X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=vswitchd%2Fvswitch.xml;h=a16c486cc7f2ac1de4d062ffa999bff814337c20;hb=c64540e3fe43a83bbe8687c53fb7fdec95b94195;hp=b21b56004f06986571f5ca5c9f52e6648bad3cdf;hpb=8936565369410daa099708be4cd3fa7e0e39bade;p=sliver-openvswitch.git
diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
index b21b56004..a16c486cc 100644
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@@ -1,35 +1,48 @@
+
- A database with this schema holds the configuration for one Open
- vSwitch daemon. The root of the configuration for the daemon is
- the table, which must have exactly one
+
+ A database with this schema holds the configuration for one Open
+ vSwitch daemon. The top-level configuration for the daemon is the
+ table, which must have exactly one
record. Records in other tables are significant only when they
- can be reached directly or indirectly from the
- table.
+ can be reached directly or indirectly from the table. Records that are not reachable from
+ the table are automatically deleted
+ from the database, except for records in a few distinguished
+ ``root set'' tables noted below.
+
A port within a .
Most commonly, a port has exactly one ``interface,'' pointed to by its
- column. Such a port logically
+ column. Such a port logically
corresponds to a port on a physical Ethernet switch. A port
with more than one interface is a ``bonded port'' (see
).
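Review bot: the new sentence "Records that are not reachable from the table are automatically deleted from the database, except for records in a few distinguished ``root set'' tables noted below" leaves the root set unnamed, and nothing in this hunk lists those tables. Because automatic deletion changes what an operator sees after a transaction (a row inserted before the row that references it exists will vanish), name the root-set tables in this paragraph, or point to the exact place where each is marked, so a reader can tell which inserts are safe to make ahead of the referencing row.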
@@ -168,53 +451,109 @@
A bridge port must be configured for VLANs in one of two
mutually exclusive ways:
- - A ``trunk port'' has an empty value for
-
and a possibly non-empty
- value.
+ - A ``trunk port'' has an empty value for
. Its value may be
+ empty or non-empty.
- An ``implicitly tagged VLAN port'' or ``access port''
- has an nonempty value for
and an empty
- value.
+ has an nonempty value for . Its
+ value must be empty.
If and are both
nonempty, the configuration is ill-formed.
- If nonempty, this port's implicitly tagged VLAN. Frames
- arriving on trunk ports will be forwarded to this port only
- if they are tagged with the given VLAN. Frames arriving on
- other VLAN ports will be forwarded to this port only if they
- have the same value. Frames forwarded
- to this port will not have an 802.1Q header.
- When a frame with a 802.1Q header that indicates a nonzero VLAN is
- received on an implicit VLAN port, it is discarded.
- Must be empty if this is a trunk port.
+
+ If this is an access port (see above), the port's implicitly
+ tagged VLAN. Must be empty if this is a trunk port.
+
+
+ Frames arriving on trunk ports will be forwarded to this
+ port only if they are tagged with the given VLAN (or, if
+ is 0, then if they lack a VLAN header).
+ Frames arriving on other access ports will be forwarded to
+ this port only if they have the same
+ value. Frames forwarded to this port will not have an
+ 802.1Q header.
+
+
+ When a frame with a 802.1Q header that indicates a nonzero
+ VLAN is received on an access port, it is discarded.
+
- The 802.1Q VLAN(s) that this port trunks. If the column is
- empty, then the port trunks all VLANs as well as packets that
- have no VLAN header. Otherwise, only frames that have an
- 802.1Q header with one of the specified VLANs are accepted.
- If 0
is included, then frames without an 802.1Q
- header are also accepted.
- Must be empty unless this is a trunk port.
+
+ If this is a trunk port (see above), the 802.1Q VLAN(s) that
+ this port trunks; if it is empty, then the port trunks all
+ VLANs. Must be empty if this is an access port.
+
+
+ Frames arriving on trunk ports are dropped if they are not
+ in one of the specified VLANs. For this purpose, packets
+ that have no VLAN header are treated as part of VLAN 0.
+
- A port that has more than one interface is a ``bonded port.''
- Bonding allows for load balancing and fail-over. Open vSwitch
- supports ``source load balancing'' (SLB) bonding, which
- assigns flows to slaves based on source MAC address, with
- periodic rebalancing as traffic patterns change. This form of
- bonding does not require 802.3ad or other special support from
- the upstream switch to which the slave devices are
- connected.
+ A port that has more than one interface is a ``bonded port.'' Bonding
+ allows for load balancing and fail-over. Some kinds of bonding will
+ work with any kind of upstream switch:
+
+
+ balance-slb
+ -
+ Balances flows among slaves based on source MAC address and output
+ VLAN, with periodic rebalancing as traffic patterns change.
+
+
+ active-backup
+ -
+ Assigns all flows to one slave, failing over to a backup slave when
+ the active slave is disabled.
+
+
+
+
+ The following modes require the upstream switch to support 802.3ad with
+ successful LACP negotiation. If LACP negotiation fails then
+ balance-slb
style flow hashing is used as a fallback:
+
+
+
+ balance-tcp
+ -
+ Balances flows among slaves based on L2, L3, and L4 protocol
+ information such as destination MAC address, IP address, and TCP
+ port.
+
+
+
+
+ stable
+ -
+
Attempts to always assign a given flow to the same slave
+ consistently. In an effort to maintain stability, no load
+ balancing is done. Uses a similar hashing strategy to
+ balance-tcp
, falling back to balance-slb
+ style hashing when LACP negotiations are unsuccessful.
+ Slave selection decisions are made based on
+ bond-stable-id
if set. Otherwise, OpenFlow port
+ number is used. Decisions are consistent across all ovs-vswitchd
+ instances with equivalent bond-stable-id
s.
+
+
These columns apply only to bonded ports. Their values are
otherwise ignored.
+
+ The type of bonding used for a bonded port. Defaults to
+ balance-slb
if unset.
+
+
+
For a bonded port, the number of milliseconds for which carrier must
stay up on an interface before the interface is considered to be up.
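Review bot: "If tag and trunks are both nonempty, the configuration is ill-formed" does not say what the daemon does with such a port (ignore it, treat it as an access port, or reject the configuration); state the behaviour, since a silently ignored port is a different outcome from one that forwards on every VLAN. Two smaller gaps in the same hunk: the access-port text discards only frames whose 802.1Q header "indicates a nonzero VLAN", so it should say what happens to a priority-tagged frame (an 802.1Q header carrying VLAN 0) received on an access port, and the sentence "If LACP negotiation fails then balance-slb style flow hashing is used as a fallback" describes a silent downgrade that should be paired with a pointer to wherever the negotiated LACP state is reported, so an operator can detect the fallback instead of inferring it from traffic behaviour.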
@@ -227,17 +566,33 @@
For a bonded port, the number of milliseconds for which carrier must
stay down on an interface before the interface is considered to be
- down. Specify 0
to enable the interface immediately.
+ down. Specify 0
to disable the interface immediately.
- For a bonded port, whether to create a fake interface with the name of
- the port. Use only for compatibility with legacy software that
+ For a bonded port, whether to create a fake internal interface with the
+ name of the port. Use only for compatibility with legacy software that
requires this.
+
+
+ Configures LACP on this port. LACP allows directly connected
+ switches to negotiate which links may be bonded. LACP may be enabled
+ on non-bonded ports for the benefit of any switches they may be
+ connected to. active
ports are allowed to initiate LACP
+ negotiations. passive
ports are allowed to participate
+ in LACP negotiations initiated by a remote switch, but not allowed to
+ initiate such negotiations themselves. If unset Open vSwitch will
+ choose a reasonable default.
+
+
+
+ Quality of Service configuration for this port.
+
+
The MAC address to use for this port for the purpose of choosing the
bridge's MAC address. This column does not necessarily reflect the
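Review bot: "If unset Open vSwitch will choose a reasonable default" for the lacp column leaves the default undocumented; say whether unset means off, passive or active. The same paragraph says LACP "may be enabled on non-bonded ports", and both passive and active modes put LACP traffic on the wire for a port the operator may never have intended to aggregate, so the reader needs the actual default, not a characterisation of it. The downdelay change from "enable the interface immediately" to "disable the interface immediately" reads correctly now.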
@@ -251,12 +606,21 @@
- Key-value pairs that identify this port's role in external systems. No
- key-value pairs native to are currently defined.
- For fake bridges (see the column), external
- IDs for the fake bridge are defined here by prefixing their keys
- with fake-bridge-
,
- e.g. fake-bridge-xs-network-uuids
.
+
+ Key-value pairs for use by external frameworks that integrate with
+ Open vSwitch, rather than by Open vSwitch itself. System integrators
+ should either use the Open vSwitch development mailing list to
+ coordinate on common key-value definitions, or choose key names that
+ are likely to be unique.
+
+
+ No key-value pairs native to are currently
+ defined. For fake bridges (see the
+ column), external IDs for the fake bridge are defined here by
+ prefixing a key with fake-bridge-
,
+ e.g. fake-bridge-xs-network-uuids
.
+
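Review bot: "choose key names that are likely to be unique" gives integrators no concrete rule, while the same hunk already shows one in fake-bridge-xs-network-uuids (a fixed prefix followed by an integrator-specific key); spell that convention out as the recommendation (a prefix identifying the integrator, then the key), so two frameworks on one host do not collide on a generic key and act on each other's values. The fake bridge paragraph also says the prefixed keys are "defined here" without saying whether Open vSwitch reads them itself or only exposes them for the fake bridge; one clause would settle it.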
@@ -264,8 +628,60 @@
currently defined key-value pairs are:
hwaddr
- - Exactly 12 hex digits in the form
+
- An Ethernet address in the form
xx:xx:xx:xx:xx:xx
.
+ bond-rebalance-interval
+ - For an SLB bonded port, the number of milliseconds between
+ successive attempts to rebalance the bond, that is, to
+ move source MACs and their flows from one interface on
+ the bond to another in an attempt to keep usage of each
+ interface roughly equal. The default is 10000 (10
+ seconds), and the minimum is 1000 (1 second).
+ bond-detect-mode
+ - Sets the method used to detect link failures in a bonded port.
+ Options are
carrier
and miimon
. Defaults
+ to carrier
which uses each interface's carrier to detect
+ failures. When set to miimon
, will check for failures
+ by polling each interface's MII.
+ bond-miimon-interval
+ - The number of milliseconds between successive attempts to
+ poll each interface's MII. Only relevant on ports which use
+
miimon
to detect failures.
+ bond-hash-basis
+ - An integer hashed along with flows when choosing output slaves.
+ When changed, all flows will be assigned different hash values
+ possibly causing slave selection decisions to change.
+ lacp-system-id
+ - The LACP system ID of this
. The system ID
+ of a LACP bond is used to identify itself to its partners. Must
+ be a nonzero MAC address.
+ lacp-system-priority
+ - The LACP system priority of this
. In
+ LACP negotiations, link status decisions are made by the system
+ with the numerically lower priority. Must be a number between 1
+ and 65535.
+ lacp-time
+ -
+
The LACP timing which should be used on this
+ . Possible values are fast
,
+ slow
and a positive number of milliseconds. By
+ default slow
is used. When configured to be
+ fast
LACP heartbeats are requested at a rate of once
+ per second causing connectivity problems to be detected more
+ quickly. In slow
mode, heartbeats are requested at
+ a rate of once every 30 seconds.
+
+ Users may manually set a heartbeat transmission rate to increase
+ the fault detection speed further. When manually set, OVS
+ expects the partner switch to be configured with the same
+ transmission rate. Manually setting lacp-time
to
+ something other than fast
or slow
is
+ not supported by the LACP specification.
+
+ lacp-heartbeat
+ - Treats LACP like a simple heartbeat protocol for link state
+ monitoring. Most features of the LACP protocol are disabled when
+ this mode is in use.
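Review bot: several of the new other_config keys omit the default and range that bond-rebalance-interval states: bond-miimon-interval has no default or minimum, bond-hash-basis has no default or range, and lacp-system-id and lacp-system-priority give only the constraint ("Must be a nonzero MAC address", "between 1 and 65535") without saying what is used when the key is unset. Add them in the same form as "The default is 10000 (10 seconds), and the minimum is 1000 (1 second)". lacp-heartbeat needs more than "Most features of the LACP protocol are disabled": list which checks remain (at least whether partner system ID and key matching still apply), since an operator enabling it for link monitoring needs to know which aggregation decisions it no longer makes. The lacp-time caveat that values other than fast or slow are "not supported by the LACP specification" is the right warning to keep.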
@@ -293,7 +709,7 @@
whose name is first in alphabetical order). Internal ports and
bridge ports that are used as port mirroring destinations (see the
table) are ignored.
- For other internal interface, the default MAC is randomly
+ For other internal interfaces, the default MAC is randomly
generated.
External interfaces typically have a MAC address associated with
their hardware.
@@ -310,10 +726,10 @@
Open vSwitch populates this column when the port number becomes
known. If the interface is successfully added,
will be set to a number between 1 and 65535
- (generally either in the range 1 to 0xff00
, exclusive,
- or 0xfffe
, the port number for the OpenFlow ``local
- port''). If the interface cannot be added then Open vSwitch sets
- this column to -1
.
+ (generally either in the range 1 to 65279, inclusive, or 65534, the
+ port number for the OpenFlow ``local port''). If the interface
+ cannot be added then Open vSwitch sets this column
+ to -1.
@@ -328,7 +744,7 @@
vSwitch is running. The empty string is a synonym for
system
.
internal
- A simulated network devices that sent and receive traffic. An
+ A simulated network device that sends and receives traffic. An
internal interface whose is the same as its
bridge's is called the
``local interface.'' It does not make sense to bond an internal
@@ -337,7 +753,341 @@
tap
A TUN/TAP device managed by Open vSwitch.
gre
- A GRE tunnel device managed by Open vSwitch.
+ An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4
+ tunnel. Each tunnel must be uniquely identified by the
+ combination of remote_ip
, local_ip
, and
+ in_key
. Note that if two ports are defined that are
+ the same except one has an optional identifier and the other does
+ not, the more specific one is matched first. in_key
+ is considered more specific than local_ip
if a port
+ defines one and another port defines the other. The following
+ options may be specified in the column:
+
+ remote_ip
+ - Required. The tunnel endpoint.
+
+
+ local_ip
+ - Optional. The destination IP that received packets must
+ match. Default is to match all addresses.
+
+
+ in_key
+ - Optional. The GRE key that received packets must contain.
+ It may either be a 32-bit number (no key and a key of 0 are
+ treated as equivalent) or the word
flow
. If
+ flow
is specified then any key will be accepted
+ and the key will be placed in the tun_id
field
+ for matching in the flow table. The ovs-ofctl manual page
+ contains additional information about matching fields in
+ OpenFlow flows. Default is no key.
+
+
+ out_key
+ - Optional. The GRE key to be set on outgoing packets. It may
+ either be a 32-bit number or the word
flow
. If
+ flow
is specified then the key may be set using
+ the set_tunnel
Nicira OpenFlow vendor extension (0
+ is used in the absence of an action). The ovs-ofctl manual
+ page contains additional information about the Nicira OpenFlow
+ vendor extensions. Default is no key.
+
+
+ key
+ - Optional. Shorthand to set
in_key
and
+ out_key
at the same time.
+
+
+ tos
+ - Optional. The value of the ToS bits to be set on the
+ encapsulating packet. It may also be the word
+
inherit
, in which case the ToS will be copied from
+ the inner packet if it is IPv4 or IPv6 (otherwise it will be
+ 0). Note that the ECN fields are always inherited. Default is
+ 0.
+
+
+ ttl
+ - Optional. The TTL to be set on the encapsulating packet.
+ It may also be the word
inherit
, in which case the
+ TTL will be copied from the inner packet if it is IPv4 or IPv6
+ (otherwise it will be the system default, typically 64).
+ Default is the system default TTL.
+
+
+ csum
+ - Optional. Compute GRE checksums on outgoing packets.
+ Checksums present on incoming packets will be validated
+ regardless of this setting. Note that GRE checksums
+ impose a significant performance penalty as they cover the
+ entire packet. As the contents of the packet is typically
+ covered by L3 and L4 checksums, this additional checksum only
+ adds value for the GRE and encapsulated Ethernet headers.
+ Default is disabled, set to
true
to enable.
+
+
+ df_inherit
+ - Optional. If enabled, the Don't Fragment bit will be copied
+ from the inner IP headers (those of the encapsulated traffic)
+ to the outer (tunnel) headers. Default is disabled; set to
+
true
to enable.
+
+
+ df_default
+ - Optional. If enabled, the Don't Fragment bit will be set by
+ default on tunnel headers if the
df_inherit
option
+ is not set, or if the encapsulated packet is not IP. Default
+ is enabled; set to false
to disable.
+
+
+ pmtud
+ - Optional. Enable tunnel path MTU discovery. If enabled
+ ``ICMP Destination Unreachable - Fragmentation Needed''
+ messages will be generated for IPv4 packets with the DF bit set
+ and IPv6 packets above the minimum MTU if the packet size
+ exceeds the path MTU minus the size of the tunnel headers.
+ Note that this option causes behavior that is typically
+ reserved for routers and therefore is not entirely in
+ compliance with the IEEE 802.1D specification for bridges.
+ Default is enabled; set to
false
to disable.
+
+
+ header_cache
+ - Optional. Enable caching of tunnel headers and the output
+ path. This can lead to a significant performance increase
+ without changing behavior. In general it should not be
+ necessary to adjust this setting. However, the caching can
+ bypass certain components of the IP stack (such as IP tables)
+ and it may be useful to disable it if these features are
+ required or as a debugging measure. Default is enabled, set to
+
false
to disable.
+
+
+ ipsec_gre
+ An Ethernet over RFC 2890 Generic Routing Encapsulation
+ over IPv4 IPsec tunnel. Each tunnel (including those of type
+ gre
) must be uniquely identified by the
+ combination of remote_ip
and
+ local_ip
. Note that if two ports are defined
+ that are the same except one has an optional identifier and
+ the other does not, the more specific one is matched first.
+ An authentication method of peer_cert
or
+ psk
must be defined. The following options may
+ be specified in the column:
+
+ remote_ip
+ - Required. The tunnel endpoint.
+
+
+ local_ip
+ - Optional. The destination IP that received packets must
+ match. Default is to match all addresses.
+
+
+ peer_cert
+ - Required for certificate authentication. A string
+ containing the peer's certificate in PEM format.
+ Additionally the host's certificate must be specified
+ with the
certificate
option.
+
+
+ certificate
+ - Required for certificate authentication. The name of a
+ PEM file containing a certificate that will be presented
+ to the peer during authentication.
+
+
+ private_key
+ - Optional for certificate authentication. The name of
+ a PEM file containing the private key associated with
+
certificate
. If certificate
+ contains the private key, this option may be omitted.
+
+
+ psk
+ - Required for pre-shared key authentication. Specifies a
+ pre-shared key for authentication that must be identical on
+ both sides of the tunnel.
+
+
+ in_key
+ - Optional. The GRE key that received packets must contain.
+ It may either be a 32-bit number (no key and a key of 0 are
+ treated as equivalent) or the word
flow
. If
+ flow
is specified then any key will be accepted
+ and the key will be placed in the tun_id
field
+ for matching in the flow table. The ovs-ofctl manual page
+ contains additional information about matching fields in
+ OpenFlow flows. Default is no key.
+
+
+ out_key
+ - Optional. The GRE key to be set on outgoing packets. It may
+ either be a 32-bit number or the word
flow
. If
+ flow
is specified then the key may be set using
+ the set_tunnel
Nicira OpenFlow vendor extension (0
+ is used in the absence of an action). The ovs-ofctl manual
+ page contains additional information about the Nicira OpenFlow
+ vendor extensions. Default is no key.
+
+
+ key
+ - Optional. Shorthand to set
in_key
and
+ out_key
at the same time.
+
+
+ tos
+ - Optional. The value of the ToS bits to be set on the
+ encapsulating packet. It may also be the word
+
inherit
, in which case the ToS will be copied from
+ the inner packet if it is IPv4 or IPv6 (otherwise it will be
+ 0). Note that the ECN fields are always inherited. Default is
+ 0.
+
+
+ ttl
+ - Optional. The TTL to be set on the encapsulating packet.
+ It may also be the word
inherit
, in which case the
+ TTL will be copied from the inner packet if it is IPv4 or IPv6
+ (otherwise it will be the system default, typically 64).
+ Default is the system default TTL.
+
+
+ csum
+ - Optional. Compute GRE checksums on outgoing packets.
+ Checksums present on incoming packets will be validated
+ regardless of this setting. Note that GRE checksums
+ impose a significant performance penalty as they cover the
+ entire packet. As the contents of the packet is typically
+ covered by L3 and L4 checksums, this additional checksum only
+ adds value for the GRE and encapsulated Ethernet headers.
+ Default is disabled, set to
true
to enable.
+
+
+ df_inherit
+ - Optional. If enabled, the Don't Fragment bit will be copied
+ from the inner IP headers (those of the encapsulated traffic)
+ to the outer (tunnel) headers. Default is disabled; set to
+
true
to enable.
+
+
+ df_default
+ - Optional. If enabled, the Don't Fragment bit will be set by
+ default on tunnel headers if the
df_inherit
option
+ is not set, or if the encapsulated packet is not IP. Default
+ is enabled; set to false
to disable.
+
+
+ pmtud
+ - Optional. Enable tunnel path MTU discovery. If enabled
+ ``ICMP Destination Unreachable - Fragmentation Needed''
+ messages will be generated for IPv4 packets with the DF bit set
+ and IPv6 packets above the minimum MTU if the packet size
+ exceeds the path MTU minus the size of the tunnel headers.
+ Note that this option causes behavior that is typically
+ reserved for routers and therefore is not entirely in
+ compliance with the IEEE 802.1D specification for bridges.
+ Default is enabled; set to
false
to disable.
+
+
+ capwap
+ Ethernet tunneling over the UDP transport portion of CAPWAP
+ (RFC 5415). This allows interoperability with certain switches
+ where GRE is not available. Note that only the tunneling component
+ of the protocol is implemented. Due to the non-standard use of
+ CAPWAP, UDP ports 58881 and 58882 are used as the source and
+ destination ports respectively. Each tunnel must be uniquely
+ identified by the combination of remote_ip
and
+ local_ip
. If two ports are defined that are the same
+ except one includes local_ip
and the other does not,
+ the more specific one is matched first. CAPWAP support is not
+ available on all platforms. Currently it is only supported in the
+ Linux kernel module with kernel versions >= 2.6.25. The following
+ options may be specified in the column:
+
+ remote_ip
+ - Required. The tunnel endpoint.
+
+
+ local_ip
+ - Optional. The destination IP that received packets must
+ match. Default is to match all addresses.
+
+
+ tos
+ - Optional. The value of the ToS bits to be set on the
+ encapsulating packet. It may also be the word
+
inherit
, in which case the ToS will be copied from
+ the inner packet if it is IPv4 or IPv6 (otherwise it will be
+ 0). Note that the ECN fields are always inherited. Default is
+ 0.
+
+
+ ttl
+ - Optional. The TTL to be set on the encapsulating packet.
+ It may also be the word
inherit
, in which case the
+ TTL will be copied from the inner packet if it is IPv4 or IPv6
+ (otherwise it will be the system default, typically 64).
+ Default is the system default TTL.
+
+
+ df_inherit
+ - Optional. If enabled, the Don't Fragment bit will be copied
+ from the inner IP headers (those of the encapsulated traffic)
+ to the outer (tunnel) headers. Default is disabled; set to
+
true
to enable.
+
+
+ df_default
+ - Optional. If enabled, the Don't Fragment bit will be set by
+ default on tunnel headers if the
df_inherit
option
+ is not set, or if the encapsulated packet is not IP. Default
+ is enabled; set to false
to disable.
+
+
+ pmtud
+ - Optional. Enable tunnel path MTU discovery. If enabled
+ ``ICMP Destination Unreachable - Fragmentation Needed''
+ messages will be generated for IPv4 packets with the DF bit set
+ and IPv6 packets above the minimum MTU if the packet size
+ exceeds the path MTU minus the size of the tunnel headers.
+ Note that this option causes behavior that is typically
+ reserved for routers and therefore is not entirely in
+ compliance with the IEEE 802.1D specification for bridges.
+ Default is enabled; set to
false
to disable.
+
+
+ header_cache
+ - Optional. Enable caching of tunnel headers and the output
+ path. This can lead to a significant performance increase
+ without changing behavior. In general it should not be
+ necessary to adjust this setting. However, the caching can
+ bypass certain components of the IP stack (such as IP tables)
+ and it may be useful to disable it if these features are
+ required or as a debugging measure. Default is enabled, set to
+
false
to disable.
+
+
+ patch
+
+
+ A pair of virtual devices that act as a patch cable. The column must have the following key-value pair:
+
+
+ peer
+ -
+ The
of the for
+ the other side of the patch. The named 's own peer
option must specify
+ this 's name. That is, the two patch
+ interfaces must have reversed and
+ peer
values.
+
+
+
+ null
+ An ignored interface.
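Review bot: the uniqueness rules contradict each other within this hunk: the gre entry says "Each tunnel must be uniquely identified by the combination of remote_ip, local_ip, and in_key", while the ipsec_gre entry says "Each tunnel (including those of type gre) must be uniquely identified by the combination of remote_ip and local_ip" yet still lists in_key as an option. Pick one rule and state it once. For the ipsec_gre options: psk is a secret held in the options column, and certificate and private_key name PEM files while peer_cert takes the certificate text inline, so say who can read the database-held values, what permissions the private key file needs, and make the three certificate-related options consistent in whether they take content or a path. The in_key text "If flow is specified then any key will be accepted" should carry a reminder that the GRE key is a demultiplexer, not authentication, which is the reason ipsec_gre requires peer_cert or psk. header_cache defaults to enabled and the text concedes it "can bypass certain components of the IP stack (such as IP tables)"; since it is the default, state plainly that host firewall rules may not apply to cached tunnel traffic. Finally, the gre, ipsec_gre and capwap entries repeat the tos, ttl, df_inherit, df_default and pmtud text verbatim; a single shared description referenced from each type would keep the three from drifting.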
@@ -347,47 +1097,516 @@
+
+
+ Status information about interfaces attached to bridges, updated every
+ 5 seconds. Not all interfaces have all of these properties; virtual
+ interfaces don't have a link speed, for example. Non-applicable
+ columns will have empty values.
+
+
+
+ The administrative state of the physical network link.
+
+
+
+
+
+ The observed state of the physical network link. This is ordinarily
+ the link's carrier status. If the interface's is
+ a bond configured for miimon monitoring, it is instead the network
+ link's miimon status.
+
+
+
+
+
+ The negotiated speed of the physical network link.
+ Valid values are positive integers greater than 0.
+
+
+
+
+
+ The duplex mode of the physical network link.
+
+
+
+
+
+ The MTU (maximum transmission unit); i.e. the largest
+ amount of data that can fit into a single Ethernet frame.
+ The standard Ethernet MTU is 1500 bytes. Some physical media
+ and many kinds of virtual interfaces can be configured with
+ higher MTUs.
+
+
+ This column will be empty for an interface that does not
+ have an MTU as, for example, some kinds of tunnels do not.
+
+
+
+
+
+ Key-value pairs that report port status. Supported status
+ values are type
-dependent; some interfaces may not have
+ a valid driver_name
, for example.
+
+ The currently defined key-value pairs are:
+
+ driver_name
+ - The name of the device driver controlling the network
+ adapter.
+
+
+ driver_version
+ - The version string of the device driver controlling the
+ network adapter.
+
+
+ firmware_version
+ - The version string of the network adapter's firmware, if
+ available.
+
+
+ source_ip
+ - The source IP address used for an IPv4 tunnel end-point,
+ such as
gre
or capwap
.
+
+
+ tunnel_egress_iface
+ - Egress interface for tunnels. Currently only relevant for GRE
+ and CAPWAP tunnels. On Linux systems, this column will show
+ the name of the interface which is responsible for routing
+ traffic destined for the configured
remote_ip
.
+ This could be an internal interface such as a bridge port.
+
+
+ tunnel_egress_iface_carrier
+ - Whether a carrier is detected on
. Valid values are down
+ and up
.
+
+
+
+
+
+ These settings control ingress policing for packets received on this
+ interface. On a physical interface, this limits the rate at which
+ traffic is allowed into the system from the outside; on a virtual
+ interface (one connected to a virtual machine), this limits the rate at
+ which the VM is able to transmit.
+
+
+ Policing is a simple form of quality-of-service that simply drops
+ packets received in excess of the configured rate. Due to its
+ simplicity, policing is usually less accurate and less effective than
+ egress QoS (which is configured using the and tables).
+
+
+ Policing is currently implemented only on Linux. The Linux
+ implementation uses a simple ``token bucket'' approach:
+
+
+ -
+ The size of the bucket corresponds to
. Initially the bucket is full.
+
+ -
+ Whenever a packet is received, its size (converted to tokens) is
+ compared to the number of tokens currently in the bucket. If the
+ required number of tokens are available, they are removed and the
+ packet is forwarded. Otherwise, the packet is dropped.
+
+ -
+ Whenever it is not full, the bucket is refilled with tokens at the
+ rate specified by
.
+
+
+
+ Policing interacts badly with some network protocols, and especially
+ with fragmented IP packets. Suppose that there is enough network
+ activity to keep the bucket nearly empty all the time. Then this token
+ bucket algorithm will forward a single packet every so often, with the
+ period depending on packet size and on the configured rate. All of the
+ fragments of an IP packets are normally transmitted back-to-back, as a
+ group. In such a situation, therefore, only one of these fragments
+ will be forwarded and the rest will be dropped. IP does not provide
+ any way for the intended recipient to ask for only the remaining
+ fragments. In such a case there are two likely possibilities for what
+ will happen next: either all of the fragments will eventually be
+ retransmitted (as TCP will do), in which case the same problem will
+ recur, or the sender will not realize that its packet has been dropped
+ and data will simply be lost (as some UDP-based protocols will do).
+ Either way, it is possible that no forward progress will ever occur.
+
+
+
+ Maximum rate for data received on this interface, in kbps. Data
+ received faster than this rate is dropped. Set to 0
+ (the default) to disable policing.
+
+
+
Maximum burst size for data received on this interface, in kb. The
default burst size if set to 0
is 1000 kb. This value
has no effect if
is 0
.
- The burst size should be at least the size of the interface's
- MTU.
-
-
-
- Maximum rate for data received on this interface, in kbps. Data
- received faster than this rate is dropped. Set to 0
to
- disable policing.
- The meaning of ``ingress'' is from Open vSwitch's perspective. If
- configured on a physical interface, then it limits the rate at which
- traffic is allowed into the system from the outside. If configured
- on a virtual interface that is connected to a virtual machine, then
- it limits the rate at which the guest is able to transmit.
+
+ Specifying a larger burst size lets the algorithm be more forgiving,
+ which is important for protocols like TCP that react severely to
+ dropped packets. The burst size should be at least the size of the
+ interface's MTU. Specifying a value that is numerically at least as
+ large as 10% of helps TCP come
+ closer to achieving the full rate.
+
+
+
+ Connectivity monitor configuration for this interface.
+
+
+
+ Boolean value indicating LACP status for this interface. If true, this
+ interface has current LACP information about its LACP partner. This
+ information may be used to monitor the health of interfaces in a LACP
+ enabled port. This column will be empty if LACP is not enabled.
+
+
- Key-value pairs that identify this interface's role in external
- systems. The currently defined key-value pairs are:
+ Key-value pairs for use by external frameworks that integrate
+ with Open vSwitch, rather than by Open vSwitch itself. System
+ integrators should either use the Open vSwitch development
+ mailing list to coordinate on common key-value definitions, or
+ choose key names that are likely to be unique. The currently
+ defined common key-value pairs are:
+
+ attached-mac
+ -
+ The MAC address programmed into the ``virtual hardware'' for this
+ interface, in the form
+ xx:xx:xx:xx:xx:xx.
+ For Citrix XenServer, this is the value of the
MAC
+ field in the VIF record for this interface.
+ iface-id
+ - A system-unique identifier for the interface. On XenServer,
+ this will commonly be the same as
xs-vif-uuid
.
+
+
+ Additionally the following key-value pairs specifically
+ apply to an interface that represents a virtual Ethernet interface
+ connected to a virtual machine. These key-value pairs should not be
+ present for other types of interfaces. Keys whose names end
+ in -uuid
have values that uniquely identify the entity
+ in question. For a Citrix XenServer hypervisor, these values are
+ UUIDs in RFC 4122 format. Other hypervisors may use other
+ formats.
+
+ The currently defined key-value pairs for XenServer are:
xs-vif-uuid
- - UUID of the Citrix XenServer VIF associated with this
- interface
+ - The virtual interface associated with this interface.
xs-network-uuid
- - UUID of the Citrix XenServer network to which this interface is
- attached
- xs-vif-vm-uuid
- - UUID of the Citrix XenServer VM to which this interface
- belongs
- xs-vif-mac
- - The value of the "MAC" field in the Citrix XenServer VIF record
- for this interface.
+ - The virtual network to which this interface is attached.
+ xs-vm-uuid
+ - The VM to which this interface belongs.
+
+
+ Key-value pairs for rarely used interface features.
+
+ bond-stable-id
+ - A positive integer using in
stable
bond mode to
+ make slave selection decisions. Allocating
+ bond-stable-id
s consistently across interfaces
+ participating in a bond will guarantee consistent slave selection
+ decisions across ovs-vswitchd instances when using
+ stable
bonding mode.
+ lacp-port-id
+ - The LACP port ID of this
. Port IDs are
+ used in LACP negotiations to identify individual ports
+ participating in a bond. Must be a number between 1 and
+ 65535.
+ lacp-port-priority
+ - The LACP port priority of this
. In
+ LACP negotiations s with numerically lower
+ priorities are preferred for aggregation. Must be a number between
+ 1 and 65535.
+ lacp-aggregation-key
+ - The LACP aggregation key of this
.
+ s with different aggregation keys may not
+ be active within a given at the same time. Must
+ be a number between 1 and 65535.
+
+
+
+
+
+ Key-value pairs that report interface statistics. The current
+ implementation updates these counters periodically. In the future,
+ we plan to, instead, update them when an interface is created, when
+ they are queried (e.g. using an OVSDB select
operation),
+ and just before an interface is deleted due to virtual interface
+ hot-unplug or VM shutdown, and perhaps at other times, but not on any
+ regular periodic basis.
+
+ The currently defined key-value pairs are listed below. These are
+ the same statistics reported by OpenFlow in its struct
+ ofp_port_stats
structure. If an interface does not support a
+ given statistic, then that pair is omitted.
+
+ -
+ Successful transmit and receive counters:
+
+ rx_packets
+ - Number of received packets.
+ rx_bytes
+ - Number of received bytes.
+ tx_packets
+ - Number of transmitted packets.
+ tx_bytes
+ - Number of transmitted bytes.
+
+
+ -
+ Receive errors:
+
+ rx_dropped
+ - Number of packets dropped by RX.
+ rx_frame_err
+ - Number of frame alignment errors.
+ rx_over_err
+ - Number of packets with RX overrun.
+ rx_crc_err
+ - Number of CRC errors.
+ rx_errors
+ -
+ Total number of receive errors, greater than or equal
+ to the sum of the above.
+
+
+
+ -
+ Transmit errors:
+
+ tx_dropped
+ - Number of packets dropped by TX.
+ collisions
+ - Number of collisions.
+ tx_errors
+ -
+ Total number of transmit errors, greater
+ than or equal to the sum of the above.
+
+
+
+
+
+
+
+
+
+
+ These columns are mutually exclusive. Exactly one of them must be
+ nonempty.
+
+
- Output port for selected packets, if nonempty. Mutually exclusive
- with .
+ Output port for selected packets, if nonempty.
Specifying a port for mirror output reserves that port exclusively
for mirroring. No frames other than those selected for mirroring
will be forwarded to the port, and any frames received on the port
@@ -431,8 +1663,7 @@
- Output VLAN for selected packets, if nonempty. Mutually exclusive
- with .
+ Output VLAN for selected packets, if nonempty.
The frames will be sent out all ports that trunk
, as well as any ports with implicit VLAN
. When a mirrored frame is sent out a
@@ -467,24 +1698,95 @@
in the appropriate table or tables.
+
+ When this option is enabled, a maximum of 508 ports are supported.
+
+
+ Records in this table describe functionality supported by the hardware
+ and software platform on which this Open vSwitch is based. Clients
+ should not modify this table.
+
+ A record in this table is meaningful only if it is referenced by the
+ column in the
+ table. The key used to reference it, called
+ the record's ``category,'' determines the meanings of the
+ column. The following general forms of
+ categories are currently defined:
+
+
+ qos-type
+ - type is supported as the value for
+
in the table.
+
+
+
+
+ Key-value pairs that describe capabilities. The meaning of the pairs
+ depends on the category key that the column in the table
+ uses to reference this record, as described above.
+
+ The presence of a record for category qos-type
+ indicates that the switch supports type as the value of
+ the column in the
+ table. The following key-value pairs are defined to further describe
+ QoS capabilities:
+
+
+ n-queues
+ - Number of supported queues, as a positive integer. Keys in the
+
column for
+ records whose value
+ equals type must range between 0 and this value minus one,
+ inclusive.
+
+
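Review bot: the external_ids changes rename xs-vif-vm-uuid to xs-vm-uuid and drop xs-vif-mac in favour of attached-mac without a compatibility note; integrations that still write the old keys will silently stop being recognised, so either document the old names as deprecated aliases or state that they are no longer read. Two wording points: bond-stable-id reads "A positive integer using in stable bond mode" (should be "used in"), and the statistics paragraph's "In the future, we plan to, instead, update them ..." describes intent rather than behaviour and would be better as a short note that the update schedule is unspecified. On the Capability table, "Clients should not modify this table" does not say whether ovs-vswitchd overwrites client changes or merely ignores them; one clause would tell a reader whether a stray write can persist. The ingress policing text is a clear addition; the fragment walkthrough explains why the burst size must be at least the MTU.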