+ </group>
+
+ <group title="Tunnel Options">
+ <p>
+ These options apply to interfaces with <ref column="type"/> of
+ <code>gre</code>, <code>ipsec_gre</code>, and <code>capwap</code>.
+ </p>
+
+ <p>
+ Each tunnel must be uniquely identified by the combination of <ref
+ column="type"/>, <ref column="options" key="remote_ip"/>, <ref
+ column="options" key="local_ip"/>, and <ref column="options"
+ key="in_key"/>. If two ports are defined that are the same except one
+ has an optional identifier and the other does not, the more specific
+ one is matched first. <ref column="options" key="in_key"/> is
+ considered more specific than <ref column="options" key="local_ip"/> if
+ a port defines one and another port defines the other.
+ </p>
+
+ <column name="options" key="remote_ip">
+ Required. The tunnel endpoint.
+ </column>
+
+ <column name="options" key="local_ip">
+ Optional. The destination IP that received packets must
+ match. Default is to match all addresses.
+ </column>
+
+ <column name="options" key="in_key">
+ <p>Optional. The key that received packets must contain, one of:</p>
+
+ <ul>
+ <li>
+ <code>0</code>. The tunnel receives packets with no key or with a
+ key of 0. This is equivalent to specifying no <ref column="options"
+ key="in_key"/> at all.
+ </li>
+ <li>
+ A positive 32-bit (for GRE) or 64-bit (for CAPWAP) number. The
+ tunnel receives only packets with the specified key.
+ </li>
+ <li>
+ The word <code>flow</code>. The tunnel accepts packets with any
+ key. The key will be placed in the <code>tun_id</code> field for
+ matching in the flow table. The <code>ovs-ofctl</code> manual page
+ contains additional information about matching fields in OpenFlow
+ flows.
+ </li>
+ </ul>
+
+ <p>
+ </p>
+ </column>
+
+ <column name="options" key="out_key">
+ <p>Optional. The key to be set on outgoing packets, one of:</p>
+
+ <ul>
+ <li>
+ <code>0</code>. Packets sent through the tunnel will have no key.
+ This is equivalent to specifying no <ref column="options"
+ key="out_key"/> at all.
+ </li>
+ <li>
+ A positive 32-bit (for GRE) or 64-bit (for CAPWAP) number. Packets
+ sent through the tunnel will have the specified key.
+ </li>
+ <li>
+ The word <code>flow</code>. Packets sent through the tunnel will
+ have the key set using the <code>set_tunnel</code> Nicira OpenFlow
+ vendor extension (0 is used in the absence of an action). The
+ <code>ovs-ofctl</code> manual page contains additional information
+ about the Nicira OpenFlow vendor extensions.
+ </li>
+ </ul>
+ </column>
+
+ <column name="options" key="key">
+ Optional. Shorthand to set <code>in_key</code> and
+ <code>out_key</code> at the same time.
+ </column>
+
+ <column name="options" key="tos">
+ Optional. The value of the ToS bits to be set on the encapsulating
+ packet. It may also be the word <code>inherit</code>, in which case
+ the ToS will be copied from the inner packet if it is IPv4 or IPv6
+ (otherwise it will be 0). The ECN fields are always inherited.
+ Default is 0.
+ </column>
+
+ <column name="options" key="ttl">
+ Optional. The TTL to be set on the encapsulating packet. It may also
+ be the word <code>inherit</code>, in which case the TTL will be copied
+ from the inner packet if it is IPv4 or IPv6 (otherwise it will be the
+ system default, typically 64). Default is the system default TTL.
+ </column>
+
+ <column name="options" key="df_inherit">
+ Optional. If enabled, the Don't Fragment bit will be copied from the
+ inner IP headers (those of the encapsulated traffic) to the outer
+ (tunnel) headers. Default is disabled; set to <code>true</code> to
+ enable.
+ </column>
+
+ <column name="options" key="df_default">
+ Optional. If enabled, the Don't Fragment bit will be set by default on
+ tunnel headers if the <code>df_inherit</code> option is not set, or if
+ the encapsulated packet is not IP. Default is enabled; set to
+ <code>false</code> to disable.
+ </column>
+
+ <column name="options" key="pmtud">
+ Optional. Enable tunnel path MTU discovery. If enabled ``ICMP
+ Destination Unreachable - Fragmentation Needed'' messages will be
+ generated for IPv4 packets with the DF bit set and IPv6 packets above
+ the minimum MTU if the packet size exceeds the path MTU minus the size
+ of the tunnel headers. Note that this option causes behavior that is
+ typically reserved for routers and therefore is not entirely in
+ compliance with the IEEE 802.1D specification for bridges. Default is
+ enabled; set to <code>false</code> to disable.
+ </column>
+
+ <group title="Tunnel Options: gre only">
+ <p>
+ Only <code>gre</code> interfaces support these options.
+ </p>
+
+ <column name="options" key="header_cache">
+ Enable caching of tunnel headers and the output path. This can lead
+ to a significant performance increase without changing behavior. In
+ general it should not be necessary to adjust this setting. However,
+ the caching can bypass certain components of the IP stack (such as
+ <code>iptables</code>) and it may be useful to disable it if these
+ features are required or as a debugging measure. Default is enabled,
+ set to <code>false</code> to disable.
+ </column>
+ </group>
+
+ <group title="Tunnel Options: gre and ipsec_gre only">
+ <p>
+ Only <code>gre</code> and <code>ipsec_gre</code> interfaces support
+ these options.
+ </p>
+
+ <column name="options" key="csum">
+ <p>
+ Optional. Compute GRE checksums on outgoing packets. Default is
+ disabled, set to <code>true</code> to enable. Checksums present on
+ incoming packets will be validated regardless of this setting.
+ </p>
+
+ <p>
+ GRE checksums impose a significant performance penalty because they
+ cover the entire packet. The encapsulated L3, L4, and L7 packet
+ contents typically have their own checksums, so this additional
+ checksum only adds value for the GRE and encapsulated L2 headers.
+ </p>
+
+ <p>
+ This option is supported for <code>ipsec_gre</code>, but not useful
+ because GRE checksums are weaker than, and redundant with, IPsec
+ payload authentication.
+ </p>
+ </column>
+ </group>
+
+ <group title="Tunnel Options: ipsec_gre only">
+ <p>
+ Only <code>ipsec_gre</code> interfaces support these options.
+ </p>
+
+ <column name="options" key="peer_cert">
+ Required for certificate authentication. A string containing the
+ peer's certificate in PEM format. Additionally the host's
+ certificate must be specified with the <code>certificate</code>
+ option.
+ </column>
+
+ <column name="options" key="certificate">
+ Required for certificate authentication. The name of a PEM file
+ containing a certificate that will be presented to the peer during
+ authentication.
+ </column>
+
+ <column name="options" key="private_key">
+ Optional for certificate authentication. The name of a PEM file
+ containing the private key associated with <code>certificate</code>.
+ If <code>certificate</code> contains the private key, this option may
+ be omitted.
+ </column>
+
+ <column name="options" key="psk">
+ Required for pre-shared key authentication. Specifies a pre-shared
+ key for authentication that must be identical on both sides of the
+ tunnel.
+ </column>
+ </group>
+ </group>
+
+ <group title="Patch Options">
+ <p>
+ Only <code>patch</code> interfaces support these options.
+ </p>
+
+ <column name="options" key="peer">
+ The <ref column="name"/> of the <ref table="Interface"/> for the other
+ side of the patch. The named <ref table="Interface"/>'s own
+ <code>peer</code> option must specify this <ref table="Interface"/>'s
+ name. That is, the two patch interfaces must have reversed <ref
+ column="name"/> and <code>peer</code> values.
+ </column>
+ </group>
+
+ <group title="Interface Status">
+ <p>
+ Status information about interfaces attached to bridges, updated every
+ 5 seconds. Not all interfaces have all of these properties; virtual
+ interfaces don't have a link speed, for example. Non-applicable
+ columns will have empty values.
+ </p>
+ <column name="admin_state">
+ <p>
+ The administrative state of the physical network link.
+ </p>
+ </column>
+
+ <column name="link_state">
+ <p>
+ The observed state of the physical network link. This is ordinarily
+ the link's carrier status. If the interface's <ref table="Port"/> is
+ a bond configured for miimon monitoring, it is instead the network
+ link's miimon status.
+ </p>
+ </column>
+
+ <column name="link_speed">
+ <p>
+ The negotiated speed of the physical network link.
+ Valid values are positive integers greater than 0.
+ </p>
+ </column>
+
+ <column name="duplex">
+ <p>
+ The duplex mode of the physical network link.
+ </p>
+ </column>
+
+ <column name="mtu">
+ <p>
+ The MTU (maximum transmission unit); i.e. the largest
+ amount of data that can fit into a single Ethernet frame.
+ The standard Ethernet MTU is 1500 bytes. Some physical media
+ and many kinds of virtual interfaces can be configured with
+ higher MTUs.
+ </p>
+ <p>
+ This column will be empty for an interface that does not
+ have an MTU as, for example, some kinds of tunnels do not.
+ </p>
+ </column>
+
+ <column name="lacp_current">
+ Boolean value indicating LACP status for this interface. If true, this
+ interface has current LACP information about its LACP partner. This
+ information may be used to monitor the health of interfaces in a LACP
+ enabled port. This column will be empty if LACP is not enabled.
+ </column>
+
+ <column name="status">
+ Key-value pairs that report port status. Supported status values are
+ <ref column="type"/>-dependent; some interfaces may not have a valid
+ <ref column="status" key="driver_name"/>, for example.
+ </column>
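Review bot: the `in_key` column ends with an empty `<p>` / `</p>` pair right after its closing `</ul>`; it renders nothing and looks like a leftover, so it should be dropped. In the "Tunnel Options: ipsec_gre only" group, `peer_cert`, `certificate` and `psk` are each marked "Required for ..." one authentication method, but nothing says whether exactly one method must be configured or what happens when both a certificate and a `psk` are set; a sentence in that group's opening paragraph would settle it. `header_cache` is the only tunnel option whose description does not open with "Optional." or "Required.". Because it defaults to enabled and the text notes that caching can bypass `iptables`, the description should say up front that `iptables` rules may be bypassed while caching is on, rather than leaving this as an aside about debugging.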