+ <column name="options" key="remote_ip">
+ <p>
+ Required. The tunnel endpoint. Unicast and multicast endpoints are
+ both supported.
+ </p>
+
+ <p>
+ When a multicast endpoint is specified, a routing table lookup occurs
+ only when the tunnel is created. Following a routing change, delete
+ and then re-create the tunnel to force a new routing table lookup.
+ </p>
+ </column>
+
+ <column name="options" key="local_ip">
+ Optional. The destination IP that received packets must match.
+ Default is to match all addresses. Must be omitted when <ref
+ column="options" key="remote_ip"/> is a multicast address.
+ </column>
+
+ <column name="options" key="in_key">
+ <p>Optional. The key that received packets must contain, one of:</p>
+
+ <ul>
+ <li>
+ <code>0</code>. The tunnel receives packets with no key or with a
+ key of 0. This is equivalent to specifying no <ref column="options"
+ key="in_key"/> at all.
+ </li>
+ <li>
+ A positive 32-bit (for GRE) or 64-bit (for CAPWAP) number. The
+ tunnel receives only packets with the specified key.
+ </li>
+ <li>
+ The word <code>flow</code>. The tunnel accepts packets with any
+ key. The key will be placed in the <code>tun_id</code> field for
+ matching in the flow table. The <code>ovs-ofctl</code> manual page
+ contains additional information about matching fields in OpenFlow
+ flows.
+ </li>
+ </ul>
+
+ <p>
+ </p>
+ </column>
+
+ <column name="options" key="out_key">
+ <p>Optional. The key to be set on outgoing packets, one of:</p>
+
+ <ul>
+ <li>
+ <code>0</code>. Packets sent through the tunnel will have no key.
+ This is equivalent to specifying no <ref column="options"
+ key="out_key"/> at all.
+ </li>
+ <li>
+ A positive 32-bit (for GRE) or 64-bit (for CAPWAP) number. Packets
+ sent through the tunnel will have the specified key.
+ </li>
+ <li>
+ The word <code>flow</code>. Packets sent through the tunnel will
+ have the key set using the <code>set_tunnel</code> Nicira OpenFlow
+ vendor extension (0 is used in the absence of an action). The
+ <code>ovs-ofctl</code> manual page contains additional information
+ about the Nicira OpenFlow vendor extensions.
+ </li>
+ </ul>
+ </column>
+
+ <column name="options" key="key">
+ Optional. Shorthand to set <code>in_key</code> and
+ <code>out_key</code> at the same time.
+ </column>
+
+ <column name="options" key="tos">
+ Optional. The value of the ToS bits to be set on the encapsulating
+ packet. It may also be the word <code>inherit</code>, in which case
+ the ToS will be copied from the inner packet if it is IPv4 or IPv6
+ (otherwise it will be 0). The ECN fields are always inherited.
+ Default is 0.
+ </column>
+
+ <column name="options" key="ttl">
+ Optional. The TTL to be set on the encapsulating packet. It may also
+ be the word <code>inherit</code>, in which case the TTL will be copied
+ from the inner packet if it is IPv4 or IPv6 (otherwise it will be the
+ system default, typically 64). Default is the system default TTL.
+ </column>
+
+ <column name="options" key="df_inherit" type='{"type": "boolean"}'>
+ Optional. If enabled, the Don't Fragment bit will be copied from the
+ inner IP headers (those of the encapsulated traffic) to the outer
+ (tunnel) headers. Default is disabled; set to <code>true</code> to
+ enable.
+ </column>
+
+ <column name="options" key="df_default"
+ type='{"type": "boolean"}'>
+ Optional. If enabled, the Don't Fragment bit will be set by default on
+ tunnel headers if the <code>df_inherit</code> option is not set, or if
+ the encapsulated packet is not IP. Default is enabled; set to
+ <code>false</code> to disable.
+ </column>
+
+ <column name="options" key="pmtud" type='{"type": "boolean"}'>
+ Optional. Enable tunnel path MTU discovery. If enabled ``ICMP
+ Destination Unreachable - Fragmentation Needed'' messages will be
+ generated for IPv4 packets with the DF bit set and IPv6 packets above
+ the minimum MTU if the packet size exceeds the path MTU minus the size
+ of the tunnel headers. Note that this option causes behavior that is
+ typically reserved for routers and therefore is not entirely in
+ compliance with the IEEE 802.1D specification for bridges. Default is
+ enabled; set to <code>false</code> to disable.
+ </column>
+
+ <group title="Tunnel Options: gre only">
+ <p>
+ Only <code>gre</code> interfaces support these options.
+ </p>
+
+ <column name="options" key="header_cache" type='{"type": "boolean"}'>
+ Enable caching of tunnel headers and the output path. This can lead
+ to a significant performance increase without changing behavior. In
+ general it should not be necessary to adjust this setting. However,
+ the caching can bypass certain components of the IP stack (such as
+ <code>iptables</code>) and it may be useful to disable it if these
+ features are required or as a debugging measure. Default is enabled,
+ set to <code>false</code> to disable.
+ </column>
+ </group>
+
+ <group title="Tunnel Options: gre and ipsec_gre only">
+ <p>
+ Only <code>gre</code> and <code>ipsec_gre</code> interfaces support
+ these options.
+ </p>
+
+ <column name="options" key="csum" type='{"type": "boolean"}'>
+ <p>
+ Optional. Compute GRE checksums on outgoing packets. Default is
+ disabled, set to <code>true</code> to enable. Checksums present on
+ incoming packets will be validated regardless of this setting.
+ </p>
+
+ <p>
+ GRE checksums impose a significant performance penalty because they
+ cover the entire packet. The encapsulated L3, L4, and L7 packet
+ contents typically have their own checksums, so this additional
+ checksum only adds value for the GRE and encapsulated L2 headers.
+ </p>
+
+ <p>
+ This option is supported for <code>ipsec_gre</code>, but not useful
+ because GRE checksums are weaker than, and redundant with, IPsec
+ payload authentication.
+ </p>
+ </column>
+ </group>
+
+ <group title="Tunnel Options: ipsec_gre only">
+ <p>
+ Only <code>ipsec_gre</code> interfaces support these options.
+ </p>
+
+ <column name="options" key="peer_cert">
+ Required for certificate authentication. A string containing the
+ peer's certificate in PEM format. Additionally the host's
+ certificate must be specified with the <code>certificate</code>
+ option.
+ </column>
+
+ <column name="options" key="certificate">
+ Required for certificate authentication. The name of a PEM file
+ containing a certificate that will be presented to the peer during
+ authentication.
+ </column>
+
+ <column name="options" key="private_key">
+ Optional for certificate authentication. The name of a PEM file
+ containing the private key associated with <code>certificate</code>.
+ If <code>certificate</code> contains the private key, this option may
+ be omitted.
+ </column>
+
+ <column name="options" key="psk">
+ Required for pre-shared key authentication. Specifies a pre-shared
+ key for authentication that must be identical on both sides of the
+ tunnel.
+ </column>
+ </group>
+ </group>
+
+ <group title="Patch Options">
+ <p>
+ Only <code>patch</code> interfaces support these options.
+ </p>
+
+ <column name="options" key="peer">
+ The <ref column="name"/> of the <ref table="Interface"/> for the other
+ side of the patch. The named <ref table="Interface"/>'s own
+ <code>peer</code> option must specify this <ref table="Interface"/>'s
+ name. That is, the two patch interfaces must have reversed <ref
+ column="name"/> and <code>peer</code> values.
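Review bot: The `in_key` column ends with an empty `<p></p>` just before `</column>` (after the closing `</ul>`); either drop the empty paragraph or put the intended text there, since it renders as a blank paragraph in the generated manpage. Two smaller style points in the same hunk: `header_cache` and `csum` use a comma splice ("Default is enabled, set to <code>false</code> to disable", "Default is disabled, set to <code>true</code> to enable") where the other columns use a semicolon ("Default is enabled; set to <code>false</code> to disable"); matching that form keeps the option descriptions consistent. In the `ipsec_gre` group it is also worth stating explicitly that `peer_cert` takes the certificate contents inline as a PEM string while `certificate` and `private_key` take file names, because a reader skimming the three adjacent columns can easily assume all three are paths and end up with a tunnel that fails certificate authentication for a non-obvious reason.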