ovn-sb: Describe the pipeline stages generated by ovn-northd.
author Justin Pettit <jpettit@nicira.com>
Wed, 2 Sep 2015 00:17:16 +0000 (17:17 -0700)
committer Justin Pettit <jpettit@nicira.com>
Wed, 2 Sep 2015 01:02:47 +0000 (18:02 -0700)
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Russell Bryant <rbryant@redhat.com>
ovn/ovn-sb.xml

index 38837c1..8102eb3 100644 (file)
       the logical output port replaced by the group member.
     </p>
 
+    <p><em>Pipeline Stages</em></p>
+
+    <p>
+      <code>ovn-northd</code> is responsible for populating the
+      <ref table="Logical_Flow"/> table, so the stages are an
+      implementation detail and subject to change.  This section
+      describes the current logical flow table.
+    </p>
+
+    <p>
+      The ingress pipeline consists of the following stages:
+    </p>
+    <ul>
+      <li>
+        Port Security (Table 0): Validates the source address, drops
+        packets with a VLAN tag, and, if configured, verifies that the
+        logical port is allowed to send with the source address.
+      </li>
+
+      <li>
+        L2 Destination Lookup (Table 1): Forwards known unicast
+        addresses to the appropriate logical port.  Unicast packets to
+        unknown hosts are forwarded to logical ports configured with the
+        special <code>unknown</code> mac address.  Broadcast, and
+        multicast are flooded to all ports in the logical switch.
+      </li>
+    </ul>
+
+    <p>
+      The egress pipeline consists of the following stages:
+    </p>
+    <ul>
+      <li>
+        ACL (Table 0): Applies any specified access control lists.
+      </li>
+
+      <li>
+        Port Security (Table 1): If configured, verifies that the
+        logical port is allowed to receive packets with the destination
+        address.
+      </li>
+    </ul>
+
     <column name="logical_datapath">
       The logical datapath to which the logical flow belongs.
     </column>
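
Review bot: In the ingress Port Security item, "Validates the source address" does not say which address is meant or what the check consists of, and it reads as unconditional while the per-port check in the same sentence is "if configured". Please state what is always validated and what both Port Security stages do when port security is not configured for the logical port, since readers will rely on this text to judge whether source spoofing is blocked by default. The ACL stage is listed only under egress, so it is worth saying explicitly whether ACLs are evaluated anywhere in the ingress pipeline. Smaller points: in the L2 Destination Lookup item, "mac address" should be "MAC address" and "Broadcast, and multicast are flooded" reads better as "Broadcast and multicast packets are flooded"; in the introduction, "describes the current logical flow table" would match the preceding sentence better as "describes the current stages".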