Configuration for a datapath within Open_vSwitch.
A datapath is responsible for providing the packet handling in
Open vSwitch. There are two primary datapath implementations used
by Open vSwitch: kernel and userspace. Kernel datapath
implementations are available for Linux and Hyper-V, and are
selected as system in the datapath_type column of the Bridge table.
The userspace datapath is used by DPDK and AF-XDP, and is selected
as netdev in the datapath_type column of the Bridge table.
A datapath of a particular type is shared by all the bridges that
use that datapath. Thus, configurations applied to this table
affect all bridges that use this datapath.
Summary:
datapath_version                       string
ct_zones                               map of integer-CT_Zone pairs, key in range 0 to 65,535
Capabilities:
  capabilities : max_vlan_headers      optional string, containing an integer, at least 0
  capabilities : recirc                optional string, either true or false
  capabilities : lb_output_action      optional string, either true or false
  Connection-Tracking Capabilities:
    capabilities : ct_state            optional string, either true or false
    capabilities : ct_state_nat        optional string, either true or false
    capabilities : ct_zone             optional string, either true or false
    capabilities : ct_mark             optional string, either true or false
    capabilities : ct_label            optional string, either true or false
    capabilities : ct_orig_tuple       optional string, either true or false
    capabilities : ct_orig_tuple6      optional string, either true or false
  capabilities : masked_set_action     optional string, either true or false
  capabilities : tnl_push_pop          optional string, either true or false
  capabilities : ufid                  optional string, either true or false
  capabilities : trunc                 optional string, either true or false
  capabilities : nd_ext                optional string, either true or false
  Clone Actions:
    capabilities : clone               optional string, either true or false
    capabilities : sample_nesting      optional string, containing an integer, at least 0
  capabilities : ct_eventmask          optional string, either true or false
  capabilities : ct_clear              optional string, either true or false
  capabilities : max_hash_alg          optional string, containing an integer, at least 0
  capabilities : check_pkt_len         optional string, either true or false
  capabilities : ct_timeout            optional string, either true or false
  capabilities : explicit_drop_action  optional string, either true or false
  capabilities : ct_zero_snat          optional string, either true or false
Common Columns:
external_ids                           map of string-string pairs
Details:
datapath_version: string
Reports the version number of the Open vSwitch datapath in
use. This allows management software to detect and report
discrepancies between Open vSwitch userspace and datapath
versions. (The ovs_version column in the Open_vSwitch table
reports the Open vSwitch userspace version.) The version
reported depends on the datapath in use:
• When the kernel module included in the Open vSwitch
source tree is used, this column reports the Open
vSwitch version from which the module was taken.
• When the kernel module that is part of the upstream
Linux kernel is used, this column reports <unknown>.
• When the datapath is built into the ovs-vswitchd
binary, this column reports <built-in>. A built-in
datapath is by definition the same version as the
rest of the Open vSwitch userspace.
• Other datapaths (such as the Hyper-V kernel
datapath) currently report <unknown>.
A version discrepancy between ovs-vswitchd and the
datapath in use is not normally cause for alarm. The Open
vSwitch kernel datapaths for Linux and Hyper-V, in
particular, are designed for maximum inter-version
compatibility: any userspace version works with any
kernel version. Some reasons do exist to insist on
particular user/kernel pairings. First, newer kernel
versions add new features that can only be used by
new-enough userspace, e.g. VXLAN tunneling requires certain
minimal userspace and kernel versions. Second, as an
extension to the first reason, some newer kernel versions
add new features for enhancing performance that only
new-enough userspace versions can take advantage of.
ct_zones: map of integer-CT_Zone pairs, key in range 0 to 65,535
Configuration for connection tracking zones. Each pair
maps from a zone id to a configuration for that zone. Zone
0 applies to the default zone (i.e., the one used if a zone
is not specified in connection tracking-related OpenFlow
matches and actions).
Capabilities:
The capabilities column reports a datapath's features. For the
netdev datapath, the capabilities are fixed for a given version
of Open vSwitch because this datapath is built into the
ovs-vswitchd binary. The Linux kernel and Windows and other
datapaths, which are external to OVS userspace, can vary in
version and capabilities independently from ovs-vswitchd.
Some of these features indicate whether higher-level Open vSwitch
features are available. For example, OpenFlow features for
connection-tracking are available only when capabilities:ct_state
is true. A controller that wishes to determine whether a feature
is supported could, therefore, consult the relevant capabilities
in this table. However, as a general rule, it is better for a
controller to try to use the higher-level feature and use the
result as an indication of support, since the low-level
capabilities are more likely to shift over time than the
high-level features that rely on them.
capabilities : max_vlan_headers: optional string, containing an integer, at least 0
Number of 802.1q VLAN headers supported by the datapath,
as probed by the ovs-vswitchd slow path. If the datapath
supports more VLAN headers than the slow path, this
reports the slow path's limit. The value of
other-config:vlan-limit in the Open_vSwitch table does not
influence the number reported here.
capabilities : recirc: optional string, either true or false
If this is true, then the datapath supports recirculation,
specifically OVS_KEY_ATTR_RECIRC_ID. Recirculation enables
higher performance for MPLS and active-active load
balancing bonding modes.
capabilities : lb_output_action: optional string, either true or false
If this is true, then the datapath supports optimized
balance-tcp bond mode. This capability replaces the existing
hash and recirc actions with the new action lb_output and
avoids recirculation of the packet in the datapath. It is
supported only for balance-tcp bond mode in the netdev
datapath. The new action gives higher performance by using
bond buckets instead of post-recirculation flows for
selection of the slave port from the bond. By default this new
action is disabled; however, it can be enabled by setting
other-config:lb-output-action in the Port table.
Connection-Tracking Capabilities:
These capabilities are granular because Open vSwitch and its
datapaths added support for connection tracking over several
releases, with features added individually over that time.
capabilities : ct_state: optional string, either true or false
If true, datapath supports OVS_KEY_ATTR_CT_STATE, which
indicates support for the bits in the OpenFlow ct_state
field (see ovs-fields(7)) other than snat and dnat, which
have a separate capability.
If this is false, the datapath does not support
connection-tracking at all and the remaining
connection-tracking capabilities should all be false. In this case,
Open vSwitch will reject flows that match on the ct_state
field or use the ct action.
capabilities : ct_state_nat: optional string, either true or false
If true, it means that the datapath supports the snat and
dnat flags in the OpenFlow ct_state field. The ct_state
capability must be true for this to make sense.
If false, Open vSwitch will reject flows that match on the
snat or dnat bits in ct_state or use nat in the ct action.
capabilities : ct_zone: optional string, either true or false
If true, datapath supports OVS_KEY_ATTR_CT_ZONE. If false,
Open vSwitch rejects flows that match on the ct_zone field
or that specify a nonzero zone or a zone field on the ct
action.
capabilities : ct_mark: optional string, either true or false
If true, datapath supports OVS_KEY_ATTR_CT_MARK. If false,
Open vSwitch rejects flows that match on the ct_mark field
or that set ct_mark in the ct action.
capabilities : ct_label: optional string, either true or false
If true, datapath supports OVS_KEY_ATTR_CT_LABEL. If
false, Open vSwitch rejects flows that match on the
ct_label field or that set ct_label in the ct action.
capabilities : ct_orig_tuple: optional string, either true or false
If true, the datapath supports matching the 5-tuple from
the connection's original direction for IPv4 traffic. If
false, Open vSwitch rejects flows that match on ct_nw_src
or ct_nw_dst, that use the ct feature of the resubmit
action, or the force keyword in the ct action. (The latter
isn't tied to connection tracking support of original
tuples in any technical way. They are conflated because
all current datapaths implemented the two features at the
same time.)
If this and capabilities:ct_orig_tuple6 are both false,
Open vSwitch rejects flows that match on ct_nw_proto,
ct_tp_src, or ct_tp_dst.
capabilities : ct_orig_tuple6: optional string, either true or false
If true, the datapath supports matching the 5-tuple from
the connection's original direction for IPv6 traffic. If
false, Open vSwitch rejects flows that match on
ct_ipv6_src or ct_ipv6_dst.
capabilities : masked_set_action: optional string, either true or false
True if the datapath supports masked data in
OVS_ACTION_ATTR_SET actions. Masked data can improve
performance by allowing megaflows to match on fewer
fields.
capabilities : tnl_push_pop: optional string, either true or false
True if the datapath supports tnl_push and pop actions.
This is a prerequisite for a datapath to support native
tunneling.
capabilities : ufid: optional string, either true or false
True if the datapath supports OVS_FLOW_ATTR_UFID. UFID
support improves revalidation performance by transferring
less data between the slow path and the datapath.
capabilities : trunc: optional string, either true or false
True if the datapath supports the OVS_ACTION_ATTR_TRUNC
action. If false, the output action with packet truncation
requires every packet to be sent to the Open vSwitch slow
path, which is likely to make it too slow for mirroring
traffic in bulk.
capabilities : nd_ext: optional string, either true or false
True if the datapath supports OVS_KEY_ATTR_ND_EXTENSIONS
to match on ICMPv6 "ND reserved" and "ND option type"
header fields. If false, the datapath reports an error if the
feature is used.
Clone Actions:
When Open vSwitch translates actions from OpenFlow into the
datapath representation, some of the datapath actions may modify
the packet or have other side effects that later datapath actions
can't undo. The OpenFlow ct, meter, output with truncation,
encap, decap, and dec_nsh_ttl actions fall into this category.
Often, this is not a problem because nothing later on needs the
original packet.
Such actions can, however, occur in circumstances where the
translation does require the original packet. For example, an
OpenFlow output action might direct a packet to a patch port,
which might in turn lead to a ct action that NATs the packet
(which cannot be undone), and then afterward when control flow
pops back across the patch port some other action might need to
act on the original packet.
Open vSwitch has two different ways to implement this "save and
restore" via datapath actions. These capabilities indicate which
one Open vSwitch will choose. When neither is available, Open
vSwitch simply fails in situations that require this feature.
capabilities : clone: optional string, either true or false
True if the datapath supports the OVS_ACTION_ATTR_CLONE
action. This is the preferred option for saving and
restoring packets, since it is intended for the purpose,
but old datapaths do not support it. Open vSwitch will use
it whenever it is available.
(The OpenFlow clone action does not always yield an
OVS_ACTION_ATTR_CLONE action. It only does so when the
datapath supports it and the clone brackets actions that
otherwise cannot be undone.)
capabilities : sample_nesting: optional string, containing an integer, at least 0
Maximum level of nesting allowed by the OVS_ACTION_ATTR_SAMPLE
action. Open vSwitch misuses this action for saving and
restoring packets when the datapath supports more than 3
levels of nesting and OVS_ACTION_ATTR_CLONE is not
available.
capabilities : ct_eventmask: optional string, either true or false
True if the datapath's OVS_ACTION_ATTR_CT action
implements the OVS_CT_ATTR_EVENTMASK attribute. When this
is true, Open vSwitch uses the event mask feature to limit
the kinds of events reported to conntrack update
listeners. When Open vSwitch doesn't limit the event mask,
listeners receive reports of numerous usually unimportant
events, such as TCP state machine changes, which can waste
CPU time.
capabilities : ct_clear: optional string, either true or false
True if the datapath supports the OVS_ACTION_ATTR_CT_CLEAR
action. If false, the OpenFlow ct_clear action has no
effect on the datapath.
capabilities : max_hash_alg: optional string, containing an integer, at least 0
Highest supported dp_hash algorithm. This allows Open
vSwitch to avoid requesting a packet hash that the
datapath does not support.
capabilities : check_pkt_len: optional string, either true or false
True if the datapath supports
OVS_ACTION_ATTR_CHECK_PKT_LEN. If false, Open vSwitch
implements the check_pkt_larger action by sending every
packet through the Open vSwitch slow path, which is likely
to make it too slow for handling traffic in bulk.
capabilities : ct_timeout: optional string, either true or false
True if the datapath supports OVS_CT_ATTR_TIMEOUT in the
OVS_ACTION_ATTR_CT action. If false, Open vSwitch cannot
implement timeout policies based on connection tracking
zones, as configured through the CT_Timeout_Policy table.
capabilities : explicit_drop_action: optional string, either true or false
True if the datapath supports OVS_ACTION_ATTR_DROP. If
false, the explicit drop action will not be sent to the
datapath.
capabilities : ct_zero_snat: optional string, either true or false
True if the datapath supports all-zero SNAT. This is a
special case if the src IP address is configured as all
0's, i.e., nat(src=0.0.0.0). In this case, when a source
port collision is detected during the commit, the source
port will be translated to an ephemeral port. If there is
no collision, no SNAT is performed.
Common Columns:
The overall purpose of these columns is described under Common
Columns at the beginning of this document.
external_ids: map of string-string pairs
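The rules given above for the connection-tracking capabilities and for the clone/sample "save and restore" choice, applied to one capabilities map. This is an added example, not code from Open vSwitch; the function names, the constructed sample map and the treatment of a missing key as unsupported are assumptions.

```python
# Added example (not Open vSwitch code): audit a Datapath "capabilities" map.
# OpenFlow features Open vSwitch rejects when a capability is false (per the text).
REJECTED_WHEN_FALSE = {
    "ct_state": ["match ct_state", "ct action"],
    "ct_state_nat": ["match snat/dnat in ct_state", "nat in ct action"],
    "ct_zone": ["match ct_zone", "nonzero zone or zone field in ct action"],
    "ct_mark": ["match ct_mark", "set ct_mark in ct action"],
    "ct_label": ["match ct_label", "set ct_label in ct action"],
    "ct_orig_tuple": ["match ct_nw_src/ct_nw_dst", "ct feature of resubmit",
                      "force keyword in ct action"],
    "ct_orig_tuple6": ["match ct_ipv6_src/ct_ipv6_dst"],
}

def is_true(caps, key):
    # Values are optional strings; assumption: a missing key means unsupported.
    return caps.get(key) == "true"

def rejected_features(caps):
    """List the OpenFlow conntrack features this datapath cannot accept."""
    out = [f for cap, feats in REJECTED_WHEN_FALSE.items()
           if not is_true(caps, cap) for f in feats]
    if not is_true(caps, "ct_orig_tuple") and not is_true(caps, "ct_orig_tuple6"):
        out.append("match ct_nw_proto/ct_tp_src/ct_tp_dst")
    return out

def inconsistencies(caps):
    """ct_state false implies every other conntrack capability should be false."""
    if is_true(caps, "ct_state"):
        return []
    return sorted(k for k in REJECTED_WHEN_FALSE
                  if k != "ct_state" and is_true(caps, k))

def save_restore_mechanism(caps):
    """clone is preferred; sample is the fallback only above 3 nesting levels."""
    if is_true(caps, "clone"):
        return "clone"
    if int(caps.get("sample_nesting", "0")) > 3:
        return "sample"
    return None  # translations that need the original packet fail

# Constructed sample: an older datapath without NAT, original-tuple or clone support.
SAMPLE_CAPS = {
    "ct_state": "true", "ct_state_nat": "false", "ct_zone": "true",
    "ct_mark": "true", "ct_label": "true", "ct_orig_tuple": "false",
    "ct_orig_tuple6": "false", "clone": "false", "sample_nesting": "10",
}

if __name__ == "__main__":
    print(rejected_features(SAMPLE_CAPS), save_restore_mechanism(SAMPLE_CAPS))
```

A non-empty result from rejected_features means flows relying on those matches or actions will not install on this datapath, which matters when they carry stateful filtering policy.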