X-Git-Url: http://git.cascardo.eti.br/?a=blobdiff_plain;ds=sidebyside;f=vswitchd%2Fvswitch.xml;h=932e4b287b6113aa3b7a1a1f346a7bc463a6a2f9;hb=526df7d8543f7f651059338e42f409f04bb9970b;hp=2889a4105511ae473c547d1e3770d1a4dad8aded;hpb=4abb8608afb4000726adf9e3a09da26874880fe3;p=cascardo%2Fovs.git diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml index 2889a4105..932e4b287 100644 --- a/vswitchd/vswitch.xml +++ b/vswitchd/vswitch.xml @@ -72,6 +72,22 @@ host as displayed by xe host-list. + +

+ Interval for updating statistics to the database, in milliseconds. + This option will affect the update of the statistics + column in the following tables: Port, Interface + , Mirror. +

+

+ Default value is 5000 ms. +

+

+ Getting statistics more frequently can be achieved via OpenFlow. +

+
+

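Review bot: The added description of the statistics update interval gives a default ("Default value is 5000 ms.") but no lower bound, so a reader cannot tell what happens with 0 or a very small value. Since the text says this option affects the update of the statistics column in the Port, Interface and Mirror tables, please state the minimum accepted value and how out-of-range values are handled. The closing sentence, "Getting statistics more frequently can be achieved via OpenFlow", would also be more useful if it said why that is preferred over lowering this interval.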
@@ -123,39 +139,44 @@

-

- A number of flows as a nonnegative integer. This sets number of - flows at which eviction from the datapath flow table will be - triggered. If there are a large number of flows then increasing this - value to around the number of flows present can result in reduced CPU - usage and packet loss. + The maximum + number of flows allowed in the datapath flow table. Internally OVS + will choose a flow limit which will likely be lower than this number, + based on real time network conditions.

- The default is 2500. Values below 100 will be rounded up to 100. + The default is 200000.

- +

- Specifies userspace behaviour for handling flow misses. This takes - precedence over flow-eviction-threshold. + Specifies the number of rx queues to be created for each dpdk + interface. If not specified or specified to 0, one rx queue will + be created for each dpdk interface by default.

+
+ +

-

-
auto
-
Handle automatically based on the flow-eviction-threshold and - the flow setup governer (default, recommended).
-
with-facets
-
Always create facets. Expensive kernel flow creation and - statistics tracking is always performed, even on flows with only - a small number of packets.
-
without-facets
-
Always handle without facets. Forces flow misses to be handled - in userspace. May cause an increase in CPU usage and packet loss - on high throughput.
-
+ Specifies CPU mask for setting the cpu affinity of PMD (Poll + Mode Driver) threads. Value should be in the form of hex string, + similar to the dpdk EAL '-c COREMASK' option input or the 'taskset' + mask input. +

+

+ The lowest order bit corresponds to the first CPU core. A set bit + means the corresponding core is available and a pmd thread will be + created and pinned to it. If the input does not cover all cores, + those uncovered cores are considered not set. +

+

+ If not specified, one pmd thread will be created for each numa node + and pinned to any available core on the numa node by default.

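Review bot: The replacement text for the flow limit drops "Values below 100 will be rounded up to 100" without saying whether any floor still applies, and "will likely be lower than this number, based on real time network conditions" gives an operator no way to predict or observe the limit actually in effect. Please document the minimum, if there is one, and where the chosen limit can be read. In the PMD mask paragraph, "Value should be in the form of hex string" should say whether a 0x prefix is accepted, since the text compares the value to both the EAL '-c COREMASK' input and the 'taskset' mask.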
@@ -163,8 +184,28 @@ type='{"type": "integer", "minInteger": 1}'>

Specifies the number of threads for software datapaths to use for - handling new flows. The default is two less than the number of - online CPU cores (but at least 1). + handling new flows. The default the number of online CPU cores minus + the number of revalidators. +

+

+ This configuration is per datapath. If you have more than one + software datapath (e.g. some system bridges and some + netdev bridges), then the total number of threads is + n-handler-threads times the number of software + datapaths. +

+
+ + +

+ Specifies the number of threads for software datapaths to use for + revalidating flows in the datapath. Typically, there is a direct + correlation between the number of revalidator threads, and the number + of flows allowed in the datapath. The default is the number of cpu + cores divided by four plus one. If n-handler-threads is + set, the default changes to the number of cpu cores minus the number + of handler threads.

This configuration is per datapath. If you have more than one @@ -541,6 +582,56 @@ column="other-config" key="datapath-id"/> instead.) + +

+ Reports the version number of the Open vSwitch datapath in use. + This allows management software to detect and report discrepancies + between Open vSwitch userspace and datapath versions. (The column in the reports the Open vSwitch userspace version.) + The version reported depends on the datapath in use: +

+ + + +

+ A version discrepancy between ovs-vswitchd and the + datapath in use is not normally cause for alarm. The Open vSwitch + kernel datapaths for Linux and Hyper-V, in particular, are designed + for maximum inter-version compatibility: any userspace version works + with with any kernel version. Some reasons do exist to insist on + particular user/kernel pairings. First, newer kernel versions add + new features, that can only be used by new-enough userspace, e.g. + VXLAN tunneling requires certain minimal userspace and kernel + versions. Second, as an extension to the first reason, some newer + kernel versions add new features for enhancing performance that only + new-enough userspace versions can take advantage of. +

+
+ Exactly 16 hex digits to set the OpenFlow datapath ID to a specific value. May not be all-zero. @@ -568,9 +659,24 @@ - List of OpenFlow protocols that may be used when negotiating a - connection with a controller. A default value of - OpenFlow10 will be used if this column is empty. +

+ List of OpenFlow protocols that may be used when negotiating + a connection with a controller. OpenFlow 1.0, 1.1, 1.2, and + 1.3 are enabled by default if this column is empty. +

+ +

+ OpenFlow 1.4 is not enabled by default because its implementation is + missing features. +

+ +

+ OpenFlow 1.5 has the same risks as OpenFlow 1.4, but it is even more + experimental because the OpenFlow 1.5 specification is still under + development and thus subject to change. Pass + --enable-of15 to ovs-vswitchd to allow + OpenFlow 1.5 to be enabled. +

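Review bot: "OpenFlow 1.5 has the same risks as OpenFlow 1.4" has no antecedent: the OpenFlow 1.4 paragraph only says its implementation is missing features and names no risks. Please state the risks in the 1.4 paragraph or reword the 1.5 sentence. The first paragraph also changes the empty-column default from OpenFlow10 to 1.0, 1.1, 1.2 and 1.3; a sentence telling operators to list the protocols explicitly when a bridge must stay on a single version would help anyone who relied on the old default.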
@@ -580,7 +686,7 @@ be included in the network to provide automatic backup paths if the active links fails. - + Enable spanning tree on the bridge. By default, STP is disabled on bridges. Bond, internal, and mirror ports are not supported and will not participate in the spanning tree. @@ -621,6 +727,114 @@ ports to forwarding, in seconds. By default, the forwarding delay is 15 seconds. + + +

+ The maximum number of seconds to retain a multicast snooping entry for + which no packets have been seen. The default is currently 300 + seconds (5 minutes). The value, if specified, is forced into a + reasonable range, currently 15 to 3600 seconds. +

+
+ + +

+ The maximum number of multicast snooping addresses to learn. The + default is currently 2048. The value, if specified, is forced into + a reasonable range, currently 10 to 1,000,000. +

+
+ +

+ If set to false, unregistered multicast packets are forwarded + to all ports. + If set to true, unregistered multicast packets are forwarded + to ports connected to multicast routers. +

+
+ + + + Multicast snooping (RFC 4541) monitors the Internet Group Management + Protocol (IGMP) traffic between hosts and multicast routers. The + switch uses what IGMP snooping learns to forward multicast traffic + only to interfaces that are connected to interested receivers. + Currently it supports IGMPv1 and IGMPv2 protocols. + + + Enable multicast snooping on the bridge. For now, the default + is disabled. + + + + + In IEEE Std 802.1D, 1998 Edition, and prior editions of this standard, + Clause 8 specified the spanning tree algorithm and protocol (STP). STP + has now been superseded by the Rapid Spanning Tree Protocol (RSTP) + specified in Clause 17 of the IEEE Std 802.1D, 2004 Edition. + The IEEE 802.1D-2004 Rapid Spanning Tree Algorithm Protocol configures + full, simple, and symmetric connectivity throughout a Bridged Local Area + Network that comprises individual LANs interconnected by Bridges. + Like STP, RSTP is a network protocol that ensures loop-free topologies. + It allows redundant links to be included in the network to provide + automatic backup paths if the active links fails. + + + Enable Rapid Spanning Tree on the bridge. By default, RSTP is disabled + on bridges. Bond, internal, and mirror ports are not supported + and will not participate in the spanning tree. + + + + The bridge's RSTP address (the lower 48 bits of the bridge-id) + in the form + xx:xx:xx:xx:xx:xx. + By default, the address is the MAC address of the bridge. + + + + The bridge's relative priority value for determining the root + bridge (the upper 16 bits of the bridge-id). A bridge with the + lowest bridge-id is elected the root. By default, the priority + is 0x8000 (32768). This value needs to be a multiple of 4096, + otherwise it's rounded to the nearest inferior one. + + + + The Ageing Time parameter for the Bridge. The default value + is 300 seconds. + + + + The Force Protocol Version parameter for the Bridge. 
This + can take the value 0 (STP Compatibility mode) or 2 + (the default, normal operation). + + + + The maximum age of the information transmitted by the Bridge + when it is the Root Bridge. The default value is 20. + + + + The delay used by STP Bridges to transition Root and Designated + Ports to Forwarding. The default value is 15. + + + + The Transmit Hold Count used by the Port Transmit state machine + to limit transmission rate. The default value is 6. + + @@ -769,8 +983,8 @@ - - + +

A port within a .

Most commonly, a port has exactly one ``interface,'' pointed to by its column. Such a port logically @@ -1134,6 +1348,90 @@ + + + If rapid spanning tree is enabled on the bridge, member ports are + enabled by default (with the exception of bond, internal, and + mirror ports which do not work with RSTP). If this column's + value is false rapid spanning tree is disabled on the + port. + + + + The port's relative priority value for determining the root + port, in multiples of 16. By default, the port priority is 0x80 + (128). Any value in the lower 4 bits is rounded off. The significant + upper 4 bits become the upper 4 bits of the port-id. A port with the + lowest port-id is elected as the root. + + + + The local RSTP port number, used as the lower 12 bits of the port-id. + By default the port numbers are assigned automatically, and typically + may not correspond to the OpenFlow port numbers. A port with the + lowest port-id is elected as the root. + + + + The port path cost. The Port's contribution, when it is + the Root Port, to the Root Path Cost for the Bridge. By default the + cost is automatically calculated from the port's speed. + + + + The admin edge port parameter for the Port. Default is + false. + + + + The auto edge port parameter for the Port. Default is + true. + + + +

+ The mcheck port parameter for the Port. Default is + false. May be set to force the Port Protocol + Migration state machine to transmit RST BPDUs for a + MigrateTime period, to test whether all STP Bridges on the + attached LAN have been removed and the Port can continue to + transmit RSTP BPDUs. Setting mcheck has no effect if the + Bridge is operating in STP Compatibility mode. +

+

+ Changing the value from true to + false has no effect, but needs to be done if + this behavior is to be triggered again by subsequently + changing the value from false to + true. +

+ + + + + +

+ If set to true, multicast packets (except Reports) are + unconditionally forwarded to the specific port. +

+
+ +

+ If set to true, multicast Reports are unconditionally + forwarded to the specific port. +

+
+
+ Quality of Service configuration for this port. @@ -1197,11 +1495,20 @@ STP role of the port.

+ + +

+ For a bonded port, record the mac address of the current active slave. +

+
+

- Key-value pairs that report port statistics. + Key-value pairs that report port statistics. The update period + is controlled by in the Open_vSwitch table.

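Review bot: The added bond text, "For a bonded port, record the mac address of the current active slave", reads as an instruction to the user rather than a description of a value that Open vSwitch reports, and it does not say what the column holds for a non-bonded port or for a bond with no active slave. Suggest "For a bonded port, the MAC address of the current active slave", followed by the empty case. "mac" should be "MAC", as in "the MAC address of the bridge" elsewhere in this patch.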
@@ -1269,6 +1576,13 @@ address.

+ + If the configuration of the port failed, as indicated by -1 in , Open vSwitch sets this column to an error + description in human readable form. Otherwise, Open vSwitch clears + this column. + +

When a client adds a new interface, Open vSwitch chooses an OpenFlow @@ -1349,6 +1663,16 @@

tap
A TUN/TAP device managed by Open vSwitch.
+
geneve
+
+ An Ethernet over Geneve (http://tools.ietf.org/html/draft-gross-geneve-00) + IPv4 tunnel. + + Geneve supports options as a means to transport additional metadata, + however, currently only the 24-bit VNI is supported. This is planned + to be extended in the future. +
+
gre
An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4 @@ -1421,8 +1745,9 @@

These options apply to interfaces with of - gre, ipsec_gre, gre64, - ipsec_gre64, vxlan, and lisp. + geneve, gre, ipsec_gre, + gre64, ipsec_gre64, vxlan, + and lisp.

@@ -1510,9 +1835,9 @@ key="in_key"/> at all.

  • - A positive 24-bit (for VXLAN and LISP), 32-bit (for GRE) or 64-bit - (for GRE64) number. The tunnel receives only packets with the - specified key. + A positive 24-bit (for Geneve, VXLAN, and LISP), 32-bit (for GRE) + or 64-bit (for GRE64) number. The tunnel receives only packets + with the specified key.
  • The word flow. The tunnel accepts packets with any @@ -1537,9 +1862,9 @@ key="out_key"/> at all.
  • - A positive 24-bit (for VXLAN and LISP), 32-bit (for GRE) or 64-bit - (for GRE64) number. Packets sent through the tunnel will have the - specified key. + A positive 24-bit (for Geneve, VXLAN and LISP), 32-bit (for GRE) or + 64-bit (for GRE64) number. Packets sent through the tunnel will + have the specified key.
  • The word flow. Packets sent through the tunnel will @@ -1579,6 +1904,26 @@ to false to disable. + + + +

    Optional. Comma separated list of optional VXLAN extensions to + enable. The following extensions are supported:

    + +
      +
    • + gbp: VXLAN-GBP allows to transport the group policy + context of a packet across the VXLAN tunnel to other network + peers. See the field description of tun_gbp_id and + tun_gbp_flags in ovs-ofctl(8) for additional + information. + (https://tools.ietf.org/html/draft-smith-vxlan-group-policy) +
    • +
    +
    + +
    +

    Only gre and ipsec_gre interfaces support @@ -1742,8 +2087,8 @@ - Egress interface for tunnels. Currently only relevant for GRE tunnels - On Linux systems, this column will show the name of the interface + Egress interface for tunnels. Currently only relevant for tunnels + on Linux systems, this column will show the name of the interface which is responsible for routing traffic destined for the configured . This could be an internal interface such as a bridge port. @@ -1759,12 +2104,14 @@

    Key-value pairs that report interface statistics. The current - implementation updates these counters periodically. Future - implementations may update them when an interface is created, when they - are queried (e.g. using an OVSDB select operation), and - just before an interface is deleted due to virtual interface hot-unplug - or VM shutdown, and perhaps at other times, but not on any regular - periodic basis. + implementation updates these counters periodically. The update period + is controlled by in the Open_vSwitch table. + Future implementations may update them when an interface is created, + when they are queried (e.g. using an OVSDB select + operation), and just before an interface is deleted due to virtual + interface hot-unplug or VM shutdown, and perhaps at other times, but + not on any regular periodic basis.

    These are the same statistics reported by OpenFlow in its struct @@ -1926,7 +2273,8 @@

    - True to enable BFD on this . + True to enable BFD on this . If not + specified, BFD will not be enabled by default. - True to consider the interface capable of packet I/O as long as it - continues to receive any packets (not just BFD packets). This - prevents link congestion that causes consecutive BFD control packets - to be lost from marking the interface down. + When true, traffic received on the + is used to indicate the capability of packet + I/O. BFD control packets are still transmitted and received. At + least one BFD control packet must be received every 100 * amount of time. Otherwise, even if + traffic are received, the + will be false. @@ -1978,12 +2329,37 @@ tunnel key. - + + Set to an Ethernet address in the form + xx:xx:xx:xx:xx:xx + to set the MAC used as source for transmitted BFD packets. The + default is the mac address of the BFD enabled interface. + + + Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx - to set the MAC used as destination for transmitted BFD packets and - expected as destination for received BFD packets. The default is - 00:23:20:00:00:01. + to set the MAC used as destination for transmitted BFD packets. The + default is 00:23:20:00:00:01. + + + + Set to an Ethernet address in the form + xx:xx:xx:xx:xx:xx + to set the MAC used for checking the destination of received BFD packets. + Packets with different destination MAC will not be considered as BFD packets. + If not specified the destination MAC address of received BFD packets + are not checked. + + + + Set to an IPv4 address to set the IP address used as source for + transmitted BFD packets. The default is 169.254.1.1. + + + + Set to an IPv4 address to set the IP address used as destination + for transmitted BFD packets. The default is 169.254.1.0.
    @@ -2010,8 +2386,9 @@ - In case of a problem, set to a short message that reports what the - local BFD session thinks is wrong. + In case of a problem, set to an error message that reports what the + local BFD session thinks is wrong. The error messages are defined + in section 4.1 of [RFC 5880]. - In case of a problem, set to a short message that reports what the - remote endpoint's BFD session thinks is wrong. + In case of a problem, set to an error message that reports what the + remote endpoint's BFD session thinks is wrong. The error messages + are defined in section 4.1 of [RFC 5880]. - A Maintenance Point ID (MPID) uniquely identifies each endpoint within - a Maintenance Association. The MPID is used to identify this endpoint - to other Maintenance Points in the MA. Each end of a link being - monitored should have a different MPID. Must be configured to enable - CFM on this . +

    + A Maintenance Point ID (MPID) uniquely identifies each endpoint + within a Maintenance Association. The MPID is used to identify this + endpoint to other Maintenance Points in the MA. Each end of a link + being monitored should have a different MPID. Must be configured to + enable CFM on this . +

    +

    + According to the 802.1ag specification, MPIDs can only range between + [1, 8191]. However, extended mode (see ) supports eight byte MPIDs. +

    @@ -2194,8 +2579,8 @@ with compliant implementations which may be running concurrently on the network. Furthermore, extended mode increases the accuracy of the cfm_interval configuration parameter by breaking wire - compatibility with 802.1ag compliant implementations. Defaults to - false. + compatibility with 802.1ag compliant implementations. And extended + mode allows eight byte MPIDs. Defaults to false. @@ -2204,9 +2589,10 @@ is true, the CFM module operates in demand mode. When in demand mode, traffic received on the is used to indicate - liveness. CCMs are still transmitted and received, but if the - is receiving traffic, their absence does not - cause a connectivity fault. + liveness. CCMs are still transmitted and received. At least one + CCM must be received every 100 * amount of time. Otherwise, even if traffic + are received, the CFM module will raise the connectivity fault.

    @@ -2577,12 +2963,25 @@ feature for tun_id would only make sense if the tunnel IDs have prefix structure similar to IP addresses.)

    + +

    + By default, the prefixes=ip_dst,ip_src are used + on each flow table. This instructs the flow classifier to + track the IP destination and source addresses used by the + rules in this specific flow table. +

    + +

    + The keyword none is recognized as an explicit + override of the default values, causing no prefix fields to be + tracked. +

    +

    - For example, prefixes=ip_dst,ip_src instructs the - flow classifier to track the IP destination and source - addresses used by the rules in this specific flow table. To - set the prefix fields, the flow table record needs to exist: + To set the prefix fields, the flow table record needs to + exist:

    +
    ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- --id=@N1 create Flow_Table name=table0
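Review bot: The two added paragraphs document the ip_dst,ip_src default and the "none" keyword, but the shortened lead-in, "To set the prefix fields, the flow table record needs to exist:", no longer shows what a prefixes setting looks like, because the "For example, prefixes=ip_dst,ip_src" sentence was removed. Please keep one concrete prefixes value in the example text and say that the record is only needed when overriding the default, including the "none" case.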
    @@ -2601,6 +3000,13 @@ one flow table. Currently this limit is 3.

    + + + The overall purpose of these columns is described under Common + Columns at the beginning of this document. + + +
  • @@ -2860,7 +3266,9 @@

    - Key-value pairs that report mirror statistics. + Key-value pairs that report mirror statistics. The update period + is controlled by in the Open_vSwitch table.

    Number of packets transmitted through this mirror. @@ -2964,12 +3372,18 @@
    tcp:ip[:port]
    -

    The specified TCP port on the host at the - given ip, which must be expressed as an IP - address (not a DNS name).

    -

    If port is not specified, it currently - defaults to 6633. In the future, the default will change to - 6653, which is the IANA-defined value.

    +

    + The specified TCP port on the host at the given + ip, which must be expressed as an IP address (not a + DNS name), where ip can be IPv4 or IPv6 address. If + ip is an IPv6 address, wrap it in square brackets, + e.g. tcp:[::1]:6632. +

    +

    + If port is not specified, it currently defaults to + 6633. In the future, the default will change to 6653, which is + the IANA-defined value. +

    @@ -2979,29 +3393,48 @@

    pssl:[port][:ip]
    -

    Listens for SSL connections on the specified TCP - port. If ip, which must be expressed - as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP - address. The - column in the table must point - to a valid SSL configuration when this form is used.

    -

    If port is not specified, it currently - defaults to 6633. In the future, the default will change to - 6653, which is the IANA-defined value.

    -

    SSL support is an optional feature that is not always built as - part of Open vSwitch.

    +

    + Listens for SSL connections on the specified TCP port. + If ip, which must be expressed as an IP address (not a + DNS name), is specified, then connections are restricted to the + specified local IP address (either IPv4 or IPv6). If + ip is an IPv6 address, wrap it in square brackets, + e.g. pssl:6632:[::1]. +

    +

    + If port is not specified, it currently defaults to + 6633. If ip is not specified then it listens only on + IPv4 (but not IPv6) addresses. The + + column in the table must point to a + valid SSL configuration when this form is used. +

    +

    + If port is not specified, it currently defaults to + 6633. In the future, the default will change to 6653, which is + the IANA-defined value. +

    +

    + SSL support is an optional feature that is not always built as + part of Open vSwitch. +

    ptcp:[port][:ip]
    -

    Listens for connections on the specified TCP - port. If ip, which must be expressed - as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP - address.

    -

    If port is not specified, it currently - defaults to 6633. In the future, the default will change to - 6653, which is the IANA-defined value.

    +

    + Listens for connections on the specified TCP port. If + ip, which must be expressed as an IP address (not a + DNS name), is specified, then connections are restricted to the + specified local IP address (either IPv4 or IPv6). If + ip is an IPv6 address, wrap it in square brackets, + e.g. ptcp:6632:[::1]. If ip is not + specified then it listens only on IPv4 addresses. +

    +

    + If port is not specified, it currently defaults to + 6633. In the future, the default will change to 6653, which is + the IANA-defined value. +

    When multiple controllers are configured for a single bridge, the @@ -3055,7 +3488,7 @@ - +

    OpenFlow switches send certain messages to controllers spontanenously, that is, not in response to any request from the controller. These @@ -3075,38 +3508,102 @@ on any messages that it does want to receive, if any. - +

    - The maximum rate at which the switch will forward packets to the - OpenFlow controller, in packets per second. This feature prevents a - single bridge from overwhelming the controller. If not specified, - the default is implementation-specific. + A switch can forward packets to a controller over the OpenFlow + protocol. Forwarding packets this way at too high a rate can + overwhelm a controller, frustrate use of the OpenFlow connection for + other purposes, increase the latency of flow setup, and use an + unreasonable amount of bandwidth. Therefore, Open vSwitch supports + limiting the rate of packet forwarding to a controller.

    - In addition, when a high rate triggers rate-limiting, Open vSwitch - queues controller packets for each port and transmits them to the - controller at the configured rate. The value limits the number of queued - packets. Ports on a bridge share the packet queue fairly. + There are two main reasons in OpenFlow for a packet to be sent to a + controller: either the packet ``misses'' in the flow table, that is, + there is no matching flow, or a flow table action says to send the + packet to the controller. Open vSwitch limits the rate of each kind + of packet separately at the configured rate. Therefore, the actual + rate that packets are sent to the controller can be up to twice the + configured rate, when packets are sent for both reasons.

    - Open vSwitch maintains two such packet rate-limiters per bridge: one - for packets sent up to the controller because they do not correspond - to any flow, and the other for packets sent up to the controller by - request through flow actions. When both rate-limiters are filled with - packets, the actual rate that packets are sent to the controller is - up to twice the specified rate. + This feature is specific to forwarding packets over an OpenFlow + connection. It is not general-purpose QoS. See the table for quality of service configuration, and in the table for ingress policing configuration.

    -
    - - In conjunction with , - the maximum number of unused packet credits that the bridge will - allow to accumulate, in packets. If not specified, the default - is implementation-specific. - + +

    + The maximum rate at which the switch will forward packets to the + OpenFlow controller, in packets per second. If no value is + specified, rate limiting is disabled. +

    +
    + + +

    + When a high rate triggers rate-limiting, Open vSwitch queues + packets to the controller for each port and transmits them to the + controller at the configured rate. This value limits the number of + queued packets. Ports on a bridge share the packet queue fairly. +

    + +

    + This value has no effect unless is configured. The current + default when this value is not specified is one-quarter of , meaning that queuing can delay + forwarding a packet to the controller by up to 250 ms. +

    +
    + + +

    + These values report the effects of rate limiting. Their values are + relative to establishment of the most recent OpenFlow connection, + or since rate limiting was enabled, whichever happened more + recently. Each consists of two values, one with TYPE + replaced by miss for rate limiting flow table misses, + and the other with TYPE replaced by + action for rate limiting packets sent by OpenFlow + actions. +

    + +

    + These statistics are reported only when controller rate limiting is + enabled. +

    + + + Number of packets sent directly to the controller, without queuing, + because the rate did not exceed the configured maximum. + + + + Number of packets added to the queue to send later. + + + + Number of packets added to the queue that were later dropped due to + overflow. This value is less than or equal to . + + + + Number of packets currently queued. The other statistics increase + monotonically, but this one fluctuates between 0 and the as conditions change. + +
    +
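Review bot: "If no value is specified, rate limiting is disabled" replaces "the default is implementation-specific", which changes the documented default, yet the new introductory paragraph that explains how a high forwarding rate can overwhelm a controller never says that the protection is off unless configured. Please state that in the introduction so the risk and the default sit together. In the burst paragraph, "up to 250 ms" holds only for the default of one-quarter of the rate; a sentence on how the delay scales for an explicitly set value would make the trade-off clear.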
    @@ -3156,7 +3653,7 @@
    Equivalent to other, except that there may be at most one master controller at a time. When a controller configures itself as master, any existing master is demoted to - the slaverole.
    + the slave role.
    slave
    Allows the controller read-only access to OpenFlow features. Attempts to modify the flow table will be rejected with an @@ -3295,8 +3792,10 @@

    The specified TCP port on the host at the given - ip, which must be expressed as an IP address - (not a DNS name). + ip, which must be expressed as an IP address (not a + DNS name), where ip can be IPv4 or IPv6 address. If + ip is an IPv6 address, wrap it in square brackets, + e.g. tcp:[::1]:6632.

    If port is not specified, it currently defaults @@ -3307,13 +3806,16 @@

    pssl:[port][:ip]

    - Listens for SSL connections on the specified TCP - port. Specify 0 for port to have - the kernel automatically choose an available port. If - ip, which must be expressed as an IP address - (not a DNS name), is specified, then connections are - restricted to the specified local IP address. The column in the port. + Specify 0 for port to have the kernel automatically + choose an available port. If ip, which must be + expressed as an IP address (not a DNS name), is specified, then + connections are restricted to the specified local IP address + (either IPv4 or IPv6 address). If ip is an IPv6 + address, wrap in square brackets, + e.g. pssl:6632:[::1]. If ip is not + specified then it listens only on IPv4 (but not IPv6) addresses. + The column in the table must point to a valid SSL configuration when this form is used.

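Review bot: "If ip is not specified then it listens only on IPv4 (but not IPv6) addresses" does not say whether that means every local IPv4 address. For a listening management socket that decides what is exposed, so please state it explicitly and point to the ip argument, which the same paragraph says restricts connections to the specified local IP address. Nit: "wrap in square brackets" here is "wrap it in square brackets" in the tcp and ptcp entries.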
    @@ -3330,12 +3832,15 @@
    ptcp:[port][:ip]

    - Listens for connections on the specified TCP - port. Specify 0 for port to have - the kernel automatically choose an available port. If - ip, which must be expressed as an IP address - (not a DNS name), is specified, then connections are - restricted to the specified local IP address. + Listens for connections on the specified TCP port. + Specify 0 for port to have the kernel automatically + choose an available port. If ip, which must be + expressed as an IP address (not a DNS name), is specified, then + connections are restricted to the specified local IP address + (either IPv4 or IPv6 address). If ip is an IPv6 + address, wrap it in square brackets, + e.g. ptcp:6632:[::1]. If ip is not + specified then it listens only on IPv4 addresses.

    If port is not specified, it currently defaults @@ -3546,10 +4051,20 @@ - The interval at which NetFlow records are sent for flows that are - still active, in seconds. A value of 0 requests the - default timeout (currently 600 seconds); a value of -1 - disables active timeouts. +

    + The interval at which NetFlow records are sent for flows that + are still active, in seconds. A value of 0 + requests the default timeout (currently 600 seconds); a value + of -1 disables active timeouts. +

    + +

    + The NetFlow passive timeout, for flows that become inactive, + is not configurable. It will vary depending on the Open + vSwitch version, the forms and contents of the OpenFlow flow + tables, CPU and memory usage, and network activity. A typical + passive timeout is about a second. +

    @@ -3655,38 +4170,53 @@
    -

    A set of IPFIX collectors. IPFIX is a protocol that exports a - number of details about flows.

    +

    Configuration for sending packets to IPFIX collectors.

    - - IPFIX target collectors in the form - ip:port. - +

    + IPFIX is a protocol that exports a number of details about flows. The + IPFIX implementation in Open vSwitch samples packets at a configurable + rate, extracts flow information from those packets, optionally caches and + aggregates the flow information, and sends the result to one or more + collectors. +

    - - For per-bridge packet sampling, i.e. when this row is referenced - from a , the rate at which packets should - be sampled and sent to each target collector. If not specified, - defaults to 400, which means one out of 400 packets, on average, - will be sent to each target collector. Ignored for per-flow - sampling, i.e. when this row is referenced from a . - +

    + IPFIX in Open vSwitch can be configured two different ways: +

    - - For per-bridge packet sampling, i.e. when this row is referenced - from a , the IPFIX Observation Domain ID - sent in each IPFIX packet. If not specified, defaults to 0. - Ignored for per-flow sampling, i.e. when this row is referenced - from a . - + + + + IPFIX target collectors in the form + ip:port. @@ -3701,6 +4231,124 @@ disabled. + +

    + These values affect only per-bridge sampling. See above for a + description of the differences between per-bridge and flow-based + sampling. +

    + + + The rate at which packets should be sampled and sent to each target + collector. If not specified, defaults to 400, which means one out of + 400 packets, on average, will be sent to each target collector. + + + + The IPFIX Observation Domain ID sent in each IPFIX packet. If not + specified, defaults to 0. + + + + The IPFIX Observation Point ID sent in each IPFIX flow record. If not + specified, defaults to 0. + + + +

    + Set to true to enable sampling and reporting tunnel + header 7-tuples in IPFIX flow records. Tunnel sampling is disabled + by default. +

    + +

    + The following enterprise entities report the sampled tunnel info: +

    + +
    +
    tunnelType:
    +
    +

    ID: 891, and enterprise ID 6876 (VMware).

    +

    type: unsigned 8-bit integer.

    +

    data type semantics: identifier.

    +

    description: Identifier of the layer 2 network overlay network + encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x05 IPsec+GRE, + 0x07 GENEVE.

    +
    +
    tunnelKey:
    +
    +

    ID: 892, and enterprise ID 6876 (VMware).

    +

    type: variable-length octetarray.

    +

    data type semantics: identifier.

    +

    description: Key which is used for identifying an individual + traffic flow within a VxLAN (24-bit VNI), GENEVE (24-bit VNI), + GRE (32- or 64-bit key), or LISP (24-bit instance ID) tunnel. The + key is encoded in this octetarray as a 3-, 4-, or 8-byte integer + ID in network byte order.

    +
    +
    tunnelSourceIPv4Address:
    +
    +

    ID: 893, and enterprise ID 6876 (VMware).

    +

    type: unsigned 32-bit integer.

    +

    data type semantics: identifier.

    +

    description: The IPv4 source address in the tunnel IP packet + header.

    +
    +
    tunnelDestinationIPv4Address:
    +
    +

    ID: 894, and enterprise ID 6876 (VMware).

    +

    type: unsigned 32-bit integer.

    +

    data type semantics: identifier.

    +

    description: The IPv4 destination address in the tunnel IP + packet header.

    +
    +
    tunnelProtocolIdentifier:
    +
    +

    ID: 895, and enterprise ID 6876 (VMware).

    +

    type: unsigned 8-bit integer.

    +

    data type semantics: identifier.

    +

    description: The value of the protocol number in the tunnel + IP packet header. The protocol number identifies the tunnel IP + packet payload type.

    +
    +
    tunnelSourceTransportPort:
    +
    +

    ID: 896, and enterprise ID 6876 (VMware).

    +

    type: unsigned 16-bit integer.

    +

    data type semantics: identifier.

    +

    description: The source port identifier in the tunnel transport + header. For the transport protocols UDP, TCP, and SCTP, this is + the source port number given in the respective header.

    +
    +
    tunnelDestinationTransportPort:
    +
    +

    ID: 897, and enterprise ID 6876 (VMware).

    +

    type: unsigned 16-bit integer.

    +

    data type semantics: identifier.

    +

    description: The destination port identifier in the tunnel + transport header. For the transport protocols UDP, TCP, and SCTP, + this is the destination port number given in the respective header. +

    +
    +
    +
    + + + By default, Open vSwitch samples and reports flows at bridge port input + in IPFIX flow records. Set this column to false to + disable input sampling. + + + + By default, Open vSwitch samples and reports flows at bridge port + output in IPFIX flow records. Set this column to false to + disable output sampling. + +
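Review bot: the tunnelType description enumerates 0x01, 0x02, 0x03, 0x05 and 0x07 but does not say what a collector should do with 0x04, 0x06 or any other value. Please state whether those are reserved or unused, so that a parser can reject or flag unknown types instead of guessing. The tunnelKey text has a related gap: the key is a 3-, 4- or 8-byte octetarray and three of the listed encapsulations (VxLAN, GENEVE, LISP) share the 3-byte form, so the documentation should say that the key is only meaningful together with tunnelType. Finally, only tunnelSourceIPv4Address and tunnelDestinationIPv4Address are defined; if tunnels with IPv6 endpoints are not reported, the description of the enabling column should say so.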
    + The overall purpose of these columns is described under Common Columns at the beginning of this document. @@ -3710,8 +4358,12 @@
    -

    A set of IPFIX collectors of packet samples generated by - OpenFlow sample actions.

    +

    + A set of IPFIX collectors of packet samples generated by OpenFlow + sample actions. This table is used only for IPFIX + flow-based sampling, not for per-bridge sampling (see the table for a description of the two forms). +

    The ID of this collector set, unique among the bridge's