File: vswitch.xml

package info (click to toggle)
openvswitch 3.5.0-1
links: PTS, VCS
area: main
in suites: trixie
size: 97,848 kB
sloc: sh: 1,643,930; ansic: 313,386; python: 27,939; xml: 21,526; makefile: 546; javascript: 191
file content (7216 lines) | stat: -rw-r--r-- 304,678 bytes
<?xml version="1.0" encoding="utf-8"?>
<database name="ovs-vswitchd.conf.db" title="Open vSwitch Configuration Database">
  <p>
    A database with this schema holds the configuration for one Open
    vSwitch daemon.  The top-level configuration for the daemon is the
    <ref table="Open_vSwitch"/> table, which must have exactly one
    record.  Records in other tables are significant only when they
    can be reached directly or indirectly from the <ref
    table="Open_vSwitch"/> table.  Records that are not reachable from
    the <ref table="Open_vSwitch"/> table are automatically deleted
    from the database, except for records in a few distinguished
    ``root set'' tables.
  </p>

  <h2>Common Columns</h2>

  <p>
    Most tables contain two special columns, named <code>other_config</code>
    and <code>external_ids</code>.  These columns have the same form and
    purpose each place that they appear, so we describe them here to save space
    later.
  </p>

  <dl>
    <dt><code>other_config</code>: map of string-string pairs</dt>
    <dd>
      <p>
        Key-value pairs for configuring rarely used features.  Supported keys,
        along with the forms taken by their values, are documented individually
        for each table.
      </p>
      <p>
        A few tables do not have <code>other_config</code> columns because no
        key-value pairs have yet been defined for them.
      </p>
    </dd>

    <dt><code>external_ids</code>: map of string-string pairs</dt>
    <dd>
      Key-value pairs for use by external frameworks that integrate with Open
      vSwitch, rather than by Open vSwitch itself.  System integrators should
      either use the Open vSwitch development mailing list to coordinate on
      common key-value definitions, or choose key names that are likely to be
      unique.  In some cases, where key-value pairs have been defined that are
      likely to be widely useful, they are documented individually for each
      table.
    </dd>
  </dl>

  <table name="Open_vSwitch" title="Open vSwitch configuration.">
    Configuration for an Open vSwitch daemon.  There must be exactly
    one record in the <ref table="Open_vSwitch"/> table.

    <group title="Configuration">
      <column name="datapaths">
        Map of datapath types to datapaths.  The
        <ref column="datapath_type"/> column of the <ref table="Bridge"/>
        table is used as a key for this map.  The value points to a row in
        the <ref table="Datapath"/> table.
      </column>

      <column name="bridges">
        Set of bridges managed by the daemon.
      </column>

      <column name="ssl">
        SSL/TLS used globally by the daemon.
      </column>

      <column name="external_ids" key="system-id">
        A unique identifier for the Open vSwitch's physical host.
        The form of the identifier depends on the type of the host.
      </column>

      <column name="external_ids" key="hostname">
        The hostname for the host running Open vSwitch. This is a fully
        qualified domain name since version 2.6.2.
      </column>

      <column name="external_ids" key="rundir">
        In Open vSwitch 2.8 and later, the run directory of the running Open
        vSwitch daemon.  This directory is used for runtime state such as
        control and management sockets.  The value of <ref
        column="other_config" key="vhost-sock-dir"/> is relative to this
        directory.
      </column>

      <column name="other_config" key="stats-update-interval"
              type='{"type": "integer", "minInteger": 5000}'>
        <p>
          Interval for updating statistics to the database, in milliseconds.
          This option will affect the update of the <code>statistics</code>
          column in the following tables: <code>Port</code>, <code>Interface
          </code>, <code>Mirror</code>.
        </p>
        <p>
          Default value is 5000 ms.
        </p>
        <p>
          Getting statistics more frequently can be achieved via OpenFlow.
        </p>
      </column>

      <column name="other_config" key="flow-restore-wait"
              type='{"type": "boolean"}'>
        <p>
          When <code>ovs-vswitchd</code> starts up, it has an empty flow table
          and therefore it handles all arriving packets in its default fashion
          according to its configuration, by dropping them or sending them to
          an OpenFlow controller or switching them as a standalone switch.
          This behavior is ordinarily desirable.  However, if
          <code>ovs-vswitchd</code> is restarting as part of a ``hot-upgrade,''
          then this leads to a relatively long period during which packets are
          mishandled.
        </p>
        <p>
          This option allows for improvement.  When <code>ovs-vswitchd</code>
          starts with this value set as <code>true</code>, it will neither
          flush or expire previously set datapath flows nor will it send and
          receive any packets to or from the datapath.  When this value is
          later set to <code>false</code>, <code>ovs-vswitchd</code> will
          start receiving packets from the datapath and re-setup the flows.
        </p>
        <p>
          Additionally, <code>ovs-vswitchd</code> is prevented from connecting
          to controllers when this value is set to <code>true</code>. This
          prevents controllers from making changes to the flow table in the
          middle of flow restoration, which could result in undesirable
          intermediate states. Once this value has been set to
          <code>false</code> and the desired flow state has been
          restored, <code>ovs-vswitchd</code> will be able to reconnect to
          controllers and process any new flow table modifications.
        </p>
        <p>
          Thus, with this option, the procedure for a hot-upgrade of
          <code>ovs-vswitchd</code> becomes roughly the following:
        </p>
        <ol>
          <li>
            Stop <code>ovs-vswitchd</code>.
          </li>
          <li>
            Set <ref column="other_config" key="flow-restore-wait"/>
            to <code>true</code>.
          </li>
          <li>
            Start <code>ovs-vswitchd</code>.
          </li>
          <li>
            Use <code>ovs-ofctl</code> (or some other program, such as an
            OpenFlow controller) to restore the OpenFlow flow table
            to the desired state.
          </li>
          <li>
            Set <ref column="other_config" key="flow-restore-wait"/>
            to <code>false</code> (or remove it entirely from the database).
          </li>
        </ol>
        <p>
          The <code>ovs-ctl</code>'s ``restart'' and ``force-reload-kmod''
          functions use the above config option during hot upgrades.
        </p>
      </column>

      <column name="other_config" key="flow-limit"
              type='{"type": "integer", "minInteger": 0}'>
        <p>
          The maximum
          number of flows allowed in the datapath flow table.  Internally OVS
          will choose a flow limit which will likely be lower than this number,
          based on real time network conditions. Tweaking this value is
          discouraged unless you know exactly what you're doing.
        </p>
        <p>
          The default is 200000.
        </p>
      </column>

      <column name="other_config" key="max-idle"
              type='{"type": "integer", "minInteger": 500}'>
        <p>
          The maximum time (in ms) that idle flows will remain cached in the
          datapath. Internally OVS will check the validity and activity for
          datapath flows regularly and may expire flows quicker than this
          number, based on real time network conditions. Tweaking this
          value is discouraged unless you know exactly what you're doing.
        </p>
        <p>
          The default is 10000.
        </p>
    </column>

      <column name="other_config" key="max-revalidator"
              type='{"type": "integer", "minInteger": 100}'>
        <p>
          The maximum time (in ms) that revalidator threads will wait before
          executing flow revalidation. Note that this is maximum allowed value.
          Actual timeout used by OVS is minimum of max-idle and max-revalidator
          values. Tweaking this value is discouraged unless you know exactly
          what you're doing.
        </p>
        <p>
          The default is 500.
        </p>
      </column>

      <column name="other_config" key="min-revalidate-pps"
              type='{"type": "integer", "minInteger": 0}'>
        <p>
          Set minimum pps that flow must have in order to be revalidated when
          revalidation duration exceeds half of max-revalidator config variable.
          Setting to 0 means always revalidate flows regardless of pps.
        </p>
        <p>
          The default is 5.
        </p>
      </column>

      <column name="other_config" key="offloaded-stats-delay"
              type='{"type": "integer", "minInteger": 0}'>
        <p>
          Set worst case delay (in ms) it might take before statistics of
          offloaded flows are updated. Offloaded flows younger than this
          delay will always be revalidated regardless of
          <ref column="other_config" key="min-revalidate-pps"/>.
        </p>
        <p>
          The default is 2000.
        </p>
      </column>

      <column name="other_config" key="hw-offload"
              type='{"type": "boolean"}'>
        <p>
          Set this value to <code>true</code> to enable netdev flow offload.
        </p>
        <p>
          The default value is <code>false</code>. Changing this value requires
          restarting the daemon
        </p>
        <p>
          Currently Open vSwitch supports hardware offloading on
          Linux systems.  On other systems, this value is ignored.
          This functionality is considered 'experimental'. Depending
          on which OpenFlow matches and actions are configured,
          which kernel version is used, and what hardware is
          available, Open vSwitch may not be able to offload
          functionality to hardware.
        </p>
        <p>
          In order to dump HW offloaded flows use
          <code>ovs-appctl dpctl/dump-flows</code>, <code>ovs-dpctl</code>
          doesn't support this functionality. See ovs-vswitchd(8) for details.
        </p>
      </column>

      <column name="other_config" key="n-offload-threads"
              type='{"type": "integer", "minInteger": 1, "maxInteger": 10}'>
        <p>
          Set this value to the number of threads created to manage hardware
          offloads.
        </p>
        <p>
          The default value is <code>1</code>. Changing this value requires
          restarting the daemon.
        </p>
        <p>
          This is only relevant for userspace datapath and only if
          <ref column="other_config" key="hw-offload"/> is enabled.
        </p>
      </column>

      <column name="other_config" key="tc-policy"
              type='{"type": "string",
                     "enum": ["set", ["none", "skip_sw", "skip_hw"]]}'>
        <p>
          Specified the policy used with HW offloading.
          Options:
          <dl>
            <dt><code>none</code></dt>
            <dd>Add software rule and offload rule to HW.</dd>
            <dt><code>skip_sw</code></dt>
            <dd>Offload rule to HW only.</dd>
            <dt><code>skip_hw</code></dt>
            <dd>Add software rule without offloading rule to HW.</dd>
          </dl>
        </p>
        <p>
          This is only relevant if
          <ref column="other_config" key="hw-offload"/> is enabled.
        </p>
        <p>
          The default value is <code>none</code>.
        </p>
      </column>

      <column name="other_config" key="dpdk-init"
              type='{"type": "string",
                     "enum": ["set", ["false", "true", "try"]]}'>
        <p>
          Set this value to <code>true</code> or <code>try</code> to enable
          runtime support for DPDK ports. The vswitch must have compile-time
          support for DPDK as well.
        </p>
        <p>
          A value of <code>true</code> will cause the ovs-vswitchd process to
          abort if DPDK cannot be initialized. A value of <code>try</code>
          will allow the ovs-vswitchd process to continue running even if DPDK
          cannot be initialized.
        </p>
        <p>
          The default value is <code>false</code>. Changing this value requires
          restarting the daemon
        </p>
        <p>
          If this value is <code>false</code> at startup, any dpdk ports which
          are configured in the bridge will fail due to memory errors.
        </p>
      </column>

      <column name="other_config" key="dpdk-lcore-mask"
              type='{"type": "integer", "minInteger": 1}'>
        <p>
          Specifies the CPU cores where dpdk lcore threads should be spawned.
          The DPDK lcore threads are used for DPDK library tasks, such as
          library internal message processing, logging, etc. Value should be in
          the form of a hex string (so '0x123') similar to the 'taskset' mask
          input.
        </p>
        <p>
          The lowest order bit corresponds to the first CPU core.  A set bit
          means the corresponding core is available and an lcore thread will be
          created and pinned to it.  If the input does not cover all cores,
          those uncovered cores are considered not set.
        </p>
        <p>
          For performance reasons, it is best to set this to a single core on
          the system, rather than allow lcore threads to float.
        </p>
        <p>
          If not specified, the value will be determined by choosing the lowest
          CPU core from initial cpu affinity list. Otherwise, the value will be
          passed directly to the DPDK library.
        </p>
      </column>

      <column name="other_config" key="pmd-cpu-mask">
        <p>
          Specifies CPU mask for setting the cpu affinity of PMD (Poll
          Mode Driver) threads.  Value should be in the form of hex string,
          similar to the dpdk EAL '-c COREMASK' option input or the 'taskset'
          mask input.
        </p>
        <p>
          The lowest order bit corresponds to the first CPU core.  A set bit
          means the corresponding core is available and a pmd thread will be
          created and pinned to it.  If the input does not cover all cores,
          those uncovered cores are considered not set.
        </p>
        <p>
          If not specified, one pmd thread will be created for each numa node
          and pinned to any available core on the numa node by default.
        </p>
      </column>

      <column name="other_config" key="dpdk-alloc-mem"
              type='{"type": "integer", "minInteger": 0}'>
        <p>
          Specifies the amount of memory to preallocate from the hugepage pool,
          regardless of socket. It is recommended that dpdk-socket-mem is used
          instead.
        </p>
      </column>

      <column name="other_config" key="dpdk-socket-mem"
              type='{"type": "string"}'>
        <p>
          Specifies the amount of memory to preallocate from the hugepage pool,
          on a per-socket basis.
        </p>
        <p>
          The specifier is a comma-separated string, in ascending order of CPU
          socket. E.g. On a four socket system 1024,0,2048 would set socket 0
          to preallocate 1024MB, socket 1 to preallocate 0MB, socket 2 to
          preallocate 2048MB and socket 3 (no value given) to preallocate 0MB.
        </p>
        <p>
          If <ref column="other_config" key="dpdk-socket-mem"/> and
          <ref column="other_config" key="dpdk-alloc-mem"/> are not specified,
          neither will be used and there will be no default value for each numa
          node.  DPDK defaults will be used instead.
          If <ref column="other_config" key="dpdk-socket-mem"/> and
          <ref column="other_config" key="dpdk-alloc-mem"/> are specified at
          the same time, <ref column="other_config" key="dpdk-socket-mem"/>
          will be used as default.
          Changing this value requires restarting the daemon.
        </p>
      </column>

      <column name="other_config" key="dpdk-socket-limit"
              type='{"type": "string"}'>
        <p>
          Limits the maximum amount of memory that can be used from the
          hugepage pool, on a per-socket basis.
        </p>
        <p>
          The specifier is a comma-separated list of memory limits per socket.
          <code>0</code> will disable the limit for a particular socket.
        </p>
        <p>
          If not specified, OVS will not configure limits by default.
          Changing this value requires restarting the daemon.
        </p>
      </column>

      <column name="other_config" key="dpdk-hugepage-dir"
              type='{"type": "string"}'>
        <p>
          Specifies the path to the hugetlbfs mount point.
        </p>
        <p>
          If not specified, this will be guessed by the DPDK library (default
          is /dev/hugepages). Changing this value requires restarting the
          daemon.
        </p>
      </column>

      <column name="other_config" key="dpdk-extra"
              type='{"type": "string"}'>
        <p>
          Specifies additional eal command line arguments for DPDK.
        </p>
        <p>
          The default is empty. Changing this value requires restarting the
          daemon
        </p>
      </column>

      <column name="other_config" key="vhost-sock-dir"
              type='{"type": "string"}'>
        <p>
          Specifies a relative path from <ref column="external_ids"
          key="rundir"/> to the vhost-user unix domain socket files.  If this
          value is unset, the sockets are put directly in <ref
          column="external_ids" key="rundir"/>.
        </p>
        <p>
          Changing this value requires restarting the daemon.
        </p>
      </column>

      <column name="other_config" key="vhost-iommu-support"
              type='{"type": "boolean"}'>
        <p>
          vHost IOMMU is a security feature, which restricts the vhost memory
          that a virtio device may access. vHost IOMMU support is disabled by
          default, due to a bug in QEMU implementations of the vhost REPLY_ACK
          protocol, (on which vHost IOMMU relies) prior to v2.9.1. Setting this
          value to <code>true</code> enables vHost IOMMU support for vHost User
          Client ports in OvS-DPDK, starting from DPDK v17.11.
        </p>
        <p>
          Changing this value requires restarting the daemon.
        </p>
      </column>

      <column name="other_config" key="vhost-postcopy-support"
              type='{"type": "boolean"}'>
        <p>
          vHost post-copy is a feature which allows switching live migration
          of VM attached to dpdkvhostuserclient port to post-copy mode if
          default pre-copy migration can not be converged or takes too long to
          converge.
          Setting this value to <code>true</code> enables vHost post-copy
          support for all dpdkvhostuserclient ports. Available starting from
          DPDK v18.11 and QEMU 2.12.
        </p>
        <p>
          Changing this value requires restarting the daemon.
        </p>
      </column>

      <column name="other_config" key="per-port-memory"
              type='{"type": "boolean"}'>
        <p>
          By default OVS DPDK uses a shared memory model wherein devices
          that have the same MTU and socket values can share the same
          mempool. Setting this value to <code>true</code> changes this
          behaviour. Per port memory allow DPDK devices to use private
          memory per device. This can provide greater transparency as
          regards memory usage but potentially at the cost of greater memory
          requirements.
        </p>
        <p>
          Changing this value requires restarting the daemon if dpdk-init has
          already been set to true.
        </p>
      </column>

      <column name="other_config" key="shared-mempool-config">
              <p>Specifies dpdk shared mempool config.</p>
              <p>Value should be set in the following form:</p>
              <p>
                <code>other_config:shared-mempool-config=&lt;
                  user-shared-mempool-mtu-list&gt;</code>
              </p>
              <p>where</p>
              <p>
                <ul>
                  <li>
                    &lt;user-shared-mempool-mtu-list&gt; ::=
                    NULL | &lt;non-empty-list&gt;
                  </li>
                  <li>
                    &lt;non-empty-list&gt; ::= &lt;user-mtus&gt; |
                                               &lt;user-mtus&gt; ,
                                               &lt;non-empty-list&gt;
                  </li>
                  <li>
                    &lt;user-mtus&gt; ::= &lt;mtu-all-socket&gt; |
                                          &lt;mtu-socket-pair&gt;
                  </li>
                  <li>
                    &lt;mtu-all-socket&gt; ::= &lt;mtu&gt;
                  </li>
                  <li>
                    &lt;mtu-socket-pair&gt; ::= &lt;mtu&gt; : &lt;socket-id&gt;
                  </li>
                </ul>
              </p>
        <p>
          Changing this value requires restarting the daemon if dpdk-init has
          already been set to true.
        </p>
      </column>

      <column name="other_config" key="tx-flush-interval"
              type='{"type": "integer",
                     "minInteger": 0, "maxInteger": 1000000}'>
        <p>
          Specifies the time in microseconds that a packet can wait in output
          batch for sending i.e. amount of time that packet can spend in an
          intermediate output queue before sending to netdev.
          This option can be used to configure balance between throughput
          and latency. Lower values decreases latency while higher values
          may be useful to achieve higher performance.
        </p>
        <p>
          Defaults to 0 i.e. instant packet sending (latency optimized).
        </p>
      </column>

      <column name="other_config" key="pmd-perf-metrics"
              type='{"type": "boolean"}'>
        <p>
          Enables recording of detailed PMD performance metrics for analysis
          and trouble-shooting. This can have a performance impact in the
          order of 1%.
        </p>
        <p>
          Defaults to false but can be changed at any time.
        </p>
      </column>

      <column name="other_config" key="smc-enable"
              type='{"type": "boolean"}'>
        <p>
          Signature match cache or SMC is a cache between EMC and megaflow
          cache. It does not store the full key of the flow, so it is more
          memory efficient comparing to EMC cache. SMC is especially useful
          when flow count is larger than EMC capacity.
        </p>
        <p>
          Defaults to false but can be changed at any time.
        </p>
      </column>

      <column name="other_config" key="pmd-rxq-assign"
              type='{"type": "string",
                     "enum": ["set", ["cycles", "roundrobin", "group"]]}'>
        <p>
          Specifies how RX queues will be automatically assigned to CPU cores.
          Options:
          <dl>
            <dt><code>cycles</code></dt>
            <dd>Rxqs will be sorted by order of measured processing cycles
            before being assigned to CPU cores.</dd>
            <dt><code>roundrobin</code></dt>
            <dd>Rxqs will be round-robined across CPU cores.</dd>
            <dt><code>group</code></dt>
            <dd>Rxqs will be sorted by order of measured processing cycles
            before being assigned to CPU cores with lowest estimated load.</dd>
          </dl>
        </p>
        <p>
          The default value is <code>cycles</code>.
        </p>
        <p>
          Changing this value will affect an automatic re-assignment of Rxqs to
          CPUs. Note: Rxqs mapped to CPU cores with
          <code>pmd-rxq-affinity</code> are unaffected.
        </p>
      </column>

      <column name="other_config" key="pmd-rxq-isolate"
              type='{"type": "boolean"}'>
        <p>
          Specifies if a CPU core will be isolated after being pinned with
          an Rx queue.
        <p/>
          Set this value to <code>false</code> to non-isolate a CPU core after
          it is pinned with an Rxq using <code>pmd-rxq-affinity</code>. This
          will allow OVS to assign other Rxqs to that CPU core.
        </p>
        <p>
          The default value is <code>true</code>.
        </p>
        <p>
          This can only be <code>false</code> when <code>pmd-rxq-assign</code>
          is set to <code>group</code>.
        </p>
      </column>

      <column name="other_config" key="n-handler-threads"
              type='{"type": "integer", "minInteger": 1}'>
        <p>
          Attempts to specify the number of threads for software datapaths to
          use for handling new flows.  Some datapaths may choose to ignore
          this and it will be set to a sensible option for the datapath type.
        </p>
        <p>
          This configuration is per datapath.  If you have more than one
          software datapath (e.g. some <code>system</code> bridges and some
          <code>netdev</code> bridges), then the total number of threads is
          <code>n-handler-threads</code> times the number of software
          datapaths.
        </p>
      </column>

      <column name="other_config" key="n-revalidator-threads"
              type='{"type": "integer", "minInteger": 1}'>
        <p>
          Attempts to specify the number of threads for software datapaths to
          use for revalidating flows in the datapath.  Some datapaths may
          choose to ignore this and will set to a sensible option for the
          datapath type.
        </p>
        <p>
          Typically, there is a direct correlation between the
          number of revalidator threads, and the number of flows allowed in the
          datapath.  The default is the number of cpu cores divided by four
          plus one.  If <code>n-handler-threads</code> is set, the default
          changes to the number of cpu cores minus the number
          of handler threads.
        </p>
        <p>
          This configuration is per datapath.  If you have more than one
          software datapath (e.g. some <code>system</code> bridges and some
          <code>netdev</code> bridges), then the total number of threads is
          <code>n-handler-threads</code> times the number of software
          datapaths.
        </p>
      </column>

      <column name="other_config" key="emc-insert-inv-prob"
              type='{"type": "integer", "minInteger": 0, "maxInteger": 4294967295}'>
        <p>
          Specifies the inverse probability (1/emc-insert-inv-prob) of a flow
          being inserted into the Exact Match Cache (EMC). On average one in
          every <code>emc-insert-inv-prob</code> packets that generate a unique
          flow will cause an insertion into the EMC.

          A value of 1 will result in an insertion for every flow (1/1 = 100%)
          whereas a value of zero will result in no insertions and essentially
          disable the EMC.
        </p>
        <p>
          Defaults to 100 ie. there is (1/100 =) 1% chance of EMC insertion.
        </p>
      </column>

      <column name="other_config" key="vlan-limit"
              type='{"type": "integer", "minInteger": 0}'>
        <p>
          Limits the number of VLAN headers that can be matched to the
          specified number.  Further VLAN headers will be treated as payload,
          e.g. a packet with more 802.1q headers will match Ethernet type
          0x8100.
        </p>

        <p>
          Open vSwitch userspace currently supports at most 2 VLANs, and each
          datapath has its own limit.  If <code>vlan-limit</code> is nonzero,
          it acts as a further limit.
        </p>

        <p>
          If this value is absent, the default is currently 1.  This maintains
          backward compatibility with controllers that were designed for use
          with Open vSwitch versions earlier than 2.8, which only supported one
          VLAN.
        </p>
      </column>
      <column name="other_config" key="bundle-idle-timeout"
              type='{"type": "integer", "minInteger": 1}'>
        <p>
          The maximum time (in seconds) that idle bundles will wait
          to be expired since it was either opened, modified or closed.
        </p>
        <p>
          OpenFlow specification mandates the timeout to be at least one
          second. The default is 10 seconds.
        </p>
      </column>

      <column name="other_config" key="offload-rebalance"
              type='{"type": "boolean"}'>
        <p>
            Configures HW offload rebalancing, that allows to dynamically
            offload and un-offload flows while an offload-device is out of
            resources (OOR). This policy allows flows to be selected for
            offloading based on the packets-per-second (pps) rate of flows.
        </p>
        <p>
          Set this value to <code>true</code> to enable this option.
        </p>
        <p>
          The default value is <code>false</code>. Changing this value requires
          restarting the daemon.
        </p>
        <p>
            This is only relevant if HW offloading is enabled (hw-offload).
            When this policy is enabled, it also requires 'tc-policy' to
            be set to 'skip_sw'.
        </p>
      </column>
      <column name="other_config" key="pmd-auto-lb"
              type='{"type": "boolean"}'>
        <p>
         Configures PMD Auto Load Balancing that allows automatic assignment of
         RX queues to PMDs if any of PMDs is overloaded (i.e. a processing
         cycles >
         <ref column="other_config" key="pmd-auto-lb-load-threshold"/>).
        </p>
        <p>
         It uses current scheme of cycle based assignment of RX queues that
         are not statically pinned to PMDs.
        </p>
        <p>
          The default value is <code>false</code>.
        </p>
        <p>
          Set this value to <code>true</code> to enable this option. It is
          currently disabled by default and an experimental feature.
        </p>
        <p>
         This only comes in effect if cycle based assignment is enabled and
         there are more than one non-isolated PMDs present and at least one of
         it polls more than one queue.
        </p>
      </column>
      <column name="other_config" key="pmd-auto-lb-rebal-interval"
              type='{"type": "integer",
                     "minInteger": 0, "maxInteger": 20000}'>
        <p>
         The minimum time (in minutes) 2 consecutive PMD Auto Load Balancing
         iterations.
        </p>
        <p>
         The default value is 1 min. If configured to 0 then it would be
         converted to default value i.e. 1 min
        </p>
        <p>
         This option can be configured to avoid frequent trigger of auto load
         balancing of PMDs. For e.g. set the value (in min) such that it occurs
         once in few hours or a day or a week.
        </p>
      </column>
      <column name="other_config" key="pmd-auto-lb-load-threshold"
              type='{"type": "integer", "minInteger": 0, "maxInteger": 100}'>
        <p>
         Specifies the minimum PMD thread load threshold (% of used cycles) of
         any non-isolated PMD threads when a PMD Auto Load Balance may be
         triggered.
        </p>
        <p>
         The default value is <code>95%</code>.
        </p>
      </column>
      <column name="other_config" key="pmd-auto-lb-improvement-threshold"
              type='{"type": "integer", "minInteger": 0, "maxInteger": 100}'>
        <p>
         Specifies the minimum evaluated % improvement in load distribution
         across the non-isolated PMD threads that will allow a PMD Auto Load
         Balance to occur.
        </p>
        <p>
         Note, setting this parameter to 0 will always allow an auto load
         balance to occur regardless of estimated improvement or not.
        </p>
        <p>
         The default value is <code>25%</code>.
        </p>
      </column>
      <column name="other_config" key="pmd-sleep-max">
        <p>
          Specifies the maximum sleep time that will be requested in
          microseconds per iteration for a PMD thread which has received zero
          or a small amount of packets from the Rx queues it is polling.
        </p>
        <p>
          The actual sleep time requested is based on the load
          of the Rx queues that the PMD polls and may be less than
          the maximum value.
        </p>
        <p>
          The default value is <code>0 microseconds</code>, which means
          that the PMD will not sleep regardless of the load from the
          Rx queues that it polls.
        </p>
        <p>
          The maximum value is <code>10000 microseconds</code>.
        </p>
        <p>
         <code>other_config:pmd-sleep-max=&lt;pmd-sleep-list&gt;</code>
        </p>
        <p>where</p>
        <p>
         <ul>
           <li>
             &lt;pmd-sleep-list&gt; ::= NULL | &lt;non-empty-list&gt;
           </li>
           <li>
             &lt;non-empty-list&gt; ::= &lt;pmd-sleep-value&gt; |
                                        &lt;pmd-sleep-value&gt; ,
                                        &lt;non-empty-list&gt;
           </li>
           <li>
             &lt;pmd-sleep-value&gt; ::= &lt;global-default-sleep-value&gt; |
                                         &lt;pmd-core-sleep-pair&gt;
           </li>
           <li>
             &lt;global-default-sleep-value&gt; ::= &lt;max-sleep-time&gt;
           </li>
           <li>
             &lt;pmd-core-sleep-pair&gt; ::= &lt;core&gt; :
                                             &lt;max-sleep-time&gt;
           </li>
         </ul>
        </p>
      </column>
      <column name="other_config" key="userspace-tso-enable"
              type='{"type": "boolean"}'>
        <p>
          Set this value to <code>true</code> to enable userspace support for
          TCP Segmentation Offloading (TSO). When it is enabled, the interfaces
          can provide an oversized TCP segment to the datapath and the datapath
          will offload the TCP segmentation and checksum calculation to the
          interfaces when necessary.
        </p>
        <p>
          The default value is <code>false</code>. Changing this value requires
          restarting the daemon.
        </p>
        <p>
          The feature only works if Open vSwitch is built with DPDK support.
        </p>
        <p>
          The feature is considered experimental.
        </p>
      </column>

      <column name="other_config" key="explicit-sampled-drops"
              type='{"type": "boolean"}'>
        <p>
         When a flow is installed in the datapath with an empty action list,
         it indicates an implicit "drop" action.  Most datapaths report this
         for event for statistics and monitoring (in datapath-specific ways).
        </p>
        <p>
         However, if any of the per-bridge or per-flow sampling functionalities
         are enabled (e.g: sFlow, IPFIX, local sampling), the action list might
         not be empty, but contain an action to implement such functionality.
         This makes the datapaths not report the packet drop.
        </p>
        <p>
         This knob makes Open vSwitch detect when the last datapath action
         comes from these sampling features and add an explicit drop action at
         the end to keep drop statistics accurate.
        </p>
        <p>
         The default value is <code>false</code>.
        </p>
      </column>

    </group>
    <group title="Status">
      <column name="next_cfg">
        Sequence number for client to increment.  When a client modifies
        any part of the database configuration and wishes to wait for
        Open vSwitch to finish applying the changes, it may increment
        this sequence number.
      </column>

      <column name="cur_cfg">
        Sequence number that Open vSwitch sets to the current value of
        <ref column="next_cfg"/> after it finishes applying a set of
        configuration changes.
      </column>

      <column name="dpdk_initialized">
        True if <ref column="other_config" key="dpdk-init"/> is set to
        true and the DPDK library is successfully initialized.
      </column>

      <group title="Statistics">
        <p>
          The <code>statistics</code> column contains key-value pairs that
          report statistics about a system running an Open vSwitch.  These are
          updated periodically (currently, every 5 seconds).  Key-value pairs
          that cannot be determined or that do not apply to a platform are
          omitted.
        </p>

        <column name="other_config" key="enable-statistics"
                type='{"type": "boolean"}'>
          Statistics are disabled by default to avoid overhead in the common
          case when statistics gathering is not useful.  Set this value to
          <code>true</code> to enable populating the <ref column="statistics"/>
          column or to <code>false</code> to explicitly disable it.
        </column>

        <column name="statistics" key="cpu"
                type='{"type": "integer", "minInteger": 1}'>
          <p>
            Number of CPU processors, threads, or cores currently online and
            available to the operating system on which Open vSwitch is running,
            as an integer.  This may be less than the number installed, if some
            are not online or if they are not available to the operating
            system.
          </p>
          <p>
            Open vSwitch userspace processes are not multithreaded, but the
            Linux kernel-based datapath is.
          </p>
        </column>

        <column name="statistics" key="load_average">
          A comma-separated list of three floating-point numbers,
          representing the system load average over the last 1, 5, and 15
          minutes, respectively.
        </column>

        <column name="statistics" key="memory">
          <p>
            A comma-separated list of integers, each of which represents a
            quantity of memory in kilobytes that describes the operating
            system on which Open vSwitch is running.  In respective order,
            these values are:
          </p>

          <ol>
            <li>Total amount of RAM allocated to the OS.</li>
            <li>RAM allocated to the OS that is in use.</li>
            <li>RAM that can be flushed out to disk or otherwise discarded
            if that space is needed for another purpose.  This number is
            necessarily less than or equal to the previous value.</li>
            <li>Total disk space allocated for swap.</li>
            <li>Swap space currently in use.</li>
          </ol>

          <p>
            On Linux, all five values can be determined and are included.  On
            other operating systems, only the first two values can be
            determined, so the list will only have two values.
          </p>
        </column>

        <column name="statistics" key="process_NAME">
          <p>
            One such key-value pair, with <code>NAME</code> replaced by
            a process name, will exist for each running Open vSwitch
            daemon process, with <var>name</var> replaced by the
            daemon's name (e.g. <code>process_ovs-vswitchd</code>).  The
            value is a comma-separated list of integers.  The integers
            represent the following, with memory measured in kilobytes
            and durations in milliseconds:
          </p>

          <ol>
            <li>The process's virtual memory size.</li>
            <li>The process's resident set size.</li>
            <li>The amount of user and system CPU time consumed by the
            process.</li>
            <li>The number of times that the process has crashed and been
            automatically restarted by the monitor.</li>
            <li>The duration since the process was started.</li>
            <li>The duration for which the process has been running.</li>
          </ol>

          <p>
            The interpretation of some of these values depends on whether the
            process was started with the <option>--monitor</option>.  If it
            was not, then the crash count will always be 0 and the two
            durations will always be the same.  If <option>--monitor</option>
            was given, then the crash count may be positive; if it is, the
            latter duration is the amount of time since the most recent crash
            and restart.
          </p>

          <p>
            There will be one key-value pair for each file in Open vSwitch's
            ``run directory'' (usually <code>/var/run/openvswitch</code>)
            whose name ends in <code>.pid</code>, whose contents are a
            process ID, and which is locked by a running process.  The
            <var>name</var> is taken from the pidfile's name.
          </p>

          <p>
            Currently Open vSwitch is only able to obtain all of the above
            detail on Linux systems.  On other systems, the same key-value
            pairs will be present but the values will always be the empty
            string.
          </p>
        </column>

        <column name="statistics" key="file_systems">
          <p>
            A space-separated list of information on local, writable file
            systems.  Each item in the list describes one file system and
            consists in turn of a comma-separated list of the following:
          </p>

          <ol>
            <li>Mount point, e.g. <code>/</code> or <code>/var/log</code>.
            Any spaces or commas in the mount point are replaced by
            underscores.</li>
            <li>Total size, in kilobytes, as an integer.</li>
            <li>Amount of storage in use, in kilobytes, as an integer.</li>
          </ol>

          <p>
            This key-value pair is omitted if there are no local, writable
            file systems or if Open vSwitch cannot obtain the needed
            information.
          </p>
        </column>
      </group>
    </group>

    <group title="Version Reporting">
      <p>
        These columns report the types and versions of the hardware and
        software running Open vSwitch.  We recommend in general that software
        should test whether specific features are supported instead of relying
        on version number checks.  These values are primarily intended for
        reporting to human administrators.
      </p>

      <column name="ovs_version">
        The Open vSwitch version number, e.g. <code>1.1.0</code>.
      </column>

      <column name="db_version">
        <p>
          The database schema version number, e.g. <code>1.2.3</code>.  See
          ovsdb-tool(1) for an explanation of the numbering scheme.
        </p>

        <p>
          The schema version is part of the database schema, so it can also be
          retrieved by fetching the schema using the Open vSwitch database
          protocol.
        </p>
      </column>

      <column name="system_type">
        <p>
          An identifier for the type of system on top of which Open vSwitch
          runs, e.g. <code>KVM</code>.
        </p>
        <p>
          System integrators are responsible for choosing and setting an
          appropriate value for this column.
        </p>
      </column>

      <column name="system_version">
        <p>
          The version of the system identified by <ref column="system_type"/>,
          e.g. <code>4.18.0-372.19.1.el8_6</code> on RHEL 8.6 with kernel
          4.18.0-372.19.1.
        </p>
        <p>
          System integrators are responsible for choosing and setting an
          appropriate value for this column.
        </p>
      </column>

      <column name="dpdk_version">
        <p>
          The version of the linked DPDK library.
        </p>
      </column>

    </group>

    <group title="Capabilities">
      <p>
        These columns report capabilities of the Open vSwitch instance.
      </p>
      <column name="datapath_types">
        <p>
          This column reports the different dpifs registered with the system.
          These are the values that this instance supports in the <ref
          column="datapath_type" table="Bridge"/> column of the <ref
          table="Bridge"/> table.
        </p>
      </column>
      <column name="iface_types">
        <p>
          This column reports the different netdevs registered with the system.
          These are the values that this instance supports in the <ref
          column="type" table="Interface"/> column of the <ref
          table="Interface"/> table.
        </p>
      </column>
    </group>

    <group title="Database Configuration">
      <p>
        These columns primarily configure the Open vSwitch database
        (<code>ovsdb-server</code>), not the Open vSwitch switch
        (<code>ovs-vswitchd</code>).  The OVSDB database also uses the <ref
        column="ssl"/> settings.
      </p>

      <p>
        The Open vSwitch switch does read the database configuration to
        determine remote IP addresses to which in-band control should apply.
      </p>

      <column name="manager_options">
        <p>
          Database clients to which the Open vSwitch database server should
          connect or to which it should listen, along with options for how
          these connections should be configured.  See the <ref
          table="Manager"/> table for more information.
        </p>

        <p>
          For this column to serve its purpose, <code>ovsdb-server</code> must
          be configured to honor it.  The easiest way to do this is to invoke
          <code>ovsdb-server</code> with the option
          <option>--remote=db:Open_vSwitch,Open_vSwitch,manager_options</option>
          The startup scripts that accompany Open vSwitch do this by default.
        </p>
      </column>
    </group>

    <group title="IPsec">
      <p>
        These settings control the global configuration of IPsec tunnels.  The
        <code>options</code> column of the <code>Interface</code> table
        configures IPsec for individual tunnels. The <code>options</code>
        column also allows for custom options prefixed with <code>ipsec_</code>
        to be passed to the individual connections.
      </p>
      <p>
        OVS IPsec supports the following three forms of authentication.
        Currently, all IPsec tunnels must use the same form:
      </p>
      <ol>
        <li>
          Pre-shared keys: Omit the global settings.  On each tunnel, set <ref
          column="options" key="psk"/>.
        </li>
        <li>
          Self-signed certificates: Set the <code>private_key</code> and
          <code>certificate</code> global settings.  On each tunnel, set <ref
          column="options" key="remote_cert"/>.  The remote certificate can be
          self-signed.
        </li>
        <li>
          CA-signed certificates: Set all of the global settings.  On each
          tunnel, set <ref column="options" key="remote_name"/> to the common
          name (CN) of the remote certificate. The remote certificate must be
          signed by the CA.
        </li>
      </ol>
      <column name="other_config" key="private_key"
              type='{"type": "string"}'>
          <p>
            Name of a PEM file containing the private key used as the switch's
            identity for IPsec tunnels.
          </p>
      </column>
      <column name="other_config" key="certificate"
              type='{"type": "string"}'>
          <p>
            Name of a PEM file containing a certificate that certifies the
            switch's private key, and identifies a trustworthy switch for IPsec
            tunnels. The certificate must be x.509 version 3 and with the
            string in common name (CN) also set in the subject alternative name
            (SAN).
          </p>
      </column>
      <column name="other_config" key="ca_cert"
              type='{"type": "string"}'>
          <p>
            Name of a PEM file containing the CA certificate used to verify
            that a remote switch of the IPsec tunnel is trustworthy.
          </p>
      </column>

      <group title="Plaintext Tunnel Policy">
        <p>
          When an IPsec tunnel is configured in this database, multiple
          independent components take responsibility for implementing it.
          <code>ovs-vswitchd</code> and its datapath handle packet forwarding
          to the tunnel and a separate daemon pushes the tunnel's IPsec policy
          configuration to the kernel or other entity that implements it.
          There is a race: if the former configuration completes before the
          latter, then packets sent by the local host over the tunnel can be
          transmitted in plaintext.  Using this setting, OVS users can avoid
          this undesirable situation.
        </p>
        <column name="other_config" key="ipsec_skb_mark"
                type='{"type": "string"}'>
          <p>
            This setting takes the form
            <code><var>value</var>/<var>mask</var></code>.  If it is specified,
            then the <code>skb_mark</code> field in every outgoing tunneled
            packet sent in plaintext is compared against it and, if it matches,
            the packet is dropped.  This is a global setting that is applied to
            every tunneled packet, regardless of whether IPsec encryption is
            enabled for the tunnel, the type of tunnel, or whether OVS is
            involved.
          </p>

          <p>
            Example policies:
          </p>

          <dl>
            <dt><code>1/1</code></dt>
            <dd>
              Drop all unencrypted tunneled packets in which the
              least-significant bit of <code>skb_mark</code> is 1.  This would
              be a useful policy given an OpenFlow flow table that sets
              <code>skb_mark</code> to 1 for traffic that should be encrypted.
              The default <code>skb_mark</code> is 0, so this would not affect
              other traffic.
            </dd>

            <dt><code>0/1</code></dt>
            <dd>
              Drop all unencrypted tunneled packets in which the
              least-significant bit of <code>skb_mark</code> is 0.  This would
              be a useful policy if no unencrypted tunneled traffic should exit
              the system without being specially permitted by setting
              <code>skb_mark</code> to 1.
            </dd>

            <dt>(empty)</dt>
            <dd>
              If this setting is empty or unset, then all unencrypted tunneled
              packets are transmitted in the usual way.
            </dd>
          </dl>
        </column>
      </group>
    </group>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="other_config"/>
      <column name="external_ids"/>
    </group>
  </table>

  <table name="Bridge">
    <p>
      Configuration for a bridge within an
      <ref table="Open_vSwitch"/>.
    </p>
    <p>
      A <ref table="Bridge"/> record represents an Ethernet switch with one or
      more ``ports,'' which are the <ref table="Port"/> records pointed to by
      the <ref table="Bridge"/>'s <ref column="ports"/> column.
    </p>

    <group title="Core Features">
      <column name="name">
        <p>
          Bridge identifier.  Must be unique among the names of ports,
          interfaces, and bridges on a host.
        </p>

        <p>
          The name must be alphanumeric and must not contain forward or
          backward slashes.  The name of a bridge is also the name of an <ref
          table="Interface"/> (and a <ref table="Port"/>) within the bridge, so
          the restrictions on the <ref table="Interface" column="name"/> column
          in the <ref table="Interface"/> table, particularly on length, also
          apply to bridge names.  Refer to the documentation for <ref
          table="Interface"/> names for details.
        </p>
      </column>

      <column name="ports">
        Ports included in the bridge.
      </column>

      <column name="mirrors">
        Port mirroring configuration.
      </column>

      <column name="netflow">
        NetFlow configuration.
      </column>

      <column name="sflow">
        sFlow(R) configuration.
      </column>

      <column name="ipfix">
        IPFIX configuration.
      </column>

      <column name="flood_vlans">
        <p>
          VLAN IDs of VLANs on which MAC address learning should be disabled,
          so that packets are flooded instead of being sent to specific ports
          that are believed to contain packets' destination MACs.  This should
          ordinarily be used to disable MAC learning on VLANs used for
          mirroring (RSPAN VLANs).  It may also be useful for debugging.
        </p>
        <p>
          SLB bonding (see the <ref table="Port" column="bond_mode"/> column in
          the <ref table="Port"/> table) is incompatible with
          <code>flood_vlans</code>.  Consider using another bonding mode or
          a different type of mirror instead.
        </p>
      </column>

      <column name="auto_attach">
        Auto Attach configuration.
      </column>
    </group>

    <group title="OpenFlow Configuration">
      <column name="controller">
        <p>
          OpenFlow controller set.  If unset, then no OpenFlow controllers
          will be used.
        </p>

        <p>
          If there are primary controllers, removing all of them clears the
          OpenFlow flow tables, group table, and meter table.  If there are no
          primary controllers, adding one also clears these tables.  Other
          changes to the set of controllers, such as adding or removing a
          service controller, adding another primary controller to supplement
          an existing primary controller, or removing only one of two primary
          controllers, have no effect on these tables.
        </p>
      </column>

      <column name="flow_tables">
        Configuration for OpenFlow tables.  Each pair maps from an OpenFlow
        table ID to configuration for that table.
      </column>

      <column name="fail_mode">
        <p>When a controller is configured, it is, ordinarily, responsible
        for setting up all flows on the switch.  Thus, if the connection to
        the controller fails, no new network connections can be set up.
        If the connection to the controller stays down long enough,
        no packets can pass through the switch at all.  This setting
        determines the switch's response to such a situation.  It may be set
        to one of the following:
        <dl>
          <dt><code>standalone</code></dt>
          <dd>If no message is received from the controller for three
          times the inactivity probe interval
          (see <ref column="inactivity_probe"/>), then Open vSwitch
          will take over responsibility for setting up flows.  In
          this mode, Open vSwitch causes the bridge to act like an
          ordinary MAC-learning switch.  Open vSwitch will continue
          to retry connecting to the controller in the background
          and, when the connection succeeds, it will discontinue its
          standalone behavior.</dd>
          <dt><code>secure</code></dt>
          <dd>Open vSwitch will not set up flows on its own when the
          controller connection fails or when no controllers are
          defined.  The bridge will continue to retry connecting to
          any defined controllers forever.</dd>
        </dl>
        </p>
        <p>
          The default is <code>standalone</code> if the value is unset, but
          future versions of Open vSwitch may change the default.
        </p>
        <p>
          The <code>standalone</code> mode can create forwarding loops on a
          bridge that has more than one uplink port unless STP is enabled.  To
          avoid loops on such a bridge, configure <code>secure</code> mode or
          enable STP (see <ref column="stp_enable"/>).
        </p>
        <p>
          The <ref column="fail_mode"/> setting applies only to primary
          controllers.  When more than one primary controller is configured,
          <ref column="fail_mode"/> is considered only when none of the
          configured controllers can be contacted.
        </p>
        <p>
          Changing <ref column="fail_mode"/> when no primary controllers are
          configured clears the OpenFlow flow tables, group table, and meter
          table.
        </p>
      </column>

      <column name="datapath_id">
        Reports the OpenFlow datapath ID in use.  Exactly 16 hex digits.
        (Setting this column has no useful effect.  Set <ref
        column="other-config" key="datapath-id"/> instead.)
      </column>

      <column name="datapath_version">
          Reports the datapath version.  This column is maintained for
          backwards compatibility.  The preferred locatation is the
          <ref column="datapath_id" table="Datapath"/> column of the
          <ref table="Datapath"/> table.  The full documentation for this
          column is there.
      </column>

      <column name="other_config" key="datapath-id">
        Overrides the default OpenFlow datapath ID, setting it to the specified
        value specified in hex.  The value must either have a <code>0x</code>
        prefix or be exactly 16 hex digits long.  May not be all-zero.
      </column>

      <column name="other_config" key="dp-desc">
        Human readable description of datapath.  It is a maximum 256
        byte-long free-form string to describe the datapath for
        debugging purposes, e.g. <code>switch3 in room 3120</code>.
        The value is returned by the switch as a part of reply to OFPMP_DESC
        request (ofp_desc). The OpenFlow specification (e.g. 1.3.5) describes
        the ofp_desc structure to contaion "NULL terminated ASCII strings".
        For the compatibility reasons no more than 255 ASCII characters should be used.
      </column>

      <column name="other_config" key="dp-sn">
        Serial number. It is a maximum 32 byte-long free-form string to
        provide an additional switch identification. The value is returned
        by the switch as a part of reply to OFPMP_DESC request (ofp_desc).
        Same as mentioned in the description of <ref column="other-config" key="dp-desc"/>,
        the string should be no more than 31 ASCII characters for the compatibility.
      </column>

      <column name="other_config" key="disable-in-band"
              type='{"type": "boolean"}'>
        If set to <code>true</code>, disable in-band control on the bridge
        regardless of controller and manager settings.
      </column>

      <column name="other_config" key="in-band-queue"
              type='{"type": "integer", "minInteger": 0, "maxInteger": 4294967295}'>
        A queue ID as a nonnegative integer.  This sets the OpenFlow queue ID
        that will be used by flows set up by in-band control on this bridge.
        If unset, or if the port used by an in-band control flow does not have
        QoS configured, or if the port does not have a queue with the specified
        ID, the default queue is used instead.
      </column>

      <column name="other_config" key="controller-queue-size"
              type='{"type": "integer", "minInteger": 1, "maxInteger": 512}'>
        This sets the maximum size of the queue of packets that need to be
        sent to the OpenFlow management controller. The value must be less
        than 512. If not specified the queue size is limited to 100 packets
        by default. Note: increasing the queue size might have a negative
        impact on latency.
      </column>

      <column name="protocols">
        List of OpenFlow protocols that may be used when negotiating a
        connection with a controller.  OpenFlow 1.0, 1.1, 1.2, 1.3, 1.4, and
        1.5 are enabled by default if this column is empty.
      </column>
    </group>

    <group title="Spanning Tree Configuration">
      <p>
        The IEEE 802.1D Spanning Tree Protocol (STP) is a network protocol
        that ensures loop-free topologies.  It allows redundant links to
        be included in the network to provide automatic backup paths if
        the active links fails.
      </p>

      <p>
        These settings configure the slower-to-converge but still widely
        supported version of Spanning Tree Protocol, sometimes known as
        802.1D-1998.  Open vSwitch also supports the newer Rapid Spanning Tree
        Protocol (RSTP), documented later in the section titled <code>Rapid
        Spanning Tree Configuration</code>.
      </p>

      <group title="STP Configuration">
        <column name="stp_enable" type='{"type": "boolean"}'>
          <p>
            Enable spanning tree on the bridge.  By default, STP is disabled
            on bridges.  Bond, internal, and mirror ports are not supported
            and will not participate in the spanning tree.
          </p>

          <p>
            STP and RSTP are mutually exclusive.  If both are enabled, RSTP
            will be used.
          </p>
        </column>

        <column name="other_config" key="stp-system-id">
          The bridge's STP identifier (the lower 48 bits of the bridge-id)
          in the form
          <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>.
          By default, the identifier is the MAC address of the bridge.
        </column>

        <column name="other_config" key="stp-priority"
                type='{"type": "integer", "minInteger": 0, "maxInteger": 65535}'>
          The bridge's relative priority value for determining the root
          bridge (the upper 16 bits of the bridge-id).  A bridge with the
          lowest bridge-id is elected the root.  By default, the priority
          is 0x8000.
        </column>

        <column name="other_config" key="stp-hello-time"
                type='{"type": "integer", "minInteger": 1, "maxInteger": 10}'>
          The interval between transmissions of hello messages by
          designated ports, in seconds.  By default the hello interval is
          2 seconds.
        </column>

        <column name="other_config" key="stp-max-age"
                type='{"type": "integer", "minInteger": 6, "maxInteger": 40}'>
          The maximum age of the information transmitted by the bridge
          when it is the root bridge, in seconds.  By default, the maximum
          age is 20 seconds.
        </column>

        <column name="other_config" key="stp-forward-delay"
                type='{"type": "integer", "minInteger": 4, "maxInteger": 30}'>
          The delay to wait between transitioning root and designated
          ports to <code>forwarding</code>, in seconds.  By default, the
          forwarding delay is 15 seconds.
        </column>

        <column name="other_config" key="mcast-snooping-aging-time"
                type='{"type": "integer", "minInteger": 1}'>
          <p>
            The maximum number of seconds to retain a multicast snooping entry for
            which no packets have been seen.  The default is currently 300
            seconds (5 minutes).  The value, if specified, is forced into a
            reasonable range, currently 15 to 3600 seconds.
          </p>
        </column>

        <column name="other_config" key="mcast-snooping-table-size"
                type='{"type": "integer", "minInteger": 1}'>
          <p>
            The maximum number of multicast snooping addresses to learn.  The
            default is currently 2048.  The value, if specified, is forced into
            a reasonable range, currently 10 to 1,000,000.
          </p>
        </column>
        <column name="other_config" key="mcast-snooping-disable-flood-unregistered"
                type='{"type": "boolean"}'>
          <p>
            If set to <code>false</code>, unregistered multicast packets are forwarded
            to all ports.
            If set to <code>true</code>, unregistered multicast packets are forwarded
            to ports connected to multicast routers.
          </p>
        </column>
      </group>

      <group title="STP Status">
        <p>
          These key-value pairs report the status of 802.1D-1998.  They are
          present only if STP is enabled (via the <ref column="stp_enable"/>
          column).
        </p>
        <column name="status" key="stp_bridge_id">
          The bridge ID used in spanning tree advertisements, in the form
          <var>xxxx</var>.<var>yyyyyyyyyyyy</var> where the <var>x</var>s are
          the STP priority, the <var>y</var>s are the STP system ID, and each
          <var>x</var> and <var>y</var> is a hex digit.
        </column>
        <column name="status" key="stp_designated_root">
          The designated root for this spanning tree, in the same form as <ref
          column="status" key="stp_bridge_id"/>.  If this bridge is the root,
          this will have the same value as <ref column="status"
          key="stp_bridge_id"/>, otherwise it will differ.
        </column>
        <column name="status" key="stp_root_path_cost">
          The path cost of reaching the designated bridge.  A lower number is
          better.  The value is 0 if this bridge is the root, otherwise it is
          higher.
        </column>
      </group>
    </group>

    <group title="Rapid Spanning Tree">
      <p>
        Rapid Spanning Tree Protocol (RSTP), like STP, is a network protocol
        that ensures loop-free topologies.  RSTP superseded STP with the
        publication of 802.1D-2004.  Compared to STP, RSTP converges more
        quickly and recovers more quickly from failures.
      </p>

      <group title="RSTP Configuration">
        <column name="rstp_enable" type='{"type": "boolean"}'>
          <p>
            Enable Rapid Spanning Tree on the bridge.  By default, RSTP is disabled
            on bridges.  Bond, internal, and mirror ports are not supported
            and will not participate in the spanning tree.
          </p>

          <p>
            STP and RSTP are mutually exclusive.  If both are enabled, RSTP
            will be used.
          </p>
        </column>

        <column name="other_config" key="rstp-address">
          The bridge's RSTP address (the lower 48 bits of the bridge-id)
          in the form
          <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>.
          By default, the address is the MAC address of the bridge.
        </column>

        <column name="other_config" key="rstp-priority"
                type='{"type": "integer", "minInteger": 0, "maxInteger": 61440}'>
          The bridge's relative priority value for determining the root
          bridge (the upper 16 bits of the bridge-id).  A bridge with the
          lowest bridge-id is elected the root.  By default, the priority
          is 0x8000 (32768).  This value needs to be a multiple of 4096,
          otherwise it's rounded to the nearest inferior one.
        </column>

        <column name="other_config" key="rstp-ageing-time"
                type='{"type": "integer", "minInteger": 10, "maxInteger": 1000000}'>
          The Ageing Time parameter for the Bridge.  The default value
          is 300 seconds.
        </column>

        <column name="other_config" key="rstp-force-protocol-version"
                type='{"type": "integer"}'>
          The Force Protocol Version parameter for the Bridge.  This
          can take the value 0 (STP Compatibility mode) or 2
          (the default, normal operation).
        </column>

        <column name="other_config" key="rstp-max-age"
                type='{"type": "integer", "minInteger": 6, "maxInteger": 40}'>
          The maximum age of the information transmitted by the Bridge
          when it is the Root Bridge.  The default value is 20.
        </column>

        <column name="other_config" key="rstp-forward-delay"
                type='{"type": "integer", "minInteger": 4, "maxInteger": 30}'>
          The delay used by STP Bridges to transition Root and Designated
          Ports to Forwarding.  The default value is 15.
        </column>

        <column name="other_config" key="rstp-transmit-hold-count"
                type='{"type": "integer", "minInteger": 1, "maxInteger": 10}'>
          The Transmit Hold Count used by the Port Transmit state machine
          to limit transmission rate.  The default value is 6.
        </column>
      </group>

      <group title="RSTP Status">
        <p>
          These key-value pairs report the status of 802.1D-2004.  They are
          present only if RSTP is enabled (via the <ref column="rstp_enable"/>
          column).
        </p>
        <column name="rstp_status" key="rstp_bridge_id">
          The bridge ID used in rapid spanning tree advertisements, in the form
          <var>x</var>.<var>yyy</var>.<var>zzzzzzzzzzzz</var> where
          <var>x</var> is the RSTP priority, the <var>y</var>s are a locally
          assigned system ID extension, the <var>z</var>s are the STP system
          ID, and each <var>x</var>, <var>y</var>, or <var>z</var> is a hex
          digit.
        </column>
        <column name="rstp_status" key="rstp_root_id">
          The root of this spanning tree, in the same form as <ref
          column="rstp_status" key="rstp_bridge_id"/>.  If this bridge is the
          root, this will have the same value as <ref column="rstp_status"
          key="rstp_bridge_id"/>, otherwise it will differ.
        </column>
        <column name="rstp_status" key="rstp_root_path_cost"
                type='{"type": "integer", "minInteger": 0}'>
          The path cost of reaching the root.  A lower number is better.  The
          value is 0 if this bridge is the root, otherwise it is higher.
        </column>
        <column name="rstp_status" key="rstp_designated_id">
          The RSTP designated ID, in the same form as <ref column="rstp_status"
          key="rstp_bridge_id"/>.
        </column>
        <column name="rstp_status" key="rstp_designated_port_id">
          The RSTP designated port ID, as a 4-digit hex number.
        </column>
        <column name="rstp_status" key="rstp_bridge_port_id">
          The RSTP bridge port ID, as a 4-digit hex number.
        </column>
      </group>
    </group>

    <group title="Multicast Snooping Configuration">
      Multicast snooping (RFC 4541) monitors the Internet Group Management
      Protocol (IGMP) and Multicast Listener Discovery traffic between hosts
      and multicast routers.  The switch uses what IGMP and MLD snooping
      learns to forward multicast traffic only to interfaces that are connected
      to interested receivers.  Currently it supports IGMPv1, IGMPv2, IGMPv3,
      MLDv1 and MLDv2 protocols.

      <column name="mcast_snooping_enable">
        Enable multicast snooping on the bridge. For now, the default
        is disabled.
      </column>
    </group>

    <group title="Other Features">
      <column name="datapath_type">
        Name of datapath provider.  The kernel datapath has type
        <code>system</code>.  The userspace datapath has type
        <code>netdev</code>.  A manager may refer to the <ref
        table="Open_vSwitch" column="datapath_types"/> column of the <ref
        table="Open_vSwitch"/> table for a list of the types accepted by this
        Open vSwitch instance.
      </column>

      <column name="external_ids" key="bridge-id">
        A unique identifier of the bridge.
      </column>

      <column name="other_config" key="hwaddr">
        An Ethernet address in the form
        <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
        to set the hardware address of the local port and influence the
        datapath ID.
      </column>

      <column name="other_config" key="forward-bpdu"
              type='{"type": "boolean"}'>

        <p>
          Controls forwarding of BPDUs and other network control frames when
          NORMAL action is invoked.  When this option is <code>false</code> or
          unset, frames with reserved Ethernet addresses (see table below) will
          not be forwarded.  When this option is <code>true</code>, such frames
          will not be treated specially.
        </p>

        <p>
          The above general rule has the following exceptions:
        </p>

        <ul>
          <li>
            If STP is enabled on the bridge (see the <ref column="stp_enable"
            table="Bridge"/> column in the <ref table="Bridge"/> table), the
            bridge processes all received STP packets and never passes them to
            OpenFlow or forwards them.  This is true even if STP is disabled on
            an individual port.
          </li>

          <li>
            If LLDP is enabled on an interface (see the <ref column="lldp"
            table="Interface"/> column in the <ref table="Interface"/> table),
            the interface processes received LLDP packets and never passes them
            to OpenFlow or forwards them.
          </li>
        </ul>

        <p>
          Set this option to <code>true</code> if the Open vSwitch bridge
          connects different Ethernet networks and is not configured to
          participate in STP.
        </p>

        <p>
          This option affects packets with the following destination MAC
          addresses:
        </p>

        <dl>
          <dt><code>01:80:c2:00:00:00</code></dt>
          <dd>IEEE 802.1D Spanning Tree Protocol (STP).</dd>

          <dt><code>01:80:c2:00:00:01</code></dt>
          <dd>IEEE Pause frame.</dd>

          <dt><code>01:80:c2:00:00:0<var>x</var></code></dt>
          <dd>Other reserved protocols.</dd>

          <dt><code>00:e0:2b:00:00:00</code></dt>
          <dd>Extreme Discovery Protocol (EDP).</dd>

          <dt>
            <code>00:e0:2b:00:00:04</code> and <code>00:e0:2b:00:00:06</code>
          </dt>
          <dd>Ethernet Automatic Protection Switching (EAPS).</dd>

          <dt><code>01:00:0c:cc:cc:cc</code></dt>
          <dd>
            Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP),
            Dynamic Trunking Protocol (DTP), Port Aggregation Protocol (PAgP),
            and others.
          </dd>

          <dt><code>01:00:0c:cc:cc:cd</code></dt>
          <dd>Cisco Shared Spanning Tree Protocol PVSTP+.</dd>

          <dt><code>01:00:0c:cd:cd:cd</code></dt>
          <dd>Cisco STP Uplink Fast.</dd>

          <dt><code>01:00:0c:00:00:00</code></dt>
          <dd>Cisco Inter Switch Link.</dd>

          <dt><code>01:00:0c:cc:cc:c<var>x</var></code></dt>
          <dd>Cisco CFM.</dd>
        </dl>
      </column>

      <column name="other_config" key="mac-aging-time"
              type='{"type": "integer", "minInteger": 1}'>
        <p>
          The maximum number of seconds to retain a MAC learning entry for
          which no packets have been seen.  The default is currently 300
          seconds (5 minutes).  The value, if specified, is forced into a
          reasonable range, currently 15 to 3600 seconds.
        </p>

        <p>
          A short MAC aging time allows a network to more quickly detect that a
          host is no longer connected to a switch port.  However, it also makes
          it more likely that packets will be flooded unnecessarily, when they
          are addressed to a connected host that rarely transmits packets.  To
          reduce the incidence of unnecessary flooding, use a MAC aging time
          longer than the maximum interval at which a host will ordinarily
          transmit packets.
        </p>
      </column>

      <column name="other_config" key="mac-table-size"
              type='{"type": "integer", "minInteger": 1}'>
        <p>
          The maximum number of MAC addresses to learn.  The default is
          currently 8192.  The value, if specified, is forced into a reasonable
          range, currently 10 to 1,000,000.
        </p>
      </column>
    </group>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="other_config"/>
      <column name="external_ids"/>
    </group>
  </table>

  <table name="Port" table="Port or bond configuration.">
    <p>A port within a <ref table="Bridge"/>.</p>
    <p>Most commonly, a port has exactly one ``interface,'' pointed to by its
    <ref column="interfaces"/> column.  Such a port logically
    corresponds to a port on a physical Ethernet switch.  A port
    with more than one interface is a ``bonded port'' (see
    <ref group="Bonding Configuration"/>).</p>
    <p>Some properties that one might think as belonging to a port are actually
    part of the port's <ref table="Interface"/> members.</p>

    <column name="name">
      Port name.  For a non-bonded port, this should be the same as its
      interface's name.  Port names must otherwise be unique among the names of
      ports, interfaces, and bridges on a host.  Because port and interfaces
      names are usually the same, the restrictions on the <ref
      table="Interface" column="name"/> column in the <ref table="Interface"/>
      table, particularly on length, also apply to port names.  Refer to the
      documentation for <ref table="Interface"/> names for details.
    </column>

    <column name="interfaces">
      The port's interfaces.  If there is more than one, this is a
      bonded Port.
    </column>

    <group title="VLAN Configuration">
      <p>
        In short, a VLAN (short for ``virtual LAN'') is a way to partition a
        single switch into multiple switches.  VLANs can be confusing, so for
        an introduction, please refer to the question ``What's a VLAN?'' in the
        Open vSwitch FAQ.
      </p>

      <p>
        A VLAN is sometimes encoded into a packet using a 802.1Q or 802.1ad
        VLAN header, but every packet is part of some VLAN whether or not it is
        encoded in the packet.  (A packet that appears to have no VLAN is part
        of VLAN 0, by default.)  As a result, it's useful to think of a VLAN as
        a metadata property of a packet, separate from how the VLAN is encoded.
        For a given port, this column determines how the encoding of a packet
        that ingresses or egresses the port maps to the packet's VLAN.  When a
        packet enters the switch, its VLAN is determined based on its setting
        in this column and its VLAN headers, if any, and then, conceptually,
        the VLAN headers are then stripped off.  Conversely, when a packet
        exits the switch, its VLAN and the settings in this column determine
        what VLAN headers, if any, are pushed onto the packet before it
        egresses the port.
      </p>

      <p>
        The VLAN configuration in this column affects Open vSwitch only when it
        is doing ``normal switching.''  It does not affect flows set up by an
        OpenFlow controller, outside of the OpenFlow ``normal action.''
      </p>

      <p>
        Bridge ports support the following types of VLAN configuration:
      </p>

      <dl>
        <dt>trunk</dt>
        <dd>
          <p>
            A trunk port carries packets on one or more specified VLANs
            specified in the <ref column="trunks"/> column (often, on every
            VLAN).  A packet that ingresses on a trunk port is in the VLAN
            specified in its 802.1Q header, or VLAN 0 if the packet has no
            802.1Q header.  A packet that egresses through a trunk port will
            have an 802.1Q header if it has a nonzero VLAN ID.
          </p>

          <p>
            Any packet that ingresses on a trunk port tagged with a VLAN that
            the port does not trunk is dropped.
          </p>
        </dd>

        <dt>access</dt>
        <dd>
          <p>
            An access port carries packets on exactly one VLAN specified in the
            <ref column="tag"/> column.  Packets egressing on an access port
            have no 802.1Q header.
          </p>

          <p>
            Any packet with an 802.1Q header with a nonzero VLAN ID that
            ingresses on an access port is dropped, regardless of whether the
            VLAN ID in the header is the access port's VLAN ID.
          </p>
        </dd>

        <dt>native-tagged</dt>
        <dd>
          A native-tagged port resembles a trunk port, with the exception that
          a packet without an 802.1Q header that ingresses on a native-tagged
          port is in the ``native VLAN'' (specified in the <ref column="tag"/>
          column).
        </dd>

        <dt>native-untagged</dt>
        <dd>
          A native-untagged port resembles a native-tagged port, with the
          exception that a packet that egresses on a native-untagged port in
          the native VLAN will not have an 802.1Q header.
        </dd>

        <dt>dot1q-tunnel</dt>
        <dd>
          <p>
            A dot1q-tunnel port is somewhat like an access port.  Like an
            access port, it carries packets on the single VLAN specified in the
            <ref column="tag"/> column and this VLAN, called the service VLAN,
            does not appear in an 802.1Q header for packets that ingress or
            egress on the port.  The main difference lies in the behavior when
            packets that include a 802.1Q header ingress on the port.  Whereas
            an access port drops such packets, a dot1q-tunnel port treats these
            as double-tagged with the outer service VLAN <ref column="tag"/>
            and the inner customer VLAN taken from the 802.1Q header.
            Correspondingly, to egress on the port, a packet outer VLAN (or
            only VLAN) must be <ref column="tag"/>, which is removed before
            egress, which exposes the inner (customer) VLAN if one is present.
          </p>

          <p>
            If <ref column="cvlans"/> is set, only allows packets in the
            specified customer VLANs.
          </p>
        </dd>
      </dl>
      <p>
        A packet will only egress through bridge ports that carry the VLAN of
        the packet, as described by the rules above.
      </p>

      <column name="vlan_mode">
        <p>
          The VLAN mode of the port, as described above.  When this column is
          empty, a default mode is selected as follows:
        </p>
        <ul>
          <li>
            If <ref column="tag"/> contains a value, the port is an access
            port.  The <ref column="trunks"/> column should be empty.
          </li>
          <li>
            Otherwise, the port is a trunk port.  The <ref column="trunks"/>
            column value is honored if it is present.
          </li>
        </ul>
      </column>

      <column name="tag">
        <p>
          For an access port, the port's implicitly tagged VLAN.  For a
          native-tagged or native-untagged port, the port's native VLAN.  Must
          be empty if this is a trunk port.
        </p>
      </column>

      <column name="trunks">
        <p>
          For a trunk, native-tagged, or native-untagged port, the 802.1Q VLAN
          or VLANs that this port trunks; if it is empty, then the port trunks
          all VLANs.  Must be empty if this is an access port.
        </p>
        <p>
          A native-tagged or native-untagged port always trunks its native
          VLAN, regardless of whether <ref column="trunks"/> includes that
          VLAN.
        </p>
      </column>

      <column name="cvlans">
        <p>
          For a dot1q-tunnel port, the customer VLANs that this port includes.
          If this is empty, the port includes all customer VLANs.
        </p>
        <p>
          For other kinds of ports, this setting is ignored.
        </p>
      </column>

      <column name="other_config" key="qinq-ethtype"
              type='{"type": "string", "enum": ["set", ["802.1ad", "802.1q"]]}'>
        <p>
          For a dot1q-tunnel port, this is the TPID for the service tag, that
          is, for the 802.1Q header that contains the service VLAN ID.  Because
          packets that actually ingress and egress a dot1q-tunnel port do not
          include an 802.1Q header for the service VLAN, this does not affect
          packets on the dot1q-tunnel port itself.  Rather, it determines the
          service VLAN for a packet that ingresses on a dot1q-tunnel port and
          egresses on a trunk port.
        </p>
        <p>
          The value <code>802.1ad</code> specifies TPID 0x88a8, which is also
          the default if the setting is omitted.  The value <code>802.1q</code>
          specifies TPID 0x8100.
        </p>
        <p>
          For other kinds of ports, this setting is ignored.
        </p>
      </column>

      <column name="other_config" key="priority-tags"
              type='{"type": "string",
                     "enum": ["set", ["never", "if-nonzero", "always"]]}'>
        <p>
          An 802.1Q header contains two important pieces of information: a VLAN
          ID and a priority.  A frame with a zero VLAN ID, called a
          ``priority-tagged'' frame, is supposed to be treated the same way as
          a frame without an 802.1Q header at all (except for the priority).
        </p>

        <p>
          However, some network elements ignore any frame that has 802.1Q
          header at all, even when the VLAN ID is zero.  Therefore, by default
          Open vSwitch does not output priority-tagged frames, instead omitting
          the 802.1Q header entirely if the VLAN ID is zero.  Set this key to
          <code>if-nonzero</code> to enable priority-tagged frames on a port.
        </p>

        <p>
          For <code>if-nonzero</code> Open vSwitch omits the 802.1Q header on
          output if both the VLAN ID and priority would be zero. Set to
          <code>always</code> to retain the 802.1Q header in such frames as
          well.
        </p>

        <p>
          All frames output to native-tagged ports have a nonzero VLAN ID, so
          this setting is not meaningful on native-tagged ports.
        </p>
      </column>
    </group>

    <group title="Bonding Configuration">
      <p>A port that has more than one interface is a ``bonded port.'' Bonding
      allows for load balancing and fail-over.</p>

      <p>
        The following types of bonding will work with any kind of upstream
        switch.  On the upstream switch, do not configure the interfaces as a
        bond:
      </p>

      <dl>
        <dt><code>balance-slb</code></dt>
        <dd>
          Balances flows among members based on source MAC address and
          output VLAN, with periodic rebalancing as traffic patterns change.
        </dd>

        <dt><code>active-backup</code></dt>
        <dd>
          Assigns all flows to one member, failing over to a backup
          member when the active member is disabled.  This is the
          only bonding mode in which interfaces may be plugged into different
          upstream switches.
        </dd>
      </dl>

      <p>
        The following modes require the upstream switch to support 802.3ad with
        successful LACP negotiation. If LACP negotiation fails and
        other-config:lacp-fallback-ab is true, then <code>active-backup</code>
        mode is used:
      </p>

      <dl>
        <dt><code>balance-tcp</code></dt>
        <dd>
          Balances flows among members based on L3 and L4 protocol
          information such as IP addresses and TCP/UDP ports.
        </dd>
      </dl>

      <p>These columns apply only to bonded ports.  Their values are
      otherwise ignored.</p>

      <column name="bond_mode">
        <p>The type of bonding used for a bonded port.  Defaults to
        <code>active-backup</code> if unset.
        </p>
      </column>

      <column name="other_config" key="bond-hash-basis"
              type='{"type": "integer"}'>
        An integer hashed along with flows when choosing output members
        in load balanced bonds.  When changed, all flows will be assigned
        different hash values possibly causing member selection
        decisions to change.  Does not affect bonding modes which do not employ
        load balancing such as <code>active-backup</code>.
      </column>

      <column name="other_config" key="lb-output-action"
              type='{"type": "boolean"}'>
        Enable/disable usage of optimized <code>lb_output</code> action for
        balancing flows among output members in load balanced bonds in
        <code>balance-tcp</code>. When enabled, it uses optimized path for
        balance-tcp mode by using rss hash and avoids recirculation.  This knob
        does not affect other balancing modes.
      </column>

      <column name="other_config" key="bond-primary"
              type='{"type": "string"}'>
        If a member interface with this name exists in the bond and
        is up, it will be made active.  Relevant only when <ref
        column="other_config" key="bond_mode"/> is
        <code>active-backup</code> or if <code>balance-tcp</code> falls back
        to <code>active-backup</code> (e.g., LACP negotiation fails and
        <ref column="other_config" key="lacp-fallback-ab"/> is
        <code>true</code>).
      </column>

      <column name="other_config" key="all-members-active"
              type='{"type": "boolean"}'>
        <p>
          Enable/Disable delivery of broadcast/multicast packets on secondary
          interface of a balance-slb bond.  Relevant only when
          <ref column="lacp"/> is <code>off</code>.
        </p>
        <p>
          This parameter is identical to <code>all_slaves_active</code> for
          Linux kernel bonds.  Disabled by default as it is not a desirable
          configuration for most users.
        </p>
      </column>

      <group title="Link Failure Detection">
        <p>
          An important part of link bonding is detecting that links are down so
          that they may be disabled.  These settings determine how Open vSwitch
          detects link failure.
        </p>

        <column name="other_config" key="bond-detect-mode"
                type='{"type": "string", "enum": ["set", ["carrier", "miimon"]]}'>
          The means used to detect link failures.  Defaults to
          <code>carrier</code> which uses each interface's carrier to detect
          failures.  When set to <code>miimon</code>, will check for failures
          by polling each interface's MII.
        </column>

        <column name="other_config" key="bond-miimon-interval"
                type='{"type": "integer"}'>
          The interval, in milliseconds, between successive attempts to poll
          each interface's MII.  Relevant only when <ref column="other_config"
          key="bond-detect-mode"/> is <code>miimon</code>.
        </column>

        <column name="bond_updelay">
          <p>
            The number of milliseconds for which the link must stay up on an
            interface before the interface is considered to be up.  Specify
            <code>0</code> to enable the interface immediately.
          </p>

          <p>
            This setting is honored only when at least one bonded interface is
            already enabled.  When no interfaces are enabled, then the first
            bond interface to come up is enabled immediately.
          </p>
        </column>

        <column name="bond_downdelay">
          The number of milliseconds for which the link must stay down on an
          interface before the interface is considered to be down.  Specify
          <code>0</code> to disable the interface immediately.
        </column>
      </group>

      <group title="LACP Configuration">
        <p>
          LACP, the Link Aggregation Control Protocol, is an IEEE standard that
          allows switches to automatically detect that they are connected by
          multiple links and aggregate across those links.  These settings
          control LACP behavior.
        </p>

        <column name="lacp">
          Configures LACP on this port.  LACP allows directly connected
          switches to negotiate which links may be bonded.  LACP may be enabled
          on non-bonded ports for the benefit of any switches they may be
          connected to.  <code>active</code> ports are allowed to initiate LACP
          negotiations.  <code>passive</code> ports are allowed to participate
          in LACP negotiations initiated by a remote switch, but not allowed to
          initiate such negotiations themselves.  If LACP is enabled on a port
          whose partner switch does not support LACP, the bond will be
          disabled, unless other-config:lacp-fallback-ab is set to true.
          Defaults to <code>off</code> if unset.
        </column>

        <column name="other_config" key="lacp-system-id">
          The LACP system ID of this <ref table="Port"/>.  The system ID of a
          LACP bond is used to identify itself to its partners.  Must be a
          nonzero MAC address. Defaults to the bridge Ethernet address if
          unset.
        </column>

        <column name="other_config" key="lacp-system-priority"
                type='{"type": "integer", "minInteger": 1, "maxInteger": 65535}'>
          The LACP system priority of this <ref table="Port"/>.  In LACP
          negotiations, link status decisions are made by the system with the
          numerically lower priority.
        </column>

        <column name="other_config" key="lacp-time"
                type='{"type": "string", "enum": ["set", ["fast", "slow"]]}'>
          <p>
            The LACP timing which should be used on this <ref table="Port"/>.
            By default <code>slow</code> is used.  When configured to be
            <code>fast</code> LACP heartbeats are requested at a rate of once
            per second causing connectivity problems to be detected more
            quickly.  In <code>slow</code> mode, heartbeats are requested at a
            rate of once every 30 seconds.
          </p>
        </column>

        <column name="other_config" key="lacp-fallback-ab"
                type='{"type": "boolean"}'>
          <p>
            Determines the behavior of openvswitch bond in LACP mode. If
            the partner switch does not support LACP, setting this option
            to <code>true</code> allows openvswitch to fallback to
            active-backup. If the option is set to <code>false</code>, the
            bond will be disabled. In both the cases, once the partner switch
            is configured to LACP mode, the bond will use LACP.
          </p>
        </column>
      </group>

      <group title="Rebalancing Configuration">
        <p>
          These settings control behavior when a bond is in
          <code>balance-slb</code> or <code>balance-tcp</code> mode.
        </p>

        <column name="other_config" key="bond-rebalance-interval"
                type='{"type": "integer",
                       "minInteger": 0, "maxInteger": 2147483647}'>
          For a load balanced bonded port, the number of milliseconds between
          successive attempts to rebalance the bond, that is, to move flows
          from one interface on the bond to another in an attempt to keep usage
          of each interface roughly equal.  If zero, load balancing is disabled
          on the bond (link failure still cause flows to move).  If
          less than 1000ms, the rebalance interval will be 1000ms.
        </column>
      </group>

      <column name="bond_fake_iface">
        For a bonded port, whether to create a fake internal interface with the
        name of the port.  Use only for compatibility with legacy software that
        requires this.
      </column>
    </group>

    <group title="Spanning Tree Protocol">
      <p>
        The configuration here is only meaningful, and the status is only
        populated, when 802.1D-1998 Spanning Tree Protocol is enabled on the
        port's <ref column="Bridge"/> with its <ref column="stp_enable"/>
        column.
      </p>

      <group title="STP Configuration">
        <column name="other_config" key="stp-enable"
                type='{"type": "boolean"}'>
          When STP is enabled on a bridge, it is enabled by default on all of
          the bridge's ports except bond, internal, and mirror ports (which do
          not work with STP).  If this column's value is <code>false</code>,
          STP is disabled on the port.
        </column>

        <column name="other_config" key="stp-port-num"
                type='{"type": "integer", "minInteger": 1, "maxInteger": 255}'>
          The port number used for the lower 8 bits of the port-id.  By
          default, the numbers will be assigned automatically.  If any
          port's number is manually configured on a bridge, then they
          must all be.
        </column>

        <column name="other_config" key="stp-port-priority"
                type='{"type": "integer", "minInteger": 0, "maxInteger": 255}'>
          The port's relative priority value for determining the root
          port (the upper 8 bits of the port-id).  A port with a lower
          port-id will be chosen as the root port.  By default, the
          priority is 0x80.
        </column>

        <column name="other_config" key="stp-path-cost"
                type='{"type": "integer", "minInteger": 0, "maxInteger": 65535}'>
          Spanning tree path cost for the port.  A lower number indicates
          a faster link.  By default, the cost is based on the maximum
          speed of the link.
        </column>
      </group>

      <group title="STP Status">
        <column name="status" key="stp_port_id">
          The port ID used in spanning tree advertisements for this port, as 4
          hex digits.  Configuring the port ID is described in the
          <code>stp-port-num</code> and <code>stp-port-priority</code> keys of
          the <code>other_config</code> section earlier.
        </column>
        <column name="status" key="stp_state"
                type='{"type": "string", "enum": ["set",
                      ["disabled", "listening", "learning",
                      "forwarding", "blocking"]]}'>
          STP state of the port.
        </column>
        <column name="status" key="stp_sec_in_state"
                type='{"type": "integer", "minInteger": 0}'>
          The amount of time this port has been in the current STP state, in
          seconds.
        </column>
        <column name="status" key="stp_role"
                type='{"type": "string", "enum": ["set",
                      ["root", "designated", "alternate"]]}'>
          STP role of the port.
        </column>
      </group>
    </group>

    <group title="Rapid Spanning Tree Protocol">
      <p>
        The configuration here is only meaningful, and the status and
        statistics are only populated, when 802.1D-1998 Spanning Tree Protocol
        is enabled on the port's <ref column="Bridge"/> with its <ref
        column="stp_enable"/> column.
      </p>

      <group title="RSTP Configuration">
        <column name="other_config" key="rstp-enable"
                type='{"type": "boolean"}'>
          When RSTP is enabled on a bridge, it is enabled by default on all of
          the bridge's ports except bond, internal, and mirror ports (which do
          not work with RSTP).  If this column's value is <code>false</code>,
          RSTP is disabled on the port.
        </column>

        <column name="other_config" key="rstp-port-priority"
                type='{"type": "integer", "minInteger": 0, "maxInteger": 240}'>
          The port's relative priority value for determining the root port, in
          multiples of 16.  By default, the port priority is 0x80 (128).  Any
          value in the lower 4 bits is rounded off.  The significant upper 4
          bits become the upper 4 bits of the port-id.  A port with the lowest
          port-id is elected as the root.
        </column>

        <column name="other_config" key="rstp-port-num"
                type='{"type": "integer", "minInteger": 1, "maxInteger": 4095}'>
          The local RSTP port number, used as the lower 12 bits of the port-id.
          By default the port numbers are assigned automatically, and typically
          may not correspond to the OpenFlow port numbers.  A port with the
          lowest port-id is elected as the root.
        </column>

        <column name="other_config" key="rstp-path-cost"
                type='{"type": "integer"}'>
          The port path cost.  The Port's contribution, when it is
          the Root Port, to the Root Path Cost for the Bridge.  By default the
          cost is automatically calculated from the port's speed.
        </column>

        <column name="other_config" key="rstp-port-admin-edge"
                type='{"type": "boolean"}'>
          The admin edge port parameter for the Port.  Default is
          <code>false</code>.
        </column>

        <column name="other_config" key="rstp-port-auto-edge"
                type='{"type": "boolean"}'>
          The auto edge port parameter for the Port.  Default is
          <code>true</code>.
        </column>

        <column name="other_config" key="rstp-port-mcheck"
                type='{"type": "boolean"}'>
          <p>
            The mcheck port parameter for the Port.  Default is
            <code>false</code>.  May be set to force the Port Protocol
            Migration state machine to transmit RST BPDUs for a
            MigrateTime period, to test whether all STP Bridges on the
            attached LAN have been removed and the Port can continue to
            transmit RSTP BPDUs.  Setting mcheck has no effect if the
            Bridge is operating in STP Compatibility mode.
          </p>
          <p>
            Changing the value from <code>true</code> to
            <code>false</code> has no effect, but needs to be done if
            this behavior is to be triggered again by subsequently
            changing the value from <code>false</code> to
            <code>true</code>.
          </p>
        </column>
      </group>

      <group title="RSTP Status">
        <column name="rstp_status" key="rstp_port_id">
          The port ID used in spanning tree advertisements for this port, as 4
          hex digits.  Configuring the port ID is described in the
          <code>rstp-port-num</code> and <code>rstp-port-priority</code> keys
          of the <code>other_config</code> section earlier.
        </column>
        <column name="rstp_status" key="rstp_port_role"
                type='{"type": "string", "enum": ["set",
                      ["Root", "Designated", "Alternate", "Backup", "Disabled"]]}'>
          RSTP role of the port.
        </column>
        <column name="rstp_status" key="rstp_port_state"
                type='{"type": "string", "enum": ["set",
                      ["Disabled", "Learning", "Forwarding", "Discarding"]]}'>
          RSTP state of the port.
        </column>
        <column name="rstp_status" key="rstp_designated_bridge_id">
          The port's RSTP designated bridge ID, in the same form as <ref
          column="rstp_status" key="rstp_bridge_id"/> in the <ref
          table="Bridge"/> table.
        </column>
        <column name="rstp_status" key="rstp_designated_port_id">
          The port's RSTP designated port ID, as 4 hex digits.
        </column>
        <column name="rstp_status" key="rstp_designated_path_cost"
                type='{"type": "integer"}'>
          The port's RSTP designated path cost.  Lower is better.
        </column>
      </group>

      <group title="RSTP Statistics">
        <column name="rstp_statistics" key="rstp_tx_count">
          Number of RSTP BPDUs transmitted through this port.
        </column>
        <column name="rstp_statistics" key="rstp_rx_count">
          Number of valid RSTP BPDUs received by this port.
        </column>
        <column name="rstp_statistics" key="rstp_error_count">
          Number of invalid RSTP BPDUs received by this port.
        </column>
        <column name="rstp_statistics" key="rstp_uptime">
          The duration covered by the other RSTP statistics, in seconds.
        </column>
      </group>
    </group>

    <group title="Multicast Snooping">
      <column name="other_config" key="mcast-snooping-flood"
              type='{"type": "boolean"}'>
        <p>
          If set to <code>true</code>, multicast packets (except Reports) are
          unconditionally forwarded to the specific port.
        </p>
      </column>
      <column name="other_config" key="mcast-snooping-flood-reports"
              type='{"type": "boolean"}'>
        <p>
          If set to <code>true</code>, multicast Reports are unconditionally
          forwarded to the specific port.
        </p>
      </column>
    </group>

    <group title="Other Features">
      <column name="qos">
        Quality of Service configuration for this port.
      </column>

      <column name="mac">
        The MAC address to use for this port for the purpose of choosing the
        bridge's MAC address.  This column does not necessarily reflect the
        port's actual MAC address, nor will setting it change the port's actual
        MAC address.
      </column>

      <column name="fake_bridge">
        Does this port represent a sub-bridge for its tagged VLAN within the
        Bridge?  See ovs-vsctl(8) for more information.
      </column>

      <column name="protected" type='{"type": "boolean"}'>
        The protected ports feature allows certain ports to be designated as
        protected. Traffic between protected ports is blocked. Protected
        ports can send traffic to unprotected ports. Unprotected ports can
        send traffic to any port.
        Default is false.
      </column>

      <column name="external_ids" key="fake-bridge-*">
        External IDs for a fake bridge (see the <ref column="fake_bridge"/>
        column) are defined by prefixing a <ref table="Bridge"/> <ref
        table="Bridge" column="external_ids"/> key with
        <code>fake-bridge-</code>,
        e.g. <code>fake-bridge-bridge-id</code>.
      </column>

      <column name="other_config" key="transient"
              type='{"type": "boolean"}'>
        <p>
          If set to <code>true</code>, the port will be removed when
          <code>ovs-ctl start --delete-transient-ports</code> is used.
        </p>
      </column>
    </group>

    <column name="bond_active_slave">
      For a bonded port, record the MAC address of the current active
      member.
    </column>

    <group title="Port Statistics">
      <p>
        Key-value pairs that report port statistics.  The update period
        is controlled by <ref column="other_config"
        key="stats-update-interval"/> in the <code>Open_vSwitch</code> table.
      </p>
      <group title="Statistics: STP transmit and receive counters">
        <column name="statistics" key="stp_tx_count">
          Number of STP BPDUs sent on this port by the spanning
          tree library.
        </column>
        <column name="statistics" key="stp_rx_count">
          Number of STP BPDUs received on this port and accepted by the
          spanning tree library.
        </column>
        <column name="statistics" key="stp_error_count">
          Number of bad STP BPDUs received on this port.  Bad BPDUs
          include runt packets and those with an unexpected protocol ID.
        </column>
      </group>
    </group>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="other_config"/>
      <column name="external_ids"/>
    </group>
  </table>

  <table name="Interface" title="One physical network device in a Port.">
    An interface within a <ref table="Port"/>.

    <group title="Core Features">
      <column name="name">
        <p>
          Interface name.  Should be alphanumeric.  For non-bonded port, this
          should be the same as the port name.  It must otherwise be unique
          among the names of ports, interfaces, and bridges on a host.
        </p>

        <p>
          The maximum length of an interface name depends on the underlying
          datapath:
        </p>

        <ul>
          <li>
            The names of interfaces implemented as Linux and BSD network
            devices, including interfaces with type <code>internal</code>,
            <code>tap</code>, or <code>system</code> plus the different types
            of tunnel ports, are limited to 15 bytes. Windows limits these
            names to 255 bytes.
          </li>

          <li>
            The names of patch ports are not used in the underlying datapath,
            so operating system restrictions do not apply.  Thus, they may have
            arbitrary length.
          </li>
        </ul>

        <p>
          Regardless of other restrictions, OpenFlow only supports 15-byte
          names, which means that <code>ovs-ofctl</code> and OpenFlow
          controllers will show names truncated to 15 bytes.
        </p>
      </column>

      <column name="ifindex">
        A positive interface index as defined for SNMP MIB-II in RFCs 1213 and
        2863, if the interface has one, otherwise 0.  The ifindex is useful for
        seamless integration with protocols such as SNMP and sFlow.
      </column>

      <column name="mac_in_use">
        The MAC address in use by this interface.
      </column>

      <column name="mac">
        <p>Ethernet address to set for this interface.  If unset then the
        default MAC address is used:</p>
        <ul>
          <li>For the local interface, the default is the lowest-numbered MAC
          address among the other bridge ports, either the value of the
          <ref table="Port" column="mac"/> in its <ref table="Port"/> record,
          if set, or its actual MAC (for bonded ports, the MAC of its
          member
          whose name is first in alphabetical order).  Internal ports and
          bridge ports that are used as port mirroring destinations (see the
          <ref table="Mirror"/> table) are ignored.</li>
          <li>For other internal interfaces, the default MAC is randomly
          generated.</li>
          <li>External interfaces typically have a MAC address associated with
          their hardware.</li>
        </ul>
        <p>Some interfaces may not have a software-controllable MAC
        address.  This option only affects internal ports.  For other type ports,
        you can change the MAC address outside Open vSwitch, using ip command.</p>
      </column>

      <column name="error">
        If the configuration of the port failed, as indicated by -1 in <ref
        column="ofport"/>, Open vSwitch sets this column to an error
        description in human readable form.  Otherwise, Open vSwitch clears
        this column.
      </column>

      <group title="OpenFlow Port Number">
        <p>
          When a client adds a new interface, Open vSwitch chooses an OpenFlow
          port number for the new port.  If the client that adds the port fills
          in <ref column="ofport_request"/>, then Open vSwitch tries to use its
          value as the OpenFlow port number.  Otherwise, or if the requested
          port number is already in use or cannot be used for another reason,
          Open vSwitch automatically assigns a free port number.  Regardless of
          how the port number was obtained, Open vSwitch then reports in <ref
          column="ofport"/> the port number actually assigned.
        </p>

        <p>
          Open vSwitch limits the port numbers that it automatically assigns to
          the range 1 through 32,767, inclusive.  Controllers therefore have
          free use of ports 32,768 and up.
        </p>

        <column name="ofport">
          <p>
            OpenFlow port number for this interface.  Open vSwitch sets this
            column's value, so other clients should treat it as read-only.
          </p>
          <p>
            The OpenFlow ``local'' port (<code>OFPP_LOCAL</code>) is 65,534.
            The other valid port numbers are in the range 1 to 65,279,
            inclusive.  Value -1 indicates an error adding the interface.
          </p>
        </column>

        <column name="ofport_request"
                type='{"type": "integer", "minInteger": 1, "maxInteger": 65279}'>
          <p>
            Requested OpenFlow port number for this interface.
          </p>

          <p>
            A client should ideally set this column's value in the same
            database transaction that it uses to create the interface.  Open
            vSwitch version 2.1 and later will honor a later request for a
            specific port number, althuogh it might confuse some controllers:
            OpenFlow does not have a way to announce a port number change, so
            Open vSwitch represents it over OpenFlow as a port deletion
            followed immediately by a port addition.
          </p>

          <p>
            If <ref column="ofport_request"/> is set or changed to some other
            port's automatically assigned port number, Open vSwitch chooses a
            new port number for the latter port.
          </p>
        </column>
      </group>
    </group>

    <group title="System-Specific Details">
      <column name="type">
        <p>
          The interface type.  The types supported by a particular instance of
          Open vSwitch are listed in the <ref table="Open_vSwitch"
          column="iface_types"/> column in the <ref table="Open_vSwitch"/>
          table.  The following types are defined:
        </p>

        <dl>
          <dt><code>system</code></dt>
          <dd>An ordinary network device, e.g. <code>eth0</code> on Linux.
          Sometimes referred to as ``external interfaces'' since they are
          generally connected to hardware external to that on which the Open
          vSwitch is running.  The empty string is a synonym for
          <code>system</code>.</dd>

          <dt><code>internal</code></dt>
          <dd>A simulated network device that sends and receives traffic.  An
          internal interface whose <ref column="name"/> is the same as its
          bridge's <ref table="Open_vSwitch" column="name"/> is called the
          ``local interface.''  It does not make sense to bond an internal
          interface, so the terms ``port'' and ``interface'' are often used
          imprecisely for internal interfaces.</dd>

          <dt><code>tap</code></dt>
          <dd>
            <p>
              A TUN/TAP device managed by Open vSwitch.
            </p>
            <p>
              Open vSwitch checks the interface state before send packets
              to the device.  When it is <code>down</code>, the packets are
              dropped and the tx_dropped statistic is updated accordingly.
              Older versions of Open vSwitch did not check the interface state
              and then the tx_packets was incremented along with tx_dropped.
            </p>
          </dd>

          <dt><code>geneve</code></dt>
          <dd>
            An Ethernet over Geneve (<code>http://tools.ietf.org/html/draft-ietf-nvo3-geneve</code>)
            IPv4/IPv6 tunnel.

            A description of how to match and set Geneve options can be found
            in the <code>ovs-ofctl</code> manual page.
          </dd>

          <dt><code>gre</code></dt>
          <dd>
            Generic Routing Encapsulation (GRE) over IPv4 tunnel,
            configurable to encapsulate layer 2 or layer 3 traffic.
          </dd>

          <dt><code>ip6gre</code></dt>
          <dd>
            Generic Routing Encapsulation (GRE) over IPv6 tunnel,
            encapsulate layer 2 traffic.
          </dd>

          <dt><code>vxlan</code></dt>
          <dd>
            <p>
              An Ethernet tunnel over the UDP-based VXLAN protocol described in
              RFC 7348.
            </p>
            <p>
              Open vSwitch uses IANA-assigned UDP destination port 4789.  The
              source port used for VXLAN traffic varies on a per-flow basis
              and is in the ephemeral port range.
            </p>
          </dd>

          <dt><code>lisp</code></dt>
          <dd>
            <p>
              This port type is deprecated.
            </p>
            <p>
              A layer 3 tunnel over the experimental, UDP-based Locator/ID
              Separation Protocol (RFC 6830).
            </p>
            <p>
              Only IPv4 and IPv6 packets are supported by the protocol, and
              they are sent and received without an Ethernet header.  Traffic
              to/from LISP ports is expected to be configured explicitly, and
              the ports are not intended to participate in learning based
              switching.  As such, they are always excluded from packet
              flooding.
            </p>
          </dd>

          <dt><code>stt</code></dt>
          <dd>
            <p>
              This port type is deprecated.
            </p>

            <p>
              The Stateless TCP Tunnel (STT) is particularly useful when tunnel
              endpoints are in end-systems, as it utilizes the capabilities of
              standard network interface cards to improve performance.
              STT utilizes a TCP-like header inside the IP header.  It is
              stateless, i.e., there is no TCP connection state of any kind
              associated with the tunnel.  The TCP-like header is used to
              leverage the capabilities of existing network interface cards,
              but should not be interpreted as implying any sort of connection
              state between endpoints.
            </p>

            <p>
              Since the STT protocol does not engage in the usual TCP 3-way
              handshake, so it will have difficulty traversing stateful
              firewalls.
            </p>

            <p>
              The protocol is documented at
              <code>https://tools.ietf.org/html/draft-davie-stt</code>.
              All traffic uses a default destination port of 7471.
            </p>
          </dd>

          <dt><code>patch</code></dt>
          <dd>
            A pair of virtual devices that act as a patch cable.
          </dd>

          <dt><code>gtpu</code></dt>
          <dd>
            <p>
            GPRS Tunneling Protocol (GTP) is a group of IP-based communications
            protocols used to carry general packet radio service (GPRS) within
            GSM, UMTS and LTE networks. GTP-U is used for carrying user data
            within the GPRS core network and between the radio access network
            and the core network. The user data transported can be packets in
            any of IPv4, IPv6, or PPP formats.
            </p>

            <p>
            The protocol is documented at
            http://www.3gpp.org/DynaReport/29281.htm
            </p>

            <p>
            Open vSwitch uses UDP destination port 2152. The source port used
            for GTP traffic varies on a per-flow basis and is in the ephemeral
            port range.
            </p>
          </dd>

          <dt><code>Bareudp</code></dt>
          <dd>
            <p>
            The Bareudp tunnel provides a generic L3 encapsulation support for
            tunnelling different L3 protocols like MPLS, IP, NSH etc. inside a
            UDP tunnel.
            </p>
          </dd>

          <dt><code>srv6</code></dt>
          <dd>
            <p>
            Segment Routing IPv6 (SRv6) tunnel encapsulates L3 traffic as
            "IPv6 in IPv6" or "IPv4 in IPv6" with Segment Routing Header (SRH)
            defined in RFC 8754. The segment list in SRH can be set using a
            SRv6 specific option.
            </p>
          </dd>

        </dl>
      </column>
    </group>

    <group title="Tunnel Options">
      <p>
        These options apply to interfaces with <ref column="type"/> of
        <code>geneve</code>, <code>bareudp</code>, <code>gre</code>,
        <code>ip6gre</code>, <code>vxlan</code>, <code>lisp</code>,
        <code>stt</code> and <code>srv6</code>.
      </p>

      <p>
        Each tunnel must be uniquely identified by the combination of <ref
        column="type"/>, <ref column="options" key="remote_ip"/>, <ref
        column="options" key="local_ip"/>, and <ref column="options"
        key="in_key"/>.  If two ports are defined that are the same except one
        has an optional identifier and the other does not, the more specific
        one is matched first.  <ref column="options" key="in_key"/> is
        considered more specific than <ref column="options" key="local_ip"/> if
        a port defines one and another port defines the other.
        <ref column="options" key="in_key"/> is not applicable for bareudp
        and srv6 tunnels. Hence it is not considered while identifying
        bareudp or srv6 tunnels.
      </p>

      <column name="options" key="remote_ip">
        <p>Required.  The remote tunnel endpoint, one of:</p>

        <ul>
          <li>
            An IPv4 or IPv6 address (not a DNS name), e.g. <code>192.168.0.123</code>.
            Only unicast endpoints are supported.
          </li>
          <li>
            The word <code>flow</code>.  The tunnel accepts packets from any
            remote tunnel endpoint.  To process only packets from a specific
            remote tunnel endpoint, the flow entries may match on the
            <code>tun_src</code> or <code>tun_ipv6_src</code>field.  When
            sending packets to a <code>remote_ip=flow</code> tunnel, the flow
            actions must explicitly set the <code>tun_dst</code> or
            <code>tun_ipv6_dst</code> field to the IP address of the desired
            remote tunnel endpoint, e.g. with a <code>set_field</code> action.
          </li>
        </ul>

        <p>
          The remote tunnel endpoint for any packet received from a tunnel
          is available in the <code>tun_src</code> field for matching in the
          flow table.
        </p>
      </column>

      <column name="options" key="local_ip">
        <p>
          Optional. The tunnel destination IP that received packets must match.
          Default is to match all addresses. If specified, may be one of:
        </p>

        <ul>
          <li>
            An IPv4/IPv6 address (not a DNS name), e.g. <code>192.168.12.3</code>.
          </li>
          <li>
            The word <code>flow</code>.  The tunnel accepts packets sent to any
            of the local IP addresses of the system running OVS.  To process
            only packets sent to a specific IP address, the flow entries may
            match on the <code>tun_dst</code> or <code>tun_ipv6_dst</code> field.
            When sending packets to a <code>local_ip=flow</code> tunnel, the flow
            actions may explicitly set the <code>tun_src</code> or <code>tun_ipv6_src</code>
            field to the desired IP address, e.g. with a <code>set_field</code> action.
            However, while routing the tunneled packet out, the local system may
            override the specified address with the local IP address configured for the
            outgoing system interface.

            <p>
              This option is valid only for tunnels also configured with the
              <code>remote_ip=flow</code> option.
            </p>
          </li>
        </ul>

        <p>
          The tunnel destination IP address for any packet received from a
          tunnel is available in the <code>tun_dst</code> or <code>tun_ipv6_dst</code>
          field for matching in the flow table.
        </p>
      </column>

      <column name="options" key="in_key">
        <p>
          Optional, not applicable for <code>bareudp</code> and
          <code>srv6</code>. The key that received packets must contain,
          one of:
        </p>

        <ul>
          <li>
            <code>0</code>.  The tunnel receives packets with no key or with a
            key of 0.  This is equivalent to specifying no <ref column="options"
            key="in_key"/> at all.
          </li>
          <li>
            A positive 24-bit (for Geneve, VXLAN, and LISP), 32-bit (for GRE)
            or 64-bit (for STT) number.  The tunnel receives only
            packets with the specified key.
          </li>
          <li>
            The word <code>flow</code>.  The tunnel accepts packets with any
            key.  The key will be placed in the <code>tun_id</code> field for
            matching in the flow table.  The <code>ovs-fields</code>(7) manual
            page contains additional information about matching fields in
            OpenFlow flows.
          </li>
        </ul>

        <p>
        </p>
      </column>

      <column name="options" key="out_key">
      <p>
        Optional, not applicable for <code>bareudp</code> and
        <code>srv6</code>. The key to be set on outgoing packets,
        one of:
      </p>

        <ul>
          <li>
            <code>0</code>.  Packets sent through the tunnel will have no key.
            This is equivalent to specifying no <ref column="options"
            key="out_key"/> at all.
          </li>
          <li>
            A positive 24-bit (for Geneve, VXLAN and LISP), 32-bit (for GRE) or
            64-bit (for STT) number.  Packets sent through the tunnel
            will have the specified key.
          </li>
          <li>
            The word <code>flow</code>.  Packets sent through the tunnel will
            have the key set using the <code>set_tunnel</code> Nicira OpenFlow
            vendor extension (0 is used in the absence of an action).  The
            <code>ovs-fields</code>(7) manual page contains additional
            information about the Nicira OpenFlow vendor extensions.
          </li>
        </ul>
      </column>

      <column name="options" key="dst_port">
        Optional.  The tunnel transport layer destination port, for UDP and TCP
        based tunnel protocols (Geneve, VXLAN, LISP, and STT).
      </column>

      <column name="options" key="key">
        Optional.  Shorthand to set <code>in_key</code> and
        <code>out_key</code> at the same time.
      </column>

      <column name="options" key="tos">
        Optional.  The value of the ToS bits to be set on the encapsulating
        packet.  ToS is interpreted as DSCP and ECN bits, ECN part must be
        zero.  It may also be the word <code>inherit</code>, in which case
        the ToS will be copied from the inner packet if it is IPv4 or IPv6
        (otherwise it will be 0).  The ECN fields are always inherited.
        Default is 0.
      </column>

      <column name="options" key="ttl">
        Optional.  The TTL to be set on the encapsulating packet.  It may also
        be the word <code>inherit</code>, in which case the TTL will be copied
        from the inner packet if it is IPv4 or IPv6 (otherwise it will be the
        system default, typically 64).  Default is the system default TTL.
      </column>

      <column name="options" key="df_default"
              type='{"type": "boolean"}'>
        Optional.  If enabled, the Don't Fragment bit will be set on tunnel
        outer headers to allow path MTU discovery. Default is enabled; set
        to <code>false</code> to disable.
      </column>

      <column name="options" key="egress_pkt_mark">
        Optional.  The pkt_mark to be set on the encapsulating packet.  This
        option sets packet mark for the tunnel endpoint for all tunnel packets
        including tunnel monitoring.
      </column>

      <group title="Tunnel Options: lisp only">
        <column name="options" key="packet_type"
                type='{"type": "string", "enum": ["set",
                      ["legacy_l3", "ptap"]]}'>
          <p>
            LISP tunnel type is deprecated.
          </p>

          <p>
            A LISP tunnel sends and receives only IPv4 and IPv6 packets.  This
            option controls what how the tunnel represents the packets that it
            sends and receives:
          </p>

          <ul>
            <li>
              By default, or if this option is <code>legacy_l3</code>, the
              tunnel represents packets as Ethernet frames for compatibility
              with legacy OpenFlow controllers that expect this behavior.
            </li>
            <li>
              If this option is <code>ptap</code>, the tunnel represents
              packets using the <code>packet_type</code> mechanism introduced
              in OpenFlow 1.5.
            </li>
          </ul>
        </column>
      </group>

      <group title="Tunnel Options: vxlan only">

        <column name="options" key="exts">
          <p>Optional.  Comma separated list of optional VXLAN extensions to
          enable. The following extensions are supported:</p>

          <ul>
            <li>
              <code>gbp</code>: VXLAN-GBP allows to transport the group policy
              context of a packet across the VXLAN tunnel to other network
              peers. See the description of <code>tun_gbp_id</code> and
              <code>tun_gbp_flags</code> in <code>ovs-fields</code>(7) for
              additional information.
              (<code>https://tools.ietf.org/html/draft-smith-vxlan-group-policy</code>)
            </li>
            <li>
              <code>gpe</code>: Support for Generic Protocol Encapsulation in
              accordance with IETF draft
              <code>https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe</code>.
              Without this option, a VXLAN packet always encapsulates an
              Ethernet frame.  With this option, an VXLAN packet may also
              encapsulate an IPv4, IPv6, NSH, or MPLS packet.
            </li>
          </ul>
        </column>

        <column name="options" key="packet_type"
                type='{"type": "string", "enum": ["set",
                      ["legacy_l2", "legacy_l3", "ptap"]]}'>
          <p>
            This option controls what types of packets the tunnel sends and
            receives and how it represents them:
          </p>

          <ul>
            <li>
              By default, or if this option is <code>legacy_l2</code>, the
              tunnel sends and receives only Ethernet frames.
            </li>
            <li>
              If this option is <code>legacy_l3</code>, the tunnel sends and
              receives only non-Ethernet (L3) packet, but the packets are
              represented as Ethernet frames for compatibility with legacy
              OpenFlow controllers that expect this behavior.  This requires
              enabling <code>gpe</code> in <ref column="options" key="exts"/>.
            </li>
            <li>
              If this option is <code>ptap</code>, Open vSwitch represents
              packets in the tunnel using the <code>packet_type</code>
              mechanism introduced in OpenFlow 1.5.  This mechanism supports
              any kind of packet, but actually sending and receiving
              non-Ethernet packets requires additionally enabling
              <code>gpe</code> in <ref column="options" key="exts"/>.
            </li>
          </ul>
        </column>
      </group>

      <group title="Tunnel Options: gre only">
        <p>
          <code>gre</code> interfaces support these options.
        </p>

        <column name="options" key="packet_type"
                type='{"type": "string", "enum": ["set",
                      ["legacy_l2", "legacy_l3", "ptap"]]}'>
          <p>
            This option controls what types of packets the tunnel sends and
            receives and how it represents them:
          </p>

          <ul>
            <li>
              By default, or if this option is <code>legacy_l2</code>, the
              tunnel sends and receives only Ethernet frames.
            </li>
            <li>
              If this option is <code>legacy_l3</code>, the tunnel sends and
              receives only non-Ethernet (L3) packet, but the packets are
              represented as Ethernet frames for compatibility with legacy
              OpenFlow controllers that expect this behavior.
            </li>
            <li>
              The <code>legacy_l3</code> option is only available via the
              user space datapath.  The OVS kernel datapath does not support
              devices of type ARPHRD_IPGRE which is the requirement for
              <code>legacy_l3</code> type packets.
            </li>
            <li>
              If this option is <code>ptap</code>, the tunnel sends and
              receives any kind of packet.  Open vSwitch represents packets in
              the tunnel using the <code>packet_type</code> mechanism
              introduced in OpenFlow 1.5.
            </li>
          </ul>
        </column>
        <column name="options" key="seq" type='{"type": "boolean"}'>
          <p>
            Optional.  A 4-byte sequence number field for GRE tunnel only.
            Default is disabled, set to <code>true</code> to enable.
            Sequence number is incremented by one on each outgoing packet.
          </p>
        </column>
      </group>

      <group title="Tunnel Options: gre, ip6gre, geneve, bareudp and vxlan">
        <p>
          <code>gre</code>, <code>ip6gre</code>, <code>geneve</code>,
          <code>bareudp</code> and <code>vxlan</code> interfaces support these
          options.
        </p>

        <column name="options" key="csum" type='{"type": "boolean"}'>
          <p>
            Optional.  Compute encapsulation header (either GRE or UDP)
            checksums on outgoing packets.  When unset (the default value),
            checksum computing for outgoing packets is enabled for UDP IPv6
            tunnels, and disabled for GRE and IPv4 UDP tunnels.  When set to
            <code>false</code>, no checksums will be computed for outgoing
            tunnel encapsulation headers.  When <code>true</code>, checksums
            will be computed for all outgoing tunnel encapsulation headers.
            Checksums present on incoming packets will be validated
            regardless of this setting.  Incoming packets without a checksum
            will also be accepted regardless of this setting.
          </p>

          <p>
            When using the upstream Linux kernel module, computation of
            checksums for <code>geneve</code> and <code>vxlan</code> requires
            Linux kernel version 4.0 or higher. <code>gre</code> and
            <code>ip6gre</code> support checksums for all versions of
            Open vSwitch that support GRE.
            The out of tree kernel module distributed as part of OVS
            can compute all tunnel checksums on any kernel version that it
            is compatible with.
          </p>

        </column>
      </group>

      <group title="Tunnel Options: IPsec">
        <p>
          Setting any of these options enables IPsec support for a given
          tunnel.  <code>gre</code>, <code>geneve</code>,
          <code>vxlan</code> and <code>stt</code>
          interfaces support these options.  See the <code>IPsec</code>
          section in the <ref table="Open_vSwitch"/> table for a description
          of each mode.
        </p>
        <column name="options" key="psk" type='{"type": "string"}'>
          <p>
            In PSK mode only, the preshared secret to negotiate tunnel. This
            value must match on both tunnel ends.
          </p>
        </column>
        <column name="options" key="remote_cert" type='{"type": "string"}'>
          <p>
            In self-signed certificate mode only, name of a PEM file
            containing a certificate of the remote switch.  The certificate
            must be x.509 version 3 and with the string in common name (CN)
            also set in the subject alternative name (SAN).
          </p>
        </column>
        <column name="options" key="remote_name" type='{"type": "string"}'>
          <p>
            In CA-signed certificate mode only, common name (CN) of the remote
            certificate.
          </p>
        </column>
      </group>
    </group>
    <group title="Tunnel Options: erspan only">
      <p>
        Only <code>erspan</code> interfaces support these options.
      </p>
      <column name="options" key="erspan_idx">
        <p>
          20 bit index/port number associated with the ERSPAN traffic's
          source port and direction (ingress/egress).  This field is
          platform dependent.
        </p>
      </column>

      <column name="options" key="erspan_ver">
        <p>
          ERSPAN version: 1 for version 1 (type II)
          or 2 for version 2 (type III).
        </p>
      </column>

      <column name="options" key="erspan_dir">
        <p>
          Specifies the ERSPAN v2 mirrored traffic's direction.
          1 for egress traffic, and 0 for ingress traffic.
        </p>
      </column>

      <column name="options" key="erspan_hwid">
        <p>
          ERSPAN hardware ID is a 6-bit unique identifier of an
          ERSPAN v2 engine within a system.
        </p>
      </column>
    </group>

    <group title="Tunnel Options: Bareudp only">
      <column name="options" key="payload_type">
        <p>
           Specifies the ethertype of the l3 protocol the bareudp
           device is tunnelling. For the tunnels which supports multiple
           ethertypes of a l3 protocol (IP, MPLS) this field specifies the
           protocol name as a string.
        </p>
      </column>
    </group>

    <group title="Tunnel Options: srv6 only">
      <column name="options" key="srv6_segs">
        <p>
           Specifies the segment list in Segment Routing Header (SRH).
           It consists of a comma-separated list of segments represented
           in IPv6 format, e.g. "fc00:100::1,fc00:200::1,fc00:300::1".
           Note that the first segment must be the same as
           <ref column="options" key="remote_ip"/>.
        </p>
      </column>
      <column name="options" key="srv6_flowlabel"
              type='{"type": "string",
                     "enum": ["set", ["zero", "copy", "compute"]]}'>
        <p>
          Optional.
          This option controls how flowlabel in outer IPv6 header is
          configured. It gives the benefit of IPv6 flow label based
          load balancing, which is supported by some popular vendor
          appliances. Like net.ipv6.seg6_flowlabel sysconfig, it is
          one of the three values below:
        </p>
        <ul>
          <li>
            By default, or if this option is <code>copy</code>, copy the
            flowlabel of inner IPv6 header to the flowlabel of outer IPv6
            header. If inner header is not IPv6, it is set to 0.
          </li>
          <li>
            If this option is <code>zero</code>, simply set flowlabel to 0.
          </li>
          <li>
            If this option is <code>compute</code>, set flowlabel to a hash
            over the L3/L4 fields of the inner packet.
          </li>
        </ul>
      </column>
    </group>

    <group title="Patch Options">
      <p>
        These options apply only to <dfn>patch ports</dfn>, that is, interfaces
        whose <ref column="type"/> column is <code>patch</code>.  Patch ports
        are mainly a way to connect otherwise independent bridges to one
        another, similar to how one might plug an Ethernet cable (a ``patch
        cable'') into two physical switches to connect those switches.  The
        effect of plugging a patch port into two switches is conceptually
        similar to that of plugging the two ends of a Linux <code>veth</code>
        device into those switches, but the implementation of patch ports makes
        them much more efficient.
      </p>

      <p>
        Patch ports may connect two different bridges (the usual case) or the
        same bridge.  In the latter case, take special care to avoid loops,
        e.g. by programming appropriate flows with OpenFlow.  Patch ports do
        not work if its ends are attached to bridges on different datapaths,
        e.g. to connect bridges in <code>system</code> and <code>netdev</code>
        datapaths.
      </p>

      <p>
        The following command creates and connects patch ports <code>p0</code>
        and <code>p1</code> and adds them to bridges <code>br0</code> and
        <code>br1</code>, respectively:
      </p>

      <pre>
ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
       -- add-port br1 p1 -- set Interface p1 type=patch options:peer=p0
      </pre>

      <column name="options" key="peer">
        The <ref column="name"/> of the <ref table="Interface"/> for the other
        side of the patch.  The named <ref table="Interface"/>'s own
        <code>peer</code> option must specify this <ref table="Interface"/>'s
        name.  That is, the two patch interfaces must have reversed <ref
        column="name"/> and <code>peer</code> values.
      </column>
    </group>

    <group title="PMD (Poll Mode Driver) Options">
      <p>
        Only PMD netdevs support these options.
      </p>

      <column name="options" key="n_rxq"
              type='{"type": "integer", "minInteger": 1}'>
        <p>
          Specifies the maximum number of rx queues to be created for PMD
          netdev.  If not specified or specified to 0, one rx queue will
          be created by default.
          Not supported by DPDK vHost interfaces.
        </p>
      </column>

      <column name="options" key="dpdk-devargs"
              type='{"type": "string"}'>
        <p>
          Specifies the PCI address associated with the port for physical
          devices, or the virtual driver to be used for the port when a virtual
          PMD is intended to be used. For the latter, the argument string
          typically takes the form of
          <code>eth_<var>driver_name</var><var>x</var></code>, where
          <var>driver_name</var> is a valid virtual DPDK PMD driver name and
          <var>x</var> is a unique identifier of your choice for the given
          port.  Only supported by the dpdk port type.
        </p>
      </column>

      <column name="other_config" key="pmd-rxq-affinity">
        <p>Specifies mapping of RX queues of this interface to CPU cores.</p>
        <p>Value should be set in the following form:</p>
        <p>
          <code>other_config:pmd-rxq-affinity=&lt;rxq-affinity-list&gt;</code>
        </p>
        <p>where</p>
        <p>
          <ul>
            <li>
              &lt;rxq-affinity-list&gt; ::= NULL | &lt;non-empty-list&gt;
            </li>
            <li>
              &lt;non-empty-list&gt; ::= &lt;affinity-pair&gt; |
                                  &lt;affinity-pair&gt; , &lt;non-empty-list&gt;
            </li>
            <li>
              &lt;affinity-pair&gt; ::= &lt;queue-id&gt; : &lt;core-id&gt;
            </li>
          </ul>
        </p>
      </column>

      <column name="options" key="xdp-mode"
              type='{"type": "string",
                     "enum": ["set", ["best-effort", "native-with-zerocopy",
                                      "native", "generic"]]}'>
        <p>
          Specifies the operational mode of the XDP program.
          <p>
            In <code>native-with-zerocopy</code> mode the XDP program is loaded
            into the device driver with zero-copy RX and TX enabled.  This mode
            requires device driver support and has the best performance because
            there should be no copying of packets.
          </p>
          <p>
            <code>native</code> is the same as
            <code>native-with-zerocopy</code>, but without zero-copy
            capability.  This requires at least one copy between kernel and the
            userspace. This mode also requires support from device driver.
          </p>
          <p>
            In <code>generic</code> case the XDP program in kernel works after
            skb allocation on early stages of packet processing inside the
            network stack.  This mode doesn't require driver support, but has
            much lower performance.
          </p>
          <p>
            <code>best-effort</code> tries to detect and choose the best
            (fastest) from the available modes for current interface.
          </p>
          <p>
            Note that this option is specific to netdev-afxdp.
            Defaults to <code>best-effort</code> mode.
          </p>
        </p>
      </column>

      <column name="options" key="use-need-wakeup"
              type='{"type": "boolean"}'>
        <p>
          Specifies whether to use need_wakeup feature in afxdp netdev.
          If enabled, OVS explicitly wakes up the kernel RX, using poll()
          syscall and wakes up TX, using sendto() syscall. For physical
          devices, this feature improves the performance by avoiding
          unnecessary sendto syscalls.
          Defaults to true if supported by libbpf.
        </p>
      </column>

      <column name="options" key="vhost-server-path"
              type='{"type": "string"}'>
        <p>
          The value specifies the path to the socket associated with a vHost
          User client mode device that has been or will be created by QEMU.
          Only supported by dpdkvhostuserclient interfaces.
        </p>
      </column>

      <column name="options" key="vhost-max-queue-pairs"
              type='{"type": "integer", "minInteger" : 1, "maxInteger": 128}'>
        <p>
          The value specifies the maximum number of queue pairs supported by
          a vHost device. This is ignored for vhost-user backends, only VDUSE
          is supported.
          Only supported by dpdkvhostuserclient interfaces.
        </p>
        <p>
          Default value is 1.
        </p>
      </column>

      <column name="options" key="tx-retries-max"
              type='{"type": "integer", "minInteger": 0, "maxInteger": 32}'>
        <p>
          The value specifies the maximum amount of vhost tx retries that can
          be made while trying to send a batch of packets to an interface.
          Only supported by dpdkvhostuserclient interfaces.
        </p>
        <p>
          Default value is 8.
        </p>
      </column>

      <column name="options" key="n_rxq_desc"
              type='{"type": "integer", "minInteger": 1, "maxInteger": 4096}'>
        <p>
          Specifies the rx queue size (number rx descriptors) for dpdk ports.
          The value must be a power of 2, less than 4096 and supported
          by the hardware of the device being configured.
          If not specified or an incorrect value is specified, 2048 rx
          descriptors will be used by default.
        </p>
      </column>

      <column name="options" key="n_txq_desc"
              type='{"type": "integer", "minInteger": 1, "maxInteger": 4096}'>
        <p>
          Specifies the tx queue size (number tx descriptors) for dpdk ports.
          The value must be a power of 2, less than 4096 and supported
          by the hardware of the device being configured.
          If not specified or an incorrect value is specified, 2048 tx
          descriptors will be used by default.
        </p>
      </column>

      <column name="options" key="dpdk-vf-mac">
        <p>
          Ethernet address to set for this VF interface.  If unset then the
          default MAC address is used:
        </p>
        <ul>
          <li>
            For most drivers, the default MAC address assigned by their
            hardware.
          </li>
          <li>
            For bifurcated drivers, the MAC currently used by the kernel
            netdevice.
          </li>
        </ul>
        <p>This option may only be used with dpdk VF representors.</p>
      </column>

      <column name="options" key="rx-steering"
              type='{"type": "string", "enum": ["set", ["rss", "rss+lacp"]]}'>
        <p>
          Configure hardware Rx queue steering policy.
        </p>
        <p>
          This option takes one of the following values:
        </p>
        <dl>
          <dt><code>rss</code></dt>
          <dd>
            Distribution of ingress packets in all Rx queues according to the
            RSS algorithm. This is the default behaviour.
          </dd>
          <dt><code>rss+lacp</code></dt>
          <dd>
            Distribution of ingress packets according to the RSS algorithm on
            all but the last Rx queue. An extra Rx queue is allocated for LACP
            packets.
          </dd>
        </dl>
        <p>
          If the user has already configured multiple <ref table="Interface"
          column="options" key="n_rxq" /> on the port, an additional one will
          be allocated for the specified protocols. Even if the hardware cannot
          satisfy the requested number of requested Rx queues, the last Rx
          queue will be used. If only one Rx queue is available or if the
          hardware does not support the rte_flow matchers/actions required to
          redirect the selected protocols, custom <code>rx-steering</code> will
          fall back to default <code>rss</code> mode.
        </p>
        <p>
          This feature is mutually exclusive with
          <ref table="Open_vSwitch" column="other_config" key="hw-offload" />
          as it may conflict with the offloaded flows. If both are enabled,
          <code>rx-steering</code> will fall back to default <code>rss</code>
          mode.
        </p>
        <p>
          This option is only applicable to interfaces with type
          <code>dpdk</code>.
        </p>
      </column>

      <column name="other_config" key="tx-steering"
              type='{"type": "string",
                     "enum": ["set", ["thread", "hash"]]}'>
        <p>
          Specifies the Tx steering mode for the interface.
        </p>
        <p>
          <code>thread</code> enables static (1:1) thread-to-txq mapping when
          the number of Tx queues is greater than number of PMD threads, and
          dynamic (N:1) mapping if equal or lower. In this mode a single thread
          can not use more than 1 transmit queue of a given port.
        </p>
        <p>
          <code>hash</code> enables hash-based Tx steering, which distributes
          the packets on all the transmit queues based on their 5-tuples
          hashes.
        </p>
        <p>
          Defaults to <code>thread</code>.
        </p>
      </column>

    </group>

    <group title="EMC (Exact Match Cache) Configuration">
      <p>
        These settings controls behaviour of EMC lookups/insertions for packets
        received from the interface.
      </p>

      <column name="other_config" key="emc-enable" type='{"type": "boolean"}'>
        <p>
          Specifies if Exact Match Cache (EMC) should be used while processing
          packets received from this interface.
          If true, <ref table="Open_vSwitch" column="other_config"
          key="emc-insert-inv-prob"/> will have effect on this interface.
        </p>
        <p>
          Defaults to true.
        </p>
      </column>
    </group>

    <group title="MTU">
      <p>
        The MTU (maximum transmission unit) is the largest amount of data
        that can fit into a single Ethernet frame.  The standard Ethernet
        MTU is 1500 bytes.  Some physical media and many kinds of virtual
        interfaces can be configured with higher MTUs.
      </p>

      <p>
        A client may change an interface MTU by filling in
        <ref column="mtu_request"/>.  Open vSwitch then reports in
        <ref column="mtu"/> the currently configured value.
      </p>

      <column name="mtu">
        <p>
          The currently configured MTU for the interface.
        </p>

        <p>
          This column will be empty for an interface that does not
          have an MTU as, for example, some kinds of tunnels do not.
        </p>

        <p>
          Open vSwitch sets this column's value, so other clients should treat
          it as read-only.
        </p>
      </column>

      <column name="mtu_request"
              type='{"type": "integer", "minInteger": 1}'>
        <p>
          Requested MTU (Maximum Transmission Unit) for the interface. A client
          can fill this column to change the MTU of an interface.
        </p>

        <p>
          RFC 791 requires every internet module to be able to forward a
          datagram of 68 octets without further fragmentation.  The maximum
          size of an IP packet is 65535 bytes.
        </p>

        <p>
          If this is not set and if the interface has <code>internal</code>
          type, Open vSwitch will change the MTU to match the minimum of the
          other interfaces in the bridge.
        </p>
    </column>

    </group>

    <group title="Interface Status">
      <p>
        Status information about interfaces attached to bridges, updated every
        5 seconds.  Not all interfaces have all of these properties; virtual
        interfaces don't have a link speed, for example.  Non-applicable
        columns will have empty values.
      </p>
      <column name="admin_state">
        <p>
          The administrative state of the physical network link.
        </p>
      </column>

      <column name="link_state">
        <p>
          The observed state of the physical network link.  This is ordinarily
          the link's carrier status.  If the interface's <ref table="Port"/> is
          a bond configured for miimon monitoring, it is instead the network
          link's miimon status.
        </p>
      </column>

      <column name="link_resets">
        <p>
          The number of times Open vSwitch has observed the
          <ref column="link_state"/> of this <ref table="Interface"/> change.
        </p>
      </column>

      <column name="link_speed">
        <p>
          The negotiated speed of the physical network link.
          Valid values are positive integers greater than 0.
        </p>
      </column>

      <column name="duplex">
        <p>
          The duplex mode of the physical network link.
        </p>
      </column>

      <column name="lacp_current">
        Boolean value indicating LACP status for this interface.  If true, this
        interface has current LACP information about its LACP partner.  This
        information may be used to monitor the health of interfaces in a LACP
        enabled port.  This column will be empty if LACP is not enabled.
      </column>

      <column name="status">
        Key-value pairs that report port status.  Supported status values are
        <ref column="type"/>-dependent; some interfaces may not have a valid
        <ref column="status" key="driver_name"/>, for example.
      </column>

      <column name="status" key="driver_name">
        The name of the device driver controlling the network adapter.
      </column>

      <column name="status" key="driver_version">
        The version string of the device driver controlling the network
        adapter.
      </column>

      <column name="status" key="firmware_version">
        The version string of the network adapter's firmware, if available.
      </column>

      <column name="status" key="source_ip">
        The source IP address used for an IPv4/IPv6 tunnel end-point, such as
        <code>gre</code>.
      </column>

      <column name="status" key="tunnel_egress_iface">
        Egress interface for tunnels.  Currently only relevant for tunnels
        on Linux systems, this column will show the name of the interface
        which is responsible for routing traffic destined for the configured
        <ref column="options" key="remote_ip"/>.  This could be an internal
        interface such as a bridge port.
      </column>

      <column name="status" key="tunnel_egress_iface_carrier"
              type='{"type": "string", "enum": ["set", ["down", "up"]]}'>
        Whether carrier is detected on <ref column="status"
        key="tunnel_egress_iface"/>.
      </column>

      <group title="dpdk">
        <p>
          DPDK specific interface status options.
        </p>

          <column name="status" key="port_no">
            DPDK port ID.
          </column>

          <column name="status" key="numa_id">
            NUMA socket ID to which an Ethernet device is connected.
          </column>

          <column name="status" key="min_rx_bufsize">
            Minimum size of RX buffer.
          </column>

          <column name="status" key="max_rx_pktlen">
            Maximum configurable length of RX pkt.
          </column>

          <column name="status" key="max_rx_queues">
            Maximum number of RX queues.
          </column>

          <column name="status" key="max_tx_queues">
            Maximum number of TX queues.
          </column>

          <column name="status" key="max_mac_addrs">
            Maximum number of MAC addresses.
          </column>

          <column name="status" key="max_hash_mac_addrs">
            Maximum number of hash MAC addresses for MTA and UTA.
          </column>

          <column name="status" key="max_vfs">
            Maximum number of hash MAC addresses for MTA and UTA.
            Maximum number of VFs.
          </column>

          <column name="status" key="max_vmdq_pools">
            Maximum number of VMDq pools.
          </column>

          <column name="status" key="n_rxq">
            Number of Rx queues.
          </column>

          <column name="status" key="n_txq">
            Number of Tx queues.
          </column>

          <column name="status" key="rx_csum_offload">
            Whether Rx Checksum offload is enabled or not.
          </column>

          <column name="status" key="if_type">
            Interface type ID according to IANA ifTYPE MIB definitions.
          </column>

          <column name="status" key="if_descr">
            Interface description string.
          </column>

          <column name="status" key="bus_info">
            Bus name and bus info such as Vendor ID and Device ID of PCI
            device.
          </column>

          <column name="status" key="dpdk-vf-mac">
            Ethernet address set for this VF interface. Only reported for dpdk
            VF representors.
          </column>

          <column name="status" key="rx-steering">
            Hardware Rx queue steering policy in use.
          </column>

          <column name="status" key="rx_steering_queue">
            ID of rx steering queue. Only reported if <code>rx-steering</code>
            is supported by hardware.
          </column>

          <column name="status" key="rss_queues">
            IDs of rss queues. Only reported if <code>rx-steering</code> is
            supported by hardware.
          </column>
      </group>

      <group title="dpdkvhostuser">
        <p>
          dpdkvhostuser and dpdkvhostuserclient
          netdev specific interface status information.
        </p>
          <column name="status" key="mode">
            client (connecting) or server (listening) in the socket
            communication.
          </column>
          <column name="status" key="features">
            virtio features bitmap as per virtio specification.
          </column>
          <column name="status" key="num_of_vrings">
            The number of available virtqueues.
          </column>
          <column name="status" key="numa">
            The numa id of the device and guest memory.
          </column>
          <column name="status" key="socket">
            The path to the socket used for communication.
          </column>
          <column name="status" key="status">
            Status of connection to the device.
          </column>
          <column name="status" key="vring_n_size">
            Each virtqueue will have it's size reported, where n is the
            virtqueue number from 0..(num_of_vrings-1).
          </column>
          <column name="status" key="userspace-tso">
            Whether userspace-tso is enabled or disabled.
          </column>
      </group>

      <group title="afxdp">
        <p>
          AF_XDP specific interface status options.
        </p>

          <column name="status" key="xdp-mode">
            XDP mode currently in use. See <ref column="options"
            key="xdp-mode"/> for description of possible values.
          </column>
      </group>
    </group>

    <group title="Statistics">
      <p>
        Key-value pairs that report interface statistics.  The current
        implementation updates these counters periodically.  The update period
        is controlled by <ref column="other_config"
        key="stats-update-interval"/> in the <code>Open_vSwitch</code> table.
        Future implementations may update them when an interface is created,
        when they are queried (e.g. using an OVSDB <code>select</code>
        operation), and just before an interface is deleted due to virtual
        interface hot-unplug or VM shutdown, and perhaps at other times, but
        not on any regular periodic basis.
      </p>
      <p>
        These are the same statistics reported by OpenFlow in its <code>struct
        ofp_port_stats</code> structure.  If an interface does not support a
        given statistic, then that pair is omitted.
      </p>
      <group title="Statistics: Successful transmit and receive counters">
        <column name="statistics" key="rx_packets">
          Number of received packets.
        </column>
        <column name="statistics" key="rx_bytes">
          Number of received bytes.
        </column>
        <column name="statistics" key="tx_packets">
          Number of transmitted packets.
        </column>
        <column name="statistics" key="tx_bytes">
          Number of transmitted bytes.
        </column>
      </group>
      <group title="Statistics: Receive errors">
        <column name="statistics" key="rx_dropped">
          Number of packets dropped by RX.
        </column>
        <column name="statistics" key="rx_frame_err">
          Number of frame alignment errors.
        </column>
        <column name="statistics" key="rx_over_err">
          Number of packets with RX overrun.
        </column>
        <column name="statistics" key="rx_crc_err">
          Number of CRC errors.
        </column>
        <column name="statistics" key="rx_errors">
          Total number of receive errors, greater than or equal to the sum of
          the above.
        </column>
      </group>
      <group title="Statistics: Transmit errors">
        <column name="statistics" key="tx_dropped">
          Number of packets dropped by TX.
        </column>
        <column name="statistics" key="collisions">
          Number of collisions.
        </column>
        <column name="statistics" key="tx_errors">
          Total number of transmit errors, greater than or equal to the sum of
          the above.
        </column>
      </group>
    </group>

    <group title="Ingress Policing">
      <p>
        These settings control ingress policing for packets received on this
        interface.  On a physical interface, this limits the rate at which
        traffic is allowed into the system from the outside; on a virtual
        interface (one connected to a virtual machine), this limits the rate at
        which the VM is able to transmit.
      </p>
      <p>
        Policing is a simple form of quality-of-service that simply drops
        packets received in excess of the configured rate.  Due to its
        simplicity, policing is usually less accurate and less effective than
        egress QoS (which is configured using the <ref table="QoS"/> and <ref
        table="Queue"/> tables).
      </p>
      <p>
        Policing settings can be set with byte rate or packet rate, and they
        can be configured together, in which case they take effect together,
        that means the smaller speed limit of them is in effect.
      </p>
      <p>
        Currently, byte rate policing is implemented on Linux and OVS with
        DPDK, while packet rate policing is only implemented on Linux.  Both
        Linux and OVS DPDK implementations use a simple ``token bucket''
        approach.
      </p>
      <p>
        Byte rate policing:
      </p>
      <ul>
        <li>
          The size of the bucket corresponds to <ref
          column="ingress_policing_burst"/>.  Initially the bucket is full.
        </li>
        <li>
          Whenever a packet is received, its size (converted to tokens) is
          compared to the number of tokens currently in the bucket.  If the
          required number of tokens are available, they are removed and the
          packet is forwarded.  Otherwise, the packet is dropped.
        </li>
        <li>
          Whenever it is not full, the bucket is refilled with tokens at the
          rate specified by <ref column="ingress_policing_rate"/>.
        </li>
      </ul>
      <p>
        Packet rate policing:
      </p>
      <ul>
        <li>
          The size of the bucket corresponds to <ref
          column="ingress_policing_kpkts_burst"/>.  Initially the bucket is
          full.
        </li>
        <li>
          Whenever a packet is received, it will consume one token from the
          current bucket.  If the token is available in the bucket, it's
          removed and the packet is forwarded.  Otherwise, the packet is
          dropped.
        </li>
        <li>
          Whenever it is not full, the bucket is refilled with tokens at the
          rate specified by <ref column="ingress_policing_kpkts_rate"/>.
        </li>
      </ul>
      <p>
        Policing interacts badly with some network protocols, and especially
        with fragmented IP packets.  Suppose that there is enough network
        activity to keep the bucket nearly empty all the time.  Then this token
        bucket algorithm will forward a single packet every so often, with the
        period depending on packet size and on the configured rate.  All of the
        fragments of an IP packets are normally transmitted back-to-back, as a
        group.  In such a situation, therefore, only one of these fragments
        will be forwarded and the rest will be dropped.  IP does not provide
        any way for the intended recipient to ask for only the remaining
        fragments.  In such a case there are two likely possibilities for what
        will happen next: either all of the fragments will eventually be
        retransmitted (as TCP will do), in which case the same problem will
        recur, or the sender will not realize that its packet has been dropped
        and data will simply be lost (as some UDP-based protocols will do).
        Either way, it is possible that no forward progress will ever occur.
      </p>
      <column name="ingress_policing_rate">
        <p>
          Maximum rate for data received on this interface, in kbps.  Data
          received faster than this rate is dropped.  Set to <code>0</code>
          (the default) to disable policing.
        </p>
      </column>

      <column name="ingress_policing_kpkts_rate">
        <p>
          Maximum rate for data received on this interface, in kpps (1 kpps is
          1000 pps).  Data received faster than this rate is dropped.  Set to
          <code>0</code> (the default) to disable policing.
        </p>
      </column>

      <column name="ingress_policing_burst">
        <p>Maximum burst size for data received on this interface, in kb.  The
        default burst size if set to <code>0</code> is 8000 kbit.  This value
        has no effect if <ref column="ingress_policing_rate"/>
        is <code>0</code>.</p>
        <p>
          Specifying a larger burst size lets the algorithm be more forgiving,
          which is important for protocols like TCP that react severely to
          dropped packets.  The burst size should be at least the size of the
          interface's MTU.  Specifying a value that is numerically at least as
          large as 80% of <ref column="ingress_policing_rate"/> helps TCP come
          closer to achieving the full rate.
        </p>
      </column>

      <column name="ingress_policing_kpkts_burst">
        <p>
          Maximum burst size for data received on this interface, in kpkts (1
          kpkts is 1000 packets).  The default burst size if set to
          <code>0</code> is 16 kpkts.  This value has no effect if
          <ref column="ingress_policing_kpkts_rate"/> is <code>0</code>.
        </p>
        <p>
          Specifying a larger burst size lets the algorithm be more forgiving,
          which is important for protocols like TCP that react severely to
          dropped packets.  Specifying a value that is numerically at least as
          large as 80% of <ref column="ingress_policing_kpkts_rate"/> helps TCP
          come closer to achieving the full rate.
        </p>
      </column>

    </group>

    <group title="Bidirectional Forwarding Detection (BFD)">
      <p>
        BFD, defined in RFC 5880 and RFC 5881, allows point-to-point
        detection of connectivity failures by occasional transmission of
        BFD control messages.  Open vSwitch implements BFD to serve
        as a more popular and standards compliant alternative to CFM.
      </p>

      <p>
        BFD operates by regularly transmitting BFD control messages at a rate
        negotiated independently in each direction.  Each endpoint specifies
        the rate at which it expects to receive control messages, and the rate
        at which it is willing to transmit them.  By default, Open vSwitch uses
        a detection multiplier of three, meaning that an endpoint signals a
        connectivity fault if three consecutive BFD control messages fail to
        arrive.  In the case of a unidirectional connectivity issue, the system
        not receiving BFD control messages signals the problem to its peer in
        the messages it transmits.
      </p>

      <p>
        The Open vSwitch implementation of BFD aims to comply faithfully
        with RFC 5880 requirements.  Open vSwitch does not implement the
        optional Authentication or ``Echo Mode'' features.
      </p>

      <p>
        OVS 2.13 and earlier intercepted and processed all BFD packets.
        OVS 2.14 and later only intercept and process BFD packets destined
        to a configured BFD instance, and other BFD packets are made available
        to the OVS flow table for forwarding.
      </p>

      <group title="BFD Configuration">
        <p>
          A controller sets up key-value pairs in the <ref column="bfd"/>
          column to enable and configure BFD.
        </p>

        <column name="bfd" key="enable" type='{"type": "boolean"}'>
          True to enable BFD on this <ref table="Interface"/>.  If not
          specified, BFD will not be enabled by default.
        </column>

        <column name="bfd" key="min_rx"
                type='{"type": "integer", "minInteger": 1}'>
          The shortest interval, in milliseconds, at which this BFD session
          offers to receive BFD control messages.  The remote endpoint may
          choose to send messages at a slower rate.  Defaults to
          <code>1000</code>.
        </column>

        <column name="bfd" key="min_tx"
                type='{"type": "integer", "minInteger": 1}'>
          The shortest interval, in milliseconds, at which this BFD session is
          willing to transmit BFD control messages.  Messages will actually be
          transmitted at a slower rate if the remote endpoint is not willing to
          receive as quickly as specified.  Defaults to <code>100</code>.
        </column>

        <column name="bfd" key="decay_min_rx" type='{"type": "integer"}'>
          An alternate receive interval, in milliseconds, that must be greater
          than or equal to <ref column="bfd" key="min_rx"/>.  The
          implementation switches from <ref column="bfd" key="min_rx"/> to <ref
          column="bfd" key="decay_min_rx"/> when there is no obvious incoming
          data traffic at the interface, to reduce the CPU and bandwidth cost
          of monitoring an idle interface.  This feature may be disabled by
          setting a value of 0.  This feature is reset whenever <ref
          column="bfd" key="decay_min_rx"/> or <ref column="bfd" key="min_rx"/>
          changes.
        </column>

        <column name="bfd" key="forwarding_if_rx" type='{"type": "boolean"}'>
          When <code>true</code>, traffic received on the
          <ref table="Interface"/> is used to indicate the capability of packet
          I/O.  BFD control packets are still transmitted and received.  At
          least one BFD control packet must be received every 100 * <ref
          column="bfd" key="min_rx"/> amount of time.  Otherwise, even if
          traffic are received, the <ref column="bfd" key="forwarding"/>
          will be <code>false</code>.
        </column>

        <column name="bfd" key="cpath_down" type='{"type": "boolean"}'>
          Set to true to notify the remote endpoint that traffic should not be
          forwarded to this system for some reason other than a connectivty
          failure on the interface being monitored.  The typical underlying
          reason is ``concatenated path down,'' that is, that connectivity
          beyond the local system is down.  Defaults to false.
        </column>

        <column name="bfd" key="check_tnl_key" type='{"type": "boolean"}'>
          Set to true to make BFD accept only control messages with a tunnel
          key of zero.  By default, BFD accepts control messages with any
          tunnel key.
        </column>

        <column name="bfd" key="bfd_local_src_mac">
          Set to an Ethernet address in the form
          <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
          to set the MAC used as source for transmitted BFD packets.  The
          default is the mac address of the BFD enabled interface.
        </column>

        <column name="bfd" key="bfd_local_dst_mac">
          Set to an Ethernet address in the form
          <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
          to set the MAC used as destination for transmitted BFD packets.  The
          default is <code>00:23:20:00:00:01</code>.
        </column>

        <column name="bfd" key="bfd_remote_dst_mac">
          Set to an Ethernet address in the form
          <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
          to set the MAC used for checking the destination of received BFD packets.
          Packets with different destination MAC will not be considered as BFD packets.
          If not specified the destination MAC address of received BFD packets
          are not checked.
        </column>

        <column name="bfd" key="bfd_src_ip">
          Set to an IPv4 address to set the IP address used as source for
          transmitted BFD packets.  The default is <code>169.254.1.1</code>.
        </column>

        <column name="bfd" key="bfd_dst_ip">
          Set to an IPv4 address to set the IP address used as destination
          for transmitted BFD packets.  The default is <code>169.254.1.0</code>.
        </column>

        <column name="bfd" key="oam">
          Some tunnel protocols (such as Geneve) include a bit in the header
          to indicate that the encapsulated packet is an OAM frame. By setting
          this to true, BFD packets will be marked as OAM if encapsulated in
          one of these tunnels.
        </column>

        <column name="bfd" key="mult"
                type='{"type": "integer", "minInteger": 1, "maxInteger": 255}'>
          The BFD detection multiplier, which defaults to 3.  An endpoint
          signals a connectivity fault if the given number of consecutive BFD
          control messages fail to arrive.
        </column>
      </group>

      <group title="BFD Status">
        <p>
          The switch sets key-value pairs in the <ref column="bfd_status"/>
          column to report the status of BFD on this interface.  When BFD is
          not enabled, with <ref column="bfd" key="enable"/>, the switch clears
          all key-value pairs from <ref column="bfd_status"/>.
        </p>

        <column name="bfd_status" key="state"
                type='{"type": "string",
                      "enum": ["set", ["admin_down", "down", "init", "up"]]}'>
          Reports the state of the BFD session.  The BFD session is fully
          healthy and negotiated if <code>UP</code>.
        </column>

        <column name="bfd_status" key="forwarding" type='{"type": "boolean"}'>
          Reports whether the BFD session believes this <ref
          table="Interface"/> may be used to forward traffic.  Typically this
          means the local session is signaling <code>UP</code>, and the remote
          system isn't signaling a problem such as concatenated path down.
        </column>

        <column name="bfd_status" key="diagnostic">
          A diagnostic code specifying the local system's reason for the
          last change in session state. The error messages are defined in
          section 4.1 of [RFC 5880].
        </column>

        <column name="bfd_status" key="remote_state"
                type='{"type": "string",
                      "enum": ["set", ["admin_down", "down", "init", "up"]]}'>
          Reports the state of the remote endpoint's BFD session.
        </column>

        <column name="bfd_status" key="remote_diagnostic">
          A diagnostic code specifying the remote system's reason for the
          last change in session state. The error messages are defined in
          section 4.1 of [RFC 5880].
        </column>

        <column name="bfd_status" key="flap_count"
                type='{"type": "integer", "minInteger": 0}'>
          Counts the number of <ref column="bfd_status" key="forwarding" />
          flaps since start.  A flap is considered as a change of the
          <ref column="bfd_status" key="forwarding" /> value.
        </column>
      </group>
    </group>

    <group title="Connectivity Fault Management">
      <p>
        802.1ag Connectivity Fault Management (CFM) allows a group of
        Maintenance Points (MPs) called a Maintenance Association (MA) to
        detect connectivity problems with each other.  MPs within a MA should
        have complete and exclusive interconnectivity.  This is verified by
        occasionally broadcasting Continuity Check Messages (CCMs) at a
        configurable transmission interval.
      </p>

      <p>
        According to the 802.1ag specification, each Maintenance Point should
        be configured out-of-band with a list of Remote Maintenance Points it
        should have connectivity to.  Open vSwitch differs from the
        specification in this area.  It simply assumes the link is faulted if
        no Remote Maintenance Points are reachable, and considers it not
        faulted otherwise.
      </p>

      <p>
        When operating over tunnels which have no <code>in_key</code>, or an
        <code>in_key</code> of <code>flow</code>.  CFM will only accept CCMs
        with a tunnel key of zero.
      </p>

      <column name="cfm_mpid">
        <p>
          A Maintenance Point ID (MPID) uniquely identifies each endpoint
          within a Maintenance Association.  The MPID is used to identify this
          endpoint to other Maintenance Points in the MA.  Each end of a link
          being monitored should have a different MPID.  Must be configured to
          enable CFM on this <ref table="Interface"/>.
        </p>
        <p>
          According to the 802.1ag specification, MPIDs can only range between
          [1, 8191].  However, extended mode (see <ref column="other_config"
          key="cfm_extended"/>) supports eight byte MPIDs.
        </p>
      </column>

      <column name="cfm_flap_count">
        Counts the number of cfm fault flapps since boot.  A flap is
        considered to be a change of the <ref column="cfm_fault"/> value.
      </column>

      <column name="cfm_fault">
        <p>
          Indicates a connectivity fault triggered by an inability to receive
          heartbeats from any remote endpoint.  When a fault is triggered on
          <ref table="Interface"/>s participating in bonds, they will be
          disabled.
        </p>
        <p>
          Faults can be triggered for several reasons.  Most importantly they
          are triggered when no CCMs are received for a period of 3.5 times the
          transmission interval. Faults are also triggered when any CCMs
          indicate that a Remote Maintenance Point is not receiving CCMs but
          able to send them.  Finally, a fault is triggered if a CCM is
          received which indicates unexpected configuration.  Notably, this
          case arises when a CCM is received which advertises the local MPID.
        </p>
      </column>

      <column name="cfm_fault_status" key="recv">
        Indicates a CFM fault was triggered due to a lack of CCMs received on
        the <ref table="Interface"/>.
      </column>

      <column name="cfm_fault_status" key="rdi">
        Indicates a CFM fault was triggered due to the reception of a CCM with
        the RDI bit flagged.  Endpoints set the RDI bit in their CCMs when they
        are not receiving CCMs themselves.  This typically indicates a
        unidirectional connectivity failure.
      </column>

      <column name="cfm_fault_status" key="maid">
        Indicates a CFM fault was triggered due to the reception of a CCM with
        a MAID other than the one Open vSwitch uses.  CFM broadcasts are tagged
        with an identification number in addition to the MPID called the MAID.
        Open vSwitch only supports receiving CCM broadcasts tagged with the
        MAID it uses internally.
      </column>

      <column name="cfm_fault_status" key="loopback">
        Indicates a CFM fault was triggered due to the reception of a CCM
        advertising the same MPID configured in the <ref column="cfm_mpid"/>
        column of this <ref table="Interface"/>.  This may indicate a loop in
        the network.
      </column>

      <column name="cfm_fault_status" key="overflow">
        Indicates a CFM fault was triggered because the CFM module received
        CCMs from more remote endpoints than it can keep track of.
      </column>

      <column name="cfm_fault_status" key="override">
        Indicates a CFM fault was manually triggered by an administrator using
        an <code>ovs-appctl</code> command.
      </column>

      <column name="cfm_fault_status" key="interval">
        Indicates a CFM fault was triggered due to the reception of a CCM
        frame having an invalid interval.
      </column>

      <column name="cfm_remote_opstate">
        <p>When in extended mode, indicates the operational state of the
        remote endpoint as either <code>up</code> or <code>down</code>.  See
        <ref column="other_config" key="cfm_opstate"/>.
        </p>
      </column>

      <column name="cfm_health">
        <p>
          Indicates the health of the interface as a percentage of CCM frames
          received over 21 <ref column="other_config" key="cfm_interval"/>s.
          The health of an interface is undefined if it is communicating with
          more than one <ref column="cfm_remote_mpids"/>.  It reduces if
          healthy heartbeats are not received at the expected rate, and
          gradually improves as healthy heartbeats are received at the desired
          rate. Every 21 <ref column="other_config" key="cfm_interval"/>s, the
          health of the interface is refreshed.
        </p>
        <p>
          As mentioned above, the faults can be triggered for several reasons.
          The link health will deteriorate even if heartbeats are received but
          they are reported to be unhealthy.  An unhealthy heartbeat in this
          context is a heartbeat for which either some fault is set or is out
          of sequence.  The interface health can be 100 only on receiving
          healthy heartbeats at the desired rate.
        </p>
      </column>

      <column name="cfm_remote_mpids">
        When CFM is properly configured, Open vSwitch will occasionally
        receive CCM broadcasts.  These broadcasts contain the MPID of the
        sending Maintenance Point.  The list of MPIDs from which this
        <ref table="Interface"/> is receiving broadcasts from is regularly
        collected and written to this column.
      </column>

      <column name="other_config" key="cfm_interval"
              type='{"type": "integer"}'>
        <p>
          The interval, in milliseconds, between transmissions of CFM
          heartbeats.  Three missed heartbeat receptions indicate a
          connectivity fault.
        </p>

        <p>
          In standard operation only intervals of 3, 10, 100, 1,000, 10,000,
          60,000, or 600,000 ms are supported.  Other values will be rounded
          down to the nearest value on the list.  Extended mode (see <ref
          column="other_config" key="cfm_extended"/>) supports any interval up
          to 65,535 ms.  In either mode, the default is 1000 ms.
        </p>

        <p>We do not recommend using intervals less than 100 ms.</p>
      </column>

      <column name="other_config" key="cfm_extended"
              type='{"type": "boolean"}'>
        When <code>true</code>, the CFM module operates in extended mode. This
        causes it to use a nonstandard destination address to avoid conflicting
        with compliant implementations which may be running concurrently on the
        network. Furthermore, extended mode increases the accuracy of the
        <code>cfm_interval</code> configuration parameter by breaking wire
        compatibility with 802.1ag compliant implementations.  And extended
        mode allows eight byte MPIDs.  Defaults to <code>false</code>.
      </column>

      <column name="other_config" key="cfm_demand" type='{"type": "boolean"}'>
        <p>
          When <code>true</code>, and
          <ref column="other_config" key="cfm_extended"/> is true, the CFM
          module operates in demand mode.  When in demand mode, traffic
          received on the <ref table="Interface"/> is used to indicate
          liveness.  CCMs are still transmitted and received.  At least one
          CCM must be received every 100 * <ref column="other_config"
          key="cfm_interval"/> amount of time.  Otherwise, even if traffic
          are received, the CFM module will raise the connectivity fault.
        </p>

        <p>
          Demand mode has a couple of caveats:
          <ul>
            <li>
              To ensure that ovs-vswitchd has enough time to pull statistics
              from the datapath, the fault detection interval is set to
              3.5 * MAX(<ref column="other_config" key="cfm_interval"/>, 500)
              ms.
            </li>

            <li>
              To avoid ambiguity, demand mode disables itself when there are
              multiple remote maintenance points.
            </li>

            <li>
              If the <ref table="Interface"/> is heavily congested, CCMs
              containing the <ref column="other_config" key="cfm_opstate"/>
              status may be dropped causing changes in the operational state to
              be delayed.  Similarly, if CCMs containing the RDI bit are not
              received, unidirectional link failures may not be detected.
            </li>
          </ul>
        </p>
      </column>

      <column name="other_config" key="cfm_opstate"
              type='{"type": "string", "enum": ["set", ["down", "up"]]}'>
        When <code>down</code>, the CFM module marks all CCMs it generates as
        operationally down without triggering a fault.  This allows remote
        maintenance points to choose not to forward traffic to the
        <ref table="Interface"/> on which this CFM module is running.
        Currently, in Open vSwitch, the opdown bit of CCMs affects
        <ref table="Interface"/>s participating in bonds, and the bundle
        OpenFlow action. This setting is ignored when CFM is not in extended
        mode.  Defaults to <code>up</code>.
      </column>

      <column name="other_config" key="cfm_ccm_vlan"
              type='{"type": "integer", "minInteger": 1, "maxInteger": 4095}'>
        When set, the CFM module will apply a VLAN tag to all CCMs it generates
        with the given value.  May be the string <code>random</code> in which
        case each CCM will be tagged with a different randomly generated VLAN.
      </column>

      <column name="other_config" key="cfm_ccm_pcp"
              type='{"type": "integer", "minInteger": 1, "maxInteger": 7}'>
        When set, the CFM module will apply a VLAN tag to all CCMs it generates
        with the given PCP value, the VLAN ID of the tag is governed by the
        value of <ref column="other_config" key="cfm_ccm_vlan"/>. If
        <ref column="other_config" key="cfm_ccm_vlan"/> is unset, a VLAN ID of
        zero is used.
      </column>

    </group>

    <group title="Bonding Configuration">
      <column name="other_config" key="lacp-port-id"
              type='{"type": "integer", "minInteger": 1, "maxInteger": 65535}'>
        The LACP port ID of this <ref table="Interface"/>.  Port IDs are
        used in LACP negotiations to identify individual ports
        participating in a bond.
      </column>

      <column name="other_config" key="lacp-port-priority"
              type='{"type": "integer", "minInteger": 1, "maxInteger": 65535}'>
        The LACP port priority of this <ref table="Interface"/>.  In LACP
        negotiations <ref table="Interface"/>s with numerically lower
        priorities are preferred for aggregation.
      </column>

      <column name="other_config" key="lacp-aggregation-key"
              type='{"type": "integer", "minInteger": 1, "maxInteger": 65535}'>
        The LACP aggregation key of this <ref table="Interface"/>.  <ref
        table="Interface"/>s with different aggregation keys may not be active
        within a given <ref table="Port"/> at the same time.
      </column>
    </group>

    <group title="Virtual Machine Identifiers">
      <p>
        These key-value pairs specifically apply to an interface that
        represents a virtual Ethernet interface connected to a virtual
        machine.  These key-value pairs should not be present for other types
        of interfaces.  Keys whose names end in <code>-uuid</code> have
        values that uniquely identify the entity in question.
      </p>

      <column name="external_ids" key="attached-mac">
        The MAC address programmed into the ``virtual hardware'' for this
        interface, in the form
        <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>.
      </column>

      <column name="external_ids" key="iface-id">
        A system-unique identifier for the interface.
      </column>

      <column name="external_ids" key="iface-status"
              type='{"type": "string",
                    "enum": ["set", ["active", "inactive"]]}'>
        <p>
          Hypervisors may sometimes have more than one interface associated
          with a given <ref column="external_ids" key="iface-id"/>, only one of
          which is actually in use at a given time.  For example, in some
          circumstances hypervisor may have both a ``tap'' and a ``vif''
          interface for a single <ref column="external_ids" key="iface-id"/>,
          but only uses one of them at a time.  A hypervisor that behaves this
          way must mark the currently in use interface <code>active</code> and
          the others <code>inactive</code>.  A hypervisor that never has more
          than one interface for a given <ref column="external_ids"
          key="iface-id"/> may mark that interface <code>active</code> or omit
          <ref column="external_ids" key="iface-status"/> entirely.
        </p>

        <p>
          During VM migration, a given <ref column="external_ids"
          key="iface-id"/> might transiently be marked <code>active</code> on
          two different hypervisors.  That is, <code>active</code> means that
          this <ref column="external_ids" key="iface-id"/> is the active
          instance within a single hypervisor, not in a broader scope.
          There is one exception: some hypervisors support ``migration'' from a
          given hypervisor to itself (most often for test purposes).  During
          such a ``migration,'' two instances of a single <ref
          column="external_ids" key="iface-id"/> might both be briefly marked
          <code>active</code> on a single hypervisor.
        </p>
      </column>

      <column name="external_ids" key="vm-id">
        The VM to which this interface belongs.
      </column>
    </group>

    <group title="Auto Attach Configuration">
      <p>
        Auto Attach configuration for a particular interface.
      </p>

      <column name="lldp" key="enable" type='{"type": "boolean"}'>
        True to enable LLDP on this <ref table="Interface"/>.  If not
        specified, LLDP will be disabled by default.
      </column>
    </group>

    <group title="Flow control Configuration">
      <p>
        Ethernet flow control defined in IEEE 802.1Qbb provides link level flow
        control using MAC pause frames.  Implemented only for interfaces with
        type <code>dpdk</code>.
      </p>

      <column name="options" key="rx-flow-ctrl" type='{"type": "boolean"}'>
        Set to <code>true</code> to enable Rx flow control on physical ports.
        By default, Rx flow control is disabled.
      </column>

      <column name="options" key="tx-flow-ctrl" type='{"type": "boolean"}'>
        Set to <code>true</code> to enable Tx flow control on physical ports.
        By default, Tx flow control is disabled.
      </column>

      <column name="options" key="flow-ctrl-autoneg"
              type='{"type": "boolean"}'>
        Set to <code>true</code> to enable flow control auto negotiation on
        physical ports. By default, auto-neg is disabled.
      </column>
    </group>

    <group title="Link State Change detection mode">
      <column name="options" key="dpdk-lsc-interrupt"
              type='{"type": "boolean"}'>
        <p>
          Set this value to <code>false</code> to configure poll mode for
          Link State Change (LSC) detection instead of interrupt mode for the
          DPDK interface.
        </p>
        <p>
          If this value is not set, interrupt mode is configured.
        </p>
        <p>
          This parameter has an effect only on netdev dpdk interfaces.
        </p>
      </column>
    </group>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="other_config"/>
      <column name="external_ids"/>
    </group>
  </table>

  <table name="Flow_Table" title="OpenFlow table configuration">
    <p>Configuration for a particular OpenFlow table.</p>

    <column name="name">
      The table's name.  Set this column to change the name that controllers
      will receive when they request table statistics, e.g. <code>ovs-ofctl
      dump-tables</code>.  The name does not affect switch behavior.
    </column>

    <group title="Eviction Policy">
      <p>
        Open vSwitch supports limiting the number of flows that may be
        installed in a flow table, via the <ref column="flow_limit"/> column.
        When adding a flow would exceed this limit, by default Open vSwitch
        reports an error, but there are two ways to configure Open vSwitch to
        instead delete (``evict'') a flow to make room for the new one:
      </p>

      <ul>
        <li>
          Set the <ref column="overflow_policy"/> column to <code>evict</code>.
        </li>

        <li>
          Send an OpenFlow 1.4+ ``table mod request'' to enable eviction for
          the flow table (e.g. <code>ovs-ofctl -O OpenFlow14 mod-table br0 0
          evict</code> to enable eviction on flow table 0 of bridge
          <code>br0</code>).
        </li>
      </ul>

      <p>
        When a flow must be evicted due to overflow, the flow to evict is
        chosen through an approximation of the following algorithm.  This
        algorithm is used regardless of how eviction was enabled:
      </p>

      <ol>
        <li>
          Divide the flows in the table into groups based on the values of the
          fields or subfields specified in the <ref column="groups"/> column,
          so that all of the flows in a given group have the same values for
          those fields.  If a flow does not specify a given field, that field's
          value is treated as 0.  If <ref column="groups"/> is empty, then all
          of the flows in the flow table are treated as a single group.
        </li>

        <li>
          Consider the flows in the largest group, that is, the group that
          contains the greatest number of flows.  If two or more groups all
          have the same largest number of flows, consider the flows in all of
          those groups.
        </li>

        <li>
          If the flows under consideration have different importance values,
          eliminate from consideration any flows except those with the lowest
          importance.  (``Importance,'' a 16-bit integer value attached to each
          flow, was introduced in OpenFlow 1.4.  Flows inserted with older
          versions of OpenFlow always have an importance of 0.)
        </li>

        <li>
          Among the flows under consideration, choose the flow that expires
          soonest for eviction.
        </li>
      </ol>

      <p>
        The eviction process only considers flows that have an idle timeout
        or a hard timeout.  That is, eviction never deletes permanent flows.
        (Permanent flows do count against <ref column="flow_limit"/>.)
      </p>

      <column name="flow_limit">
        If set, limits the number of flows that may be added to the table.
        Open vSwitch may limit the number of flows in a table for other
        reasons, e.g. due to hardware limitations or for resource availability
        or performance reasons.
      </column>

      <column name="overflow_policy">
        <p>
          Controls the switch's behavior when an OpenFlow flow table
          modification request would add flows in excess of <ref
          column="flow_limit"/>.  The supported values are:
        </p>

        <dl>
          <dt><code>refuse</code></dt>
          <dd>
            Refuse to add the flow or flows.  This is also the default policy
            when <ref column="overflow_policy"/> is unset.
          </dd>

          <dt><code>evict</code></dt>
          <dd>
            Delete a flow chosen according to the algorithm described above.
          </dd>
        </dl>
      </column>

      <column name="groups">
        <p>
          When <ref column="overflow_policy"/> is <code>evict</code>, this
          controls how flows are chosen for eviction when the flow table would
          otherwise exceed <ref column="flow_limit"/> flows.  Its value is a
          set of NXM fields or sub-fields, each of which takes one of the forms
          <code><var>field</var>[]</code> or
          <code><var>field</var>[<var>start</var>..<var>end</var>]</code>,
          e.g. <code>NXM_OF_IN_PORT[]</code>.  Please see
          <code>meta-flow.h</code> for a complete list of NXM field names.
        </p>

        <p>
          Open vSwitch ignores any invalid or unknown field specifications.
        </p>

        <p>
          When eviction is not enabled, via <ref column="overflow_policy"/> or
          an OpenFlow 1.4+ ``table mod,'' this column has no effect.
        </p>
      </column>
    </group>

    <group title="Classifier Optimization">
      <column name="prefixes">
        <p>
          This string set specifies which fields should be used for
          address prefix tracking.  Prefix tracking allows the
          classifier to skip rules with longer than necessary prefixes,
          resulting in better wildcarding for datapath flows.
        </p>
        <p>
          Prefix tracking may be beneficial when a flow table contains
          matches on IP address fields with different prefix lengths.
          For example, when a flow table contains IP address matches on
          both full addresses and proper prefixes, the full address
          matches will typically cause the datapath flow to un-wildcard
          the whole address field (depending on flow entry priorities).
          In this case each packet with a different address gets handed
          to the userspace for flow processing and generates its own
          datapath flow.  With prefix tracking enabled for the address
          field in question packets with addresses matching shorter
          prefixes would generate datapath flows where the irrelevant
          address bits are wildcarded, allowing the same datapath flow
          to handle all the packets within the prefix in question.  In
          this case many userspace upcalls can be avoided and the
          overall performance can be better.
        </p>
        <p>
          This is a performance optimization only, so packets will
          receive the same treatment with or without prefix tracking.
        </p>
        <p>
          The supported fields are: <code>tun_id</code>,
          <code>tun_src</code>, <code>tun_dst</code>,
          <code>tun_ipv6_src</code>, <code>tun_ipv6_dst</code>,
          <code>nw_src</code>, <code>nw_dst</code> (or aliases
          <code>ip_src</code> and <code>ip_dst</code>),
          <code>ipv6_src</code>, and <code>ipv6_dst</code>.  (Using this
          feature for <code>tun_id</code> would only make sense if the
          tunnel IDs have prefix structure similar to IP addresses.)
        </p>

        <p>
          By default, the <code>prefixes=ip_dst,ip_src,ipv6_dst,ipv6_src</code>
          are used on each flow table.  This instructs the flow classifier to
          track the IPv4 and IPv6 destination and source addresses used by the
          rules in this specific flow table.
        </p>

        <p>
          The keyword <code>none</code> is recognized as an explicit
          override of the default values, causing no prefix fields to be
          tracked.
        </p>

        <p>
          To set the prefix fields, the flow table record needs to
          exist:
        </p>

        <dl>
          <dt><code>ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- --id=@N1 create Flow_Table name=table0</code></dt>
          <dd>
            Creates a flow table record for the OpenFlow table number 0.
          </dd>

          <dt><code>ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src</code></dt>
          <dd>
            Enables prefix tracking for IPv4 source and destination
            address fields.
          </dd>
        </dl>

        <p>
          There is a maximum number of fields that can be enabled for any
          one flow table.  Currently this limit is 4.
        </p>
      </column>
    </group>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="external_ids"/>
    </group>
  </table>

  <table name="QoS" title="Quality of Service configuration">
    <p>Quality of Service (QoS) configuration for each Port that
    references it.</p>

    <column name="type">
      <p>The type of QoS to implement. The currently defined types are
      listed below:</p>
      <dl>
        <dt><code>linux-htb</code></dt>
        <dd>
          Linux ``hierarchy token bucket'' classifier.  See tc-htb(8) (also at
          <code>http://linux.die.net/man/8/tc-htb</code>) and the HTB manual
          (<code>http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm</code>)
          for information on how this classifier works and how to configure it.
        </dd>

        <dt><code>linux-hfsc</code></dt>
        <dd>
          Linux "Hierarchical Fair Service Curve" classifier.
          See <code>http://linux-ip.net/articles/hfsc.en/</code> for
          information on how this classifier works.
        </dd>

        <dt><code>linux-sfq</code></dt>
        <dd>
          Linux ``Stochastic Fairness Queueing'' classifier. See
          <code>tc-sfq</code>(8) (also at
          <code>http://linux.die.net/man/8/tc-sfq</code>) for information on
          how this classifier works.
        </dd>

        <dt><code>linux-codel</code></dt>
        <dd>
          Linux ``Controlled Delay'' classifier. See <code>tc-codel</code>(8)
          (also at
          <code>http://man7.org/linux/man-pages/man8/tc-codel.8.html</code>)
          for information on how this classifier works.
        </dd>

        <dt><code>linux-fq_codel</code></dt>
        <dd>
          Linux ``Fair Queuing with Controlled Delay'' classifier. See
          <code>tc-fq_codel</code>(8) (also at
          <code>http://man7.org/linux/man-pages/man8/tc-fq_codel.8.html</code>)
          for information on how this classifier works.
        </dd>

        <dt><code>linux-netem</code></dt>
        <dd>
          Linux ``Network Emulator'' classifier. See
          <code>tc-netem</code>(8) (also at
          <code>http://man7.org/linux/man-pages/man8/tc-netem.8.html</code>)
          for information on how this classifier works.
        </dd>

        <dt><code>linux-noop</code></dt>
        <dd>
          Linux ``No operation.''  By default, Open vSwitch manages quality of
          service on all of its configured ports.  This can be helpful, but
          sometimes administrators prefer to use other software to manage QoS.
          This <ref column="type"/> prevents Open vSwitch from changing the QoS
          configuration for a port.
        </dd>

        <dt><code>egress-policer</code></dt>
        <dd>
          A DPDK egress policer algorithm using the DPDK
          rte_meter library. The rte_meter library provides an implementation
          which allows the metering and policing of traffic. The implementation
          in OVS essentially creates a single token bucket used to police
          traffic. It should be noted that when the rte_meter is configured as
          part of QoS there will be a performance overhead as the rte_meter
          itself will consume CPU cycles in order to police traffic. These CPU
          cycles ordinarily are used for packet proccessing. As such the drop
          in performance will be noticed in terms of overall aggregate traffic
          throughput.
        </dd>
        <dt><code>trtcm-policer</code></dt>
        <dd>
          A DPDK egress policer algorithm using RFC 4115's Two-Rate,
          Three-Color marker. It's a two-level hierarchical policer
          which first does a color-blind marking of the traffic at the queue
          level, followed by a color-aware marking at the port level. At the
          end traffic marked as Green or Yellow is forwarded, Red is dropped.
          For details on how traffic is marked, see RFC 4115.

          If the ``default queue'', 0, is not configured it's automatically
          created with the same <code>other_config</code> values as the
          physical port.
        </dd>
      </dl>
    </column>

    <column name="queues">
      <p>A map from queue numbers to <ref table="Queue"/> records.  The
      supported range of queue numbers depend on <ref column="type"/>.  The
      queue numbers are the same as the <code>queue_id</code> used in
      OpenFlow in <code>struct ofp_action_enqueue</code> and other
      structures.</p>

      <p>
        Queue 0 is the ``default queue.''  It is used by OpenFlow output
        actions when no specific queue has been set.  When no configuration for
        queue 0 is present, it is automatically configured as if a <ref
        table="Queue"/> record with empty <ref table="Queue" column="dscp"/>
        and <ref table="Queue" column="other_config"/> columns had been
        specified.
        (Before version 1.6, Open vSwitch would leave queue 0 unconfigured in
        this case.  With some queuing disciplines, this dropped all packets
        destined for the default queue.)
      </p>
    </column>

    <group title="Configuration for linux-htb and linux-hfsc">
      <p>
        The <code>linux-htb</code> and <code>linux-hfsc</code> classes support
        the following key-value pair:
      </p>

      <column name="other_config" key="max-rate" type='{"type": "integer"}'>
        Maximum rate shared by all queued traffic, in bit/s.  Optional.  If not
        specified, for physical interfaces, the default is the link rate.  For
        other interfaces or if the link rate cannot be determined, the default
        is currently 10 Gbps.
      </column>
    </group>

    <group title="Configuration for egress-policer QoS">
      <p>
        <ref table="QoS"/> <ref table="QoS" column="type"/>
        <code>egress-policer</code> provides egress policing for userspace
        port types with DPDK.

        It has the following key-value pairs defined.
      </p>

      <column name="other_config" key="cir" type='{"type": "integer"}'>
        The Committed Information Rate (CIR) is measured in bytes of IP
        packets per second, i.e. it includes the IP header, but not link
        specific (e.g. Ethernet) headers. This represents the bytes per second
        rate at which the token bucket will be updated. The cir value is
        calculated by (pps x packet data size).  For example assuming a user
        wishes to limit a stream consisting of 64 byte packets to 1 million
        packets per second the CIR would be set to to to 46000000. This value
        can be broken into '1,000,000 x 46'. Where 1,000,000 is the policing
        rate for the number of packets per second and 46 represents the size
        of the packet data for a 64 bytes IP packet without 14 bytes Ethernet
        and 4 bytes FCS header.
      </column>
      <column name="other_config" key="cbs" type='{"type": "integer"}'>
        The Committed Burst Size (CBS) is measured in bytes and represents a
        token bucket. At a minimum this value should be be set to the expected
        largest size packet in the traffic stream. In practice larger values
        may be used to increase the size of the token bucket. If a packet can
        be transmitted then the cbs will be decremented by the number of
        bytes/tokens of the packet. If there are not enough tokens in the cbs
        bucket the packet will be dropped.
      </column>
      <column name="other_config" key="eir" type='{"type": "integer"}'>
        The Excess Information Rate (EIR) is measured in bytes of IP
        packets per second, i.e. it includes the IP header, but not link
        specific (e.g. Ethernet) headers. This represents the bytes per second
        rate at which the token bucket will be updated. The eir value is
        calculated by (pps x packet data size).  For example assuming a user
        wishes to limit a stream consisting of 64 byte packets to 1 million
        packets per second the EIR would be set to to to 46000000. This value
        can be broken into '1,000,000 x 46'. Where 1,000,000 is the policing
        rate for the number of packets per second and 46 represents the size
        of the packet data for a 64 bytes IP packet without 14 bytes Ethernet
        and 4 bytes FCS header.
      </column>
      <column name="other_config" key="ebs" type='{"type": "integer"}'>
        The Excess Burst Size (EBS) is measured in bytes and represents a
        token bucket. At a minimum this value should be be set to the expected
        largest size packet in the traffic stream. In practice larger values
        may be used to increase the size of the token bucket. If a packet can
        be transmitted then the ebs will be decremented by the number of
        bytes/tokens of the packet. If there are not enough tokens in the cbs
        bucket the packet might be dropped.
      </column>
    </group>

    <group title="Configuration for linux-sfq">
      <p>
        The <code>linux-sfq</code> QoS supports the following key-value pairs:
      </p>

      <column name="other_config" key="perturb" type='{"type": "integer"}'>
        Number of seconds between consecutive perturbations in hashing algorithm.
        Different flows can end up in the same hash bucket causing unfairness.
        Perturbation's goal is to remove possible unfairness.
        The default and recommended value is 10. Too low a value is discouraged
        because each perturbation can cause packet reordering.
      </column>
      <column name="other_config" key="quantum" type='{"type": "integer"}'>
        Number of bytes <code>linux-sfq</code> QoS can dequeue in one turn in
        round-robin from one flow. The default and recommended value is equal
        to interface's MTU.
      </column>
    </group>

    <group title="Configuration for linux-netem">
      <p>
        The <code>linux-netem</code> QoS supports the following key-value
        pairs:
      </p>

      <column name="other_config" key="latency" type='{"type": "integer"}'>
        Adds the chosen delay to the packets outgoing to chosen network
        interface. The latency value expressed in us.
      </column>
      <column name="other_config" key="limit" type='{"type": "integer"}'>
        Maximum number of packets the qdisc may hold queued at a time.
        The default value is 1000.
      </column>
      <column name="other_config" key="loss" type='{"type": "integer"}'>
        Adds an independent loss probability to the packets outgoing from the
        chosen network interface.
      </column>
      <column name="other_config" key="jitter" type='{"type": "integer"}'>
        Adds the provided jitter to the latency outgoing to the
        chosen network interface. The jitter value expressed in us.
      </column>
    </group>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="other_config"/>
      <column name="external_ids"/>
    </group>
  </table>

  <table name="Queue" title="QoS output queue.">
    <p>A configuration for a port output queue, used in configuring Quality of
    Service (QoS) features.  May be referenced by <ref column="queues"
    table="QoS"/> column in <ref table="QoS"/> table.</p>

    <column name="dscp">
      If set, Open vSwitch will mark all traffic egressing this
      <ref table="Queue"/> with the given DSCP bits.  Traffic egressing the
      default <ref table="Queue"/> is only marked if it was explicitly selected
      as the <ref table="Queue"/> at the time the packet was output.  If unset,
      the DSCP bits of traffic egressing this <ref table="Queue"/> will remain
      unchanged.
    </column>

    <group title="Configuration for linux-htb QoS">
      <p>
        <ref table="QoS"/> <ref table="QoS" column="type"/>
        <code>linux-htb</code> may use <code>queue_id</code>s less than 61440.
        It has the following key-value pairs defined.
      </p>

      <column name="other_config" key="min-rate"
              type='{"type": "integer", "minInteger": 1}'>
        Minimum guaranteed bandwidth, in bit/s.
      </column>

      <column name="other_config" key="max-rate"
              type='{"type": "integer", "minInteger": 1}'>
        Maximum allowed bandwidth, in bit/s.  Optional.  If specified, the
        queue's rate will not be allowed to exceed the specified value, even
        if excess bandwidth is available.  If unspecified, defaults to no
        limit.
      </column>

      <column name="other_config" key="burst"
              type='{"type": "integer", "minInteger": 1}'>
        Burst size, in bits.  This is the maximum amount of ``credits'' that a
        queue can accumulate while it is idle.  Optional.  Details of the
        <code>linux-htb</code> implementation require a minimum burst size, so
        a too-small <code>burst</code> will be silently ignored.
      </column>

      <column name="other_config" key="priority"
              type='{"type": "integer", "minInteger": 0, "maxInteger": 4294967295}'>
        A queue with a smaller <code>priority</code> will receive all the
        excess bandwidth that it can use before a queue with a larger value
        receives any.  Specific priority values are unimportant; only relative
        ordering matters.  Defaults to 0 if unspecified.
      </column>
    </group>

    <group title="Configuration for linux-hfsc QoS">
      <p>
        <ref table="QoS"/> <ref table="QoS" column="type"/>
        <code>linux-hfsc</code> may use <code>queue_id</code>s less than 61440.
        It has the following key-value pairs defined.
      </p>

      <column name="other_config" key="min-rate"
              type='{"type": "integer", "minInteger": 1}'>
        Minimum guaranteed bandwidth, in bit/s.
      </column>

      <column name="other_config" key="max-rate"
              type='{"type": "integer", "minInteger": 1}'>
        Maximum allowed bandwidth, in bit/s.  Optional.  If specified, the
        queue's rate will not be allowed to exceed the specified value, even if
        excess bandwidth is available.  If unspecified, defaults to no
        limit.
      </column>
    </group>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="other_config"/>
      <column name="external_ids"/>
    </group>
  </table>

  <table name="Mirror" title="Port mirroring.">
    <p>A port mirror within a <ref table="Bridge"/>.</p>
    <p>A port mirror configures a bridge to send selected frames to special
    ``mirrored'' ports, in addition to their normal destinations.  Mirroring
    traffic may also be referred to as SPAN or RSPAN, depending on how
    the mirrored traffic is sent.</p>

    <p>
      When a packet enters an Open vSwitch bridge, it becomes eligible for
      mirroring based on its ingress port and VLAN.  As the packet travels
      through the flow tables, each time it is output to a port, it becomes
      eligible for mirroring based on the egress port and VLAN.  In Open
      vSwitch 2.5 and later, mirroring occurs just after a packet first becomes
      eligible, using the packet as it exists at that point; in Open vSwitch
      2.4 and earlier, mirroring occurs only after a packet has traversed all
      the flow tables, using the original packet as it entered the bridge.
      This makes a difference only when the flow table modifies the packet: in
      Open vSwitch 2.4, the modifications are never visible to mirrors, whereas
      in Open vSwitch 2.5 and later modifications made before the first output
      that makes it eligible for mirroring to a particular destination are
      visible.
    </p>

    <p>
      A packet that enters an Open vSwitch bridge is mirrored to a particular
      destination only once, even if it is eligible for multiple reasons.  For
      example, a packet would be mirrored to a particular <ref
      column="output_port"/> only once, even if it is selected for mirroring to
      that port by <ref column="select_dst_port"/> and <ref
      column="select_src_port"/> in the same or different <ref table="Mirror"/>
      records.
    </p>

    <column name="name">
      Arbitrary identifier for the <ref table="Mirror"/>.
    </column>

    <group title="Selecting Packets for Mirroring">
      <p>
        To be selected for mirroring, a given packet must enter or leave the
        bridge through a selected port and it must also be in one of the
        selected VLANs.
      </p>

      <column name="select_all">
        If true, every packet arriving or departing on any port is
        selected for mirroring.
      </column>

      <column name="select_dst_port">
        Ports on which departing packets are selected for mirroring.
      </column>

      <column name="select_src_port">
        Ports on which arriving packets are selected for mirroring.
      </column>

      <column name="select_vlan">
        VLANs on which packets are selected for mirroring.  An empty set
        selects packets on all VLANs.
      </column>
      <column name="filter">
        <p>
          When set, only packets that match <ref column="filter"/> are
          selected for mirroring.  Packets that do not match are ignored
          by thie mirror.  The <ref column="filter"/> syntax is described
          in <code>ovs-fields</code>(7).  However, the <code>in_port</code>
          field is not supported; <ref column="select_src_port"/> should be
          used to limit the mirror to a source port.
        </p>
        <p>
          This filter is applied after <ref column="select_all"/>, <ref
          column="select_dst_port"/>, <ref column="select_src_port"/>, and
          <ref column="select_vlan"/>.
        </p>
      </column>
    </group>

    <group title="Mirroring Destination Configuration">
      <p>
        These columns are mutually exclusive.  Exactly one of them must be
        nonempty.
      </p>

      <column name="output_port">
        <p>Output port for selected packets, if nonempty.</p>
        <p>Specifying a port for mirror output reserves that port exclusively
        for mirroring.  No frames other than those selected for mirroring
        via this column
        will be forwarded to the port, and any frames received on the port
        will be discarded.</p>
        <p>
          The output port may be any kind of port supported by Open vSwitch.
          It may be, for example, a physical port (sometimes called SPAN) or a
          GRE tunnel.
        </p>
      </column>

      <column name="output_vlan">
        <p>Output VLAN for selected packets, if nonempty.</p>
        <p>The frames will be sent out all ports that trunk
        <ref column="output_vlan"/>, as well as any ports with implicit VLAN
        <ref column="output_vlan"/>.  When a mirrored frame is sent out a
        trunk port, the frame's VLAN tag will be set to
        <ref column="output_vlan"/>, replacing any existing tag; when it is
        sent out an implicit VLAN port, the frame will not be tagged.  This
        type of mirroring is sometimes called RSPAN.</p>
        <p>
          See the documentation for
          <ref column="other_config" key="forward-bpdu"/> in the
          <ref table="Interface"/> table for a list of destination MAC
          addresses which will not be mirrored to a VLAN to avoid confusing
          switches that interpret the protocols that they represent.
        </p>
        <p><em>Please note:</em> Mirroring to a VLAN can disrupt a network that
        contains unmanaged switches.  Consider an unmanaged physical switch
        with two ports: port 1, connected to an end host, and port 2,
        connected to an Open vSwitch configured to mirror received packets
        into VLAN 123 on port 2.  Suppose that the end host sends a packet on
        port 1 that the physical switch forwards to port 2.  The Open vSwitch
        forwards this packet to its destination and then reflects it back on
        port 2 in VLAN 123.  This reflected packet causes the unmanaged
        physical switch to replace the MAC learning table entry, which
        correctly pointed to port 1, with one that incorrectly points to port
        2.  Afterward, the physical switch will direct packets destined for
        the end host to the Open vSwitch on port 2, instead of to the end
        host on port 1, disrupting connectivity.  If mirroring to a VLAN is
        desired in this scenario, then the physical switch must be replaced
        by one that learns Ethernet addresses on a per-VLAN basis.  In
        addition, learning should be disabled on the VLAN containing mirrored
        traffic. If this is not done then intermediate switches will learn
        the MAC address of each end host from the mirrored traffic.  If
        packets being sent to that end host are also mirrored, then they will
        be dropped since the switch will attempt to send them out the input
        port. Disabling learning for the VLAN will cause the switch to
        correctly send the packet out all ports configured for that VLAN.  If
        Open vSwitch is being used as an intermediate switch, learning can be
        disabled by adding the mirrored VLAN to <ref column="flood_vlans"/>
        in the appropriate <ref table="Bridge"/> table or tables.</p>
        <p>
          Mirroring to a GRE tunnel has fewer caveats than mirroring to a
          VLAN and should generally be preferred.
        </p>
      </column>

      <column name="snaplen">
        <p>Maximum per-packet number of bytes to mirror.</p>
        <p>A mirrored packet with size larger than <ref column="snaplen"/>
           will be truncated in datapath to <ref column="snaplen"/> bytes
           before sending to the mirror output port.  If omitted, packets
           are not truncated.
        </p>
      </column>
    </group>

    <group title="Statistics: Mirror counters">
      <p>
        Key-value pairs that report mirror statistics.  The update period
        is controlled by <ref column="other_config"
        key="stats-update-interval"/> in the <code>Open_vSwitch</code> table.
      </p>
      <column name="statistics" key="tx_packets">
        Number of packets transmitted through this mirror.
      </column>
      <column name="statistics" key="tx_bytes">
        Number of bytes transmitted through this mirror.
      </column>
    </group>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="external_ids"/>
    </group>
  </table>

  <table name="Controller" title="OpenFlow controller configuration.">
    <p>An OpenFlow controller.</p>

    <group title="Core Features">
      <column name="type">
        <p>
          Open vSwitch supports two kinds of OpenFlow controllers.  A bridge
          may have any number of each kind:
        </p>

        <dl>
          <dt>Primary controllers</dt>
          <dd>
            <p>
              This is the kind of controller envisioned by the OpenFlow
              specifications.  Usually, a primary controller implements a
              network policy by taking charge of the switch's flow table.
            </p>

            <p>
              The <ref table="Bridge" column="fail_mode"/> column in the <ref
              table="Bridge"/> table applies to primary controllers.
            </p>

            <p>
              When multiple primary controllers are configured, Open vSwitch
              connects to all of them simultaneously.  OpenFlow provides few
              facilities to allow multiple controllers to coordinate in
              interacting with a single switch, so more than one primary
              controller should be specified only if the controllers are
              themselves designed to coordinate with each other.
            </p>
          </dd>
          <dt>Service controllers</dt>
          <dd>
            <p>
              These kinds of OpenFlow controller connections are intended for
              occasional support and maintenance use, e.g. with
              <code>ovs-ofctl</code>.  Usually a service controller connects
              only briefly to inspect or modify some of a switch's state.
            </p>

            <p>
              The <ref table="Bridge" column="fail_mode"/> column in the <ref
              table="Bridge"/> table does not apply to service controllers.
            </p>
          </dd>
        </dl>

        <p>
          By default, Open vSwitch treats controllers with active connection
          methods as primary controllers and those with passive connection
          methods as service controllers.  Set this column to the desired type
          to override this default.
        </p>
      </column>

      <column name="target">
        <p>Connection method for controller.</p>
        <p>
          The following active connection methods are currently supported:
        </p>
        <dl>
          <dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
          <dd>
            <p>The specified SSL/TLS <var>port</var> on the host at the
            given <var>host</var>, which can either be a DNS name (if built
            with unbound library) or an IP address.  The <ref table="Open_vSwitch"
            column="ssl"/> column in the <ref table="Open_vSwitch"/> table must
            point to a valid SSL/TLS configuration when this form is used.</p>
            <p>If <var>port</var> is not specified, it defaults to 6653.</p>
            <p>SSL/TLS support is an optional feature that is not always built
            as part of Open vSwitch.</p>
          </dd>
          <dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
          <dd>
            <p>
              The specified TCP <var>port</var> on the host at the given
              <var>host</var>, which can either be a DNS name (if built with
              unbound library) or an IP address (IPv4 or IPv6). If <var>host</var>
              is an IPv6 address, wrap it in square brackets, e.g.
              <code>tcp:[::1]:6653</code>.
            </p>
            <p>
              If <var>port</var> is not specified, it defaults to 6653.
            </p>
          </dd>
        </dl>
        <p>
          The following passive connection methods are currently supported:
        </p>
        <dl>
          <dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
          <dd>
            <p>
              Listens for SSL/TLS connections on the specified TCP
              <var>port</var>.
              If <var>host</var>, which can either be a DNS name (if built with
              unbound library) or an IP address, is specified, then connections
              are restricted to the resolved or specified local IP address
              (either IPv4 or IPv6).  If <var>host</var> is an IPv6 address,
              wrap it in square brackets, e.g. <code>pssl:6653:[::1]</code>.
            </p>
            <p>
              If <var>port</var> is not specified, it defaults to
              6653.  If <var>host</var> is not specified then it listens only on
              IPv4 (but not IPv6) addresses.  The
              <ref table="Open_vSwitch" column="ssl"/>
              column in the <ref table="Open_vSwitch"/> table must point to a
              valid SSL/TLS configuration when this form is used.
            </p>
            <p>
              If <var>port</var> is not specified, it currently to 6653.
            </p>
            <p>
              SSL/TLS support is an optional feature that is not always built
              as part of Open vSwitch.
            </p>
          </dd>
          <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
          <dd>
            <p>
              Listens for connections on the specified TCP <var>port</var>.  If
              <var>host</var>, which can either be a DNS name (if built with
              unbound library) or an IP address, is specified, then connections
              are restricted to the resolved or specified local IP address
              (either IPv4 or IPv6).  If <var>host</var> is an IPv6 address, wrap
              it in square brackets, e.g. <code>ptcp:6653:[::1]</code>. If
              <var>host</var> is not specified then it listens only on IPv4
              addresses.
            </p>
            <p>
              If <var>port</var> is not specified, it defaults to 6653.
            </p>
          </dd>
        </dl>
        <p>When multiple controllers are configured for a single bridge, the
        <ref column="target"/> values must be unique.  Duplicate
        <ref column="target"/> values yield unspecified results.</p>
      </column>

      <column name="connection_mode">
        <p>If it is specified, this setting must be one of the following
        strings that describes how Open vSwitch contacts this OpenFlow
        controller over the network:</p>

        <dl>
          <dt><code>in-band</code></dt>
          <dd>In this mode, this controller's OpenFlow traffic travels over the
          bridge associated with the controller.  With this setting, Open
          vSwitch allows traffic to and from the controller regardless of the
          contents of the OpenFlow flow table.  (Otherwise, Open vSwitch
          would never be able to connect to the controller, because it did
          not have a flow to enable it.)  This is the most common connection
          mode because it is not necessary to maintain two independent
          networks.</dd>
          <dt><code>out-of-band</code></dt>
          <dd>In this mode, OpenFlow traffic uses a control network separate
          from the bridge associated with this controller, that is, the
          bridge does not use any of its own network devices to communicate
          with the controller.  The control network must be configured
          separately, before or after <code>ovs-vswitchd</code> is started.
          </dd>
        </dl>

        <p>If not specified, the default is implementation-specific.</p>
      </column>
    </group>

    <group title="Controller Failure Detection and Handling">
      <column name="max_backoff">
        Maximum number of milliseconds to wait between connection attempts.
        Default is implementation-specific.
      </column>

      <column name="inactivity_probe">
        Maximum number of milliseconds of idle time on connection to
        controller before sending an inactivity probe message.  If Open
        vSwitch does not communicate with the controller for the specified
        number of seconds, it will send a probe.  If a response is not
        received for the same additional amount of time, Open vSwitch
        assumes the connection has been broken and attempts to reconnect.
        Default is implementation-specific.  A value of 0 disables
        inactivity probes.
      </column>
    </group>

    <group title="Asynchronous Messages">
      <p>
        OpenFlow switches send certain messages to controllers spontanenously,
        that is, not in response to any request from the controller.  These
        messages are called ``asynchronous messages.''  These columns allow
        asynchronous messages to be limited or disabled to ensure the best use
        of network resources.
      </p>

      <column name="enable_async_messages">
        The OpenFlow protocol enables asynchronous messages at time of
        connection establishment, which means that a controller can receive
        asynchronous messages, potentially many of them, even if it turns them
        off immediately after connecting.  Set this column to
        <code>false</code> to change Open vSwitch behavior to disable, by
        default, all asynchronous messages.  The controller can use the
        <code>NXT_SET_ASYNC_CONFIG</code> Nicira extension to OpenFlow to turn
        on any messages that it does want to receive, if any.
      </column>

      <group title="Controller Rate Limiting">
        <p>
          A switch can forward packets to a controller over the OpenFlow
          protocol.  Forwarding packets this way at too high a rate can
          overwhelm a controller, frustrate use of the OpenFlow connection for
          other purposes, increase the latency of flow setup, and use an
          unreasonable amount of bandwidth.  Therefore, Open vSwitch supports
          limiting the rate of packet forwarding to a controller.
        </p>

        <p>
          There are two main reasons in OpenFlow for a packet to be sent to a
          controller: either the packet ``misses'' in the flow table, that is,
          there is no matching flow, or a flow table action says to send the
          packet to the controller.  Open vSwitch limits the rate of each kind
          of packet separately at the configured rate.  Therefore, the actual
          rate that packets are sent to the controller can be up to twice the
          configured rate, when packets are sent for both reasons.
        </p>

        <p>
          This feature is specific to forwarding packets over an OpenFlow
          connection.  It is not general-purpose QoS.  See the <ref
          table="QoS"/> table for quality of service configuration, and <ref
          column="ingress_policing_rate" table="Interface"/> in the <ref
          table="Interface"/> table for ingress policing configuration.
        </p>

      <column name="controller_queue_size">
        <p>
           This sets the maximum size of the queue of packets that need to be
           sent to this OpenFlow controller. The value must be less than 512.
           If not specified the queue size is limited to the value set for
           the management controller in <ref table="Bridge"
           column="other_config" key="controller-queue-size"/> if present or
           100 packets by default. Note: increasing the queue size might
           have a negative impact on latency.
        </p>
      </column>

        <column name="controller_rate_limit">
          <p>
            The maximum rate at which the switch will forward packets to the
            OpenFlow controller, in packets per second.  If no value is
            specified, rate limiting is disabled.
          </p>
        </column>

        <column name="controller_burst_limit">
          <p>
            When a high rate triggers rate-limiting, Open vSwitch queues
            packets to the controller for each port and transmits them to the
            controller at the configured rate.  This value limits the number of
            queued packets.  Ports on a bridge share the packet queue fairly.
          </p>

          <p>
            This value has no effect unless <ref
            column="controller_rate_limit"/> is configured.  The current
            default when this value is not specified is one-quarter of <ref
            column="controller_rate_limit"/>, meaning that queuing can delay
            forwarding a packet to the controller by up to 250 ms.
          </p>
        </column>

        <group title="Controller Rate Limiting Statistics">
          <p>
            These values report the effects of rate limiting.  Their values are
            relative to establishment of the most recent OpenFlow connection,
            or since rate limiting was enabled, whichever happened more
            recently.  Each consists of two values, one with <code>TYPE</code>
            replaced by <code>miss</code> for rate limiting flow table misses,
            and the other with <code>TYPE</code> replaced by
            <code>action</code> for rate limiting packets sent by OpenFlow
            actions.
          </p>

          <p>
            These statistics are reported only when controller rate limiting is
            enabled.
          </p>

          <column name="status" key="packet-in-TYPE-bypassed"
                  type='{"type": "integer", "minInteger": 0}'>
            Number of packets sent directly to the controller, without queuing,
            because the rate did not exceed the configured maximum.
          </column>

          <column name="status" key="packet-in-TYPE-queued"
                  type='{"type": "integer", "minInteger": 0}'>
            Number of packets added to the queue to send later.
          </column>

          <column name="status" key="packet-in-TYPE-dropped"
                  type='{"type": "integer", "minInteger": 0}'>
            Number of packets added to the queue that were later dropped due to
            overflow.  This value is less than or equal to <ref column="status"
            key="packet-in-TYPE-queued"/>.
          </column>

          <column name="status" key="packet-in-TYPE-backlog"
                  type='{"type": "integer", "minInteger": 0}'>
            Number of packets currently queued.  The other statistics increase
            monotonically, but this one fluctuates between 0 and the <ref
            column="controller_burst_limit"/> as conditions change.
          </column>
        </group>
      </group>
    </group>

    <group title="Additional In-Band Configuration">
      <p>These values are considered only in in-band control mode (see
      <ref column="connection_mode"/>).</p>

      <p>When multiple controllers are configured on a single bridge, there
      should be only one set of unique values in these columns.  If different
      values are set for these columns in different controllers, the effect
      is unspecified.</p>

      <column name="local_ip">
        The IP address to configure on the local port,
        e.g. <code>192.168.0.123</code>.  If this value is unset, then
        <ref column="local_netmask"/> and <ref column="local_gateway"/> are
        ignored.
      </column>

      <column name="local_netmask">
        The IP netmask to configure on the local port,
        e.g. <code>255.255.255.0</code>.  If <ref column="local_ip"/> is set
        but this value is unset, then the default is chosen based on whether
        the IP address is class A, B, or C.
      </column>

      <column name="local_gateway">
        The IP address of the gateway to configure on the local port, as a
        string, e.g. <code>192.168.0.1</code>.  Leave this column unset if
        this network has no gateway.
      </column>
    </group>

    <group title="Controller Status">
      <column name="is_connected">
        <code>true</code> if currently connected to this controller,
        <code>false</code> otherwise.
      </column>

      <column name="role"
              type='{"type": "string", "enum": ["set", ["other", "master", "slave"]]}'>
        <p>The level of authority this controller has on the associated
        bridge. Possible values are:</p>
        <dl>
          <dt><code>other</code></dt>
          <dd>Allows the controller access to all OpenFlow features.</dd>
          <dt><code>master</code></dt>
          <dd>
            Equivalent to <code>other</code>, except that there may be at
            most one such controller at a time.  If a given controller
            promotes itself to this role, <code>ovs-vswitchd</code>
            demotes any existing controller with the role to <code>slave</code>.
          </dd>

          <dt><code>slave</code></dt>
          <dd>
            Allows the controller read-only access to OpenFlow features.
            Attempts to modify the flow table will be rejected with an
            error.  Such controllers do not receive OFPT_PACKET_IN or
            OFPT_FLOW_REMOVED messages, but they do receive OFPT_PORT_STATUS
            messages.
          </dd>
        </dl>
      </column>

      <column name="status" key="last_error">
        A human-readable description of the last error on the connection
        to the controller; i.e. <code>strerror(errno)</code>.  This key
        will exist only if an error has occurred.
      </column>

      <column name="status" key="state"
              type='{"type": "string", "enum": ["set", ["VOID", "BACKOFF", "CONNECTING", "ACTIVE", "IDLE"]]}'>
        <p>
          The state of the connection to the controller:
        </p>
        <dl>
          <dt><code>VOID</code></dt>
          <dd>Connection is disabled.</dd>

          <dt><code>BACKOFF</code></dt>
          <dd>Attempting to reconnect at an increasing period.</dd>

          <dt><code>CONNECTING</code></dt>
          <dd>Attempting to connect.</dd>

          <dt><code>ACTIVE</code></dt>
          <dd>Connected, remote host responsive.</dd>

          <dt><code>IDLE</code></dt>
          <dd>Connection is idle.  Waiting for response to keep-alive.</dd>
        </dl>
        <p>
          These values may change in the future.  They are provided only for
          human consumption.
        </p>
      </column>

      <column name="status" key="sec_since_connect"
              type='{"type": "integer", "minInteger": 0}'>
        The amount of time since this controller last successfully connected to
        the switch (in seconds).  Value is empty if controller has never
        successfully connected.
      </column>

      <column name="status" key="sec_since_disconnect"
              type='{"type": "integer", "minInteger": 1}'>
        The amount of time since this controller last disconnected from
        the switch (in seconds). Value is empty if controller has never
        disconnected.
      </column>
    </group>

    <group title="Connection Parameters">
      <p>
        Additional configuration for a connection between the controller
        and the Open vSwitch.
      </p>

      <column name="other_config" key="dscp"
              type='{"type": "integer"}'>
        The Differentiated Service Code Point (DSCP) is specified using 6 bits
        in the Type of Service (TOS) field in the IP header. DSCP provides a
        mechanism to classify the network traffic and provide Quality of
        Service (QoS) on IP networks.

        The DSCP value specified here is used when establishing the connection
        between the controller and the Open vSwitch.  If no value is specified,
        a default value of 48 is chosen.  Valid DSCP values must be in the
        range 0 to 63.
      </column>
    </group>


    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="external_ids"/>
      <column name="other_config"/>
    </group>
  </table>

  <table name="Manager" title="OVSDB management connection.">
    <p>
      Configuration for a database connection to an Open vSwitch database
      (OVSDB) client.
    </p>

    <p>
      This table primarily configures the Open vSwitch database
      (<code>ovsdb-server</code>), not the Open vSwitch switch
      (<code>ovs-vswitchd</code>).  The switch does read the table to determine
      what connections should be treated as in-band.
    </p>

    <p>
      The Open vSwitch database server can initiate and maintain active
      connections to remote clients.  It can also listen for database
      connections.
    </p>

    <group title="Core Features">
      <column name="target">
        <p>Connection method for managers.</p>
        <p>
          The following connection methods are currently supported:
        </p>
        <dl>
          <dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
          <dd>
            <p>
              The specified SSL/TLS <var>port</var> on the host at the given
              <var>host</var>, which can either be a DNS name (if built with
              unbound library) or an IP address.  The <ref table="Open_vSwitch"
              column="ssl"/> column in the <ref table="Open_vSwitch"/>
              table must point to a valid SSL/TLS configuration when this
              form is used.
            </p>
            <p>
              If <var>port</var> is not specified, it defaults to 6640.
            </p>
            <p>
              SSL/TLS support is an optional feature that is not always
              built as part of Open vSwitch.
            </p>
          </dd>

          <dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
          <dd>
            <p>
              The specified TCP <var>port</var> on the host at the given
              <var>host</var>, which can either be a DNS name (if built with
              unbound library) or an IP address (IPv4 or IPv6).  If <var>host</var>
              is an IPv6 address, wrap it in square brackets, e.g.
              <code>tcp:[::1]:6640</code>.
            </p>
            <p>
              If <var>port</var> is not specified, it defaults to 6640.
            </p>
          </dd>
          <dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
          <dd>
            <p>
              Listens for SSL/TLS connections on the specified TCP
              <var>port</var>.
              Specify 0 for <var>port</var> to have the kernel automatically
              choose an available port.  If <var>host</var>, which can either
              be a DNS name (if built with unbound library) or an IP address,
              is specified, then connections are restricted to the resolved or
              specified local IP address (either IPv4 or IPv6 address).  If
              <var>host</var> is an IPv6 address, wrap in square brackets,
              e.g. <code>pssl:6640:[::1]</code>.  If <var>host</var> is not
              specified then it listens only on IPv4 (but not IPv6) addresses.
              The <ref table="Open_vSwitch" column="ssl"/> column in the <ref
              table="Open_vSwitch"/> table must point to a valid SSL/TLS
              configuration when this form is used.
            </p>
            <p>
              If <var>port</var> is not specified, it defaults to 6640.
            </p>
            <p>
              SSL/TLS support is an optional feature that is not always built
              as part of Open vSwitch.
            </p>
          </dd>
          <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
          <dd>
            <p>
              Listens for connections on the specified TCP <var>port</var>.
              Specify 0 for <var>port</var> to have the kernel automatically
              choose an available port.  If <var>host</var>, which can either
              be a DNS name (if built with unbound library) or an IP address,
              is specified, then connections are restricted to the resolved or
              specified local IP address (either IPv4 or IPv6 address).  If
              <var>host</var> is an IPv6 address, wrap it in square brackets,
              e.g. <code>ptcp:6640:[::1]</code>.  If <var>host</var> is not
              specified then it listens only on IPv4 addresses.
            </p>
            <p>
              If <var>port</var> is not specified, it defaults to 6640.
            </p>
          </dd>
        </dl>
        <p>When multiple managers are configured, the <ref column="target"/>
        values must be unique.  Duplicate <ref column="target"/> values yield
        unspecified results.</p>
      </column>

      <column name="connection_mode">
        <p>
          If it is specified, this setting must be one of the following strings
          that describes how Open vSwitch contacts this OVSDB client over the
          network:
        </p>

        <dl>
          <dt><code>in-band</code></dt>
          <dd>
            In this mode, this connection's traffic travels over a bridge
            managed by Open vSwitch.  With this setting, Open vSwitch allows
            traffic to and from the client regardless of the contents of the
            OpenFlow flow table.  (Otherwise, Open vSwitch would never be able
            to connect to the client, because it did not have a flow to enable
            it.)  This is the most common connection mode because it is not
            necessary to maintain two independent networks.
          </dd>
          <dt><code>out-of-band</code></dt>
          <dd>
            In this mode, the client's traffic uses a control network separate
            from that managed by Open vSwitch, that is, Open vSwitch does not
            use any of its own network devices to communicate with the client.
            The control network must be configured separately, before or after
            <code>ovs-vswitchd</code> is started.
          </dd>
        </dl>

        <p>
          If not specified, the default is implementation-specific.
        </p>
      </column>
    </group>

    <group title="Client Failure Detection and Handling">
      <column name="max_backoff">
        Maximum number of milliseconds to wait between connection attempts.
        Default is implementation-specific.
      </column>

      <column name="inactivity_probe">
        Maximum number of milliseconds of idle time on connection to the client
        before sending an inactivity probe message.  If Open vSwitch does not
        communicate with the client for the specified number of seconds, it
        will send a probe.  If a response is not received for the same
        additional amount of time, Open vSwitch assumes the connection has been
        broken and attempts to reconnect.  Default is implementation-specific.
        A value of 0 disables inactivity probes.
      </column>
    </group>

    <group title="Status">
      <p>
        Key-value pair of <ref column="is_connected"/> is always updated.
        Other key-value pairs in the status columns may be updated depends
        on the <ref column="target"/> type.
      </p>

      <p>
        When <ref column="target"/> specifies a connection method that
        listens for inbound connections (e.g. <code>ptcp:</code> or
        <code>punix:</code>), both <ref column="n_connections"/> and
        <ref column="is_connected"/> may also be updated while the
        remaining key-value pairs are omitted.
      </p>

      <p>
        On the other hand, when <ref column="target"/> specifies an
        outbound connection, all key-value pairs may be updated, except
        the above-mentioned two key-value pairs associated with inbound
        connection targets. They are omitted.
      </p>

    <column name="is_connected">
        <code>true</code> if currently connected to this manager,
        <code>false</code> otherwise.
      </column>

      <column name="status" key="last_error">
        A human-readable description of the last error on the connection
        to the manager; i.e. <code>strerror(errno)</code>.  This key
        will exist only if an error has occurred.
      </column>

      <column name="status" key="state"
              type='{"type": "string", "enum": ["set", ["VOID", "BACKOFF", "CONNECTING", "ACTIVE", "IDLE"]]}'>
        <p>
          The state of the connection to the manager:
        </p>
        <dl>
          <dt><code>VOID</code></dt>
          <dd>Connection is disabled.</dd>

          <dt><code>BACKOFF</code></dt>
          <dd>Attempting to reconnect at an increasing period.</dd>

          <dt><code>CONNECTING</code></dt>
          <dd>Attempting to connect.</dd>

          <dt><code>ACTIVE</code></dt>
          <dd>Connected, remote host responsive.</dd>

          <dt><code>IDLE</code></dt>
          <dd>Connection is idle.  Waiting for response to keep-alive.</dd>
        </dl>
        <p>
          These values may change in the future.  They are provided only for
          human consumption.
        </p>
      </column>

      <column name="status" key="sec_since_connect"
              type='{"type": "integer", "minInteger": 0}'>
        The amount of time since this manager last successfully connected
        to the database (in seconds). Value is empty if manager has never
        successfully connected.
      </column>

      <column name="status" key="sec_since_disconnect"
              type='{"type": "integer", "minInteger": 0}'>
        The amount of time since this manager last disconnected from the
        database (in seconds). Value is empty if manager has never
        disconnected.
      </column>

      <column name="status" key="locks_held">
        Space-separated list of the names of OVSDB locks that the connection
        holds.  Omitted if the connection does not hold any locks.
      </column>

      <column name="status" key="locks_waiting">
        Space-separated list of the names of OVSDB locks that the connection is
        currently waiting to acquire.  Omitted if the connection is not waiting
        for any locks.
      </column>

      <column name="status" key="locks_lost">
        Space-separated list of the names of OVSDB locks that the connection
        has had stolen by another OVSDB client.  Omitted if no locks have been
        stolen from this connection.
      </column>

      <column name="status" key="n_connections"
              type='{"type": "integer", "minInteger": 2}'>
        When <ref column="target"/> specifies a connection method that
        listens for inbound connections (e.g. <code>ptcp:</code> or
        <code>pssl:</code>) and more than one connection is actually active,
        the value is the number of active connections.  Otherwise, this
        key-value pair is omitted.
      </column>

      <column name="status" key="bound_port" type='{"type": "integer"}'>
        When <ref column="target"/> is <code>ptcp:</code> or
        <code>pssl:</code>, this is the TCP port on which the OVSDB server is
        listening.  (This is particularly useful when <ref
        column="target"/> specifies a port of 0, allowing the kernel to
        choose any available port.)
      </column>
    </group>

    <group title="Connection Parameters">
      <p>
        Additional configuration for a connection between the manager
        and the Open vSwitch Database.
      </p>

      <column name="other_config" key="dscp"
              type='{"type": "integer"}'>
        The Differentiated Service Code Point (DSCP) is specified using 6 bits
        in the Type of Service (TOS) field in the IP header. DSCP provides a
        mechanism to classify the network traffic and provide Quality of
        Service (QoS) on IP networks.

        The DSCP value specified here is used when establishing the connection
        between the manager and the Open vSwitch.  If no value is specified, a
        default value of 48 is chosen.  Valid DSCP values must be in the range
        0 to 63.
      </column>
    </group>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="external_ids"/>
      <column name="other_config"/>
    </group>
  </table>

  <table name="NetFlow">
    A NetFlow target.  NetFlow is a protocol that exports a number of
    details about terminating IP flows, such as the principals involved
    and duration.

    <column name="targets">
      NetFlow targets in the form
      <code><var>ip</var>:<var>port</var></code>.  The <var>ip</var>
      must be specified numerically, not as a DNS name.
    </column>

    <column name="engine_id">
      Engine ID to use in NetFlow messages.  Defaults to datapath index
      if not specified.
    </column>

    <column name="engine_type">
      Engine type to use in NetFlow messages.  Defaults to datapath
      index if not specified.
    </column>

    <column name="active_timeout">
      <p>
        The interval at which NetFlow records are sent for flows that
        are still active, in seconds.  A value of <code>0</code>
        requests the default timeout (currently 600 seconds); a value
        of <code>-1</code> disables active timeouts.
      </p>

      <p>
        The NetFlow passive timeout, for flows that become inactive,
        is not configurable.  It will vary depending on the Open
        vSwitch version, the forms and contents of the OpenFlow flow
        tables, CPU and memory usage, and network activity.  A typical
        passive timeout is about a second.
      </p>
    </column>

    <column name="add_id_to_interface">
      <p>If this column's value is <code>false</code>, the ingress and egress
      interface fields of NetFlow flow records are derived from OpenFlow port
      numbers.  When it is <code>true</code>, the 7 most significant bits of
      these fields will be replaced by the least significant 7 bits of the
      engine id.  This is useful because many NetFlow collectors do not
      expect multiple switches to be sending messages from the same host, so
      they do not store the engine information which could be used to
      disambiguate the traffic.</p>
      <p>When this option is enabled, a maximum of 508 ports are supported.</p>
    </column>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="external_ids"/>
    </group>
  </table>

  <table name="Datapath">
    <p>
      Configuration for a datapath within <ref table="Open_vSwitch"/>.
    </p>
    <p>
      A datapath is responsible for providing the packet handling in Open
      vSwitch.  There are two primary datapath implementations used by
      Open vSwitch: kernel and userspace.  Kernel datapath
      implementations are available for Linux and Hyper-V, and selected
      as <code>system</code> in the <ref column="datapath_type"/> column
      of the <ref table="Bridge"/> table.  The userspace datapath is used
      by DPDK and AF-XDP, and is selected as <code>netdev</code> in the
      <ref column="datapath_type"/> column of the <ref table="Bridge"/>
      table.
    </p>
    <p>
      A datapath of a particular type is shared by all the bridges that use
      that datapath.  Thus, configurations applied to this table affect
      all bridges that use this datapath.
    </p>

    <column name="datapath_version">
      <p>
        Reports the version number of the Open vSwitch datapath in use.
        This allows management software to detect and report discrepancies
        between Open vSwitch userspace and datapath versions.  (The <ref
        column="ovs_version" table="Open_vSwitch"/> column in the <ref
        table="Open_vSwitch"/> reports the Open vSwitch userspace version.)
        The version reported depends on the datapath in use:
      </p>

      <ul>
        <li>
          When the kernel module included in the Open vSwitch source tree is
          used, this column reports the Open vSwitch version from which the
          module was taken.
        </li>

        <li>
          When the kernel module that is part of the upstream Linux kernel is
          used, this column reports <code>&lt;unknown&gt;</code>.
        </li>

        <li>
          When the datapath is built into the <code>ovs-vswitchd</code>
          binary, this column reports <code>&lt;built-in&gt;</code>.  A
          built-in datapath is by definition the same version as the rest of
          the Open vSwitch userspace.
        </li>

        <li>
          Other datapaths (such as the Hyper-V kernel datapath) currently
          report <code>&lt;unknown&gt;</code>.
        </li>
      </ul>

      <p>
        A version discrepancy between <code>ovs-vswitchd</code> and the
        datapath in use is not normally cause for alarm.  The Open vSwitch
        kernel datapaths for Linux and Hyper-V, in particular, are designed
        for maximum inter-version compatibility: any userspace version works
        with with any kernel version.  Some reasons do exist to insist on
        particular user/kernel pairings.  First, newer kernel versions add
        new features, that can only be used by new-enough userspace, e.g.
        VXLAN tunneling requires certain minimal userspace and kernel
        versions.  Second, as an extension to the first reason, some newer
        kernel versions add new features for enhancing performance that only
        new-enough userspace versions can take advantage of.
      </p>
    </column>

    <column name="ct_zones">
      Configuration for connection tracking zones.  Each pair maps from a
      zone id to a configuration for that zone.  Zone <code>0</code> applies
      to the default zone (ie, the one used if a zone is not specified in
      connection tracking-related OpenFlow matches and actions).
    </column>

    <group title="Capabilities">
      <p>
        The <ref column="capabilities"/> column reports a datapath's
        features.  For the <code>netdev</code> datapath, the
        capabilities are fixed for a given version of Open vSwitch
        because this datapath is built into the
        <code>ovs-vswitchd</code> binary.  The Linux kernel and
        Windows and other datapaths, which are external to OVS
        userspace, can vary in version and capabilities independently
        from <code>ovs-vswitchd</code>.
      </p>

      <p>
        Some of these features indicate whether higher-level Open vSwitch
        features are available.  For example, OpenFlow features for
        connection-tracking are available only when <ref column="capabilities"
        key="ct_state"/> is <code>true</code>.  A controller that wishes to
        determine whether a feature is supported could, therefore, consult the
        relevant capabilities in this table.  However, as a general rule, it is
        better for a controller to try to use the higher-level feature and use
        the result as an indication of support, since the low-level
        capabilities are more likely to shift over time than the high-level
        features that rely on them.
      </p>

      <column name="capabilities" key="max_vlan_headers"
              type='{"type": "integer", "minInteger": 0}'>
        Number of 802.1q VLAN headers supported by the datapath, as probed by
        the <code>ovs-vswitchd</code> slow path.  If the datapath supports more
        VLAN headers than the slow path, this reports the slow path's limit.
        The value of <ref column="other-config" key="vlan-limit"/> in the <ref
        table="Open_vSwitch"/> table does not influence the number reported
        here.
      </column>
      <column name="capabilities" key="recirc" type='{"type": "boolean"}'>
        If this is true, then the datapath supports recirculation,
        specifically OVS_KEY_ATTR_RECIRC_ID.  Recirculation enables
        higher performance for MPLS and active-active load balancing
        bonding modes.
      </column>
      <column name="capabilities" key="lb_output_action"
              type='{"type": "boolean"}'>
        If this is true, then the datapath supports optimized balance-tcp
        bond mode. This capability replaces existing <code>hash</code> and
        <code>recirc</code> actions with new action <code>lb_output</code>
        and avoids recirculation of packet in datapath. It is supported
        only for balance-tcp bond mode in netdev datapath. The new action
        gives higher performance by using bond buckets instead of post
        recirculation flows for selection of member port from bond. By default
        this new action is disabled, however it can be enabled by setting
        <ref column="other-config" key="lb-output-action"/> in
        <ref table="Port"/> table.
      </column>
      <group title="Connection-Tracking Capabilities">
        <p>
          These capabilities are granular because Open vSwitch and its
          datapaths added support for connection tracking over several
          releases, with features added individually over that time.
        </p>

        <column name="capabilities" key="ct_state" type='{"type": "boolean"}'>
          <p>
            If true, datapath supports OVS_KEY_ATTR_CT_STATE, which indicates
            support for the bits in the OpenFlow <code>ct_state</code> field
            (see <code>ovs-fields</code>(7)) other than <code>snat</code> and
            <code>dnat</code>, which have a separate capability.
          </p>

          <p>
            If this is false, the datapath does not support connection-tracking
            at all and the remaining connection-tracking capabilities should
            all be false.  In this case, Open vSwitch will reject flows that
            match on the <code>ct_state</code> field or use the <code>ct</code>
            action.
          </p>
        </column>
        <column name="capabilities" key="ct_state_nat"
                type='{"type": "boolean"}'>
          <p>
            If true, it means that the datapath supports the <code>snat</code>
            and <code>dnat</code> flags in the OpenFlow <code>ct_state</code>
            field.  The <code>ct_state</code> capability must be true for this
            to make sense.
          </p>

          <p>
            If false, Open vSwitch will reject flows that match on the
            <code>snat</code> or <code>dnat</code> bits in
            <code>ct_state</code> or use <code>nat</code> in the
            <code>ct</code> action.
          </p>
        </column>
        <column name="capabilities" key="ct_zone" type='{"type": "boolean"}'>
          If true, datapath supports OVS_KEY_ATTR_CT_ZONE.  If false, Open
          vSwitch rejects flows that match on the <code>ct_zone</code> field or
          that specify a nonzero zone or a zone field on the <code>ct</code>
          action.
        </column>
        <column name="capabilities" key="ct_mark" type='{"type": "boolean"}'>
          If true, datapath supports OVS_KEY_ATTR_CT_MARK.  If false, Open
          vSwitch rejects flows that match on the <code>ct_mark</code> field or
          that set <code>ct_mark</code> in the <code>ct</code> action.
        </column>
        <column name="capabilities" key="ct_label" type='{"type": "boolean"}'>
          If true, datapath supports OVS_KEY_ATTR_CT_LABEL.  If false, Open
          vSwitch rejects flows that match on the <code>ct_label</code> field
          or that set <code>ct_label</code> in the <code>ct</code> action.
        </column>
        <column name="capabilities" key="ct_orig_tuple"
                type='{"type": "boolean"}'>
          <p>
            If true, the datapath supports matching the 5-tuple from the
            connection's original direction for IPv4 traffic.  If false, Open
            vSwitch rejects flows that match on <code>ct_nw_src</code> or
            <code>ct_nw_dst</code>, that use the <code>ct</code> feature of the
            <code>resubmit</code> action, or the <code>force</code> keyword in
            the <code>ct</code> action.  (The latter isn't tied to connection
            tracking support of original tuples in any technical way.  They are
            conflated because all current datapaths implemented the two
            features at the same time.)
          </p>

          <p>
            If this and <ref column="capabilities" key="ct_orig_tuple6"/> are
            both false, Open vSwitch rejects flows that match on
            <code>ct_nw_proto</code>, <code>ct_tp_src</code>, or
            <code>ct_tp_dst</code>.
          </p>
        </column>
        <column name="capabilities" key="ct_orig_tuple6"
                type='{"type": "boolean"}'>
          If true, the datapath supports matching the 5-tuple from the
          connection's original direction for IPv6 traffic.  If false, Open
          vSwitch rejects flows that match on <code>ct_ipv6_src</code> or
          <code>ct_ipv6_dst</code>.
        </column>
      </group>
      <column name="capabilities" key="masked_set_action"
              type='{"type": "boolean"}'>
        True if the datapath supports masked data in OVS_ACTION_ATTR_SET
        actions.  Masked data can improve performance by allowing megaflows to
        match on fewer fields.
      </column>
      <column name="capabilities" key="tnl_push_pop"
              type='{"type": "boolean"}'>
        True if the datapath supports tnl_push and pop actions.  This is a
        prerequisite for a datapath to support native tunneling.
      </column>
      <column name="capabilities" key="ufid" type='{"type": "boolean"}'>
        True if the datapath supports OVS_FLOW_ATTR_UFID.  UFID support
        improves revalidation performance by transferring less data between
        the slow path and the datapath.
      </column>
      <column name="capabilities" key="trunc" type='{"type": "boolean"}'>
        True if the datapath supports OVS_ACTION_ATTR_TRUNC action.  If false,
        the <code>output</code> action with packet truncation requires every
        packet to be sent to the Open vSwitch slow path, which is likely to
        make it too slow for mirroring traffic in bulk.
      </column>
      <column name="capabilities" key="nd_ext" type='{"type": "boolean"}'>
        True if the datapath supports OVS_KEY_ATTR_ND_EXTENSIONS to match on
        ICMPv6 "ND reserved" and "ND option type" header fields. If false,
        the datapath reports error if the feature is used.
      </column>
      <group title="Clone Actions">
        <p>
          When Open vSwitch translates actions from OpenFlow into the datapath
          representation, some of the datapath actions may modify the packet or
          have other side effects that later datapath actions can't undo.  The
          OpenFlow <code>ct</code>, <code>meter</code>, <code>output</code>
          with truncation, <code>encap</code>, <code>decap</code>, and
          <code>dec_nsh_ttl</code> actions fall into this category.  Often,
          this is not a problem because nothing later on needs the original
          packet.
        </p>

        <p>
          Such actions can, however, occur in circumstances where the
          translation does require the original packet.  For example, an
          OpenFlow <code>output</code> action might direct a packet to a patch
          port, which might in turn lead to a <code>ct</code> action that NATs
          the packet (which cannot be undone), and then afterward when control
          flow pops back across the patch port some other action might need to
          act on the original packet.
        </p>

        <p>
          Open vSwitch has two different ways to implement this ``save and
          restore'' via datapath actions.  These capabilities indicate which
          one Open vSwitch will choose.  When neither is available, Open
          vSwitch simply fails in situations that require this feature.
        </p>

        <column name="capabilities" key="clone" type='{"type": "boolean"}'>
          <p>
            True if the datapath supports OVS_ACTION_ATTR_CLONE action.  This
            is the preferred option for saving and restoring packets, since it
            is intended for the purpose, but old datapaths do not support it.
            Open vSwitch will use it whenever it is available.
          </p>

          <p>
            (The OpenFlow <code>clone</code> action does not always yield a
            OVS_ACTION_ATTR_CLONE action.  It only does so when the datapath
            supports it and the <code>clone</code> brackets actions that
            otherwise cannot be undone.)
          </p>
        </column>
        <column name="capabilities" key="sample_nesting"
                type='{"type": "integer", "minInteger": 0}'>
          Maximum level of nesting allowed by OVS_ACTION_ATTR_SAMPLE action.
          Open vSwitch misuses this action for saving and restoring packets
          when the datapath supports more than 3 levels of nesting and
          OVS_ACTION_ATTR_CLONE is not available.
        </column>
      </group>
      <column name="capabilities" key="ct_eventmask"
              type='{"type": "boolean"}'>
        True if the datapath's OVS_ACTION_ATTR_CT action implements the
        OVS_CT_ATTR_EVENTMASK attribute.  When this is true, Open vSwitch uses
        the event mask feature to limit the kinds of events reported to
        conntrack update listeners.  When Open vSwitch doesn't limit the event
        mask, listeners receive reports of numerous usually unimportant events,
        such as TCP state machine changes, which can waste CPU time.
      </column>
      <column name="capabilities" key="ct_clear" type='{"type": "boolean"}'>
        True if the datapath supports OVS_ACTION_ATTR_CT_CLEAR action.
        If false, the OpenFlow <code>ct_clear</code> action has no effect
        on the datapath.
      </column>
      <column name="capabilities" key="max_hash_alg"
              type='{"type": "integer", "minInteger": 0}'>
        Highest supported dp_hash algorithm.  This allows Open vSwitch to avoid
        requesting a packet hash that the datapath does not support.
      </column>
      <column name="capabilities" key="check_pkt_len"
              type='{"type": "boolean"}'>
        True if the datapath supports OVS_ACTION_ATTR_CHECK_PKT_LEN.  If false,
        Open vSwitch implements the <code>check_pkt_larger</code> action by
        sending every packet through the Open vSwitch slow path, which is
        likely to make it too slow for handling traffic in bulk.
      </column>
      <column name="capabilities" key="ct_timeout" type='{"type": "boolean"}'>
        True if the datapath supports OVS_CT_ATTR_TIMEOUT in the
        OVS_ACTION_ATTR_CT action.  If false, Open vswitch cannot implement
        timeout policies based on connection tracking zones, as configured
        through the <code>CT_Timeout_Policy</code> table.
      </column>
      <column name="capabilities" key="explicit_drop_action"
              type='{"type": "boolean"}'>
        True if the datapath supports OVS_ACTION_ATTR_DROP.  If false,
        explicit drop action will not be sent to the datapath.
      </column>
      <column name="capabilities" key="ct_zero_snat"
              type='{"type": "boolean"}'>
        True if the datapath supports all-zero SNAT. This is a special case
        if the <code>src</code> IP address is configured as all 0's, i.e.,
        <code>nat(src=0.0.0.0)</code>. In this case, when a source port
        collision is detected during the commit, the source port will be
        translated to an ephemeral port. If there is no collision, no SNAT
        is performed.
      </column>
      <column name="capabilities" key="ct_flush"
              type='{"type": "boolean"}'>
        True if the datapath supports CT flush OpenFlow Nicira extension
        called <code>NXT_CT_FLUSH</code>. The <code>NXT_CT_FLUSH</code>
        extensions allows to flush CT entries based on specified parameters.
      </column>
      <column name="capabilities" key="psample"
              type='{"type": "boolean"}'>
        True if the datapath supports OVS_ACTION_ATTR_PSAMPLE.  If false,
        local sampling will not be supported with the Linux kernel datapath.
      </column>
    </group>

    <column name="ct_zone_default_limit">
        Default connection tracking zone limit that is applied to all zones
        that didn't specify the <ref table="CT_Zone" column="limit"/>
        explicitly. If the limit is unspecified the default limit
        configuration for the datapath is left intact. The value 0 means
        unlimited.
    </column>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="external_ids"/>
    </group>
  </table>

  <table name="CT_Zone">
    Connection tracking zone configuration

    <column name="timeout_policy">
      Connection tracking timeout policy for this zone. If a timeout policy
      is not specified, it defaults to the timeout policy in the system.
    </column>

    <column name="limit">
      Connection tracking limit for this zone. If the limit is unspecified
      the <ref table="Datapath" column="ct_zone_default_limit"/> will be used.
      The value 0 means unlimited.
    </column>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="external_ids"/>
    </group>
  </table>

  <table name="CT_Timeout_Policy">
    Connection tracking timeout policy configuration

    <group title="Timeouts">
      <column name="timeouts">
        The <code>timeouts</code> column contains key-value pairs used
        to configure connection tracking timeouts in a datapath.
        Key-value pairs that are not supported by a datapath are
        ignored.  The timeout value is in seconds.
      </column>

      <group title="TCP Timeouts">
        <column name="timeouts" key="tcp_syn_sent">
          The timeout for the connection after the first TCP SYN packet has
          been seen by conntrack.
        </column>

        <column name="timeouts" key="tcp_syn_recv">
          The timeout of the connection after the first TCP SYN-ACK packet
          has been seen by conntrack.
        </column>

        <column name="timeouts" key="tcp_established">
          The timeout of the connection after the connection has been fully
          established.
        </column>

        <column name="timeouts" key="tcp_fin_wait">
          The timeout of the connection after the first TCP FIN packet
          has been seen by conntrack.
        </column>

        <column name="timeouts" key="tcp_close_wait">
          The timeout of the connection after the first TCP ACK packet
          has been seen after it receives TCP FIN packet.  This timeout
          is only supported by the Linux kernel datapath.
        </column>

        <column name="timeouts" key="tcp_last_ack">
          The timeout of the connection after TCP FIN packets have been
          seen by conntrack from both directions.  This timeout is only
          supported by the Linux kernel datapath.
        </column>

        <column name="timeouts" key="tcp_time_wait">
          The timeout of the connection after conntrack has seen the
          TCP ACK packet for the second TCP FIN packet.
        </column>

        <column name="timeouts" key="tcp_close">
          The timeout of the connection after the first TCP RST packet
          has been seen by conntrack.
        </column>

        <column name="timeouts" key="tcp_syn_sent2">
          The timeout of the connection when only a TCP SYN packet has been
          seen by conntrack from both directions (simultaneous open).
          This timeout is only supported by the Linux kernel datapath.
        </column>

        <column name="timeouts" key="tcp_retransmit">
          The timeout of the connection when it exceeds the maximum
          number of retransmissions.  This timeout is only supported by
          the Linux kernel datapath.
        </column>

        <column name="timeouts" key="tcp_unack">
          The timeout of the connection when non-SYN packets create an
          established connection in TCP loose tracking mode.  This timeout
          is only supported by the Linux kernel datapath.
        </column>
      </group>

      <group title="UDP Timeouts">
        <column name="timeouts" key="udp_first">
          The timeout of the connection after the first UDP packet has
          been seen by conntrack.  This timeout is only supported by the
          userspace datapath.
        </column>

        <column name="timeouts" key="udp_single">
          The timeout of the connection when conntrack only seen UDP
          packet from the source host, but the destination host has never
          sent one back.
        </column>

        <column name="timeouts" key="udp_multiple">
          The timeout of the connection when UDP packets have been seen in
          both directions.
        </column>
      </group>

      <group title="ICMP Timeouts">
        <column name="timeouts" key="icmp_first">
          The timeout of the connection after the first ICMP packet has
          been seen by conntrack.
        </column>

        <column name="timeouts" key="icmp_reply">
          The timeout of the connection when ICMP packets have been seen in
          both direction.  This timeout is only supported by the userspace
          datapath.
        </column>
      </group>
    </group>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="external_ids"/>
    </group>
  </table>

  <table name="SSL">
    SSL/TLS configuration for an Open_vSwitch.

    <column name="private_key">
      Name of a PEM file containing the private key used as the switch's
      identity for SSL/TLS connections to the controller.
    </column>

    <column name="certificate">
      Name of a PEM file containing a certificate, signed by the
      certificate authority (CA) used by the controller and manager,
      that certifies the switch's private key, identifying a trustworthy
      switch.
    </column>

    <column name="ca_cert">
      Name of a PEM file containing the CA certificate used to verify
      that the switch is connected to a trustworthy controller.
    </column>

    <column name="bootstrap_ca_cert">
      If set to <code>true</code>, then Open vSwitch will attempt to
      obtain the CA certificate from the controller on its first SSL/TLS
      connection and save it to the named PEM file. If it is successful,
      it will immediately drop the connection and reconnect, and from then
      on all SSL/TLS connections must be authenticated by a certificate signed
      by the CA certificate thus obtained.  <em>This option exposes the
      SSL/TLS connection to a man-in-the-middle attack obtaining the initial
      CA certificate.</em>  It may still be useful for bootstrapping.
    </column>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="external_ids"/>
    </group>
  </table>

  <table name="sFlow">
    <p>A set of sFlow(R) targets.  sFlow is a protocol for remote
    monitoring of switches.</p>

    <column name="agent">
      <p>
        Determines the agent address, that is, the IP address reported to
        collectors as the source of the sFlow data.  It may be an IP address or
        the name of a network device.  In the latter case, the network device's
        IP address is used,
      </p>

      <p>
        If not specified, the agent device is figured from the first target
        address and the routing table.  If the routing table does not contain a
        route to the target, the IP address defaults to the <ref
        table="Controller" column="local_ip"/> in the collector's <ref
        table="Controller"/>.
      </p>

      <p>
        If an agent IP address cannot be determined, sFlow is disabled.
      </p>
    </column>

    <column name="header">
      Number of bytes of a sampled packet to send to the collector.
      If not specified, the default is 128 bytes.
    </column>

    <column name="polling">
      Polling rate in seconds to send port statistics to the collector.
      If not specified, defaults to 30 seconds.
    </column>

    <column name="sampling">
      Rate at which packets should be sampled and sent to the collector.
      If not specified, defaults to 400, which means one out of 400
      packets, on average, will be sent to the collector.
    </column>

    <column name="targets">
      sFlow targets in the form
      <code><var>ip</var>:<var>port</var></code>.
    </column>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="external_ids"/>
    </group>
  </table>

  <table name="IPFIX">
    <p>Configuration for sending packets to IPFIX collectors.</p>

    <p>
      IPFIX is a protocol that exports a number of details about flows.  The
      IPFIX implementation in Open vSwitch samples packets at a configurable
      rate, extracts flow information from those packets, optionally caches and
      aggregates the flow information, and sends the result to one or more
      collectors.
    </p>

    <p>
      IPFIX in Open vSwitch can be configured two different ways:
    </p>

    <ul>
      <li>
        With <em>per-bridge sampling</em>, Open vSwitch performs IPFIX sampling
        automatically on all packets that pass through a bridge.  To configure
        per-bridge sampling, create an <ref table="IPFIX"/> record and point a
        <ref table="Bridge"/> table's <ref table="Bridge" column="ipfix"/>
        column to it.  The <ref table="Flow_Sample_Collector_Set"/> table is
        not used for per-bridge sampling.
      </li>

      <li>
        <p>
          With <em>flow-based sampling</em>, <code>sample</code> actions in the
          OpenFlow flow table drive IPFIX sampling.  See
          <code>ovs-actions</code>(7) for a description of the
          <code>sample</code> action.
        </p>

        <p>
          Flow-based sampling also requires database configuration: create a
          <ref table="IPFIX"/> record that describes the IPFIX configuration
          and a <ref table="Flow_Sample_Collector_Set"/> record that points to
          the <ref table="Bridge"/> whose flow table holds the
          <code>sample</code> actions and to <ref table="IPFIX"/> record.  The
          <ref table="Bridge" column="ipfix"/> in the <ref table="Bridge"/>
          table is not used for flow-based sampling.
        </p>
      </li>
    </ul>

    <column name="targets">
      IPFIX target collectors in the form
      <code><var>ip</var>:<var>port</var></code>.
    </column>

    <column name="cache_active_timeout">
      The maximum period in seconds for which an IPFIX flow record is
      cached and aggregated before being sent.  If not specified,
      defaults to 0.  If 0, caching is disabled.
    </column>

    <column name="cache_max_flows">
      The maximum number of IPFIX flow records that can be cached at a
      time.  If not specified, defaults to 0.  If 0, caching is
      disabled.
    </column>

    <column name="stats_interval">
      <p>
          Interval (in seconds) for sending IPFIX exporting process statistics
          according to IETF RFC 5101 Section 4.3.
      </p>
      <p>
          Default value is 600
      </p>
    </column>

    <column name="template_interval">
      <p>
          Interval (in seconds) for sending IPFIX Template information for each
          Observation Domain ID.
      </p>
      <p>
          Default value is 600
      </p>
    </column>

    <column name="other_config" key="enable-tunnel-sampling"
            type='{"type": "boolean"}'>
      <p>
        Set to <code>true</code> to enable sampling and reporting tunnel
        header 7-tuples in IPFIX flow records.  Tunnel sampling is enabled
        by default.
      </p>

      <p>
        The following enterprise entities report the sampled tunnel info:
      </p>

      <dl>
        <dt>tunnelType:</dt>
        <dd>
          <p>ID: 891, and enterprise ID 6876 (VMware).</p>
          <p>type: unsigned 8-bit integer.</p>
          <p>data type semantics: identifier.</p>
          <p>description: Identifier of the layer 2 network overlay network
          encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x07 GENEVE.</p>
        </dd>
        <dt>tunnelKey:</dt>
        <dd>
          <p>ID: 892, and enterprise ID 6876 (VMware).</p>
          <p>type: variable-length octetarray.</p>
          <p>data type semantics: identifier.</p>
          <p>description: Key which is used for identifying an individual
          traffic flow within a VxLAN (24-bit VNI), GENEVE (24-bit VNI),
          GRE (32-bit key), or LISP (24-bit instance ID) tunnel. The
          key is encoded in this octetarray as a 3-, 4-, or 8-byte integer
          ID in network byte order.</p>
        </dd>
        <dt>tunnelSourceIPv4Address:</dt>
        <dd>
          <p>ID: 893, and enterprise ID 6876 (VMware).</p>
          <p>type: unsigned 32-bit integer.</p>
          <p>data type semantics: identifier.</p>
          <p>description: The IPv4 source address in the tunnel IP packet
          header.</p>
        </dd>
        <dt>tunnelDestinationIPv4Address:</dt>
        <dd>
          <p>ID: 894, and enterprise ID 6876 (VMware).</p>
          <p>type: unsigned 32-bit integer.</p>
          <p>data type semantics: identifier.</p>
          <p>description: The IPv4 destination address in the tunnel IP
          packet header.</p>
        </dd>
        <dt>tunnelProtocolIdentifier:</dt>
        <dd>
          <p>ID: 895, and enterprise ID 6876 (VMware).</p>
          <p>type: unsigned 8-bit integer.</p>
          <p>data type semantics: identifier.</p>
          <p>description: The value of the protocol number in the tunnel
          IP packet header. The protocol number identifies the tunnel IP
          packet payload type.</p>
        </dd>
        <dt>tunnelSourceTransportPort:</dt>
        <dd>
          <p>ID: 896, and enterprise ID 6876 (VMware).</p>
          <p>type: unsigned 16-bit integer.</p>
          <p>data type semantics: identifier.</p>
          <p>description: The source port identifier in the tunnel transport
          header. For the transport protocols UDP, TCP, and SCTP, this is
          the source port number given in the respective header.</p>
        </dd>
        <dt>tunnelDestinationTransportPort:</dt>
        <dd>
          <p>ID: 897, and enterprise ID 6876 (VMware).</p>
          <p>type: unsigned 16-bit integer.</p>
          <p>data type semantics: identifier.</p>
          <p>description: The destination port identifier in the tunnel
          transport header. For the transport protocols UDP, TCP, and SCTP,
          this is the destination port number given in the respective header.
          </p>
        </dd>
      </dl>

      <p>
        Before Open vSwitch 2.5.90, <ref column="other_config"
        key="enable-tunnel-sampling"/> was only supported with per-bridge
        sampling, and ignored otherwise.  Open vSwitch 2.5.90 and later support
        <ref column="other_config" key="enable-tunnel-sampling"/> for
        per-bridge and per-flow sampling.
      </p>
    </column>

    <column name="other_config" key="virtual_obs_id"
            type='{"type": "string"}'>
      <p>
        A string that accompanies each IPFIX flow record.  Its intended use is
        for the ``virtual observation ID,'' an identifier of a virtual
        observation point that is locally unique in a virtual network.  It
        describes a location in the virtual network where IP packets can be
        observed.  The maximum length is 254 bytes.  If not specified, the
        field is omitted from the IPFIX flow record.
      </p>

      <p>
        The following enterprise entity reports the specified virtual
        observation ID:
      </p>

      <dl>
        <dt>virtualObsID:</dt>
        <dd>
          <p>ID: 898, and enterprise ID 6876 (VMware).</p>
          <p>type: variable-length string.</p>
          <p>data type semantics: identifier.</p>
          <p>description: A virtual observation domain ID that is locally
          unique in a virtual network.
          </p>
        </dd>
      </dl>

      <p>
        This feature was introduced in Open vSwitch 2.5.90.
      </p>
    </column>

    <group title="Per-Bridge Sampling">
      <p>
        These values affect only per-bridge sampling.  See above for a
        description of the differences between per-bridge and flow-based
        sampling.
      </p>

      <column name="sampling">
        The rate at which packets should be sampled and sent to each target
        collector.  If not specified, defaults to 400, which means one out of
        400 packets, on average, will be sent to each target collector.
      </column>

      <column name="obs_domain_id">
        The IPFIX Observation Domain ID sent in each IPFIX packet.  If not
        specified, defaults to 0.
      </column>

      <column name="obs_point_id">
        The IPFIX Observation Point ID sent in each IPFIX flow record.  If not
        specified, defaults to 0.
      </column>

      <column name="other_config" key="enable-input-sampling"
              type='{"type": "boolean"}'>
        By default, Open vSwitch samples and reports flows at bridge port input
        in IPFIX flow records.  Set this column to <code>false</code> to
        disable input sampling.
      </column>

      <column name="other_config" key="enable-output-sampling"
              type='{"type": "boolean"}'>
        By default, Open vSwitch samples and reports flows at bridge port
        output in IPFIX flow records.  Set this column to <code>false</code> to
        disable output sampling.
      </column>
    </group>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="external_ids"/>
    </group>
  </table>

  <table name="Flow_Sample_Collector_Set">
    <p>
      A set of IPFIX or local sampling collectors of packet samples generated
      by OpenFlow <code>sample</code> actions.
    </p>

    <p>
      If the column <code>ipfix</code> contains a reference to a
      valid IPFIX entry, samples will be emitted via IPFIX.  This mechanism
      is known as flow-based IPFIX sampling, as opposed to bridge-based
      sampling (see the <ref table="IPFIX"/> table for a description of the
      two forms).
    </p>

    <p>
      If the column <code>local_group_id</code> contains an integer and the
      running datapath supports local sample emission, packets will be sent
      to some local sample collector.  Samples will contain the group number
      specified by <code>local_group_id</code> which helps identify their
      source as well as a 64-bit cookie result from the concatenation of the
      observation_domain_id an the observation_point_id in network byte order.

      The way the sample is emitted and made available for local collectors
      is datapath-specific.

      Currently only Linux kernel datapath supports local sampling which is
      implemented by sending the packet to the <code>psample</code> netlink
      multicast group.
    </p>

    <p>
      Note: both <code>local_group_id</code> and <code>ipfix</code> can be
      configured simultaneously.
    </p>

    <column name="id">
      The ID of this collector set, unique among the bridge's
      collector sets, to be used as the <code>collector_set_id</code>
      in OpenFlow <code>sample</code> actions.
    </column>

    <column name="bridge">
      The bridge into which OpenFlow <code>sample</code> actions can
      be added to send packet samples to this set of IPFIX collectors.
    </column>

    <column name="ipfix">
      Configuration of the set of IPFIX collectors to send one flow
      record per sampled packet to.
    </column>

    <column name="local_group_id"
            type='{"type": "integer", "minInteger": 0,
                   "maxInteger": 4294967295}'>
      Configuration of the sample group id to be used in local sampling.
    </column>

    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.

      <column name="external_ids"/>
    </group>
  </table>

  <table name="AutoAttach">
    <p>
      Auto Attach configuration within a bridge.  The IETF Auto-Attach SPBM
      draft standard describes a compact method of using IEEE 802.1AB Link
      Layer Discovery Protocol (LLDP) together with a IEEE 802.1aq Shortest
      Path Bridging (SPB) network to automatically attach network devices
      to individual services in a SPB network.  The intent here is to allow
      network applications and devices using OVS to be able to easily take
      advantage of features offered by industry standard SPB networks.
    </p>

    <p>
      Auto Attach (AA) uses LLDP to communicate between a directly connected
      Auto Attach Client (AAC) and Auto Attach Server (AAS). The LLDP protocol
      is extended to add two new Type-Length-Value tuples (TLVs). The first
      new TLV supports the ongoing discovery of directly connected AA
      correspondents. Auto Attach operates by regularly transmitting AA
      discovery TLVs between the AA client and AA server. By exchanging these
      discovery messages, both the AAC and AAS learn the system name and
      system description of their peer. In the OVS context, OVS operates as
      the AA client and the AA server resides on a switch at the edge of the
      SPB network.
    </p>

    <p>
      Once AA discovery has been completed the AAC then uses the second new TLV
      to deliver identifier mappings from the AAC to the AAS. A primary feature
      of Auto Attach is to facilitate the mapping of VLANs defined outside the
      SPB network onto service ids (ISIDs) defined within the SPM network. By
      doing so individual external VLANs can be mapped onto specific SPB
      network services. These VLAN id to ISID mappings can be configured and
      managed locally using new options added to the ovs-vsctl command.
    </p>

    <p>
      The Auto Attach OVS feature does not provide a full implementation of
      the LLDP protocol. Support for the mandatory TLVs as defined by the LLDP
      standard and support for the AA TLV extensions is provided. LLDP
      protocol support in OVS can be enabled or disabled on a port by port
      basis. LLDP support is disabled by default.
    </p>

    <column name="system_name">
      The system_name string is exported in LLDP messages.  It should uniquely
      identify the bridge in the network.
    </column>

    <column name="system_description">
      The system_description string is exported in LLDP messages.  It should
      describe the type of software and hardware.
    </column>

    <column name="mappings">
      A mapping from SPB network Individual Service Identifier (ISID) to VLAN
      id.
    </column>
  </table>
</database>