DNS reply packet from the Ingress Table
15:DNS responses.
Egress Table 8: Egress Port Security - IP
This is similar to the port security logic in table Ingress Port Security - IP except that outport,
eth.dst, ip4.dst and ip6.dst are checked instead of inport, eth.src, ip4.src and ip6.src
Egress Table 9: Egress Port Security - L2
This is similar to the ingress port security logic in ingress table Admission Control and Ingress Port
Security - L2, but with important differences. Most obviously, outport and eth.dst are checked instead of
inport and eth.src. Second, packets directed to broadcast or multicast eth.dst are always accepted
instead of being subject to the port security rules; this is implemented through a priority-100 flow that
matches on eth.mcast with action output;. Finally, to ensure that even broadcast and multicast packets
are not delivered to disabled logical ports, a priority-150 flow for each disabled logical outport
overrides the priority-100 flow with a drop; action.
Logical Router Datapaths
Logical router datapaths will only exist for Logical_Router rows in the OVN_Northbound database that do
not have enabled set to false
Ingress Table 0: L2 Admission Control
This table drops packets that the router shouldn’t see at all based on their Ethernet headers. It
contains the following flows:
• Priority-100 flows to drop packets with VLAN tags or multicast Ethernet source addresses.
• For each enabled router port P with Ethernet address E, a priority-50 flow that matches
inport == P && (eth.mcast || eth.dst == E), with action next;.
For the gateway port on a distributed logical router (where one of the logical router ports
specifies a redirect-chassis), the above flow matching eth.dst == E is only programmed on
the gateway port instance on the redirect-chassis.
• For each dnat_and_snat NAT rule on a distributed router that specifies an external Ethernet
address E, a priority-50 flow that matches inport == GW && eth.dst == E, where GW is the
logical router gateway port, with action next;.
This flow is only programmed on the gateway port instance on the chassis where the
logical_port specified in the NAT rule resides.
Other packets are implicitly dropped.
Ingress Table 1: IP Input
This table is the core of the logical router datapath functionality. It contains the following flows to
implement very basic IP host functionality.
• L3 admission control: A priority-100 flow drops packets that match any of the following:
• ip4.src[28..31] == 0xe (multicast source)
• ip4.src == 255.255.255.255 (broadcast source)
• ip4.src == 127.0.0.0/8 || ip4.dst == 127.0.0.0/8 (localhost source or destination)
• ip4.src == 0.0.0.0/8 || ip4.dst == 0.0.0.0/8 (zero network source or destination)
• ip4.src or ip6.src is any IP address owned by the router, unless the packet was
recirculated due to egress loopback as indicated by REGBIT_EGRESS_LOOPBACK.
• ip4.src is the broadcast address of any IP network known to the router.
• ICMP echo reply. These flows reply to ICMP echo requests received for the router’s IP
address. Let A be an IP address owned by a router port. Then, for each A that is an IPv4
address, a priority-90 flow matches on ip4.dst == A and icmp4.type == 8 && icmp4.code == 0
(ICMP echo request). For each A that is an IPv6 address, a priority-90 flow matches on
ip6.dst == A and icmp6.type == 128 && icmp6.code == 0 (ICMPv6 echo request). The port of
the router that receives the echo request does not matter. Also, the ip.ttl of the echo
request packet is not checked, so it complies with RFC 1812, section 4.2.2.9. Flows for
ICMPv4 echo requests use the following actions:
ip4.dst <-> ip4.src;
ip.ttl = 255;
icmp4.type = 0;
flags.loopback = 1;
next;
Flows for ICMPv6 echo requests use the following actions:
ip6.dst <-> ip6.src;
ip.ttl = 255;
icmp6.type = 129;
flags.loopback = 1;
next;
• Reply to ARP requests.
These flows reply to ARP requests for the router’s own IP address and populates mac binding
table of the logical router port. The ARP requests are handled only if the requestor’s IP
belongs to the same subnets of the logical router port. For each router port P that owns IP
address A, which belongs to subnet S with prefix length L, and Ethernet address E, a
priority-90 flow matches inport == P && arp.spa == S/L && arp.op == 1 && arp.tpa == A (ARP
request) with the following actions:
put_arp(inport, arp.spa, arp.sha);
eth.dst = eth.src;
eth.src = E;
arp.op = 2; /* ARP reply. */
arp.tha = arp.sha;
arp.sha = E;
arp.tpa = arp.spa;
arp.spa = A;
outport = P;
flags.loopback = 1;
output;
For the gateway port on a distributed logical router (where one of the logical router ports
specifies a redirect-chassis), the above flows are only programmed on the gateway port
instance on the redirect-chassis. This behavior avoids generation of multiple ARP responses
from different chassis, and allows upstream MAC learning to point to the redirect-chassis.
• These flows handles ARP requests not for router’s own IP address. They use the SPA and SHA
to populate the logical router port’s mac binding table, with priority 80. The typical use
case of these flows are GARP requests handling. For the gateway port on a distributed
logical router, these flows are only programmed on the gateway port instance on the
redirect-chassis.
• These flows reply to ARP requests for the virtual IP addresses configured in the router for
DNAT or load balancing. For a configured DNAT IP address or a load balancer IPv4 VIP A, for
each router port P with Ethernet address E, a priority-90 flow matches inport == P &&
arp.op == 1 && arp.tpa == A (ARP request) with the following actions:
eth.dst = eth.src;
eth.src = E;
arp.op = 2; /* ARP reply. */
arp.tha = arp.sha;
arp.sha = E;
arp.tpa = arp.spa;
arp.spa = A;
outport = P;
flags.loopback = 1;
output;
For the gateway port on a distributed logical router with NAT (where one of the logical
router ports specifies a redirect-chassis):
• If the corresponding NAT rule cannot be handled in a distributed manner, then this
flow is only programmed on the gateway port instance on the redirect-chassis. This
behavior avoids generation of multiple ARP responses from different chassis, and
allows upstream MAC learning to point to the redirect-chassis.
• If the corresponding NAT rule can be handled in a distributed manner, then this flow
is only programmed on the gateway port instance where the logical_port specified in
the NAT rule resides.
Some of the actions are different for this case, using the external_mac specified in
the NAT rule rather than the gateway port’s Ethernet address E:
eth.src = external_mac;
arp.sha = external_mac;
This behavior avoids generation of multiple ARP responses from different chassis,
and allows upstream MAC learning to point to the correct chassis.
• ARP reply handling. This flow uses ARP replies to populate the logical router’s ARP table.
A priority-90 flow with match arp.op == 2 has actions put_arp(inport, arp.spa, arp.sha);.
• Reply to IPv6 Neighbor Solicitations. These flows reply to Neighbor Solicitation requests
for the router’s own IPv6 address and load balancing IPv6 VIPs and populate the logical
router’s mac binding table.
For each router port P that owns IPv6 address A, solicited node address S, and Ethernet
address E, a priority-90 flow matches inport == P && nd_ns && ip6.dst == {A, E} &&
nd.target == A with the following actions:
put_nd(inport, ip6.src, nd.sll);
nd_na_router {
eth.src = E;
ip6.src = A;
nd.target = A;
nd.tll = E;
outport = inport;
flags.loopback = 1;
output;
};
For each router port P that has load balancing VIP A, solicited node address S, and
Ethernet address E, a priority-90 flow matches inport == P && nd_ns && ip6.dst == {A, E} &&
nd.target == A with the following actions:
put_nd(inport, ip6.src, nd.sll);
nd_na {
eth.src = E;
ip6.src = A;
nd.target = A;
nd.tll = E;
outport = inport;
flags.loopback = 1;
output;
};
For the gateway port on a distributed logical router (where one of the logical router ports
specifies a redirect-chassis), the above flows replying to IPv6 Neighbor Solicitations are
only programmed on the gateway port instance on the redirect-chassis. This behavior avoids
generation of multiple replies from different chassis, and allows upstream MAC learning to
point to the redirect-chassis.
• IPv6 neighbor advertisement handling. This flow uses neighbor advertisements to populate
the logical router’s mac binding table. A priority-90 flow with match nd_na has actions
put_nd(inport, nd.target, nd.tll);.
• IPv6 neighbor solicitation for non-hosted addresses handling. This flow uses neighbor
solicitations to populate the logical router’s mac binding table (ones that were directed
at the logical router would have matched the priority-90 neighbor solicitation flow
already). A priority-80 flow with match nd_ns has actions put_nd(inport, ip6.src, nd.sll);.
• UDP port unreachable. Priority-80 flows generate ICMP port unreachable messages in reply to
UDP datagrams directed to the router’s IP address. The logical router doesn’t accept any
UDP traffic so it always generates such a reply.
These flows should not match IP fragments with nonzero offset.
Details TBD. Not yet implemented.
• TCP reset. Priority-80 flows generate TCP reset messages in reply to TCP datagrams directed
to the router’s IP address. The logical router doesn’t accept any TCP traffic so it always
generates such a reply.
These flows should not match IP fragments with nonzero offset.
Details TBD. Not yet implemented.
• Protocol unreachable. Priority-70 flows generate ICMP protocol unreachable messages in
reply to packets directed to the router’s IP address on IP protocols other than UDP, TCP,
and ICMP.
These flows should not match IP fragments with nonzero offset.
Details TBD. Not yet implemented.
• Drop other IP traffic to this router. These flows drop any other traffic destined to an IP
address of this router that is not already handled by one of the flows above, which amounts
to ICMP (other than echo requests) and fragments with nonzero offsets. For each IP address
A owned by the router, a priority-60 flow matches ip4.dst == A and drops the traffic. An
exception is made and the above flow is not added if the router port’s own IP address is
used to SNAT packets passing through that router.
The flows above handle all of the traffic that might be directed to the router itself. The following
flows (with lower priorities) handle the remaining traffic, potentially for forwarding:
• Drop Ethernet local broadcast. A priority-50 flow with match eth.bcast drops traffic
destined to the local Ethernet broadcast address. By definition this traffic should not be
forwarded.
• ICMP time exceeded. For each router port P, whose IP address is A, a priority-40 flow with
match inport == P && ip.ttl == {0, 1} && !ip.later_frag matches packets whose TTL has
expired, with the following actions to send an ICMP time exceeded reply:
icmp4 {
icmp4.type = 11; /* Time exceeded. */
icmp4.code = 0; /* TTL exceeded in transit. */
ip4.dst = ip4.src;
ip4.src = A;
ip.ttl = 255;
next;
};
Not yet implemented.
• TTL discard. A priority-30 flow with match ip.ttl == {0, 1} and actions drop; drops other
packets whose TTL has expired, that should not receive a ICMP error reply (i.e. fragments
with nonzero offset).
• Next table. A priority-0 flows match all packets that aren’t already handled and uses
actions next; to feed them to the next table.
Ingress Table 2: DEFRAG
This is to send packets to connection tracker for tracking and defragmentation. It contains a priority-0
flow that simply moves traffic to the next table. If load balancing rules with virtual IP addresses (and
ports) are configured in OVN_Northbound database for a Gateway router, a priority-100 flow is added for
each configured virtual IP address VIP. For IPv4 VIPs the flow matches ip && ip4.dst == VIP. For IPv6
VIPs, the flow matches ip && ip6.dst == VIP. The flow uses the action ct_next; to send IP packets to the
connection tracker for packet de-fragmentation and tracking before sending it to the next table.
Ingress Table 3: UNSNAT
This is for already established connections’ reverse traffic. i.e., SNAT has already been done in egress
pipeline and now the packet has entered the ingress pipeline as part of a reply. It is unSNATted here.
Ingress Table 3: UNSNAT on Gateway Routers
• If the Gateway router has been configured to force SNAT any previously DNATted packets to
B, a priority-110 flow matches ip && ip4.dst == B with an action ct_snat; .
If the Gateway router has been configured to force SNAT any previously load-balanced
packets to B, a priority-100 flow matches ip && ip4.dst == B with an action ct_snat; .
For each NAT configuration in the OVN Northbound database, that asks to change the source
IP address of a packet from A to B, a priority-90 flow matches ip && ip4.dst == B with an
action ct_snat; .
A priority-0 logical flow with match 1 has actions next;.
Ingress Table 3: UNSNAT on Distributed Routers
• For each configuration in the OVN Northbound database, that asks to change the source IP
address of a packet from A to B, a priority-100 flow matches ip && ip4.dst == B && inport
== GW, where GW is the logical router gateway port, with an action ct_snat;.
If the NAT rule cannot be handled in a distributed manner, then the priority-100 flow above
is only programmed on the redirect-chassis.
For each configuration in the OVN Northbound database, that asks to change the source IP
address of a packet from A to B, a priority-50 flow matches ip && ip4.dst == B with an
action REGBIT_NAT_REDIRECT = 1; next;. This flow is for east/west traffic to a NAT
destination IPv4 address. By setting the REGBIT_NAT_REDIRECT flag, in the ingress table
Gateway Redirect this will trigger a redirect to the instance of the gateway port on the
redirect-chassis.
A priority-0 logical flow with match 1 has actions next;.
Ingress Table 4: DNAT
Packets enter the pipeline with destination IP address that needs to be DNATted from a virtual IP address
to a real IP address. Packets in the reverse direction needs to be unDNATed.
Ingress Table 4: Load balancing DNAT rules
Following load balancing DNAT flows are added for Gateway router or Router with gateway port. These flows
are programmed only on the redirect-chassis. These flows do not get programmed for load balancers with
IPv6 VIPs.
• For all the configured load balancing rules for a Gateway router or Router with gateway
port in OVN_Northbound database that includes a L4 port PORT of protocol P and IPv4 address
VIP, a priority-120 flow that matches on ct.new && ip && ip4.dst == VIP && P && P.dst ==
PORT
with an action of ct_lb(args), where args contains comma separated IPv4 addresses (and
optional port numbers) to load balance to. If the router is configured to force SNAT any
load-balanced packets, the above action will be replaced by flags.force_snat_for_lb = 1;
ct_lb(args);.
• For all the configured load balancing rules for a router in OVN_Northbound database that
includes a L4 port PORT of protocol P and IPv4 address VIP, a priority-120 flow that
matches on ct.est && ip && ip4.dst == VIP && P && P.dst == PORT
with an action of ct_dnat;. If the router is configured to force SNAT any load-balanced
packets, the above action will be replaced by flags.force_snat_for_lb = 1; ct_dnat;.
• For all the configured load balancing rules for a router in OVN_Northbound database that
includes just an IP address VIP to match on, a priority-110 flow that matches on ct.new &&
ip && ip4.dst == VIP with an action of ct_lb(args), where args contains comma separated
IPv4 addresses. If the router is configured to force SNAT any load-balanced packets, the
above action will be replaced by flags.force_snat_for_lb = 1; ct_lb(args);.
• For all the configured load balancing rules for a router in OVN_Northbound database that
includes just an IP address VIP to match on, a priority-110 flow that matches on ct.est &&
ip && ip4.dst == VIP with an action of ct_dnat;. If the router is configured to force SNAT
any load-balanced packets, the above action will be replaced by flags.force_snat_for_lb =
1; ct_dnat;.
Ingress Table 4: DNAT on Gateway Routers
• For each configuration in the OVN Northbound database, that asks to change the destination
IP address of a packet from A to B, a priority-100 flow matches ip && ip4.dst == A with an
action flags.loopback = 1; ct_dnat(B);. If the Gateway router is configured to force SNAT
any DNATed packet, the above action will be replaced by flags.force_snat_for_dnat = 1;
flags.loopback = 1; ct_dnat(B);.
• For all IP packets of a Gateway router, a priority-50 flow with an action flags.loopback =
1; ct_dnat;.
• A priority-0 logical flow with match 1 has actions next;.
Ingress Table 4: DNAT on Distributed Routers
On distributed routers, the DNAT table only handles packets with destination IP address that needs to be
DNATted from a virtual IP address to a real IP address. The unDNAT processing in the reverse direction is
handled in a separate table in the egress pipeline.
• For each configuration in the OVN Northbound database, that asks to change the destination
IP address of a packet from A to B, a priority-100 flow matches ip && ip4.dst == B &&
inport == GW, where GW is the logical router gateway port, with an action ct_dnat(B);.
If the NAT rule cannot be handled in a distributed manner, then the priority-100 flow above
is only programmed on the redirect-chassis.
For each configuration in the OVN Northbound database, that asks to change the destination
IP address of a packet from A to B, a priority-50 flow matches ip && ip4.dst == B with an
action REGBIT_NAT_REDIRECT = 1; next;. This flow is for east/west traffic to a NAT
destination IPv4 address. By setting the REGBIT_NAT_REDIRECT flag, in the ingress table
Gateway Redirect this will trigger a redirect to the instance of the gateway port on the
redirect-chassis.
A priority-0 logical flow with match 1 has actions next;.
Ingress Table 5: IPv6 ND RA option processing
• A priority-50 logical flow is added for each logical router port configured with IPv6 ND RA
options which matches IPv6 ND Router Solicitation packet and applies the action
put_nd_ra_opts and advances the packet to the next table.
reg0[5] = put_nd_ra_opts(options);next;
For a valid IPv6 ND RS packet, this transforms the packet into an IPv6 ND RA reply and sets
the RA options to the packet and stores 1 into reg0[5]. For other kinds of packets, it just
stores 0 into reg0[5]. Either way, it continues to the next table.
• A priority-0 logical flow with match 1 has actions next;.
Ingress Table 6: IPv6 ND RA responder
This table implements IPv6 ND RA responder for the IPv6 ND RA replies generated by the previous table.
• A priority-50 logical flow is added for each logical router port configured with IPv6 ND RA
options which matches IPv6 ND RA packets and reg0[5] == 1 and responds back to the inport
after applying these actions. If reg0[5] is set to 1, it means that the action
put_nd_ra_opts was successful.
eth.dst = eth.src;
eth.src = E;
ip6.dst = ip6.src;
ip6.src = I;
outport = P;
flags.loopback = 1;
output;
where E is the MAC address and I is the IPv6 link local address of the logical router port.
(This terminates packet processing in ingress pipeline; the packet does not go to the next
ingress table.)
• A priority-0 logical flow with match 1 has actions next;.
Ingress Table 7: IP Routing
A packet that arrives at this table is an IP packet that should be routed to the address in ip4.dst or
ip6.dst. This table implements IP routing, setting reg0 (or xxreg0 for IPv6) to the next-hop IP address
(leaving ip4.dst or ip6.dst, the packet’s final destination, unchanged) and advances to the next table
for ARP resolution. It also sets reg1 (or xxreg1) to the IP address owned by the selected router port
(ingress table ARP Request will generate an ARP request, if needed, with reg0 as the target protocol
address and reg1 as the source protocol address).
This table contains the following logical flows:
• For distributed logical routers where one of the logical router ports specifies a
redirect-chassis, a priority-300 logical flow with match REGBIT_NAT_REDIRECT == 1 has
actions ip.ttl--; next;. The outport will be set later in the Gateway Redirect table.
• IPv4 routing table. For each route to IPv4 network N with netmask M, on router port P with
IP address A and Ethernet address E, a logical flow with match ip4.dst == N/M, whose
priority is the number of 1-bits in M, has the following actions:
ip.ttl--;
reg0 = G;
reg1 = A;
eth.src = E;
outport = P;
flags.loopback = 1;
next;
(Ingress table 1 already verified that ip.ttl--; will not yield a TTL exceeded error.)
If the route has a gateway, G is the gateway IP address. Instead, if the route is from a
configured static route, G is the next hop IP address. Else it is ip4.dst.
• IPv6 routing table. For each route to IPv6 network N with netmask M, on router port P with
IP address A and Ethernet address E, a logical flow with match in CIDR notation ip6.dst ==
N/M, whose priority is the integer value of M, has the following actions:
ip.ttl--;
xxreg0 = G;
xxreg1 = A;
eth.src = E;
outport = P;
flags.loopback = 1;
next;
(Ingress table 1 already verified that ip.ttl--; will not yield a TTL exceeded error.)
If the route has a gateway, G is the gateway IP address. Instead, if the route is from a
configured static route, G is the next hop IP address. Else it is ip6.dst.
If the address A is in the link-local scope, the route will be limited to sending on the
ingress port.
Ingress Table 8: ARP/ND Resolution
Any packet that reaches this table is an IP packet whose next-hop IPv4 address is in reg0 or IPv6 address
is in xxreg0. (ip4.dst or ip6.dst contains the final destination.) This table resolves the IP address in
reg0 (or xxreg0) into an output port in outport and an Ethernet address in eth.dst, using the following
flows:
• For distributed logical routers where one of the logical router ports specifies a
redirect-chassis, a priority-200 logical flow with match REGBIT_NAT_REDIRECT == 1 has
actions eth.dst = E; next;, where E is the ethernet address of the router’s distributed
gateway port.
• Static MAC bindings. MAC bindings can be known statically based on data in the
OVN_Northbound database. For router ports connected to logical switches, MAC bindings can
be known statically from the addresses column in the Logical_Switch_Port table. For router
ports connected to other logical routers, MAC bindings can be known statically from the mac
and networks column in the Logical_Router_Port table.
For each IPv4 address A whose host is known to have Ethernet address E on router port P, a
priority-100 flow with match outport === P && reg0 == A has actions eth.dst = E; next;.
For each IPv6 address A whose host is known to have Ethernet address E on router port P, a
priority-100 flow with match outport === P && xxreg0 == A has actions eth.dst = E; next;.
For each logical router port with an IPv4 address A and a mac address of E that is
reachable via a different logical router port P, a priority-100 flow with match outport ===
P && reg0 == A has actions eth.dst = E; next;.
For each logical router port with an IPv6 address A and a mac address of E that is
reachable via a different logical router port P, a priority-100 flow with match outport ===
P && xxreg0 == A has actions eth.dst = E; next;.
• Dynamic MAC bindings. These flows resolve MAC-to-IP bindings that have become known
dynamically through ARP or neighbor discovery. (The ingress table ARP Request will issue an
ARP or neighbor solicitation request for cases where the binding is not yet known.)
A priority-0 logical flow with match ip4 has actions get_arp(outport, reg0); next;.
A priority-0 logical flow with match ip6 has actions get_nd(outport, xxreg0); next;.
Ingress Table 9: Gateway Redirect
For distributed logical routers where one of the logical router ports specifies a redirect-chassis, this
table redirects certain packets to the distributed gateway port instance on the redirect-chassis. This
table has the following flows:
• A priority-200 logical flow with match REGBIT_NAT_REDIRECT == 1 has actions outport = CR;
next;, where CR is the chassisredirect port representing the instance of the logical router
distributed gateway port on the redirect-chassis.
• A priority-150 logical flow with match outport == GW && eth.dst == 00:00:00:00:00:00 has
actions outport = CR; next;, where GW is the logical router distributed gateway port and CR
is the chassisredirect port representing the instance of the logical router distributed
gateway port on the redirect-chassis.
• For each NAT rule in the OVN Northbound database that can be handled in a distributed
manner, a priority-100 logical flow with match ip4.src == B && outport == GW, where GW is
the logical router distributed gateway port, with actions next;.
• A priority-50 logical flow with match outport == GW has actions outport = CR; next;, where
GW is the logical router distributed gateway port and CR is the chassisredirect port
representing the instance of the logical router distributed gateway port on the
redirect-chassis.
• A priority-0 logical flow with match 1 has actions next;.
Ingress Table 10: ARP Request
In the common case where the Ethernet destination has been resolved, this table outputs the packet.
Otherwise, it composes and sends an ARP or IPv6 Neighbor Solicitation request. It holds the following
flows:
• Unknown MAC address. A priority-100 flow for IPv4 packets with match eth.dst ==
00:00:00:00:00:00 has the following actions:
arp {
eth.dst = ff:ff:ff:ff:ff:ff;
arp.spa = reg1;
arp.tpa = reg0;
arp.op = 1; /* ARP request. */
output;
};
Unknown MAC address. A priority-100 flow for IPv6 packets with match eth.dst ==
00:00:00:00:00:00 has the following actions:
nd_ns {
nd.target = xxreg0;
output;
};
(Ingress table IP Routing initialized reg1 with the IP address owned by outport and
(xx)reg0 with the next-hop IP address)
The IP packet that triggers the ARP/IPv6 NS request is dropped.
• Known MAC address. A priority-0 flow with match 1 has actions output;.
Egress Table 0: UNDNAT
This is for already established connections’ reverse traffic. i.e., DNAT has already been done in ingress
pipeline and now the packet has entered the egress pipeline as part of a reply. For NAT on a distributed
router, it is unDNATted here. For Gateway routers, the unDNAT processing is carried out in the ingress
DNAT table.
• For all the configured load balancing rules for a router with gateway port in
OVN_Northbound database that includes an IPv4 address VIP, for every backend IPv4 address B
defined for the VIP a priority-120 flow is programmed on redirect-chassis that matches ip
&& ip4.src == B && outport == GW, where GW is the logical router gateway port with an
action ct_dnat;. If the backend IPv4 address B is also configured with L4 port PORT of
protocol P, then the match also includes P.src == PORT. These flows are not added for load
balancers with IPv6 VIPs.
If the router is configured to force SNAT any load-balanced packets, above action will be
replaced by flags.force_snat_for_lb = 1; ct_dnat;.
• For each configuration in the OVN Northbound database that asks to change the destination
IP address of a packet from an IP address of A to B, a priority-100 flow matches ip &&
ip4.src == B && outport == GW, where GW is the logical router gateway port, with an action
ct_dnat;.
If the NAT rule cannot be handled in a distributed manner, then the priority-100 flow above
is only programmed on the redirect-chassis.
If the NAT rule can be handled in a distributed manner, then there is an additional action
eth.src = EA;, where EA is the ethernet address associated with the IP address A in the NAT
rule. This allows upstream MAC learning to point to the correct chassis.
• A priority-0 logical flow with match 1 has actions next;.
Egress Table 1: SNAT
Packets that are configured to be SNATed get their source IP address changed based on the configuration
in the OVN Northbound database.
Egress Table 1: SNAT on Gateway Routers
• If the Gateway router in the OVN Northbound database has been configured to force SNAT a
packet (that has been previously DNATted) to B, a priority-100 flow matches
flags.force_snat_for_dnat == 1 && ip with an action ct_snat(B);.
If the Gateway router in the OVN Northbound database has been configured to force SNAT a
packet (that has been previously load-balanced) to B, a priority-100 flow matches
flags.force_snat_for_lb == 1 && ip with an action ct_snat(B);.
For each configuration in the OVN Northbound database, that asks to change the source IP
address of a packet from an IP address of A or to change the source IP address of a packet
that belongs to network A to B, a flow matches ip && ip4.src == A with an action
ct_snat(B);. The priority of the flow is calculated based on the mask of A, with matches
having larger masks getting higher priorities.
A priority-0 logical flow with match 1 has actions next;.
Egress Table 1: SNAT on Distributed Routers
• For each configuration in the OVN Northbound database, that asks to change the source IP
address of a packet from an IP address of A or to change the source IP address of a packet
that belongs to network A to B, a flow matches ip && ip4.src == A && outport == GW, where
GW is the logical router gateway port, with an action ct_snat(B);. The priority of the flow
is calculated based on the mask of A, with matches having larger masks getting higher
priorities.
If the NAT rule cannot be handled in a distributed manner, then the flow above is only
programmed on the redirect-chassis.
If the NAT rule can be handled in a distributed manner, then there is an additional action
eth.src = EA;, where EA is the ethernet address associated with the IP address A in the NAT
rule. This allows upstream MAC learning to point to the correct chassis.
• A priority-0 logical flow with match 1 has actions next;.
Egress Table 2: Egress Loopback
For distributed logical routers where one of the logical router ports specifies a redirect-chassis.
Earlier in the ingress pipeline, some east-west traffic was redirected to the chassisredirect port, based
on flows in the UNSNAT and DNAT ingress tables setting the REGBIT_NAT_REDIRECT flag, which then triggered
a match to a flow in the Gateway Redirect ingress table. The intention was not to actually send traffic
out the distributed gateway port instance on the redirect-chassis. This traffic was sent to the
distributed gateway port instance in order for DNAT and/or SNAT processing to be applied.
While UNDNAT and SNAT processing have already occurred by this point, this traffic needs to be forced
through egress loopback on this distributed gateway port instance, in order for UNSNAT and DNAT
processing to be applied, and also for IP routing and ARP resolution after all of the NAT processing, so
that the packet can be forwarded to the destination.
This table has the following flows:
• For each NAT rule in the OVN Northbound database on a distributed router, a priority-100
logical flow with match ip4.dst == E && outport == GW, where E is the external IP address
specified in the NAT rule, and GW is the logical router distributed gateway port, with the
following actions:
clone {
ct_clear;
inport = outport;
outport = "";
flags = 0;
flags.loopback = 1;
reg0 = 0;
reg1 = 0;
...
reg9 = 0;
REGBIT_EGRESS_LOOPBACK = 1;
next(pipeline=ingress, table=0);
};
flags.loopback is set since in_port is unchanged and the packet may return back to that
port after NAT processing. REGBIT_EGRESS_LOOPBACK is set to indicate that egress loopback
has occurred, in order to skip the source IP address check against the router address.
• A priority-0 logical flow with match 1 has actions next;.
Egress Table 3: Delivery
Packets that reach this table are ready for delivery. It contains priority-100 logical flows that match
packets on each enabled logical router port, with action output;.
Open vSwitch 2.9.8 ovn-northd ovn-northd(8)