From patchwork Wed May 12 20:15:44 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ben Pfaff flood
+ This section documents how Open vSwitch implements output to the
+ normal
port. The OpenFlow specification places no
+ requirements on how this port works, so all of this documentation is
+ specific to Open vSwitch.
+
+ Open vSwitch uses the Open_vSwitch
database, detailed in
+ ovs-vswitchd.conf.db
(5), to determine the details of the
+ normal pipeline.
+
+ The normal pipeline executes the following ingress stages for each + packet. Each stage either accepts the packet, in which case the packet + goes on to the next stage, or drops the packet, which terminates the + pipeline. The result of the ingress stages is a set of output ports, + which is the empty set if some ingress stage drops the packet: +
+ +
+ Input port lookup: Looks up the OpenFlow
+ in_port
field's value to the corresponding
+ Port
and Interface
record in the database.
+
+ The in_port
is normally the OpenFlow port that the
+ packet was received on. If set_field
or another actions
+ changes the in_port
, the updated value is honored.
+ Accept the packet if the lookup succeeds, which it normally will. If
+ the lookupn fails, for example because in_port
was
+ changed to an unknown value, drop the packet.
+
output_port
in some
+ Mirror
record), then drop the packet.
+
+ VLAN input processing: This stage determines what VLAN the
+ packet is in. It also verifies that this VLAN is valid for the port;
+ if not, drop the packet. How the VLAN is determined and which ones
+ are valid vary based on the vlan-mode
in the input
+ port's Port
record:
+
trunk
trunks
+ column in the Port
record lists the valid VLANs; if it
+ is empty, all VLANs are valid.
+ access
tag
column
+ of its Port
record. The packet must not have an
+ 802.1Q header with a nonzero VLAN ID; if it does, drop the packet.
+ native-tagged
native-untagged
trunk
except that the VLAN of a packet without
+ an 802.1Q header is not necessarily zero; instead, it is taken from
+ the tag
column.
+ dot1q-tunnel
tag
column
+ of its Port
record, which is a QinQ service VLAN with
+ the Ethertype specified by the Port
's
+ other_config
: qinq-ethtype
. If the
+ packet has an 802.1Q header, then it specifies the customer VLAN.
+ The cvlans
column specifies the valid customer VLANs;
+ if it is empty, all customer VLANs are valid.
+ Bridge
+ record does not have other_config
:
+ forward-bpdu
set to true
, drop the packet.
+
+ LACP bond admissibility: This step applies only if the input
+ port is a member of a bond (a Port
with more than one
+ Interface
) and that bond is configured to use LACP.
+ Otherwise, skip to the next step.
+
+ The behavior here depends on the state of LACP negotiation: +
+ ++ Non-LACP bond admissibility: This step applies if the input + port is a member of a bond without LACP configured, or if a LACP bond + falls back to active-backup as described in the previous step. If + neither of these applies, skip to the next step. +
+ ++ If the packet is an Ethernet multicast or broadcast, and not received + on the bond's active member, drop the packet. +
+ ++ The remaining behavior depends on the bond's balancing mode: +
+ +
+ Learn source MAC: If the source Ethernet address is not a
+ multicast address, then insert a mapping from packet's source
+ Ethernet address and VLAN to the input port in the bridge's MAC
+ learning table. (This is skipped if the packet's VLAN is listed in
+ the switch's Bridge
record in the
+ flood_vlans
column, since there is no use for MAC
+ learning when all packets are flooded.)
+
+ When learning happens on a non-bond port, if the packet is a + gratuitous ARP, the entry is marked as ARP-locked. The lock expires + after 5 seconds. (See the ``SLB Bonding'' section in the OVS bonding + document for more information and a rationale.) +
+
+ Output port set: Search the MAC learning table for the port
+ corresponding to the packet's Ethernet destination and VLAN. If the
+ search finds an entry, the output port set is the just the learned
+ port. Otherwise (including the case where the packet is an Ethernet
+ multicast or in flood_vlans
), the output port set is all
+ of the ports in the bridge that belong to the packet's VLAN, except
+ for any ports that were disabled for flooding via OpenFlow or that
+ are configured in a Mirror
record as a mirror
+ destination port.
+
+ The following egress stages execute once for each element in the set of + output ports. They execute (conceptually) in parallel, so that a + decision or action taken for a given output port has no effect on those + for another one: +
+ +
+ VLAN output processing: This stage adjusts the packet to
+ represent the VLAN in the correct way for the output port. Its
+ behavior varies based on the vlan-mode
in the output
+ port's Port
record:
+
trunk
native-tagged
native-untagged
native-untagged
, if
+ the packet is in the native VLAN) drops any 802.1Q header.
+ Otherwise, ensures that there is an 802.1Q header designating the
+ VLAN.
+ access
dot1q-tunnel
other_config
: priority-tags
in the output
+ port's Port
record, then a priority-only tag is added
+ (perhaps only if the priority woule be nonzero, depending on the
+ configuration).
+ + Bond member choice: If the output port is a bond, the code + chooses a particular member. This step is skipped for non-bonded + ports. +
+ ++ If the bond is configured to use LACP, but LACP negotiation is + incomplete, then normally the packet is dropped. The exception is + that if fallback to active-backup mode is enabled, the egress + pipeline continues choosing a bond member as if active-backup mode + was in use. +
+ ++ For active-backup mode, the output member is the active member. + Other modes hash appropriate header fields and use the hash value to + choose one of the enabled members. +
+controller
actioncontroller
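
Review bot: Four typos in the added documentation should be fixed before this is applied: "If the lookupn fails" and "another actions changes the in_port" in the Input port lookup stage, "the output port set is the just the learned port" in the Output port set stage, and "priority woule be nonzero" in VLAN output processing. Suggested wording: "If the lookup fails", "another action changes", "is just the learned port", "would be nonzero". The terminology also drifts. The introduction defines "ingress stages" and "egress stages", but the LACP bond admissibility, Non-LACP bond admissibility and Bond member choice paragraphs say "This step applies" and "skip to the next step"; using "stage" throughout would keep the pipeline description consistent. The ingress introduction also states that each stage "either accepts the packet ... or drops the packet", while Learn source MAC and Output port set are described only as a table update and a lookup, with no accept or drop outcome. Either note in the introduction that the last two stages always accept, or say so in those two paragraphs.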