ovn-northd.8.xml

<?xml version="1.0" encoding="utf-8"?>
<manpage program="ovn-northd" section="8" title="ovn-northd">
    <h1>Name</h1>
    <p>ovn-northd and ovn-northd-ddlog -- Open Virtual Network central control daemon</p>

    <h1>Synopsis</h1>
    <p><code>ovn-northd</code> [<var>options</var>]</p>

    <h1>Description</h1>
    <p>
      <code>ovn-northd</code> is a centralized daemon responsible for
      translating the high-level OVN configuration into logical
      configuration consumable by daemons such as
      <code>ovn-controller</code>.  It translates the logical network
      configuration in terms of conventional network concepts, taken
      from the OVN Northbound Database (see <code>ovn-nb</code>(5)),
      into logical datapath flows in the OVN Southbound Database (see
      <code>ovn-sb</code>(5)) below it.
    </p>

    <p>
      <code>ovn-northd</code> is implemented in C.
      <code>ovn-northd-ddlog</code> is a compatible implementation written in
      DDlog, a language for incremental database processing.  This
      documentation applies to both implementations, with differences indicated
      where relevant.
    </p>

    <h1>Options</h1>
    <dl>
      <dt><code>--ovnnb-db=<var>database</var></code></dt>
      <dd>
        The OVSDB database containing the OVN Northbound Database.  If the
        <env>OVN_NB_DB</env> environment variable is set, its value is used
        as the default.  Otherwise, the default is
        <code>unix:@RUNDIR@/ovnnb_db.sock</code>.
      </dd>
      <dt><code>--ovnsb-db=<var>database</var></code></dt>
      <dd>
        The OVSDB database containing the OVN Southbound Database.  If the
        <env>OVN_SB_DB</env> environment variable is set, its value is used
        as the default.  Otherwise, the default is
        <code>unix:@RUNDIR@/ovnsb_db.sock</code>.
      </dd>
      <dt><code>--ddlog-record=<var>file</var></code></dt>
      <dd>
        This option is for <code>ovn-north-ddlog</code> only.  It causes the
        daemon to record the initial database state and later changes to
        <var>file</var> in the text-based DDlog command format.  The
        <code>ovn_northd_cli</code> program can later replay these changes for
        debugging purposes.  This option has a performance impact.  See
        <code>debugging-ddlog.rst</code> in the OVN documentation for more
        details.
      </dd>
      <dt><code>--dry-run</code></dt>
      <dd>
        <p>
          Causes <code>ovn-northd</code> to start paused.  In the paused state,
          <code>ovn-northd</code> does not apply any changes to the databases,
          although it continues to monitor them.  For more information, see the
          <code>pause</code> command, under <code>Runtime Management
          Commands</code> below.
        </p>

        <p>
          For <code>ovn-northd-ddlog</code>, one could use this option with
          <code>--ddlog-record</code> to generate a replay log without
          restarting a process or disturbing a running system.
        </p>
      </dd>
      <dt><code>n-threads N</code></dt>
      <dd>
        <p>
          In certain situations, it may be desirable to enable parallelization
          on a system to decrease latency (at the potential cost of increasing
          CPU usage).
        </p>

        <p>
          This option will cause ovn-northd to use N threads when building
          logical flows, when N is within [2-256].
          If N is 1, parallelization is disabled (default behavior).
          If N is less than 1, then N is set to 1, parallelization is disabled
          and a warning is logged.
          If N is more than 256, then N is set to 256, parallelization is
          enabled (with 256 threads) and a warning is logged.
        </p>

        <p>
          ovn-northd-ddlog does not support this option.
        </p>
      </dd>
    </dl>
    <p>
      <var>database</var> in the above options must be an OVSDB active or
      passive connection method, as described in <code>ovsdb</code>(7).
    </p>

    <h2>Daemon Options</h2>
    <xi:include href="lib/daemon.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>

    <h2>Logging Options</h2>
    <xi:include href="lib/vlog.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>

    <h2>PKI Options</h2>
    <p>
      PKI configuration is required in order to use SSL for the connections to
      the Northbound and Southbound databases.
    </p>
    <xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>

    <h2>Other Options</h2>
    <xi:include href="lib/unixctl.xml"
     xmlns:xi="http://www.w3.org/2003/XInclude"/>
    <h3></h3>
    <xi:include href="lib/common.xml"
     xmlns:xi="http://www.w3.org/2003/XInclude"/>

    <h1>Runtime Management Commands</h1>
    <p>
      <code>ovs-appctl</code> can send commands to a running
      <code>ovn-northd</code> process.  The currently supported commands
      are described below.
      <dl>
      <dt><code>exit</code></dt>
      <dd>
        Causes <code>ovn-northd</code> to gracefully terminate.
      </dd>

      <dt><code>pause</code></dt>
      <dd>
        Pauses <code>ovn-northd</code>.  When it is paused,
        <code>ovn-northd</code> receives changes from the Northbound and
        Southbound database changes as usual, but it does not send any updates.
        A paused <code>ovn-northd</code> also drops database locks, which
        allows any other non-paused instance of <code>ovn-northd</code> to take
        over.
      </dd>

      <dt><code>resume</code></dt>
      <dd>
        Resumes the ovn-northd operation to process Northbound and
        Southbound database contents and generate logical flows.  This will
        also instruct ovn-northd to aspire for the lock on SB DB.
      </dd>

      <dt><code>is-paused</code></dt>
      <dd>
        Returns "true" if ovn-northd is currently paused, "false" otherwise.
      </dd>

      <dt><code>status</code></dt>
      <dd>
        Prints this server's status.  Status will be "active" if ovn-northd has
        acquired OVSDB lock on SB DB, "standby" if it has not or "paused" if
        this instance is paused.
      </dd>

      <dt><code>sb-cluster-state-reset</code></dt>
      <dd>
      <p>
        Reset southbound database cluster status when databases are destroyed
        and rebuilt.
      </p>
      <p>
        If all databases in a clustered southbound database are removed from
        disk, then the stored index of all databases will be reset to zero.
        This will cause ovn-northd to be unable to read or write to the
        southbound database, because it will always detect the data as stale.
        In such a case, run this command so that ovn-northd will reset its
        local index so that it can interact with the southbound database again.
      </p>
      </dd>

      <dt><code>nb-cluster-state-reset</code></dt>
      <dd>
      <p>
        Reset northbound database cluster status when databases are destroyed
        and rebuilt.
      </p>
      <p>
        This performs the same task as <code>sb-cluster-state-reset</code>
        except for the northbound database client.
      </p>
      </dd>


      <dt><code>set-n-threads N</code></dt>
      <dd>
      <p>
        Set the number of threads used for building logical flows.
        When N is within [2-256], parallelization is enabled.
        When N is 1 parallelization is disabled.
        When N is less than 1 or more than 256, an error is returned.
        If ovn-northd fails to start parallelization (e.g. fails to setup
        semaphores, parallelization is disabled and an error is returned.
      </p>
      </dd>

      <dt><code>get-n-threads</code></dt>
      <dd>
      <p>
        Return the number of threads used for building logical flows.
      </p>
      </dd>

      <dt><code>inc-engine/show-stats</code></dt>
      <dd>
      <p>
        Display <code>ovn-northd</code> engine counters. For each engine
        node the following counters have been added:
        <ul>
          <li>
            <code>recompute</code>
          </li>
          <li>
            <code>compute</code>
          </li>
          <li>
            <code>abort</code>
          </li>
        </ul>
      </p>
      </dd>

      <dt><code>inc-engine/show-stats <var>engine_node_name</var> <var>counter_name</var></code></dt>
      <dd>
      <p>
        Display the <code>ovn-northd</code> engine counter(s) for the specified
        <var>engine_node_name</var>.  <var>counter_name</var> is optional and
        can be one of <code>recompute</code>, <code>compute</code> or
        <code>abort</code>.
      </p>
      </dd>

      <dt><code>inc-engine/clear-stats</code></dt>
      <dd>
        <p> Reset <code>ovn-northd</code> engine counters. </p>
      </dd>

      </dl>
    </p>

    <p>
      Only <code>ovn-northd-ddlog</code> supports the following commands:
    </p>

    <dl>
      <dt><code>enable-cpu-profiling</code></dt>
      <dt><code>disable-cpu-profiling</code></dt>
      <dd>
        Enables or disables profiling of CPU time used by the DDlog engine.
        When CPU profiling is enabled, the <code>profile</code> command (see
        below) will include DDlog CPU usage statistics in its output.  Enabling
        CPU profiling will slow <code>ovn-northd-ddlog</code>.  Disabling CPU
        profiling does not clear any previously recorded statistics.
      </dd>

      <dt><code>profile</code></dt>
      <dd>
        Outputs a profile of the current and peak sizes of arrangements inside
        DDlog.  This profiling data can be useful for optimizing DDlog code.
        If CPU profiling was previously enabled (even if it was later
        disabled), the output also includes a CPU time profile.  See
        <code>Profiling</code> inside the tutorial in the DDlog repository for
        an introduction to profiling DDlog.
      </dd>
    </dl>

    <h1>Active-Standby for High Availability</h1>
    <p>
      You may run <code>ovn-northd</code> more than once in an OVN deployment.
      When connected to a standalone or clustered DB setup, OVN will
      automatically ensure that only one of them is active at a time.
      If multiple instances of <code>ovn-northd</code> are running and the
      active <code>ovn-northd</code> fails, one of the hot standby instances
      of <code>ovn-northd</code> will automatically take over.
    </p>

    <h2> Active-Standby with multiple OVN DB servers</h2>
    <p>
      You may run multiple OVN DB servers in an OVN deployment with:
      <ul>
        <li>
          OVN DB servers deployed in active/passive mode with one active
          and multiple passive ovsdb-servers.
        </li>

        <li>
          <code>ovn-northd</code> also deployed on all these nodes,
          using unix ctl sockets to connect to the local OVN DB servers.
        </li>
      </ul>
    </p>

    <p>
      In such deployments, the ovn-northds on the passive nodes will process
      the DB changes and compute logical flows to be thrown out later,
      because write transactions are not allowed by the passive ovsdb-servers.
      It results in unnecessary CPU usage.
    </p>

    <p>
      With the help of runtime management command <code>pause</code>, you can
      pause <code>ovn-northd</code> on these nodes. When a passive node
      becomes master, you can use the runtime management command
      <code>resume</code> to resume the <code>ovn-northd</code> to process the
      DB changes.
    </p>

    <h1>Logical Flow Table Structure</h1>

    <p>
      One of the main purposes of <code>ovn-northd</code> is to populate the
      <code>Logical_Flow</code> table in the <code>OVN_Southbound</code>
      database.  This section describes how <code>ovn-northd</code> does this
      for switch and router logical datapaths.
    </p>

    <h2>Logical Switch Datapaths</h2>

    <h3>Ingress Table 0: Admission Control and Ingress Port Security check</h3>

    <p>
      Ingress table 0 contains these logical flows:
    </p>

    <ul>
      <li>
        Priority 100 flows to drop packets with VLAN tags or multicast Ethernet
        source addresses.
      </li>

      <li>
        For each disabled logical port, a priority 100 flow is added which
        matches on all packets and applies the action
        <code>REGBIT_PORT_SEC_DROP" = 1; next;"</code> so that the packets are
        dropped in the next stage.
      </li>

      <li>
        For each (enabled) vtep logical port, a priority 70 flow is added which
        matches on all packets and applies the action
        <code>next(pipeline=ingress, table=S_SWITCH_IN_L2_LKUP) = 1;</code>
        to skip most stages of ingress pipeline and go directly to ingress L2
        lookup table to determine the output port. Packets from VTEP (RAMP)
        switch should not be subjected to any ACL checks. Egress pipeline will
        do the ACL checks.
      </li>

      <li>
        For each enabled logical port configured with qdisc queue id in the
        <ref column="options:qdisc_queue_id" table="Logical_Switch_Port"
        db="OVN_Northbound"/> column of <ref table="Logical_Switch_Port"
        db="OVN_Northbound"/>, a priority 70 flow is added which
        matches on all packets and applies the action
        <code>set_queue(id);
        REGBIT_PORT_SEC_DROP" = check_in_port_sec(); next;"</code>.
      </li>

      <li>
        A priority 1 flow is added which matches on all packets for all the
        logical ports and applies the action
        <code>REGBIT_PORT_SEC_DROP" = check_in_port_sec(); next;</code> to
        evaluate the port security.  The action <code>check_in_port_sec</code>
        applies the port security rules defined in the
        <ref column="port_security" table="Logical_Switch_Port"
        db="OVN_Northbound"/> column of <ref table="Logical_Switch_Port"
        db="OVN_Northbound"/> table.
      </li>
    </ul>

    <h3>Ingress Table 1: Ingress Port Security - Apply</h3>

    <p>
      This table drops the packets if the port security check failed
      in the previous stage i.e the register bit
      <code>REGBIT_PORT_SEC_DROP</code> is set to 1.
    </p>

    <p>
      Ingress table 1 contains these logical flows:
    </p>

    <ul>
      <li>
        A priority-50 fallback flow that drops the packet if the register
        bit <code>REGBIT_PORT_SEC_DROP</code> is set to 1.
      </li>

      <li>
        One priority-0 fallback flow that matches all packets and advances to
        the next table.
      </li>
    </ul>

    <h3>Ingress Table 2: Lookup MAC address learning table</h3>

    <p>
      This table looks up the MAC learning table of the logical switch
      datapath to check if the <code>port-mac</code> pair is present
      or not. MAC is learnt only for logical switch VIF ports whose
      port security is disabled and 'unknown' address set.
    </p>

    <ul>
      <li>
        <p>
          For each such logical port <var>p</var> whose port security
          is disabled and 'unknown' address set following flow
          is added.
        </p>

        <ul>
          <li>
            Priority 100 flow with the match
            <code>inport == <var>p</var></code> and action
            <code>reg0[11] = lookup_fdb(inport, eth.src); next;</code>
          </li>
        </ul>
      </li>

      <li>
        One priority-0 fallback flow that matches all packets and advances to
        the next table.
      </li>
    </ul>

    <h3>Ingress Table 3: Learn MAC of 'unknown' ports.</h3>

    <p>
      This table learns the MAC addresses seen on the logical ports
      whose port security is disabled and 'unknown' address set
      if the <code>lookup_fdb</code> action returned false in the
      previous table.
    </p>

    <ul>
      <li>
        <p>
          For each such logical port <var>p</var> whose port security
          is disabled and 'unknown' address set following flow
          is added.
        </p>

        <ul>
          <li>
            Priority 100 flow with the match
            <code>inport == <var>p</var> &amp;&amp; reg0[11] == 0</code> and
            action <code>put_fdb(inport, eth.src); next;</code> which stores
            the <code>port-mac</code> in the mac learning table of the
            logical switch datapath and advances the packet to the next table.
          </li>
        </ul>
      </li>

      <li>
        One priority-0 fallback flow that matches all packets and advances to
        the next table.
      </li>
    </ul>

    <h3>Ingress Table 4: <code>from-lport</code> Pre-ACLs</h3>

    <p>
      This table prepares flows for possible stateful ACL processing in
      ingress table <code>ACLs</code>.  It contains a priority-0 flow that
      simply moves traffic to the next table.  If stateful ACLs are used in the
      logical datapath, a priority-100 flow is added that sets a hint
      (with <code>reg0[0] = 1; next;</code>) for table
      <code>Pre-stateful</code> to send IP packets to the connection tracker
      before eventually advancing to ingress table <code>ACLs</code>. If
      special ports such as route ports or localnet ports can't use ct(), a
      priority-110 flow is added to skip over stateful ACLs. Multicast, IPv6
      Neighbor Discovery and MLD traffic also skips stateful ACLs. For
      "allow-stateless" ACLs, a flow is added to bypass setting the hint for
      connection tracker processing when there are stateful ACLs or LB rules;
      <code>REGBIT_ACL_STATELESS</code> is set for traffic matching stateless
      ACL flows.
    </p>

    <p>
      This table also has a priority-110 flow with the match
      <code>eth.dst == <var>E</var></code> for all logical switch
      datapaths to move traffic to the next table. Where <var>E</var>
      is the service monitor mac defined in the
      <ref column="options:svc_monitor_mac" table="NB_Global"
      db="OVN_Northbound"/> column of <ref table="NB_Global"
      db="OVN_Northbound"/> table.
    </p>

    <h3>Ingress Table 5: Pre-LB</h3>

    <p>
      This table prepares flows for possible stateful load balancing processing
      in ingress table <code>LB</code> and <code>Stateful</code>.  It contains
      a priority-0 flow that simply moves traffic to the next table. Moreover
      it contains two priority-110 flows to move multicast, IPv6 Neighbor
      Discovery and MLD traffic to the next table. It also contains two
      priority-110 flows to move stateless traffic, i.e traffic for which
      <code>REGBIT_ACL_STATELESS</code> is set, to the next table. If load
      balancing rules with virtual IP addresses (and ports) are configured in
      <code>OVN_Northbound</code> database for a logical switch datapath, a
      priority-100 flow is added with the match <code>ip</code> to match on IP
      packets and sets the action <code>reg0[2] = 1; next;</code> to act as a
      hint for table <code>Pre-stateful</code> to send IP packets to the
      connection tracker for packet de-fragmentation (and to possibly do DNAT
      for already established load balanced traffic) before eventually
      advancing to ingress table <code>Stateful</code>.
      If controller_event has been enabled and load balancing rules with
      empty backends have been added in <code>OVN_Northbound</code>, a 130 flow
      is added to trigger ovn-controller events whenever the chassis receives a
      packet for that particular VIP. If <code>event-elb</code> meter has been
      previously created, it will be associated to the empty_lb logical flow
    </p>

    <p>
      Prior to <code>OVN 20.09</code> we were setting the
      <code>reg0[0] = 1</code> only if the IP destination matches the load
      balancer VIP. However this had few issues cases where a logical switch
      doesn't have any ACLs with <code>allow-related</code> action.
      To understand the issue lets a take a TCP load balancer -
      <code>10.0.0.10:80=10.0.0.3:80</code>. If a logical port - p1 with
      IP - 10.0.0.5 opens a TCP connection with the VIP - 10.0.0.10, then the
      packet in the ingress pipeline of 'p1' is sent to the p1's conntrack zone
      id and the packet is load balanced to the backend - 10.0.0.3. For the
      reply packet from the backend lport, it is not sent to the conntrack of
      backend lport's zone id. This is fine as long as the packet is valid.
      Suppose the backend lport sends an invalid TCP packet (like incorrect
      sequence number), the packet gets delivered to the lport 'p1' without
      unDNATing the packet to the VIP - 10.0.0.10. And this causes the
      connection to be reset by the lport p1's VIF.
    </p>

    <p>
      We can't fix this issue by adding a logical flow to drop ct.inv packets
      in the egress pipeline since it will drop all other connections not
      destined to the load balancers. To fix this issue, we send all the
      packets to the conntrack in the ingress pipeline if a load balancer is
      configured. We can now add a lflow to drop ct.inv packets.
    </p>

    <p>
      This table also has priority-120 flows that punt all IGMP/MLD packets to
      <code>ovn-controller</code> if the switch is an interconnect switch
      with multicast snooping enabled.
    </p>

    <p>
      This table also has a priority-110 flow with the match
      <code>eth.dst == <var>E</var></code> for all logical switch
      datapaths to move traffic to the next table. Where <var>E</var>
      is the service monitor mac defined in the
      <ref column="options:svc_monitor_mac" table="NB_Global"
      db="OVN_Northbound"/> column of <ref table="NB_Global"
      db="OVN_Northbound"/> table.
    </p>

    <p>
      This table also has a priority-110 flow with the match
      <code>inport == <var>I</var></code> for all logical switch
      datapaths to move traffic to the next table. Where <var>I</var>
      is the peer of a logical router port. This flow is added to
      skip the connection tracking of packets which enter from
      logical router datapath to logical switch datapath.
    </p>

    <h3>Ingress Table 6: Pre-stateful</h3>

    <p>
      This table prepares flows for all possible stateful processing
      in next tables.  It contains a priority-0 flow that simply moves
      traffic to the next table.
    </p>
    <ul>
      <li>
        Priority-120 flows that send the packets to connection tracker using
        <code>ct_lb_mark;</code> as the action so that the already established
        traffic destined to the load balancer VIP gets DNATted. These flows
        match each VIPs IP and port. For IPv4 traffic the flows also load the
        original destination IP and transport port in registers
        <code>reg1</code> and <code>reg2</code>.  For IPv6 traffic the flows
        also load the original destination IP and transport port in
        registers <code>xxreg1</code> and <code>reg2</code>.
      </li>

      <li>
         A priority-110 flow sends the packets that don't match the above flows
         to connection tracker based on a hint provided by the previous tables
         (with a match for <code>reg0[2] == 1</code>) by using the
         <code>ct_lb_mark;</code> action.
      </li>

      <li>
         A priority-100 flow sends the packets to connection tracker based
         on a hint provided by the previous tables
         (with a match for <code>reg0[0] == 1</code>) by using the
         <code>ct_next;</code> action.
      </li>
    </ul>

    <h3>Ingress Table 7: <code>from-lport</code> ACL hints</h3>

    <p>
      This table consists of logical flows that set hints
      (<code>reg0</code> bits) to be used in the next stage, in the ACL
      processing table, if stateful ACLs or load balancers are configured.
      Multiple hints can be set for the same packet.
      The possible hints are:
    </p>
    <ul>
      <li>
        <code>reg0[7]</code>: the packet might match an
        <code>allow-related</code> ACL and might have to commit the
        connection to conntrack.
      </li>
      <li>
        <code>reg0[8]</code>: the packet might match an
        <code>allow-related</code> ACL but there will be no need to commit
        the connection to conntrack because it already exists.
      </li>
      <li>
        <code>reg0[9]</code>: the packet might match a
        <code>drop/reject</code>.
      </li>
      <li>
        <code>reg0[10]</code>: the packet might match a
        <code>drop/reject</code> ACL but the connection was previously
        allowed so it might have to be committed again with
        <code>ct_label=1/1</code>.
      </li>
    </ul>

    <p>
      The table contains the following flows:
    </p>
    <ul>
      <li>
        A priority-65535 flow to advance to the next table if the logical
        switch has <code>no</code> ACLs configured, otherwise a
        priority-0 flow to advance to the next table.
      </li>
    </ul>

    <ul>
      <li>
        A priority-7 flow that matches on packets that initiate a new session.
        This flow sets <code>reg0[7]</code> and <code>reg0[9]</code> and
        then advances to the next table.
      </li>
      <li>
        A priority-6 flow that matches on packets that are in the request
        direction of an already existing session that has been marked
        as blocked. This flow sets <code>reg0[7]</code> and
        <code>reg0[9]</code> and then advances to the next table.
      </li>
      <li>
        A priority-5 flow that matches untracked packets. This flow sets
        <code>reg0[8]</code> and <code>reg0[9]</code> and then advances to
        the next table.
      </li>
      <li>
        A priority-4 flow that matches on packets that are in the request
        direction of an already existing session that has not been marked
        as blocked. This flow sets <code>reg0[8]</code> and
        <code>reg0[10]</code> and then advances to the next table.
      </li>
      <li>
        A priority-3 flow that matches on packets that are in not part of
        established sessions. This flow sets <code>reg0[9]</code> and then
        advances to the next table.
      </li>
      <li>
        A priority-2 flow that matches on packets that are part of an
        established session that has been marked as blocked.
        This flow sets <code>reg0[9]</code> and then advances to the next
        table.
      </li>
      <li>
        A priority-1 flow that matches on packets that are part of an
        established session that has not been marked as blocked.
        This flow sets <code>reg0[10]</code> and then advances to the next
        table.
      </li>
    </ul>

    <h3>Ingress table 8: <code>from-lport</code> ACLs before LB</h3>

    <p>
      Logical flows in this table closely reproduce those in the
      <code>ACL</code> table in the <code>OVN_Northbound</code> database
      for the <code>from-lport</code> direction without the option
      <code>apply-after-lb</code> set or set to <code>false</code>.
      The <code>priority</code> values from the <code>ACL</code> table have a
      limited range and have 1000 added to them to leave room for OVN default
      flows at both higher and lower priorities.
    </p>
    <ul>
      <li>
        <code>allow</code> ACLs translate into logical flows with
        the <code>next;</code> action.  If there are any stateful ACLs
        on this datapath, then <code>allow</code> ACLs translate to
        <code>ct_commit; next;</code> (which acts as a hint for the next tables
        to commit the connection to conntrack). In case the <code>ACL</code>
        has a label then <code>reg3</code> is loaded with the label value and
        <code>reg0[13]</code> bit is set to 1 (which acts as a hint for the
        next tables to commit the label to conntrack).
      </li>
      <li>
        <code>allow-related</code> ACLs translate into logical
        flows with the <code>ct_commit(ct_label=0/1); next;</code> actions
        for new connections and <code>reg0[1] = 1; next;</code> for existing
        connections.  In case the <code>ACL</code> has a label then
        <code>reg3</code> is loaded with the label value and
        <code>reg0[13]</code> bit is set to 1 (which acts as a hint for the
        next tables to commit the label to conntrack).
      </li>
      <li>
        <code>allow-stateless</code> ACLs translate into logical
        flows with the <code>next;</code> action.
      </li>
      <li>
        <code>reject</code> ACLs translate into logical
        flows with the
        <code>tcp_reset { output &lt;-&gt; inport;
        next(pipeline=egress,table=5);}</code>
        action for TCP connections,<code>icmp4/icmp6</code> action
        for UDP connections, and <code>sctp_abort {output &lt;-%gt; inport;
        next(pipeline=egress,table=5);}</code> action for SCTP associations.
      </li>
      <li>
        Other ACLs translate to <code>drop;</code> for new or untracked
        connections and <code>ct_commit(ct_label=1/1);</code> for known
        connections.  Setting <code>ct_label</code> marks a connection
        as one that was previously allowed, but should no longer be
        allowed due to a policy change.
      </li>
    </ul>

    <p>
      This table contains a priority-65535 flow to advance to the next table
      if the logical switch has <code>no</code> ACLs configured, otherwise a
      priority-0 flow to advance to the next table so that ACLs allow
      packets by default if <ref column="options:default_acl_drop"
      table="NB_Global" db="OVN_Northbound"/> column of <ref table="NB_Global"
      db="OVN_Northbound"/> is <code>false</code> or not set.  Otherwise
      the flow action is set to <code>drop;</code> to implement a default
      drop behavior.
    </p>

    <p>
      If the logical datapath has a stateful ACL or a load balancer with VIP
      configured, the following flows will also be added:
    </p>

    <ul>
      <li>
        If <ref column="options:default_acl_drop" table="NB_Global"
        db="OVN_Northbound"/> column of <ref table="NB_Global"
        db="OVN_Northbound"/> is <code>false</code> or not set, a priority-1
        flow that sets the hint to commit IP traffic that is not part of
        established sessions to the connection tracker (with action
        <code>reg0[1] = 1; next;</code>).  This is needed for
        the default allow policy because, while the initiator's direction
        may not have any stateful rules, the server's may and then
        its return traffic would not be known and marked as invalid.
      </li>

      <li>
        If <ref column="options:default_acl_drop" table="NB_Global"
        db="OVN_Northbound"/> column of <ref table="NB_Global"
        db="OVN_Northbound"/> is <code>true</code>, a priority-1
        flow that drops IP traffic that is not part of established
        sessions.
      </li>

      <li>
        A priority-1 flow that sets the hint to commit IP traffic to the
        connection tracker (with action <code>reg0[1] = 1; next;</code>).  This
        is needed for the default allow policy because, while the initiator's
        direction may not have any stateful rules, the server's may and then
        its return traffic would not be known and marked as invalid.
      </li>

      <li>
        A priority-65532 flow that allows any traffic in the reply
        direction for a connection that has been committed to the
        connection tracker (i.e., established flows), as long as
        the committed flow does not have <code>ct_mark.blocked</code> set.
        We only handle traffic in the reply direction here because
        we want all packets going in the request direction to still
        go through the flows that implement the currently defined
        policy based on ACLs.  If a connection is no longer allowed by
        policy, <code>ct_mark.blocked</code> will get set and packets in the
        reply direction will no longer be allowed, either. This flow also
        clears the register bits <code>reg0[9]</code> and
        <code>reg0[10]</code>.  If ACL logging and logging of related packets
        is enabled, then a companion priority-65533 flow will be installed that
        accomplishes the same thing but also logs the traffic.
      </li>

      <li>
        A priority-65532 flow that allows any traffic that is considered
        related to a committed flow in the connection tracker (e.g., an
        ICMP Port Unreachable from a non-listening UDP port), as long
        as the committed flow does not have <code>ct_mark.blocked</code> set.
        This flow also applies NAT to the related traffic so that ICMP headers
        and the inner packet have correct addresses.
        If ACL logging and logging of related packets is enabled, then a
        companion priority-65533 flow will be installed that accomplishes the
        same thing but also logs the traffic.
      </li>

      <li>
        A priority-65532 flow that drops all traffic marked by the
        connection tracker as invalid.
      </li>

      <li>
        A priority-65532 flow that drops all traffic in the reply direction
        with <code>ct_mark.blocked</code> set meaning that the connection
        should no longer be allowed due to a policy change.  Packets
        in the request direction are skipped here to let a newly created
        ACL re-allow this connection.
      </li>

      <li>
        A priority-65532 flow that allows IPv6 Neighbor solicitation,
        Neighbor discover, Router solicitation, Router advertisement and MLD
        packets.
      </li>
    </ul>

    <p>
      If the logical datapath has any ACL or a load balancer with VIP
      configured, the following flow will also be added:
    </p>

    <ul>
      <li>
        A priority 34000 logical flow is added for each logical switch datapath
        with the match <code>eth.dst = <var>E</var></code> to allow the service
        monitor reply packet destined to <code>ovn-controller</code>
        with the action <code>next</code>, where <var>E</var> is the
        service monitor mac defined in the
        <ref column="options:svc_monitor_mac" table="NB_Global"
        db="OVN_Northbound"/> column of <ref table="NB_Global"
        db="OVN_Northbound"/> table.
      </li>
    </ul>

    <h3>Ingress Table 9: <code>from-lport</code> QoS Marking</h3>

    <p>
      Logical flows in this table closely reproduce those in the
      <code>QoS</code> table with the <code>action</code> column set in
      the <code>OVN_Northbound</code> database for the
      <code>from-lport</code> direction.
    </p>

    <ul>
      <li>
        For every qos_rules entry in a logical switch with DSCP marking
        enabled, a flow will be added at the priority mentioned in the
        QoS table.
      </li>

      <li>
        One priority-0 fallback flow that matches all packets and advances to
        the next table.
      </li>
    </ul>

    <h3>Ingress Table 10: <code>from-lport</code> QoS Meter</h3>

    <p>
      Logical flows in this table closely reproduce those in the
      <code>QoS</code> table with the  <code>bandwidth</code> column set
      in the <code>OVN_Northbound</code> database for the
      <code>from-lport</code> direction.
    </p>

    <ul>
      <li>
        For every qos_rules entry in a logical switch with metering
        enabled, a flow will be added at the priority mentioned in the
        QoS table.
      </li>

      <li>
        One priority-0 fallback flow that matches all packets and advances to
        the next table.
      </li>
    </ul>

    <h3>Ingress Table 11: Load balancing affinity check</h3>

    <p>
      Load balancing affinity check table contains the following
      logical flows:
    </p>

    <ul>
      <li>
        For all the configured load balancing rules for a switch in
        <code>OVN_Northbound</code> database where a positive affinity timeout
        is specified in <code>options</code> column, that includes a L4 port
        <var>PORT</var> of protocol <var>P</var> and IP address <var>VIP</var>,
        a priority-100 flow is added. For IPv4 <var>VIPs</var>, the flow
        matches <code>ct.new &amp;&amp; ip &amp;&amp; ip4.dst == <var>VIP</var>
        &amp;&amp; <var>P</var>.dst == <var>PORT</var></code>. For IPv6
        <var>VIPs</var>, the flow matches <code>ct.new &amp;&amp; ip &amp;&amp;
        ip6.dst == <var>VIP</var>&amp;&amp; <var>P</var> &amp;&amp;
        <var>P</var>.dst == <var> PORT</var></code>. The flow's action is
        <code>reg9[6] = chk_lb_aff(); next;</code>.
      </li>

      <li>
        A priority 0 flow is added which matches on all packets and applies
        the action <code>next;</code>.
      </li>
    </ul>

    <h3>Ingress Table 12: LB</h3>

    <ul>
      <li>
        For all the configured load balancing rules for a switch in
        <code>OVN_Northbound</code> database where a positive affinity timeout
        is specified in <code>options</code> column, that includes a L4 port
        <var>PORT</var> of protocol <var>P</var> and IP address <var>VIP</var>,
        a priority-150 flow is added. For IPv4 <var>VIPs</var>, the flow
        matches <code>reg9[6] == 1 &amp;&amp; ct.new &amp;&amp; ip &amp;&amp;
        ip4.dst == <var>VIP</var> &amp;&amp; <var>P</var>.dst == <var>PORT
        </var></code>. For IPv6 <var>VIPs</var>, the flow matches
        <code>reg9[6] == 1 &amp;&amp; ct.new &amp;&amp; ip &amp;&amp;
        ip6.dst == <var> VIP </var>&amp;&amp; <var>P</var> &amp;&amp;
        <var>P</var>.dst == <var> PORT</var></code>.
        The flow's action is <code>ct_lb_mark(<var>args</var>)</code>, where
        <var>args</var> contains comma separated IP addresses (and optional
        port numbers) to load balance to.  The address family of the IP
        addresses of <var>args</var> is the same as the address family
        of <var>VIP</var>.
      </li>

      <li>
        For all the configured load balancing rules for a switch in
        <code>OVN_Northbound</code> database that includes a L4 port
        <var>PORT</var> of protocol <var>P</var> and IP address
        <var>VIP</var>, a priority-120 flow is added.  For IPv4 <var>VIPs
        </var>, the flow matches <code>ct.new &amp;&amp; ip &amp;&amp;
        ip4.dst == <var>VIP</var> &amp;&amp;
        <var>P</var>.dst == <var>PORT</var></code>.  For IPv6 <var>VIPs</var>,
        the flow matches <code>ct.new &amp;&amp; ip &amp;&amp; ip6.dst == <var>
        VIP </var>&amp;&amp; <var>P</var> &amp;&amp; <var>P</var>.dst == <var>
        PORT</var></code>. The flow's action is <code>ct_lb_mark(<var>args</var>)
        </code>, where <var>args</var> contains comma separated IP addresses
        (and optional port numbers) to load balance to.  The address family of
        the IP addresses of <var>args</var> is the same as the address family
        of <var>VIP</var>. If health check is enabled, then <var>args</var>
        will only contain those endpoints whose service monitor status entry
        in <code>OVN_Southbound</code> db is either <code>online</code> or
        empty.  For IPv4 traffic the flow also loads the original destination
        IP and transport port in registers <code>reg1</code> and
        <code>reg2</code>.  For IPv6 traffic the flow also loads the original
        destination IP and transport port in registers <code>xxreg1</code> and
        <code>reg2</code>.
        The above flow is created even if the load balancer is attached to a
        logical router connected to the current logical switch and
        the <code>install_ls_lb_from_router</code> variable in
        <ref table="NB_Global" column="options"/> is set to true.
      </li>
      <li>
        For all the configured load balancing rules for a switch in
        <code>OVN_Northbound</code> database that includes just an IP address
        <var>VIP</var> to match on, OVN adds a priority-110 flow.  For IPv4
        <var>VIPs</var>, the flow matches <code>ct.new &amp;&amp; ip &amp;&amp;
        ip4.dst == <var>VIP</var></code>. For IPv6 <var>VIPs</var>,
        the flow matches <code>ct.new &amp;&amp; ip &amp;&amp; ip6.dst == <var>
        VIP</var></code>. The action on this flow is <code>
        ct_lb_mark(<var>args</var>)</code>, where <var>args</var> contains comma
        separated IP addresses of the same address family as <var>VIP</var>.
        For IPv4 traffic the flow also loads the original destination
        IP and transport port in registers <code>reg1</code> and
        <code>reg2</code>.  For IPv6 traffic the flow also loads the original
        destination IP and transport port in registers <code>xxreg1</code> and
        <code>reg2</code>.
        The above flow is created even if the load balancer is attached to a
        logical router connected to the current logical switch and
        the <code>install_ls_lb_from_router</code> variable in
        <ref table="NB_Global" column="options"/> is set to true.
      </li>

      <li>
        If the load balancer is created with <code>--reject</code> option and
        it has no active backends, a TCP reset segment (for tcp) or an ICMP
        port unreachable packet (for all other kind of traffic) will be sent
        whenever an incoming packet is received for this load-balancer.
        Please note using <code>--reject</code> option will disable
        empty_lb SB controller event for this load balancer.
      </li>
    </ul>

    <h3>Ingress Table 13: Load balancing affinity learn</h3>

    <p>
      Load balancing affinity learn table contains the following
      logical flows:
    </p>

    <ul>
      <li>
        For all the configured load balancing rules for a switch in
        <code>OVN_Northbound</code> database where a positive affinity timeout
        <var>T</var> is specified in <code>options</code> column, that includes
        a L4 port <var>PORT</var> of protocol <var>P</var> and IP address
        <var>VIP</var>, a priority-100 flow is added. For IPv4 <var>VIPs</var>,
        the flow matches <code>reg9[6] == 0 &amp;&amp; ct.new &amp;&amp; ip
        &amp;&amp; ip4.dst == <var>VIP</var> &amp;&amp; <var>P</var>.dst ==
        <var>PORT</var></code>. For IPv6 <var>VIPs</var>, the flow matches
        <code>ct.new &amp;&amp; ip &amp;&amp; ip6.dst == <var>VIP</var>
        &amp;&amp; <var>P</var> &amp;&amp; <var>P</var>.dst == <var>PORT</var>
        </code>. The flow's action is <code>commit_lb_aff(vip =
        <var>VIP</var>:<var>PORT</var>, backend = <var>backend ip</var>:
        <var>backend port</var>, proto = <var>P</var>, timeout = <var>T</var>);
        </code>.
      </li>

      <li>
        A priority 0 flow is added which matches on all packets and applies
        the action <code>next;</code>.
      </li>
    </ul>

    <h3>Ingress Table 14: Pre-Hairpin</h3>
    <ul>
      <li>
        If the logical switch has load balancer(s) configured, then a
        priority-100 flow is added with the match
        <code>ip &amp;&amp; ct.trk</code> to check if the
        packet needs to be hairpinned (if after load balancing the destination
        IP matches the source IP) or not by executing the actions
        <code>reg0[6] = chk_lb_hairpin();</code> and
        <code>reg0[12] = chk_lb_hairpin_reply();</code> and advances the packet
        to the next table.
      </li>

      <li>
        A priority-0 flow that simply moves traffic to the next table.
      </li>
    </ul>

    <h3>Ingress Table 15: Nat-Hairpin</h3>
    <ul>
      <li>
         If the logical switch has load balancer(s) configured, then a
         priority-100 flow is added with the match
         <code>ip &amp;&amp; ct.new &amp;&amp; ct.trk &amp;&amp;
         reg0[6] == 1</code> which hairpins the traffic by
         NATting source IP to the load balancer VIP by executing the action
         <code>ct_snat_to_vip</code> and advances the packet to the next table.
      </li>

      <li>
         If the logical switch has load balancer(s) configured, then a
         priority-100 flow is added with the match
         <code>ip &amp;&amp; ct.est &amp;&amp; ct.trk &amp;&amp;
         reg0[6] == 1</code> which hairpins the traffic by
         NATting source IP to the load balancer VIP by executing the action
         <code>ct_snat</code> and advances the packet to the next table.
      </li>

      <li>
         If the logical switch has load balancer(s) configured, then a
         priority-90 flow is added with the match
         <code>ip &amp;&amp; reg0[12] == 1</code> which matches on the replies
         of hairpinned traffic (i.e., destination IP is VIP,
         source IP is the backend IP and source L4 port is backend port for L4
         load balancers) and executes <code>ct_snat</code> and advances the
         packet to the next table.
      </li>

      <li>
        A priority-0 flow that simply moves traffic to the next table.
      </li>
    </ul>

    <h3>Ingress Table 16: Hairpin</h3>
    <ul>
      <li>
        <p>
          For each distributed gateway router port <var>RP</var> attached to
          the logical switch, a priority-2000 flow is added with the match
          <code>reg0[14] == 1 &amp;&amp; is_chassis_resident(<var>RP</var>)
          </code> and action <code>next;</code> to pass the traffic to the
          next table to respond to the ARP requests for the router port IPs.
        </p>

        <p>
          <code>reg0[14]</code> register bit is set in the ingress L2 port
           security check table for traffic received from HW VTEP (ramp)
           ports.
        </p>
      </li>

      <li>
        A priority-1000 flow that matches on <code>reg0[14]</code> register
        bit for the traffic received from HW VTEP (ramp) ports.  This traffic
        is passed to ingress table ls_in_l2_lkup.
      </li>
      <li>
        A priority-1 flow that hairpins traffic matched by non-default
        flows in the Pre-Hairpin table. Hairpinning is done at L2, Ethernet
        addresses are swapped and the packets are looped back on the input
        port.
      </li>
      <li>
        A priority-0 flow that simply moves traffic to the next table.
      </li>
    </ul>

    <h3>Ingress table 17: <code>from-lport</code> ACLs after LB</h3>

    <p>
      Logical flows in this table closely reproduce those in the
      <code>ACL</code> table in the <code>OVN_Northbound</code> database
      for the <code>from-lport</code> direction with the option
      <code>apply-after-lb</code> set to <code>true</code>.
      The <code>priority</code> values from the <code>ACL</code> table have a
      limited range and have 1000 added to them to leave room for OVN default
      flows at both higher and lower priorities.
    </p>

    <ul>
      <li>
        <code>allow</code> apply-after-lb ACLs translate into logical flows
        with the <code>next;</code> action.  If there are any stateful ACLs
        (including both before-lb and after-lb ACLs)
        on this datapath, then <code>allow</code> ACLs translate to
        <code>ct_commit; next;</code> (which acts as a hint for the next tables
        to commit the connection to conntrack). In case the <code>ACL</code>
        has a label then <code>reg3</code> is loaded with the label value and
        <code>reg0[13]</code> bit is set to 1 (which acts as a hint for the
        next tables to commit the label to conntrack).
      </li>
      <li>
        <code>allow-related</code> apply-after-lb ACLs translate into logical
        flows with the <code>ct_commit(ct_label=0/1); next;</code> actions
        for new connections and <code>reg0[1] = 1; next;</code> for existing
        connections.  In case the <code>ACL</code> has a label then
        <code>reg3</code> is loaded with the label value and
        <code>reg0[13]</code> bit is set to 1 (which acts as a hint for the
        next tables to commit the label to conntrack).
      </li>
      <li>
        <code>allow-stateless</code> apply-after-lb ACLs translate into logical
        flows with the <code>next;</code> action.
      </li>
      <li>
        <code>reject</code> apply-after-lb ACLs translate into logical
        flows with the
        <code>tcp_reset { output &lt;-&gt; inport;
        next(pipeline=egress,table=5);}</code>
        action for TCP connections,<code>icmp4/icmp6</code> action
        for UDP connections, and <code>sctp_abort {output &lt;-%gt; inport;
        next(pipeline=egress,table=5);}</code> action for SCTP associations.
      </li>
      <li>
        Other apply-after-lb ACLs translate to <code>drop;</code> for new
        or untracked connections and <code>ct_commit(ct_label=1/1);</code> for
        known connections.  Setting <code>ct_label</code> marks a connection
        as one that was previously allowed, but should no longer be
        allowed due to a policy change.
      </li>
    </ul>

    <ul>
      <li>
        One priority-0 fallback flow that matches all packets and advances to
        the next table.
      </li>
    </ul>

    <h3>Ingress Table 18: Stateful</h3>

    <ul>
      <li>
        A priority 100 flow is added which commits the packet to the conntrack
        and sets the most significant 32-bits of <code>ct_label</code> with the
        <code>reg3</code> value based on the hint provided by previous tables
        (with a match for <code>reg0[1] == 1 &amp;&amp; reg0[13] == 1</code>).
        This is used by the <code>ACLs</code> with label to commit the label
        value to conntrack.
      </li>

      <li>
        For <code>ACLs</code> without label, a second priority-100 flow commits
        packets to connection tracker using <code>ct_commit; next;</code>
        action based on a hint provided by the previous tables (with a match
        for <code>reg0[1] == 1 &amp;&amp; reg0[13] == 0</code>).
      </li>
      <li>
        A priority-0 flow that simply moves traffic to the next table.
      </li>
    </ul>

    <h3>Ingress Table 19: ARP/ND responder</h3>

    <p>
      This table implements ARP/ND responder in a logical switch for known
      IPs.  The advantage of the ARP responder flow is to limit ARP
      broadcasts by locally responding to ARP requests without the need to
      send to other hypervisors.  One common case is when the inport is a
      logical port associated with a VIF and the broadcast is responded to
      on the local hypervisor rather than broadcast across the whole
      network and responded to by the destination VM.  This behavior is
      proxy ARP.
    </p>

    <p>
      ARP requests arrive from VMs from a logical switch inport of type
      default.  For this case, the logical switch proxy ARP rules can be
      for other VMs or logical router ports.  Logical switch proxy ARP
      rules may be programmed both for mac binding of IP addresses on
      other logical switch VIF ports (which are of the default logical
      switch port type, representing connectivity to VMs or containers),
      and for mac binding of IP addresses on logical switch router type
      ports, representing their logical router port peers.  In order to
      support proxy ARP for logical router ports, an IP address must be
      configured on the logical switch router type port, with the same
      value as the peer logical router port.  The configured MAC addresses
      must match as well.  When a VM sends an ARP request for a distributed
      logical router port and if the peer router type port of the attached
      logical switch does not have an IP address configured, the ARP request
      will be broadcast on the logical switch.  One of the copies of the ARP
      request will go through the logical switch router type port to the
      logical router datapath, where the logical router ARP responder will
      generate a reply.  The MAC binding of a distributed logical router,
      once learned by an associated VM, is used for all that VM's
      communication needing routing.  Hence, the action of a VM re-arping for
      the mac binding of the logical router port should be rare.
    </p>

    <p>
      Logical switch ARP responder proxy ARP rules can also be hit when
      receiving ARP requests externally on a L2 gateway port.  In this case,
      the hypervisor acting as an L2 gateway, responds to the ARP request on
      behalf of a destination VM.
    </p>

    <p>
      Note that ARP requests received from <code>localnet</code> logical
      inports can either go directly to VMs, in which case the VM responds or
      can hit an ARP responder for a logical router port if the packet is used
      to resolve a logical router port next hop address.  In either case,
      logical switch ARP responder rules will not be hit.  It contains these
      logical flows:
     </p>

    <ul>
      <li>
        Priority-100 flows to skip the ARP responder if inport is of type
        <code>localnet</code> advances directly to the next table.  ARP
        requests sent to <code>localnet</code> ports can be received by
        multiple hypervisors.  Now, because the same mac binding rules are
        downloaded to all hypervisors, each of the multiple hypervisors will
        respond.  This will confuse L2 learning on the source of the ARP
        requests.  ARP requests received on an inport of type
        <code>router</code> are not expected to hit any logical switch ARP
        responder flows.  However, no skip flows are installed for these
        packets, as there would be some additional flow cost for this and the
        value appears limited.
      </li>

      <li>
        <p>
          If inport <code>V</code> is of type <code>virtual</code> adds a
          priority-100 logical flows for each <var>P</var> configured in the
          <ref table="Logical_Switch_Port" column="options:virtual-parents"/>
          column with the match
        </p>
        <pre>
<code>inport == <var>P</var> &amp;&amp; &amp;&amp; ((arp.op == 1 &amp;&amp; arp.spa == <var>VIP</var> &amp;&amp; arp.tpa == <var>VIP</var>) || (arp.op == 2 &amp;&amp; arp.spa == <var>VIP</var>))</code>
<code>inport == <var>P</var> &amp;&amp; &amp;&amp; ((nd_ns &amp;&amp; ip6.dst == <var>{VIP, NS_MULTICAST_ADDR}</var> &amp;&amp; nd.target == <var>VIP</var>) || (nd_na &amp;&amp; nd.target == <var>VIP</var>))</code>
        </pre>

        <p>
          and applies the action
        </p>
        <pre>
<code>bind_vport(<var>V</var>, inport);</code>
        </pre>

        <p>
         and advances the packet to the next table.
        </p>

        <p>
          Where <var>VIP</var> is the virtual ip configured in the column
          <ref table="Logical_Switch_Port" column="options:virtual-ip"/> and
          NS_MULTICAST_ADDR is solicited-node multicast address corresponding
          to the VIP.
        </p>
      </li>

      <li>
        <p>
          Priority-50 flows that match ARP requests to each known IP address
          <var>A</var> of every logical switch port, and respond with ARP
          replies directly with corresponding Ethernet address <var>E</var>:
        </p>

        <pre>
eth.dst = eth.src;
eth.src = <var>E</var>;
arp.op = 2; /* ARP reply. */
arp.tha = arp.sha;
arp.sha = <var>E</var>;
arp.tpa = arp.spa;
arp.spa = <var>A</var>;
outport = inport;
flags.loopback = 1;
output;
        </pre>

        <p>
          These flows are omitted for logical ports (other than router ports or
          <code>localport</code> ports) that are down (unless <code>
          ignore_lsp_down</code> is configured as true in <code>options</code>
          column of <code>NB_Global</code> table of the <code>Northbound</code>
          database), for logical ports of type <code>virtual</code>, for
          logical ports with 'unknown' address set and for logical ports of
          a logical switch configured with
          <code>other_config:vlan-passthru=true</code>.
        </p>

      <p>
        The above ARP responder flows are added for the list of IPv4 addresses
        if defined in <code>options:arp_proxy</code> column of
        <code>Logical_Switch_Port</code> table for logical switch ports of
        type <code>router</code>.
      </p>
      </li>

      <li>
        <p>
          Priority-50 flows that match IPv6 ND neighbor solicitations to
          each known IP address <var>A</var> (and <var>A</var>'s
          solicited node address) of every logical switch port except of type
          router, and respond with neighbor advertisements directly with
          corresponding Ethernet address <var>E</var>:
        </p>

        <pre>
nd_na {
    eth.src = <var>E</var>;
    ip6.src = <var>A</var>;
    nd.target = <var>A</var>;
    nd.tll = <var>E</var>;
    outport = inport;
    flags.loopback = 1;
    output;
};
        </pre>

        <p>
          Priority-50 flows that match IPv6 ND neighbor solicitations to
          each known IP address <var>A</var> (and <var>A</var>'s
          solicited node address) of logical switch port of type router, and
          respond with neighbor advertisements directly with
          corresponding Ethernet address <var>E</var>:
        </p>

        <pre>
nd_na_router {
    eth.src = <var>E</var>;
    ip6.src = <var>A</var>;
    nd.target = <var>A</var>;
    nd.tll = <var>E</var>;
    outport = inport;
    flags.loopback = 1;
    output;
};
        </pre>

        <p>
          These flows are omitted for logical ports (other than router ports or
          <code>localport</code> ports) that are down (unless <code>
          ignore_lsp_down</code> is configured as true in <code>options</code>
          column of <code>NB_Global</code> table of the <code>Northbound</code>
          database), for logical ports of type <code>virtual</code> and for
          logical ports with 'unknown' address set.
        </p>
      </li>

      <li>
        <p>
          Priority-100 flows with match criteria like the ARP and ND flows
          above, except that they only match packets from the
          <code>inport</code> that owns the IP addresses in question, with
          action <code>next;</code>.  These flows prevent OVN from replying to,
          for example, an ARP request emitted by a VM for its own IP address.
          A VM only makes this kind of request to attempt to detect a duplicate
          IP address assignment, so sending a reply will prevent the VM from
          accepting the IP address that it owns.
        </p>

        <p>
          In place of <code>next;</code>, it would be reasonable to use
          <code>drop;</code> for the flows' actions.  If everything is working
          as it is configured, then this would produce equivalent results,
          since no host should reply to the request.  But ARPing for one's own
          IP address is intended to detect situations where the network is not
          working as configured, so dropping the request would frustrate that
          intent.
        </p>
      </li>

      <li>
        <p>
          For each <var>SVC_MON_SRC_IP</var> defined in the value of
          the <ref column="ip_port_mappings:ENDPOINT_IP"
          table="Load_Balancer" db="OVN_Northbound"/> column of
          <ref table="Load_Balancer" db="OVN_Northbound"/> table, priority-110
          logical flow is added with the match
          <code>arp.tpa == <var>SVC_MON_SRC_IP</var>
          &amp;&amp; &amp;&amp; arp.op == 1</code> and applies the action
        </p>

        <pre>
eth.dst = eth.src;
eth.src = <var>E</var>;
arp.op = 2; /* ARP reply. */
arp.tha = arp.sha;
arp.sha = <var>E</var>;
arp.tpa = arp.spa;
arp.spa = <var>A</var>;
outport = inport;
flags.loopback = 1;
output;
        </pre>

        <p>
          where <var>E</var> is the service monitor source mac defined in
          the <ref column="options:svc_monitor_mac" table="NB_Global"
          db="OVN_Northbound"/> column in the <ref table="NB_Global"
          db="OVN_Northbound"/> table. This mac is used as the source mac
          in the service monitor packets for the load balancer endpoint IP
          health checks.
        </p>

        <p>
          <var>SVC_MON_SRC_IP</var> is used as the source ip in the
          service monitor IPv4 packets for the load balancer endpoint IP
          health checks.
        </p>

        <p>
          These flows are required if an ARP request is sent for the IP
          <var>SVC_MON_SRC_IP</var>.
        </p>
      </li>

      <li>
        <p>
          For each <var>VIP</var> configured in the table
          <ref table="Forwarding_Group" db="OVN_Northbound"/>
          a priority-50 logical flow is added with the match
          <code>arp.tpa == <var>vip</var> &amp;&amp; &amp;&amp; arp.op == 1
          </code> and applies the action
        </p>

        <pre>
eth.dst = eth.src;
eth.src = <var>E</var>;
arp.op = 2; /* ARP reply. */
arp.tha = arp.sha;
arp.sha = <var>E</var>;
arp.tpa = arp.spa;
arp.spa = <var>A</var>;
outport = inport;
flags.loopback = 1;
output;
        </pre>

        <p>
          where <var>E</var> is the forwarding group's mac defined in
          the <ref column="vmac" table="Forwarding_Group"
          db="OVN_Northbound"/>.
        </p>

        <p>
          <var>A</var> is used as either the destination ip for load balancing
          traffic to child ports or as nexthop to hosts behind the child ports.
        </p>

        <p>
          These flows are required to respond to an ARP request if an ARP
          request is sent for the IP <var>vip</var>.
        </p>
      </li>

      <li>
        One priority-0 fallback flow that matches all packets and advances to
        the next table.
      </li>
    </ul>

    <h3>Ingress Table 20: DHCP option processing</h3>

    <p>
      This table adds the DHCPv4 options to a DHCPv4 packet from the
      logical ports configured with IPv4 address(es) and DHCPv4 options,
      and similarly for DHCPv6 options. This table also adds flows for the
      logical ports of type <code>external</code>.
    </p>

    <ul>
      <li>
        <p>
          A priority-100 logical flow is added for these logical ports
          which matches the IPv4 packet with <code>udp.src</code> = 68 and
          <code>udp.dst</code> = 67 and applies the action
          <code>put_dhcp_opts</code> and advances the packet to the next table.
        </p>

        <pre>
reg0[3] = put_dhcp_opts(offer_ip = <var>ip</var>, <var>options</var>...);
next;
        </pre>

        <p>
          For DHCPDISCOVER and DHCPREQUEST, this transforms the packet into a
          DHCP reply, adds the DHCP offer IP <var>ip</var> and options to the
          packet, and stores 1 into reg0[3].  For other kinds of packets, it
          just stores 0 into reg0[3].  Either way, it continues to the next
          table.
        </p>

      </li>

      <li>
        <p>
          A priority-100 logical flow is added for these logical ports
          which matches the IPv6 packet with <code>udp.src</code> = 546 and
          <code>udp.dst</code> = 547 and applies the action
          <code>put_dhcpv6_opts</code> and advances the packet to the next
          table.
        </p>

        <pre>
reg0[3] = put_dhcpv6_opts(ia_addr = <var>ip</var>, <var>options</var>...);
next;
        </pre>

        <p>
          For DHCPv6 Solicit/Request/Confirm packets, this transforms the
          packet into a DHCPv6 Advertise/Reply, adds the DHCPv6 offer IP
          <var>ip</var> and options to the packet, and stores 1 into reg0[3].
          For other kinds of packets, it just stores 0 into reg0[3]. Either
          way, it continues to the next table.
        </p>
      </li>

      <li>
        A priority-0 flow that matches all packets to advances to table 16.
      </li>
    </ul>

    <h3>Ingress Table 21: DHCP responses</h3>

    <p>
      This table implements DHCP responder for the DHCP replies generated by
      the previous table.
    </p>

    <ul>
      <li>
        <p>
          A priority 100 logical flow is added for the logical ports configured
          with DHCPv4 options which matches IPv4 packets with <code>udp.src == 68
          &amp;&amp; udp.dst == 67 &amp;&amp; reg0[3] == 1</code> and
          responds back to the <code>inport</code> after applying these
          actions.  If <code>reg0[3]</code> is set to 1, it means that the
          action <code>put_dhcp_opts</code> was successful.
        </p>

        <pre>
eth.dst = eth.src;
eth.src = <var>E</var>;
ip4.src = <var>S</var>;
udp.src = 67;
udp.dst = 68;
outport = <var>P</var>;
flags.loopback = 1;
output;
        </pre>

        <p>
          where <var>E</var> is the server MAC address and <var>S</var> is the
          server IPv4 address defined in the DHCPv4 options. Note that
          <code>ip4.dst</code> field is handled by <code>put_dhcp_opts</code>.
        </p>

        <p>
          (This terminates ingress packet processing; the packet does not go
           to the next ingress table.)
        </p>
      </li>

      <li>
        <p>
          A priority 100 logical flow is added for the logical ports configured
          with DHCPv6 options which matches IPv6 packets with <code>udp.src == 546
          &amp;&amp; udp.dst == 547 &amp;&amp; reg0[3] == 1</code> and
          responds back to the <code>inport</code> after applying these
          actions.  If <code>reg0[3]</code> is set to 1, it means that the
          action <code>put_dhcpv6_opts</code> was successful.
        </p>

        <pre>
eth.dst = eth.src;
eth.src = <var>E</var>;
ip6.dst = <var>A</var>;
ip6.src = <var>S</var>;
udp.src = 547;
udp.dst = 546;
outport = <var>P</var>;
flags.loopback = 1;
output;
        </pre>

        <p>
          where <var>E</var> is the server MAC address and <var>S</var> is the
          server IPv6 LLA address  generated from the <code>server_id</code>
          defined in the DHCPv6 options and <var>A</var> is
          the IPv6 address defined in the logical port's addresses column.
        </p>

        <p>
          (This terminates packet processing; the packet does not go on the
          next ingress table.)
        </p>
      </li>

      <li>
        A priority-0 flow that matches all packets to advances to table 17.
      </li>
    </ul>

    <h3>Ingress Table 22 DNS Lookup</h3>

    <p>
      This table looks up and resolves the DNS names to the corresponding
      configured IP address(es).
    </p>

    <ul>
      <li>
        <p>
          A priority-100 logical flow for each logical switch datapath
          if it is configured with DNS records, which matches the IPv4 and IPv6
          packets with <code>udp.dst</code> = 53 and applies the action
          <code>dns_lookup</code> and advances the packet to the next table.
        </p>

        <pre>
reg0[4] = dns_lookup(); next;
        </pre>

        <p>
          For valid DNS packets, this transforms the packet into a DNS
          reply if the DNS name can be resolved, and stores 1 into reg0[4].
          For failed DNS resolution or other kinds of packets, it just stores
          0 into reg0[4]. Either way, it continues to the next table.
        </p>
      </li>
    </ul>

    <h3>Ingress Table 23 DNS Responses</h3>

    <p>
      This table implements DNS responder for the DNS replies generated by
      the previous table.
    </p>

    <ul>
      <li>
        <p>
          A priority-100 logical flow for each logical switch datapath
          if it is configured with DNS records, which matches the IPv4 and IPv6
          packets with <code>udp.dst = 53 &amp;&amp; reg0[4] == 1</code>
          and responds back to the <code>inport</code> after applying these
          actions.  If <code>reg0[4]</code> is set to 1, it means that the
          action <code>dns_lookup</code> was successful.
        </p>

        <pre>
eth.dst &lt;-&gt; eth.src;
ip4.src &lt;-&gt; ip4.dst;
udp.dst = udp.src;
udp.src = 53;
outport = <var>P</var>;
flags.loopback = 1;
output;
        </pre>

        <p>
          (This terminates ingress packet processing; the packet does not go
           to the next ingress table.)
        </p>
      </li>
    </ul>

    <h3>Ingress table 24 External ports</h3>

    <p>
      Traffic from the <code>external</code> logical ports enter the ingress
      datapath pipeline via the <code>localnet</code> port. This table adds the
      below logical flows to handle the traffic from these ports.
    </p>

    <ul>
      <li>
        <p>
          A priority-100 flow is added for each <code>external</code> logical
          port which doesn't reside on a chassis to drop the ARP/IPv6 NS
          request to the router IP(s) (of the logical switch) which matches
          on the <code>inport</code> of the <code>external</code> logical port
          and the valid <code>eth.src</code> address(es) of the
          <code>external</code> logical port.
        </p>

        <p>
          This flow guarantees that the ARP/NS request to the router IP
          address from the external ports is responded by only the chassis
          which has claimed these external ports. All the other chassis,
          drops these packets.
        </p>

        <p>
          A priority-100 flow is added for each <code>external</code> logical
          port which doesn't reside on a chassis to drop any packet destined
          to the router mac - with the match
          <code>inport == <var>external</var> &amp;&amp;
          eth.src == <var>E</var> &amp;&amp; eth.dst == <var>R</var>
          &amp;&amp; !is_chassis_resident("<var>external</var>")</code>
          where <var>E</var> is the external port mac and <var>R</var> is the
          router port mac.
        </p>
      </li>

      <li>
        A priority-0 flow that matches all packets to advances to table 20.
      </li>
    </ul>

    <h3>Ingress Table 25 Destination Lookup</h3>

    <p>
      This table implements switching behavior.  It contains these logical
      flows:
    </p>

    <ul>
      <li>
        A priority-110 flow with the match
        <code>eth.src == <var>E</var></code> for all logical switch
        datapaths and applies the action <code>handle_svc_check(inport)</code>.
        Where <var>E</var> is the service monitor mac defined in the
        <ref column="options:svc_monitor_mac" table="NB_Global"
        db="OVN_Northbound"/> column of <ref table="NB_Global"
        db="OVN_Northbound"/> table.
      </li>

      <li>
        A priority-100 flow that punts all IGMP/MLD packets to
        <code>ovn-controller</code> if multicast snooping is enabled on the
        logical switch.
      </li>

      <li>
        Priority-90 flows that forward registered IP multicast traffic to
        their corresponding multicast group, which <code>ovn-northd</code>
        creates based on learnt <ref table="IGMP_Group" db="OVN_Southbound"/>
        entries.  The flows also forward packets to the
        <code>MC_MROUTER_FLOOD</code> multicast group, which
        <code>ovn-nortdh</code> populates with all the logical ports that
        are connected to logical routers with
        <ref column="options" table="Logical_Router"/>:mcast_relay='true'.
      </li>

      <li>
        A priority-85 flow that forwards all IP multicast traffic destined to
        224.0.0.X to the <code>MC_FLOOD_L2</code> multicast group, which
        <code>ovn-northd</code> populates with all non-router logical ports.
      </li>

      <li>
        A priority-85 flow that forwards all IP multicast traffic destined to
        reserved multicast IPv6 addresses (RFC 4291, 2.7.1, e.g.,
        Solicited-Node multicast) to the <code>MC_FLOOD</code> multicast
        group, which <code>ovn-northd</code> populates with all enabled
        logical ports.
      </li>

      <li>
        A priority-80 flow that forwards all unregistered IP multicast traffic
        to the <code>MC_STATIC</code> multicast group, which
        <code>ovn-northd</code> populates with all the logical ports that
        have <ref column="options" table="Logical_Switch_Port"/>
        <code>:mcast_flood='true'</code>. The flow also forwards
        unregistered IP multicast traffic to the <code>MC_MROUTER_FLOOD</code>
        multicast group, which <code>ovn-northd</code> populates with all the
        logical ports connected to logical routers that have
        <ref column="options" table="Logical_Router"/>
        <code>:mcast_relay='true'</code>.
      </li>

      <li>
        A priority-80 flow that drops all unregistered IP multicast traffic
        if <ref column="other_config" table="Logical_Switch"/>
        <code>:mcast_snoop='true'</code> and
        <ref column="other_config" table="Logical_Switch"/>
        <code>:mcast_flood_unregistered='false'</code> and the switch is
        not connected to a logical router that has
        <ref column="options" table="Logical_Router"/>
        <code>:mcast_relay='true'</code> and the switch doesn't have any
        logical port with <ref column="options" table="Logical_Switch_Port"/>
        <code>:mcast_flood='true'</code>.
      </li>

      <li>
        Priority-80 flows for each IP address/VIP/NAT address owned by a
        router port connected to the switch. These flows match ARP requests
        and ND packets for the specific IP addresses.  Matched packets are
        forwarded only to the router that owns the IP address and to the
        <code>MC_FLOOD_L2</code> multicast group which contains all non-router
        logical ports.
      </li>

      <li>
        Priority-75 flows for each port connected to a logical router
        matching self originated ARP request/RARP request/ND packets.  These
        packets are flooded to the <code>MC_FLOOD_L2</code> which contains all
        non-router logical ports.
      </li>

      <li>
        A priority-70 flow that outputs all packets with an Ethernet broadcast
        or multicast <code>eth.dst</code> to the <code>MC_FLOOD</code>
        multicast group.
      </li>

      <li>
        <p>
          One priority-50 flow that matches each known Ethernet address against
          <code>eth.dst</code>.  Action of this flow outputs the packet to the
          single associated output port if it is enabled. <code>drop;</code>
          action is applied if LSP is disabled.
        </p>

        <p>
          For the Ethernet address on a logical switch port of type
          <code>router</code>, when that logical switch port's
          <ref column="addresses" table="Logical_Switch_Port"
          db="OVN_Northbound"/> column is set to <code>router</code> and
          the connected logical router port has a gateway chassis:
        </p>

        <ul>
          <li>
            The flow for the connected logical router port's Ethernet
            address is only programmed on the gateway chassis.
          </li>

          <li>
            If the logical router has rules specified in
            <ref column="nat" table="Logical_Router" db="OVN_Northbound"/> with
            <ref column="external_mac" table="NAT" db="OVN_Northbound"/>, then
            those addresses are also used to populate the switch's destination
            lookup on the chassis where
            <ref column="logical_port" table="NAT" db="OVN_Northbound"/> is
            resident.
          </li>
        </ul>

        <p>
          For the Ethernet address on a logical switch port of type
          <code>router</code>, when that logical switch port's
          <ref column="addresses" table="Logical_Switch_Port"
          db="OVN_Northbound"/> column is set to <code>router</code> and
          the connected logical router port specifies a
          <code>reside-on-redirect-chassis</code> and the logical router
          to which the connected logical router port belongs to has a
          distributed gateway LRP:
        </p>

        <ul>
          <li>
            The flow for the connected logical router port's Ethernet
            address is only programmed on the gateway chassis.
          </li>
        </ul>

        <p>
          For each forwarding group configured on the logical switch datapath,
          a priority-50 flow that matches on <code>eth.dst == <var>VIP</var>
          </code> with an action of <code>fwd_group(childports=<var>args
          </var>)</code>, where <var>args</var> contains comma separated
          logical switch child ports to load balance to.
          If <code>liveness</code> is enabled, then action also includes
          <code> liveness=true</code>.
        </p>
      </li>

      <li>
        One priority-0 fallback flow that matches all packets with the
        action <code>outport = get_fdb(eth.dst); next;</code>. The action
        <code>get_fdb</code> gets the port for the <code>eth.dst</code>
        in the MAC learning table of the logical switch datapath. If there
        is no entry for <code>eth.dst</code> in the MAC learning table,
        then it stores <code>none</code> in the <code>outport</code>.
      </li>
    </ul>

    <h3>Ingress Table 26 Destination unknown</h3>

    <p>
      This table handles the packets whose destination was not found or
      and looked up in the MAC learning table of the logical switch
      datapath. It contains the following flows.
    </p>

    <ul>
      <li>
        <p>
          Priority 50 flow with the match <code>outport == <var>P</var></code>
          is added for each disabled Logical Switch Port <code>P</code>.  This
          flow has action <code>drop;</code>.
        </p>
      </li>
      <li>
        <p>
          If the logical switch has logical ports with 'unknown' addresses set,
          then the below logical flow is added
        </p>

        <ul>
          <li>
            Priority 50 flow with the match <code>outport == "none"</code> then
            outputs them to the <code>MC_UNKNOWN</code> multicast group, which
            <code>ovn-northd</code> populates with all enabled logical ports
            that accept unknown destination packets.  As a small optimization,
            if no logical ports accept unknown destination packets,
            <code>ovn-northd</code> omits this multicast group and logical
            flow.
          </li>
        </ul>

        <p>
          If the logical switch has no logical ports with 'unknown' address
          set, then the below logical flow is added
        </p>

        <ul>
          <li>
            Priority 50 flow with the match <code>outport == none</code>
            and drops the packets.
          </li>
        </ul>
      </li>

      <li>
        One priority-0 fallback flow that outputs the packet to the egress
        stage with the outport learnt from <code>get_fdb</code> action.
      </li>
    </ul>

    <h3>Egress Table 0: <code>to-lport</code> Pre-ACLs</h3>

    <p>
      This is similar to ingress table <code>Pre-ACLs</code> except for
     <code>to-lport</code> traffic.
    </p>

    <p>
      This table also has a priority-110 flow with the match
      <code>eth.src == <var>E</var></code> for all logical switch
      datapaths to move traffic to the next table. Where <var>E</var>
      is the service monitor mac defined in the
      <ref column="options:svc_monitor_mac" table="NB_Global"
      db="OVN_Northbound"/> column of <ref table="NB_Global"
      db="OVN_Northbound"/> table.
    </p>

    <p>
      This table also has a priority-110 flow with the match
      <code>outport == <var>I</var></code> for all logical switch
      datapaths to move traffic to the next table. Where <var>I</var>
      is the peer of a logical router port. This flow is added to
      skip the connection tracking of packets which will be entering
      logical router datapath from logical switch datapath for routing.
    </p>


    <h3>Egress Table 1: Pre-LB</h3>

    <p>
      This table is similar to ingress table <code>Pre-LB</code>.  It
      contains a priority-0 flow that simply moves traffic to the next table.
      Moreover it contains two priority-110 flows to move multicast, IPv6
      Neighbor Discovery and MLD traffic to the next table. If any load
      balancing rules exist for the datapath, a priority-100 flow is added with
      a match of <code>ip</code> and action of <code>reg0[2] = 1; next;</code>
      to act as a hint for table <code>Pre-stateful</code> to send IP packets
      to the connection tracker for packet de-fragmentation and possibly DNAT
      the destination VIP to one of the selected backend for already committed
      load balanced traffic.
    </p>

    <p>
      This table also has a priority-110 flow with the match
      <code>eth.src == <var>E</var></code> for all logical switch
      datapaths to move traffic to the next table. Where <var>E</var>
      is the service monitor mac defined in the
      <ref column="options:svc_monitor_mac" table="NB_Global"
      db="OVN_Northbound"/> column of <ref table="NB_Global"
      db="OVN_Northbound"/> table.
    </p>

    <h3>Egress Table 2: Pre-stateful</h3>

    <p>
      This is similar to ingress table <code>Pre-stateful</code>.  This table
      adds the below 3 logical flows.
    </p>

    <ul>
      <li>
        A Priority-120 flow that send the packets to connection tracker using
        <code>ct_lb_mark;</code> as the action so that the already established
        traffic gets unDNATted from the backend IP to the load balancer VIP
        based on a hint provided by the previous tables with a match
        for <code>reg0[2] == 1</code>.  If the packet was not DNATted earlier,
        then <code>ct_lb_mark</code> functions like <code>ct_next</code>.
      </li>

      <li>
        A priority-100 flow sends the packets to connection tracker based
        on a hint provided by the previous tables
        (with a match for <code>reg0[0] == 1</code>) by using the
        <code>ct_next;</code> action.
      </li>

      <li>
        A priority-0 flow that matches all packets to advance to the next
        table.
      </li>
    </ul>

    <h3>Egress Table 3: <code>from-lport</code> ACL hints</h3>
    <p>
      This is similar to ingress table <code>ACL hints</code>.
    </p>

    <h3>Egress Table 4: <code>to-lport</code> ACLs</h3>

    <p>
      This is similar to ingress table <code>ACLs</code> except for
      <code>to-lport</code> ACLs.
    </p>

    <p>
      In addition, the following flows are added.
    </p>
    <ul>
      <li>
        A priority 34000 logical flow is added for each logical port which
        has DHCPv4 options defined to allow the DHCPv4 reply packet and which has
        DHCPv6 options defined to allow the DHCPv6 reply packet from the
        <code>Ingress Table 18: DHCP responses</code>.
      </li>

      <li>
        A priority 34000 logical flow is added for each logical switch datapath
        configured with DNS records with the match <code>udp.dst = 53</code>
        to allow the DNS reply packet from the
        <code>Ingress Table 20: DNS responses</code>.
      </li>

      <li>
        A priority 34000 logical flow is added for each logical switch datapath
        with the match <code>eth.src = <var>E</var></code> to allow the service
        monitor request packet generated by <code>ovn-controller</code>
        with the action <code>next</code>, where <var>E</var> is the
        service monitor mac defined in the
        <ref column="options:svc_monitor_mac" table="NB_Global"
        db="OVN_Northbound"/> column of <ref table="NB_Global"
        db="OVN_Northbound"/> table.
      </li>
    </ul>

    <h3>Egress Table 5: <code>to-lport</code> QoS Marking</h3>

    <p>
      This is similar to ingress table <code>QoS marking</code> except
      they apply to <code>to-lport</code> QoS rules.
    </p>

    <h3>Egress Table 6: <code>to-lport</code> QoS Meter</h3>

    <p>
      This is similar to ingress table <code>QoS meter</code> except
      they apply to <code>to-lport</code> QoS rules.
    </p>

    <h3>Egress Table 7: Stateful</h3>

    <p>
      This is similar to ingress table <code>Stateful</code> except that
      there are no rules added for load balancing new connections.
    </p>

    <h3>Egress Table 8: Egress Port Security - check</h3>

    <p>
      This is similar to the port security logic in table
      <code>Ingress Port Security check</code> except that action
      <code>check_out_port_sec</code> is used to check the port security
      rules.  This table adds the below logical flows.
    </p>

    <ul>
      <li>
        A priority 100 flow which matches on the multicast traffic and applies
        the action <code>REGBIT_PORT_SEC_DROP" = 0; next;"</code> to skip
        the out port security checks.
      </li>

      <li>
        A priority 0 logical flow is added which matches on all the packets
        and applies the action
        <code>REGBIT_PORT_SEC_DROP" = check_out_port_sec(); next;"</code>.
        The action <code>check_out_port_sec</code> applies the port security
        rules based on the addresses defined in the
        <ref column="port_security" table="Logical_Switch_Port"
        db="OVN_Northbound"/> column of <ref table="Logical_Switch_Port"
        db="OVN_Northbound"/> table before delivering the packet to the
        <code>outport</code>.
      </li>
    </ul>

    <h3>Egress Table 9: Egress Port Security - Apply</h3>

    <p>
      This is similar to the ingress port security logic in ingress table
      <code>A Ingress Port Security - Apply</code>.  This table drops the
      packets if the port security check failed in the previous stage i.e
      the register bit <code>REGBIT_PORT_SEC_DROP</code> is set to 1.
    </p>

    <p>
      The following flows are added.
    </p>

    <ul>
      <li>
        <p>
        For each localnet port configured with egress qos in the
        <ref column="options:qdisc_queue_id" table="Logical_Switch_Port"
        db="OVN_Northbound"/> column of <ref table="Logical_Switch_Port"
        db="OVN_Northbound"/>, a priority 100 flow is added which
        matches on the localnet <code>outport</code> and applies the action
        <code>set_queue(id); output;"</code>.
        </p>

        <p>
          Please remember to mark the corresponding physical interface with
          <code>ovn-egress-iface</code> set to true in
          <ref column="external_ids" table="Interface" db="Open_vSwitch"/>.
        </p>
      </li>

      <li>
        A priority-50 flow that drops the packet if the register
        bit <code>REGBIT_PORT_SEC_DROP</code> is set to 1.
      </li>

      <li>
        A priority-0 flow that outputs the packet to the <code>outport</code>.
      </li>
    </ul>

    <h2>Logical Router Datapaths</h2>

    <p>
      Logical router datapaths will only exist for <ref table="Logical_Router"
      db="OVN_Northbound"/> rows in the <ref db="OVN_Northbound"/> database
      that do not have <ref column="enabled" table="Logical_Router"
      db="OVN_Northbound"/> set to <code>false</code>
    </p>

    <h3>Ingress Table 0: L2 Admission Control</h3>

    <p>
      This table drops packets that the router shouldn't see at all based on
      their Ethernet headers.  It contains the following flows:
    </p>

    <ul>
      <li>
        Priority-100 flows to drop packets with VLAN tags or multicast Ethernet
        source addresses.
      </li>

      <li>
        <p>
          For each enabled router port <var>P</var> with Ethernet address
          <var>E</var>, a priority-50 flow that matches <code>inport ==
          <var>P</var> &amp;&amp; (eth.mcast || eth.dst ==
          <var>E</var></code>), stores the router port ethernet address
          and advances to next table, with action
          <code>xreg0[0..47]=E; next;</code>.
        </p>

        <p>
          For the gateway port on a distributed logical router (where
          one of the logical router ports specifies a
          gateway chassis), the above flow matching
          <code>eth.dst == <var>E</var></code> is only programmed on
          the gateway port instance on the gateway chassis.
          If LRP's logical switch has attached LSP of <code>vtep</code> type,
          the <code>is_chassis_resident()</code> part is not added to lflow to
          allow traffic originated from logical switch to reach LR services
          (LBs, NAT).
        </p>

        <p>
          For a distributed logical router or for gateway router where
          the port is configured with <code>options:gateway_mtu</code>
          the action of the above flow is modified adding
          <code>check_pkt_larger</code> in order to mark the packet
          setting <code>REGBIT_PKT_LARGER</code> if the size is greater
          than the MTU.

          If the port is also configured with
          <code>options:gateway_mtu_bypass</code> then another flow is
          added, with priority-55, to bypass the <code>check_pkt_larger</code>
          flow.  This is useful for traffic that normally doesn't need to be
          fragmented and for which check_pkt_larger, which might not be
          offloadable, is not really needed.  One such example is TCP traffic.
        </p>
      </li>

      <li>
        <p>
          For each <code>dnat_and_snat</code> NAT rule on a distributed
          router that specifies an external Ethernet address <var>E</var>,
          a priority-50 flow that matches <code>inport == <var>GW</var>
          &amp;&amp; eth.dst == <var>E</var></code>, where <var>GW</var>
          is the logical router distributed gateway port corresponding to the
          NAT rule (specified or inferred), with action
          <code>xreg0[0..47]=E; next;</code>.
        </p>

        <p>
          This flow is only programmed on the gateway port instance on
          the chassis where the <code>logical_port</code> specified in
          the NAT rule resides.
        </p>
      </li>

      <li>
        A priority-0 logical flow that matches all packets not already handled
        (match <code>1</code>) and drops them (action <code>drop;</code>).
      </li>
    </ul>

    <p>
      Other packets are implicitly dropped.
    </p>

    <h3>Ingress Table 1: Neighbor lookup</h3>

    <p>
      For ARP and IPv6 Neighbor Discovery packets, this table looks into the
      <ref db="OVN_Southbound" table="MAC_Binding"/> records to determine
      if OVN needs to learn the mac bindings. Following flows are added:
    </p>

    <ul>
      <li>
        <p>
          For each router port <var>P</var> that owns IP address <var>A</var>,
          which belongs to subnet <var>S</var> with prefix length <var>L</var>,
          if the option <code>always_learn_from_arp_request</code> is
          <code>true</code> for this router, a priority-100 flow is added which
          matches <code>inport == <var>P</var> &amp;&amp; arp.spa ==
          <var>S</var>/<var>L</var> &amp;&amp; arp.op == 1</code> (ARP request)
          with the following actions:
        </p>

        <pre>
reg9[2] = lookup_arp(inport, arp.spa, arp.sha);
next;
        </pre>

        <p>
          If the option <code>always_learn_from_arp_request</code> is
          <code>false</code>, the following two flows are added.
        </p>

        <p>
          A priority-110 flow is added which matches <code>inport ==
          <var>P</var> &amp;&amp; arp.spa == <var>S</var>/<var>L</var>
          &amp;&amp; arp.tpa == <var>A</var> &amp;&amp; arp.op == 1</code>
          (ARP request) with the following actions:
        </p>

        <pre>
reg9[2] = lookup_arp(inport, arp.spa, arp.sha);
reg9[3] = 1;
next;
        </pre>

        <p>
          A priority-100 flow is added which matches <code>inport ==
          <var>P</var> &amp;&amp; arp.spa == <var>S</var>/<var>L</var>
          &amp;&amp; arp.op == 1</code> (ARP request) with the following
          actions:
        </p>

        <pre>
reg9[2] = lookup_arp(inport, arp.spa, arp.sha);
reg9[3] = lookup_arp_ip(inport, arp.spa);
next;
        </pre>

        <p>
          If the logical router port <var>P</var> is a distributed gateway
          router port, additional match
          <code>is_chassis_resident(cr-<var>P</var>)</code> is added for all
          these flows.
        </p>
      </li>

      <li>
        <p>
          A priority-100 flow which matches on ARP reply packets and applies
          the actions if the option <code>always_learn_from_arp_request</code>
          is <code>true</code>:
        </p>

        <pre>
reg9[2] = lookup_arp(inport, arp.spa, arp.sha);
next;
        </pre>

        <p>
          If the option <code>always_learn_from_arp_request</code>
          is <code>false</code>, the above actions will be:
        </p>

        <pre>
reg9[2] = lookup_arp(inport, arp.spa, arp.sha);
reg9[3] = 1;
next;
        </pre>

      </li>

      <li>
        <p>
          A priority-100 flow which matches on IPv6 Neighbor Discovery
          advertisement packet and applies the actions if the option
          <code>always_learn_from_arp_request</code> is <code>true</code>:
        </p>

        <pre>
reg9[2] = lookup_nd(inport, nd.target, nd.tll);
next;
        </pre>

        <p>
          If the option <code>always_learn_from_arp_request</code>
          is <code>false</code>, the above actions will be:
        </p>

        <pre>
reg9[2] = lookup_nd(inport, nd.target, nd.tll);
reg9[3] = 1;
next;
        </pre>
      </li>

      <li>
        <p>
          A priority-100 flow which matches on IPv6 Neighbor Discovery
          solicitation packet and applies the actions if the option
          <code>always_learn_from_arp_request</code> is <code>true</code>:
        </p>

        <pre>
reg9[2] = lookup_nd(inport, ip6.src, nd.sll);
next;
        </pre>

        <p>
          If the option <code>always_learn_from_arp_request</code>
          is <code>false</code>, the above actions will be:
        </p>

        <pre>
reg9[2] = lookup_nd(inport, ip6.src, nd.sll);
reg9[3] = lookup_nd_ip(inport, ip6.src);
next;
        </pre>
      </li>

      <li>
        A priority-0 fallback flow that matches all packets and applies
        the action <code>reg9[2] = 1; next;</code>
        advancing the packet to the next table.
      </li>
    </ul>

    <h3>Ingress Table 2: Neighbor learning</h3>

    <p>
      This table adds flows to learn the mac bindings from the ARP and
      IPv6 Neighbor Solicitation/Advertisement packets if it is needed
      according to the lookup results from the previous stage.
    </p>

    <p>
      reg9[2] will be <code>1</code> if the <code>lookup_arp/lookup_nd</code>
      in the previous table was successful or skipped, meaning no need
      to learn mac binding from the packet.
    </p>

    <p>
      reg9[3] will be <code>1</code> if the
      <code>lookup_arp_ip/lookup_nd_ip</code> in the previous table was
      successful or skipped, meaning it is ok to learn mac binding from
      the packet (if reg9[2] is 0).
    </p>

    <ul>
      <li>
        A priority-100 flow with the match <code>reg9[2] == 1 || reg9[3] ==
        0</code> and advances the packet to the next table as there is no need
        to learn the neighbor.
      </li>

      <li>
        A priority-95 flow with the match <code>nd_ns &amp;&amp;
          (ip6.src == 0 || nd.sll == 0)</code> and applies the action
        <code>next;</code>
      </li>

      <li>
        A priority-90 flow with the match <code>arp</code> and
        applies the action
        <code>put_arp(inport, arp.spa, arp.sha); next;</code>
      </li>

      <li>
        A priority-95 flow with the match <code>nd_na  &amp;&amp;
        nd.tll == 0</code> and applies the action
        <code>put_nd(inport, nd.target, eth.src); next;</code>
      </li>

      <li>
        A priority-90 flow with the match <code>nd_na</code> and
        applies the action
        <code>put_nd(inport, nd.target, nd.tll); next;</code>
      </li>

      <li>
        A priority-90 flow with the match <code>nd_ns</code> and
        applies the action
        <code>put_nd(inport, ip6.src, nd.sll); next;</code>
      </li>

      <li>
        A priority-0 logical flow that matches all packets not already handled
        (match <code>1</code>) and drops them (action <code>drop;</code>).
      </li>
    </ul>

    <h3>Ingress Table 3: IP Input</h3>

    <p>
      This table is the core of the logical router datapath functionality.  It
      contains the following flows to implement very basic IP host
      functionality.
    </p>

    <ul>
      <li>
        <p>
          For each <code>dnat_and_snat</code> NAT rule on a distributed
          logical routers or gateway routers with gateway port
          configured with <code>options:gateway_mtu</code> to a valid integer
          value <var>M</var>, a priority-160 flow with the match
          <code>inport == <var>LRP</var> &amp;&amp; REGBIT_PKT_LARGER
          &amp;&amp; REGBIT_EGRESS_LOOPBACK == 0</code>, where <var>LRP</var>
          is the logical router port and applies the following action for ipv4
          and ipv6 respectively:
        </p>

    <pre>
icmp4_error {
    icmp4.type = 3; /* Destination Unreachable. */
    icmp4.code = 4;  /* Frag Needed and DF was Set. */
    icmp4.frag_mtu = <var>M</var>;
    eth.dst = eth.src;
    eth.src = <var>E</var>;
    ip4.dst = ip4.src;
    ip4.src = <var>I</var>;
    ip.ttl = 255;
    REGBIT_EGRESS_LOOPBACK = 1;
    REGBIT_PKT_LARGER 0;
    outport = <var>LRP</var>;
    flags.loopback = 1;
    output;
};

icmp6_error {
    icmp6.type = 2;
    icmp6.code = 0;
    icmp6.frag_mtu = <var>M</var>;
    eth.dst = eth.src;
    eth.src = <var>E</var>;
    ip6.dst = ip6.src;
    ip6.src = <var>I</var>;
    ip.ttl = 255;
    REGBIT_EGRESS_LOOPBACK = 1;
    REGBIT_PKT_LARGER 0;
    outport = <var>LRP</var>;
    flags.loopback = 1;
    output;
};
    </pre>
        <p>
          where <var>E</var> and <var>I</var> are the NAT rule external mac
          and IP respectively.
        </p>
      </li>

      <li>
        <p>
          For distributed logical routers or gateway routers with gateway port
          configured with <code>options:gateway_mtu</code> to a valid integer
          value, a priority-150 flow with the match <code>inport ==
          <var>LRP</var> &amp;&amp; REGBIT_PKT_LARGER &amp;&amp;
          REGBIT_EGRESS_LOOPBACK == 0</code>, where <var>LRP</var> is the
          logical router port and applies the following action for ipv4
          and ipv6 respectively:
        </p>

    <pre>
icmp4_error {
    icmp4.type = 3; /* Destination Unreachable. */
    icmp4.code = 4;  /* Frag Needed and DF was Set. */
    icmp4.frag_mtu = <var>M</var>;
    eth.dst = <var>E</var>;
    ip4.dst = ip4.src;
    ip4.src = <var>I</var>;
    ip.ttl = 255;
    REGBIT_EGRESS_LOOPBACK = 1;
    REGBIT_PKT_LARGER 0;
    next(pipeline=ingress, table=0);
};

icmp6_error {
    icmp6.type = 2;
    icmp6.code = 0;
    icmp6.frag_mtu = <var>M</var>;
    eth.dst = <var>E</var>;
    ip6.dst = ip6.src;
    ip6.src = <var>I</var>;
    ip.ttl = 255;
    REGBIT_EGRESS_LOOPBACK = 1;
    REGBIT_PKT_LARGER 0;
    next(pipeline=ingress, table=0);
};
    </pre>
      </li>

      <li>
        <p>
          For each NAT entry of a distributed logical router  (with
          distributed gateway router port(s)) of type <code>snat</code>,
          a priority-120 flow with the match <code>inport == <var>P</var>
          &amp;&amp; ip4.src == <var>A</var></code> advances the packet to
          the next pipeline, where <var>P</var> is the distributed logical
          router port corresponding to the NAT entry (specified or inferred)
          and <var>A</var> is the <code>external_ip</code> set
          in the NAT entry. If <var>A</var> is an IPv6 address, then
          <code>ip6.src</code> is used for the match.
        </p>

        <p>
          The above flow is required to handle the routing of the East/west NAT
          traffic.
        </p>
      </li>

      <li>
        <p>
            For each BFD port the two following priority-110 flows are added
            to manage BFD traffic:

            <ul>
              <li>
               if <code>ip4.src</code> or <code>ip6.src</code> is any IP
               address owned by the router port and <code>udp.dst == 3784
               </code>, the packet is advanced to the next pipeline stage.
              </li>

              <li>
               if <code>ip4.dst</code> or <code>ip6.dst</code> is any IP
               address owned by the router port and <code>udp.dst == 3784
               </code>, the <code>handle_bfd_msg</code> action is executed.
              </li>
            </ul>
        </p>
      </li>

      <li>
        <p>
          L3 admission control: Priority-120 flows allows IGMP and MLD packets
          if the router has logical ports that have
          <ref column="options" table="Logical_Router_Port"/>
          <code>:mcast_flood='true'</code>.
        </p>
      </li>

      <li>
        <p>
          L3 admission control: A priority-100 flow drops packets that match
          any of the following:
        </p>

        <ul>
          <li>
            <code>ip4.src[28..31] == 0xe</code> (multicast source)
          </li>
          <li>
            <code>ip4.src == 255.255.255.255</code> (broadcast source)
          </li>
          <li>
            <code>ip4.src == 127.0.0.0/8 || ip4.dst == 127.0.0.0/8</code>
            (localhost source or destination)
          </li>
          <li>
            <code>ip4.src == 0.0.0.0/8 || ip4.dst == 0.0.0.0/8</code> (zero
            network source or destination)
          </li>
          <li>
            <code>ip4.src</code> or <code>ip6.src</code> is any IP
            address owned by the router, unless the packet was recirculated
            due to egress loopback as indicated by
            <code>REGBIT_EGRESS_LOOPBACK</code>.
          </li>
          <li>
            <code>ip4.src</code> is the broadcast address of any IP network
            known to the router.
          </li>
        </ul>
      </li>

      <li>
          A priority-100 flow parses DHCPv6 replies from IPv6 prefix
          delegation routers (<code>udp.src == 547 &amp;&amp;
          udp.dst == 546</code>). The <code>handle_dhcpv6_reply</code>
          is used to send IPv6 prefix delegation messages to the delegation
          router.
      </li>

      <li>
        <p>
          ICMP echo reply.  These flows reply to ICMP echo requests received
          for the router's IP address.  Let <var>A</var> be an IP address
          owned by a router port.  Then, for each <var>A</var> that is
          an IPv4 address, a priority-90 flow matches on
          <code>ip4.dst == <var>A</var></code> and
          <code>icmp4.type == 8 &amp;&amp; icmp4.code == 0</code>
          (ICMP echo request).  For each <var>A</var> that is an IPv6
          address, a priority-90 flow matches on
          <code>ip6.dst == <var>A</var></code> and
          <code>icmp6.type == 128 &amp;&amp; icmp6.code == 0</code>
          (ICMPv6 echo request).  The port of the router that receives the
          echo request does not matter. Also, the <code>ip.ttl</code> of
          the echo request packet is not checked, so it complies with
          RFC 1812, section 4.2.2.9. Flows for ICMPv4 echo requests use the
          following actions:
        </p>

        <pre>
ip4.dst &lt;-&gt; ip4.src;
ip.ttl = 255;
icmp4.type = 0;
flags.loopback = 1;
next;
        </pre>

        <p>
          Flows for ICMPv6 echo requests use the following actions:
        </p>

        <pre>
ip6.dst &lt;-&gt; ip6.src;
ip.ttl = 255;
icmp6.type = 129;
flags.loopback = 1;
next;
        </pre>
      </li>

      <li>
        <p>
          Reply to ARP requests.
        </p>

        <p>
          These flows reply to ARP requests for the router's own IP address.
          The ARP requests are handled only if the requestor's IP belongs
          to the same subnets of the logical router port.
          For each router port <var>P</var> that owns IP address <var>A</var>,
          which belongs to subnet <var>S</var> with prefix length <var>L</var>,
          and Ethernet address <var>E</var>, a priority-90 flow matches
          <code>inport == <var>P</var> &amp;&amp;
          arp.spa == <var>S</var>/<var>L</var> &amp;&amp; arp.op == 1
          &amp;&amp; arp.tpa == <var>A</var></code> (ARP request) with the
          following actions:
        </p>

        <pre>
eth.dst = eth.src;
eth.src = xreg0[0..47];
arp.op = 2; /* ARP reply. */
arp.tha = arp.sha;
arp.sha = xreg0[0..47];
arp.tpa = arp.spa;
arp.spa = <var>A</var>;
outport = inport;
flags.loopback = 1;
output;
        </pre>

        <p>
          For the gateway port on a distributed logical router (where
          one of the logical router ports specifies a
          gateway chassis), the above flows are only
          programmed on the gateway port instance on the
          gateway chassis.  This behavior avoids generation
          of multiple ARP responses from different chassis, and allows
          upstream MAC learning to point to the gateway chassis.
        </p>

        <p>
          For the logical router port with the option
          <code>reside-on-redirect-chassis</code> set (which is centralized),
          the above flows are only programmed on the gateway port instance on
          the gateway chassis (if the logical router has a
          distributed gateway port). This behavior avoids generation
          of multiple ARP responses from different chassis, and allows
          upstream MAC learning to point to the gateway chassis.
        </p>
      </li>

      <li>
        <p>
          Reply to IPv6 Neighbor Solicitations.  These flows reply to
          Neighbor Solicitation requests for the router's own IPv6
          address and populate the logical router's mac binding table.
        </p>

        <p>
          For each router port <var>P</var> that
          owns IPv6 address <var>A</var>, solicited node address <var>S</var>,
          and Ethernet address <var>E</var>, a priority-90 flow matches
          <code>inport == <var>P</var> &amp;&amp;
          nd_ns &amp;&amp; ip6.dst == {<var>A</var>, <var>E</var>} &amp;&amp;
          nd.target == <var>A</var></code> with the following actions:
        </p>

        <pre>
nd_na_router {
    eth.src = xreg0[0..47];
    ip6.src = <var>A</var>;
    nd.target = <var>A</var>;
    nd.tll = xreg0[0..47];
    outport = inport;
    flags.loopback = 1;
    output;
};
        </pre>

        <p>
          For the gateway port on a distributed logical router (where
          one of the logical router ports specifies a
          gateway chassis), the above flows replying to
          IPv6 Neighbor Solicitations are only programmed on the
          gateway port instance on the gateway chassis.
          This behavior avoids generation of multiple replies from
          different chassis, and allows upstream MAC learning to point
          to the gateway chassis.
        </p>
      </li>

      <li>
        <p>
          These flows reply to ARP requests or IPv6 neighbor solicitation
          for the virtual IP addresses configured in the router for NAT
          (both DNAT and SNAT) or load balancing.
        </p>

        <p>
          IPv4: For a configured NAT (both DNAT and SNAT) IP address or a
          load balancer IPv4 VIP <var>A</var>, for each router port
          <var>P</var> with Ethernet address <var>E</var>, a priority-90 flow
          matches <code>arp.op == 1 &amp;&amp; arp.tpa == <var>A</var></code>
          (ARP request) with the following actions:
        </p>

        <pre>
eth.dst = eth.src;
eth.src = xreg0[0..47];
arp.op = 2; /* ARP reply. */
arp.tha = arp.sha;
arp.sha = xreg0[0..47];
arp.tpa &lt;-&gt; arp.spa;
outport = inport;
flags.loopback = 1;
output;
        </pre>

        <p>
          IPv4: For a configured load balancer IPv4 VIP, a similar flow is
          added with the additional match <code>inport == <var>P</var></code>
          if the VIP is reachable from any logical router port of the logical
          router.
        </p>

        <p>
          If the router port <var>P</var> is a distributed gateway router
          port, then the <code>is_chassis_resident(<var>P</var>)</code> is
          also added in the match condition for the load balancer IPv4
          VIP <var>A</var>.
        </p>

        <p>
          IPv6: For a configured NAT (both DNAT and SNAT) IP address or a
          load balancer IPv6 VIP <var>A</var> (if the VIP is reachable from any
          logical router port of the logical router), solicited node address
          <var>S</var>, for each router port <var>P</var> with
          Ethernet address <var>E</var>, a priority-90 flow matches
          <code>inport == <var>P</var> &amp;&amp; nd_ns &amp;&amp;
          ip6.dst == {<var>A</var>, <var>S</var>} &amp;&amp;
          nd.target == <var>A</var></code>
          with the following actions:
        </p>

        <pre>
eth.dst = eth.src;
nd_na {
    eth.src = xreg0[0..47];
    nd.tll = xreg0[0..47];
    ip6.src = <var>A</var>;
    nd.target = <var>A</var>;
    outport = inport;
    flags.loopback = 1;
    output;
}
        </pre>

        <p>
          If the router port <var>P</var> is a distributed gateway router
          port, then the <code>is_chassis_resident(<var>P</var>)</code>
          is also added in the match condition for the load balancer IPv6
          VIP <var>A</var>.
        </p>

        <p>
          For the gateway port on a distributed logical router with NAT
          (where one of the logical router ports specifies a
          gateway chassis):
        </p>

        <ul>
          <li>
            If the corresponding NAT rule cannot be handled in a
            distributed manner, then a priority-92 flow is programmed on
            the gateway port instance on the
            gateway chassis.  A priority-91 drop flow is
            programmed on the other chassis when ARP requests/NS packets
            are received on the gateway port. This behavior avoids
            generation of multiple ARP responses from different chassis,
            and allows upstream MAC learning to point to the
            gateway chassis.
          </li>

          <li>
            <p>
              If the corresponding NAT rule can be handled in a distributed
              manner, then this flow is only programmed on the gateway port
              instance where the <code>logical_port</code> specified in the
              NAT rule resides.
            </p>

            <p>
              Some of the actions are different for this case, using the
              <code>external_mac</code> specified in the NAT rule rather
              than the gateway port's Ethernet address <var>E</var>:
            </p>

            <pre>
eth.src = <var>external_mac</var>;
arp.sha = <var>external_mac</var>;
            </pre>

            <p>
              or in the case of IPv6 neighbor solicition:
            </p>

            <pre>
eth.src = <var>external_mac</var>;
nd.tll = <var>external_mac</var>;
            </pre>

            <p>
              This behavior avoids generation of multiple ARP responses
              from different chassis, and allows upstream MAC learning to
              point to the correct chassis.
            </p>
          </li>
        </ul>
      </li>

      <li>
        Priority-85 flows which drops the ARP and IPv6 Neighbor Discovery
        packets.
      </li>

      <li>
        <p>
          A priority-84 flow explicitly allows IPv6 multicast traffic that is
          supposed to reach the router pipeline (i.e., router solicitation
          and router advertisement packets).
        </p>
      </li>

      <li>
        <p>
          A priority-83 flow explicitly drops IPv6 multicast traffic that is
          destined to reserved multicast groups.
        </p>
      </li>

      <li>
        <p>
          A priority-82 flow allows IP multicast traffic if
          <ref column="options" table="Logical_Router"/>:mcast_relay='true',
          otherwise drops it.
        </p>
      </li>

      <li>
        <p>
          UDP port unreachable.  Priority-80 flows generate ICMP port
          unreachable messages in reply to UDP datagrams directed to the
          router's IP address, except in the special case of gateways,
          which accept traffic directed to a router IP for load balancing
          and NAT purposes.
        </p>

        <p>
          These flows should not match IP fragments with nonzero offset.
        </p>
      </li>

      <li>
        <p>
          TCP reset.  Priority-80 flows generate TCP reset messages in reply
          to TCP datagrams directed to the router's IP address, except in
          the special case of gateways, which accept traffic directed to a
          router IP for load balancing and NAT purposes.
        </p>

        <p>
          These flows should not match IP fragments with nonzero offset.
        </p>
      </li>

      <li>
        <p>
          Protocol or address unreachable. Priority-70 flows generate ICMP
          protocol or address unreachable messages for IPv4 and IPv6
          respectively in reply to packets directed to the router's IP
          address on IP protocols other than UDP, TCP, and ICMP, except in the
          special case of gateways, which accept traffic directed to a router
          IP for load balancing purposes.
        </p>

        <p>
          These flows should not match IP fragments with nonzero offset.
        </p>
      </li>

      <li>
        Drop other IP traffic to this router.  These flows drop any other
        traffic destined to an IP address of this router that is not already
        handled by one of the flows above, which amounts to ICMP (other than
        echo requests) and fragments with nonzero offsets.  For each IP address
        <var>A</var> owned by the router, a priority-60 flow matches
        <code>ip4.dst == <var>A</var></code> or
        <code>ip6.dst == <var>A</var></code>
        and drops the traffic.  An exception is made and the above flow
        is not added if the router port's own IP address is used to SNAT
        packets passing through that router or if it is used as a
        load balancer VIP.
      </li>
    </ul>

    <p>
      The flows above handle all of the traffic that might be directed to the
      router itself.  The following flows (with lower priorities) handle the
      remaining traffic, potentially for forwarding:
    </p>

    <ul>
      <li>
        Drop Ethernet local broadcast.  A priority-50 flow with match
        <code>eth.bcast</code> drops traffic destined to the local Ethernet
        broadcast address.  By definition this traffic should not be forwarded.
      </li>

      <li>
        <p>
          ICMP time exceeded.  For each router port <var>P</var>, whose IP
          address is <var>A</var>, a priority-100 flow with match <code>inport
          == <var>P</var> &amp;&amp; ip.ttl == {0, 1} &amp;&amp;
          !ip.later_frag</code> matches packets whose TTL has expired, with the
          following actions to send an ICMP time exceeded reply for IPv4 and
          IPv6 respectively:
        </p>

        <pre>
icmp4 {
    icmp4.type = 11; /* Time exceeded. */
    icmp4.code = 0;  /* TTL exceeded in transit. */
    ip4.dst = ip4.src;
    ip4.src = <var>A</var>;
    ip.ttl = 254;
    next;
};

icmp6 {
    icmp6.type = 3; /* Time exceeded. */
    icmp6.code = 0;  /* TTL exceeded in transit. */
    ip6.dst = ip6.src;
    ip6.src = <var>A</var>;
    ip.ttl = 254;
    next;
};
        </pre>
      </li>

      <li>
        TTL discard.  A priority-30 flow with match <code>ip.ttl == {0,
        1}</code> and actions <code>drop;</code> drops other packets whose TTL
        has expired, that should not receive a ICMP error reply (i.e. fragments
        with nonzero offset).
      </li>

      <li>
        Next table.  A priority-0 flows match all packets that aren't already
        handled and uses actions <code>next;</code> to feed them to the next
        table.
      </li>
    </ul>



    <h3>Ingress Table 4: UNSNAT</h3>

    <p>
      This is for already established connections' reverse traffic.
      i.e., SNAT has already been done in egress pipeline and now the
      packet has entered the ingress pipeline as part of a reply.  It is
      unSNATted here.
    </p>

    <p>Ingress Table 4: UNSNAT on Gateway and Distributed Routers</p>
    <ul>
      <li>
        <p>
          If the Router (Gateway or Distributed) is configured with
          load balancers, then below lflows are added:
        </p>

        <p>
          For each IPv4 address <var>A</var> defined as load balancer
          VIP with the protocol <var>P</var> (and the protocol port
          <var>T</var> if defined) is also present as an
          <code>external_ip</code> in the NAT table,
          a priority-120 logical flow is added with the match
          <code>ip4 &amp;&amp; ip4.dst == <var>A</var> &amp;&amp;
          <var>P</var></code> with the action <code>next;</code> to
          advance the packet to the next table. If the load balancer
          has protocol port <code>B</code> defined, then the match also has
          <code><var>P</var>.dst == <var>B</var></code>.
        </p>

        <p>
          The above flows are also added for IPv6 load balancers.
        </p>
      </li>
    </ul>

    <p>Ingress Table 4: UNSNAT on Gateway Routers</p>

    <ul>
      <li>
        <p>
          If the Gateway router has been configured to force SNAT any
          previously DNATted packets to <var>B</var>, a priority-110 flow
          matches <code>ip &amp;&amp; ip4.dst == <var>B</var></code> or
          <code>ip &amp;&amp; ip6.dst == <var>B</var></code>
          with an action <code>ct_snat; </code>.
        </p>

        <p>
          If the Gateway router is configured with
          <code>lb_force_snat_ip=router_ip</code> then for every logical router
          port <var>P</var> attached to the Gateway router with the router ip
          <var>B</var>, a priority-110 flow is added with the match
          <code>inport == <var>P</var> &amp;&amp;
          ip4.dst == <var>B</var></code> or <code>inport == <var>P</var>
          &amp;&amp; ip6.dst == <var>B</var></code> with an action
          <code>ct_snat; </code>.
        </p>

        <p>
          If the Gateway router has been configured to force SNAT any
          previously load-balanced packets to <var>B</var>, a priority-100 flow
          matches <code>ip &amp;&amp; ip4.dst == <var>B</var></code> or
          <code>ip &amp;&amp; ip6.dst == <var>B</var></code>
          with an action <code>ct_snat; </code>.
        </p>

        <p>
          For each NAT configuration in the OVN Northbound database, that asks
          to change the source IP address of a packet from <var>A</var> to
          <var>B</var>, a priority-90 flow matches
          <code>ip &amp;&amp; ip4.dst == <var>B</var></code> or
          <code>ip &amp;&amp; ip6.dst == <var>B</var></code>
          with an action <code>ct_snat; </code>. If the NAT rule is of type
          dnat_and_snat and has <code>stateless=true</code> in the
          options, then the action would be <code>next;</code>.
        </p>

        <p>
          A priority-0 logical flow with match <code>1</code> has actions
          <code>next;</code>.
        </p>
      </li>
    </ul>

    <p>Ingress Table 4: UNSNAT on Distributed Routers</p>

    <ul>
      <li>
        <p>
          For each configuration in the OVN Northbound database, that asks
          to change the source IP address of a packet from <var>A</var> to
          <var>B</var>, two priority-100 flows are added.
        </p>

        <p>
          If the NAT rule cannot be handled in a distributed manner, then
          the below priority-100 flows are only programmed on the
          gateway chassis.
        </p>

        <ul>
          <li>
            <p>
              The first flow matches <code>ip &amp;&amp;
              ip4.dst == <var>B</var> &amp;&amp; inport == <var>GW</var>
              &amp;&amp; flags.loopback == 0</code> or
              <code>ip &amp;&amp;
              ip6.dst == <var>B</var> &amp;&amp; inport == <var>GW</var>
              &amp;&amp; flags.loopback == 0</code>
              where <var>GW</var> is the distributed gateway port
              corresponding to the NAT rule (specified or inferred), with an
              action <code>ct_snat_in_czone;</code> to unSNAT in the common
              zone.  If the NAT rule is of type dnat_and_snat and has
              <code>stateless=true</code> in the options, then the action
              would be <code>next;</code>.
            </p>

            <p>
              If the NAT entry is of type <code>snat</code>, then there is an
              additional match <code>is_chassis_resident(<var>cr-GW</var>)
              </code> where <var>cr-GW</var> is the chassis resident port of
              <var>GW</var>.
            </p>
          </li>

          <li>
            <p>
              The second flow matches <code>ip &amp;&amp;
              ip4.dst == <var>B</var> &amp;&amp; inport == <var>GW</var>
              &amp;&amp; flags.loopback == 1 &amp;&amp;
              flags.use_snat_zone == 1</code> or
              <code>ip &amp;&amp;
              ip6.dst == <var>B</var> &amp;&amp; inport == <var>GW</var>
              &amp;&amp; flags.loopback == 0 &amp;&amp;
              flags.use_snat_zone == 1</code>
              where <var>GW</var> is the distributed gateway port
              corresponding to the NAT rule (specified or inferred), with an
              action <code>ct_snat;</code> to unSNAT in the snat zone. If the
              NAT rule is of type dnat_and_snat and has
              <code>stateless=true</code> in the options, then the action
              would be <code>ip4/6.dst=(<var>B</var>)</code>.
            </p>

            <p>
              If the NAT entry is of type <code>snat</code>, then there is an
              additional match <code>is_chassis_resident(<var>cr-GW</var>)
              </code> where <var>cr-GW</var> is the chassis resident port of
              <var>GW</var>.
            </p>
          </li>
        </ul>

        <p>
          A priority-0 logical flow with match <code>1</code> has actions
          <code>next;</code>.
        </p>
      </li>
    </ul>

    <h3>Ingress Table 5: DEFRAG</h3>

    <p>
      This is to send packets to connection tracker for tracking and
      defragmentation.  It contains a priority-0 flow that simply moves traffic
      to the next table.
    </p>

    <p>
      If load balancing rules with only virtual IP addresses are configured in
      <code>OVN_Northbound</code> database for a Gateway router,
      a priority-100 flow is added for each configured virtual IP address
      <var>VIP</var>. For IPv4 <var>VIPs</var> the flow matches
      <code>ip &amp;&amp; ip4.dst == <var>VIP</var></code>.  For IPv6
      <var>VIPs</var>, the flow matches <code>ip &amp;&amp; ip6.dst ==
      <var>VIP</var></code>. The flow applies the action <code>reg0 =
      <var>VIP</var>; ct_dnat;</code>  (or <code>xxreg0</code> for IPv6) to
      send IP packets to the connection tracker for packet de-fragmentation and
      to dnat the destination IP for the committed connection before sending it
      to the next table.
    </p>

    <p>
      If load balancing rules with virtual IP addresses and ports are
      configured in <code>OVN_Northbound</code> database for a Gateway router,
      a priority-110 flow is added for each configured virtual IP address
      <var>VIP</var>, protocol <var>PROTO</var> and port <var>PORT</var>.
      For IPv4 <var>VIPs</var> the flow matches
      <code>ip &amp;&amp; ip4.dst == <var>VIP</var> &amp;&amp;
      <var>PROTO</var> &amp;&amp; <var>PROTO</var>.dst ==
      <var>PORT</var></code>. For IPv6 <var>VIPs</var>, the flow matches
      <code>ip &amp;&amp; ip6.dst == <var>VIP</var> &amp;&amp;
      <var>PROTO</var> &amp;&amp; <var>PROTO</var>.dst ==
      <var>PORT</var></code>. The flow applies the action <code>reg0 =
      <var>VIP</var>; reg9[16..31] = <var>PROTO</var>.dst; ct_dnat;</code>
      (or <code>xxreg0</code> for IPv6) to send IP packets to the connection
      tracker for packet de-fragmentation and to dnat the destination IP for
      the committed connection before sending it to the next table.
    </p>

    <p>
      If ECMP routes with symmetric reply are configured in the
      <code>OVN_Northbound</code> database for a gateway router, a priority-100
      flow is added for each router port on which symmetric replies are
      configured. The matching logic for these ports essentially reverses the
      configured logic of the ECMP route. So for instance, a route with a
      destination routing policy will instead match if the source IP address
      matches the static route's prefix. The flow uses the actions
      <code>chk_ecmp_nh_mac(); ct_next</code> or
      <code>chk_ecmp_nh(); ct_next</code> to send IP packets to table
      <code>76</code> or to table <code>77</code> in order to check if source
      info are already stored by OVN and then to the connection tracker for
      packet de-fragmentation and tracking before sending it to the next table.
    </p>

    <p>
      If load balancing rules are configured in <code>OVN_Northbound</code>
      database for a Gateway router, a priority 50 flow that matches
      <code>icmp || icmp6</code> with an action of <code>ct_dnat;</code>,
      this allows potentially related ICMP traffic to pass through CT.
    </p>

    <h3>Ingress Table 6: Load balancing affinity check</h3>

    <p>
      Load balancing affinity check table contains the following
      logical flows:
    </p>

    <ul>
      <li>
        For all the configured load balancing rules for a logical router where
        a positive affinity timeout is specified in <code>options</code>
        column, that includes a L4 port <var>PORT</var> of protocol
        <var>P</var> and IPv4 or IPv6 address <var>VIP</var>, a priority-100
        flow that matches on <code>ct.new &amp;&amp; ip &amp;&amp;
        reg0 == <var>VIP</var> &amp;&amp; <var>P</var> &amp;&amp; reg9[16..31]
        == </code> <code><var>PORT</var></code> (<code>xxreg0 == <var>VIP
        </var></code> in the IPv6 case) with an action of <code>reg9[6] =
        chk_lb_aff(); next;</code>
      </li>

      <li>
        A priority 0 flow is added which matches on all packets and applies
        the action <code>next;</code>.
      </li>
    </ul>

    <h3>Ingress Table 7: DNAT</h3>

    <p>
      Packets enter the pipeline with destination IP address that needs to
      be DNATted from a virtual IP address to a real IP address.  Packets
      in the reverse direction needs to be unDNATed.
    </p>

    <p>Ingress Table 7: Load balancing DNAT rules</p>

    <p>
      Following load balancing DNAT flows are added for Gateway router or
      Router with gateway port. These flows are programmed only on the
      gateway chassis.  These flows do not get programmed for
      load balancers with IPv6 <var>VIPs</var>.
    </p>

    <ul>
      <li>
        For all the configured load balancing rules for a logical router where
        a positive affinity timeout is specified in <code>options</code>
        column, that includes a L4 port <var>PORT</var> of protocol
        <var>P</var> and IPv4 or IPv6 address <var>VIP</var>, a priority-150
        flow that matches on <code>reg9[6] == 1 &amp;&amp; ct.new &amp;&amp;
        ip &amp;&amp; reg0 == <var>VIP</var> &amp;&amp; <var>P</var> &amp;&amp;
        reg9[16..31] == </code> <code><var>PORT</var></code> (<code>xxreg0
        == <var>VIP</var></code> in the IPv6 case) with an action of
        <code>ct_lb_mark(<var>args</var>) </code>, where <var>args</var>
        contains comma separated IP addresses (and optional port numbers)
        to load balance to.  The address family of the IP addresses of
        <var>args</var> is the same as the address family of <var>VIP</var>.
      </li>

      <li>
        If controller_event has been enabled for all the configured load
        balancing rules for a Gateway router or Router with gateway port
        in <code>OVN_Northbound</code> database that does not have configured
        backends, a priority-130 flow is added to trigger ovn-controller events
        whenever the chassis receives a packet for that particular VIP.
        If <code>event-elb</code> meter has been previously created, it will be
        associated to the empty_lb logical flow
      </li>

      <li>
        <p>
          For all the configured load balancing rules for a Gateway router or
          Router with gateway port in <code>OVN_Northbound</code> database that
          includes a L4 port <var>PORT</var> of protocol <var>P</var> and IPv4
          or IPv6 address <var>VIP</var>, a priority-120 flow that matches on
          <code>ct.new &amp;&amp; !ct.rel &amp;&amp; ip &amp;&amp; reg0 ==
          <var>VIP</var> &amp;&amp; <var>P</var> &amp;&amp; reg9[16..31] ==
          </code> <code><var>PORT</var></code> (<code>xxreg0 == <var>VIP</var>
          </code> in the IPv6 case) with an action of
          <code>ct_lb_mark(<var>args</var>)</code>, where <var>args</var> contains
          comma separated IPv4 or IPv6 addresses (and optional port numbers) to
          load balance to.  If the router is configured to force SNAT any
          load-balanced packets, the above action will be replaced by
          <code>flags.force_snat_for_lb = 1; ct_lb_mark(<var>args</var>);</code>.
          If the load balancing rule is configured with <code>skip_snat</code>
          set to true, the above action will be replaced by
          <code>flags.skip_snat_for_lb = 1; ct_lb_mark(<var>args</var>);</code>.
          If health check is enabled, then
          <var>args</var> will only contain those endpoints whose service
          monitor status entry in <code>OVN_Southbound</code> db is
          either <code>online</code> or empty.
        </p>

        <p>
          The previous table <code>lr_in_defrag</code> sets the register
          <code>reg0</code> (or <code>xxreg0</code> for IPv6) and does
          <code>ct_dnat</code>.  Hence for established traffic, this
          table just advances the packet to the next stage.
        </p>
      </li>

      <li>
        <p>
          For all the configured load balancing rules for a router in
          <code>OVN_Northbound</code> database that includes a L4 port
          <var>PORT</var> of protocol <var>P</var> and IPv4 or IPv6 address
          <var>VIP</var>, a priority-120 flow that matches on
          <code>ct.est &amp;&amp; !ct.rel &amp;&amp; ip4 &amp;&amp; reg0 ==
          <var>VIP</var> &amp;&amp; <var>P</var> &amp;&amp; reg9[16..31] ==
          </code> <code><var>PORT</var></code> (<code>ip6</code> and
          <code>xxreg0 == <var>VIP</var></code> in the IPv6 case) with an
          action of <code>next;</code>. If the router is configured to force
          SNAT any load-balanced packets, the above action will be replaced by
          <code>flags.force_snat_for_lb = 1; next;</code>. If the load
          balancing rule is configured with <code>skip_snat</code> set to true,
          the above action will be replaced by
          <code>flags.skip_snat_for_lb = 1; next;</code>.
        </p>

        <p>
          The previous table <code>lr_in_defrag</code> sets the register
          <code>reg0</code> (or <code>xxreg0</code> for IPv6) and does
          <code>ct_dnat</code>.  Hence for established traffic, this
          table just advances the packet to the next stage.
        </p>
      </li>

      <li>
        <p>
          For all the configured load balancing rules for a router in
          <code>OVN_Northbound</code> database that includes just an IP address
          <var>VIP</var> to match on, a priority-110 flow that matches on
          <code>ct.new &amp;&amp; !ct.rel &amp;&amp; ip4 &amp;&amp; reg0 ==
          <var>VIP</var></code> (<code>ip6</code> and <code>xxreg0 ==
          <var>VIP</var></code> in the IPv6 case) with an action of
          <code>ct_lb_mark(<var>args</var>)</code>, where <var>args</var> contains
          comma separated IPv4 or IPv6 addresses.  If the router is configured
          to force SNAT any load-balanced packets, the above action will be
          replaced by <code>flags.force_snat_for_lb = 1;
          ct_lb_mark(<var>args</var>);</code>.
          If the load balancing rule is configured with <code>skip_snat</code>
          set to true, the above action will be replaced by
          <code>flags.skip_snat_for_lb = 1; ct_lb_mark(<var>args</var>);</code>.
        </p>

        <p>
          The previous table <code>lr_in_defrag</code> sets the register
          <code>reg0</code> (or <code>xxreg0</code> for IPv6) and does
          <code>ct_dnat</code>.  Hence for established traffic, this
          table just advances the packet to the next stage.
        </p>
      </li>


      <li>
        <p>
          For all the configured load balancing rules for a router in
          <code>OVN_Northbound</code> database that includes just an IP address
          <var>VIP</var> to match on, a priority-110 flow that matches on
          <code>ct.est &amp;&amp; !ct.rel &amp;&amp; ip4 &amp;&amp; reg0 ==
          <var>VIP</var></code> (or <code>ip6</code> and
          <code>xxreg0 == <var>VIP</var></code>) with an action of
          <code>next;</code>. If the router is configured to force SNAT any
          load-balanced packets, the above action will be replaced by
          <code>flags.force_snat_for_lb = 1; next;</code>.
          If the load balancing rule is configured with <code>skip_snat</code>
          set to true, the above action will be replaced by
          <code>flags.skip_snat_for_lb = 1; next;</code>.
        </p>

        <p>
          The previous table <code>lr_in_defrag</code> sets the register
          <code>reg0</code> (or <code>xxreg0</code> for IPv6) and does
          <code>ct_dnat</code>.  Hence for established traffic, this
          table just advances the packet to the next stage.
        </p>
      </li>

      <li>
        If the load balancer is created with <code>--reject</code> option and
        it has no active backends, a TCP reset segment (for tcp) or an ICMP
        port unreachable packet (for all other kind of traffic) will be sent
        whenever an incoming packet is received for this load-balancer.
        Please note using <code>--reject</code> option will disable
        empty_lb SB controller event for this load balancer.
      </li>

      <li>
        <p>
            For the related traffic, a priority 50 flow that matches
            <code>ct.rel &amp;&amp; !ct.est &amp;&amp; !ct.new </code>
            with an action of <code>ct_commit_nat;</code>, if the router
            has load balancer assigned to it. Along with two priority 70 flows
            that match <code>skip_snat</code> and <code>force_snat</code>
            flags.
        </p>
      </li>
    </ul>

    <p>Ingress Table 7: DNAT on Gateway Routers</p>

    <ul>
      <li>
        For each configuration in the OVN Northbound database, that asks
        to change the destination IP address of a packet from <var>A</var> to
        <var>B</var>, a priority-100 flow matches <code>ip &amp;&amp;
        ip4.dst == <var>A</var></code> or <code>ip &amp;&amp;
        ip6.dst == <var>A</var></code> with an action
        <code>flags.loopback = 1; ct_dnat(<var>B</var>);</code>.  If the
        Gateway router is configured to force SNAT any DNATed packet,
        the above action will be replaced by
        <code>flags.force_snat_for_dnat = 1; flags.loopback = 1;
        ct_dnat(<var>B</var>);</code>. If the NAT rule is of type
        dnat_and_snat and has <code>stateless=true</code> in the
        options, then the action would be <code>ip4/6.dst=
        (<var>B</var>)</code>.

        <p>
          If the NAT rule has <code>allowed_ext_ips</code> configured, then
          there is an additional match <code>ip4.src == <var>allowed_ext_ips
          </var></code>. Similarly, for IPV6, match would be <code>ip6.src ==
          <var>allowed_ext_ips</var></code>.
        </p>

        <p>
          If the NAT rule has <code>exempted_ext_ips</code> set, then
          there is an additional flow configured at priority 101.
          The flow matches if source ip is an <code>exempted_ext_ip</code>
          and the action is <code>next; </code>. This flow is used to
          bypass the ct_dnat action for a packet originating from
          <code>exempted_ext_ips</code>.
        </p>

      </li>

      <li>
        A priority-0 logical flow with match <code>1</code> has actions
        <code>next;</code>.
      </li>
    </ul>

    <p>Ingress Table 7: DNAT on Distributed Routers</p>

    <p>
      On distributed routers, the DNAT table only handles packets
      with destination IP address that needs to be DNATted from a
      virtual IP address to a real IP address.  The unDNAT processing
      in the reverse direction is handled in a separate table in the
      egress pipeline.
    </p>

    <ul>
      <li>
        <p>
          For each configuration in the OVN Northbound database, that asks
          to change the destination IP address of a packet from <var>A</var> to
          <var>B</var>, a priority-100 flow matches <code>ip &amp;&amp;
          ip4.dst == <var>B</var> &amp;&amp; inport == <var>GW</var></code>,
          where <var>GW</var> is the logical router gateway port corresponding
          to the NAT rule (specified or inferred), with an action
          <code>ct_dnat(<var>B</var>);</code>.  The match will include
          <code>ip6.dst == <var>B</var></code> in the IPv6 case.
          If the NAT rule is of type dnat_and_snat and has
          <code>stateless=true</code> in the options, then the action
          would be <code>ip4/6.dst=(<var>B</var>)</code>.
        </p>

        <p>
          If the NAT rule cannot be handled in a distributed manner, then
          the priority-100 flow above is only programmed on the
          gateway chassis.
        </p>

        <p>
          If the NAT rule has <code>allowed_ext_ips</code> configured, then
          there is an additional match <code>ip4.src == <var>allowed_ext_ips
          </var></code>. Similarly, for IPV6, match would be <code>ip6.src ==
          <var>allowed_ext_ips</var></code>.
        </p>

        <p>
          If the NAT rule has <code>exempted_ext_ips</code> set, then
          there is an additional flow configured at priority 101.
          The flow matches if source ip is an <code>exempted_ext_ip</code>
          and the action is <code>next; </code>. This flow is used to
          bypass the ct_dnat action for a packet originating from
          <code>exempted_ext_ips</code>.
        </p>

        <p>
          A priority-0 logical flow with match <code>1</code> has actions
          <code>next;</code>.
        </p>
      </li>
    </ul>

    <h3>Ingress Table 8: Load balancing affinity learn</h3>

    <p>
      Load balancing affinity learn table contains the following
      logical flows:
    </p>

    <ul>
      <li>
        For all the configured load balancing rules for a logical router where
        a positive affinity timeout <var>T</var> is specified in <code>options
        </code> column, that includes a L4 port <var>PORT</var> of protocol
        <var>P</var> and IPv4 or IPv6 address <var>VIP</var>, a priority-100
        flow that matches on <code>reg9[6] == 0 &amp;&amp; ct.new &amp;&amp;
        ip &amp;&amp; reg0 == <var>VIP</var> &amp;&amp; <var>P</var> &amp;&amp;
        reg9[16..31] == </code> <code><var>PORT</var></code> (<code>xxreg0 ==
        <var>VIP</var> </code> in the IPv6 case) with an action of
        <code>commit_lb_aff(vip = <var>VIP</var>:<var>PORT</var>, backend =
        <var>backend ip</var>: <var>backend port</var>, proto = <var>P</var>,
        timeout = <var>T</var>);</code>.
      </li>

      <li>
        A priority 0 flow is added which matches on all packets and applies
        the action <code>next;</code>.
      </li>
    </ul>

    <h3>Ingress Table 9: ECMP symmetric reply processing</h3>
    <ul>
      <li>
        If ECMP routes with symmetric reply are configured in the
        <code>OVN_Northbound</code> database for a gateway router, a
        priority-100 flow is added for each router port on which symmetric
        replies are configured. The matching logic for these ports essentially
        reverses the configured logic of the ECMP route. So for instance, a
        route with a destination routing policy will instead match if the
        source IP address matches the static route's prefix. The flow uses
        the action <code>ct_commit { ct_label.ecmp_reply_eth = eth.src;"
        " ct_mark.ecmp_reply_port = <var>K</var>;}; commit_ecmp_nh(); next;
        </code> to commit the connection and storing <code>eth.src</code> and
        the ECMP reply port binding tunnel key <var>K</var> in the
        <code>ct_label</code> and the traffic pattern to table
        <code>76</code> or <code>77</code>.
      </li>
    </ul>

    <h3>Ingress Table 10: IPv6 ND RA option processing</h3>

    <ul>
      <li>
        <p>
          A priority-50 logical flow is added for each logical router port
          configured with IPv6 ND RA options which matches IPv6 ND Router
          Solicitation packet and applies the action
          <code>put_nd_ra_opts</code> and advances the packet to the next
          table.
        </p>

        <pre>
reg0[5] = put_nd_ra_opts(<var>options</var>);next;
        </pre>

        <p>
          For a valid IPv6 ND RS packet, this transforms the packet into an
          IPv6 ND RA reply and sets the RA options to the packet and stores 1
          into reg0[5]. For other kinds of packets, it just stores 0 into
          reg0[5]. Either way, it continues to the next table.
        </p>
      </li>

      <li>
        A priority-0 logical flow with match <code>1</code> has actions
        <code>next;</code>.
      </li>
    </ul>

    <h3>Ingress Table 11: IPv6 ND RA responder</h3>

    <p>
      This table implements IPv6 ND RA responder for the IPv6 ND RA replies
      generated by the previous table.
    </p>

    <ul>
      <li>
        <p>
          A priority-50 logical flow is added for each logical router port
          configured with IPv6 ND RA options which matches IPv6 ND RA
          packets and <code>reg0[5] == 1</code> and responds back to the
          <code>inport</code> after applying these actions.
          If <code>reg0[5]</code> is set to 1, it means that the action
          <code>put_nd_ra_opts</code> was successful.
        </p>

        <pre>
eth.dst = eth.src;
eth.src = <var>E</var>;
ip6.dst = ip6.src;
ip6.src = <var>I</var>;
outport = <var>P</var>;
flags.loopback = 1;
output;
        </pre>

        <p>
          where <var>E</var> is the MAC address and <var>I</var> is the IPv6
          link local address of the logical router port.
        </p>

        <p>
          (This terminates packet processing in ingress pipeline; the packet
          does not go to the next ingress table.)
        </p>
      </li>

      <li>
        A priority-0 logical flow with match <code>1</code> has actions
        <code>next;</code>.
      </li>
    </ul>

    <h3>Ingress Table 12: IP Routing Pre</h3>

    <p>
      If a packet arrived at this table from Logical Router Port <var>P</var>
      which has <code>options:route_table</code> value set, a logical flow with
      match <code>inport == "<var>P</var>"</code> with priority 100 and action
      setting unique-generated per-datapath 32-bit value (non-zero) in OVS
      register 7.  This register's value is checked in next table.  If packet
      didn't match any configured inport (<var>&lt;main&gt;</var> route table),
      register 7 value is set to 0.
    </p>

    <p>
      This table contains the following logical flows:
    </p>

    <ul>
      <li>
        <p>
          Priority-100 flow with match <code>inport == "LRP_NAME"</code> value
          and action, which set route table identifier in reg7.
        </p>

        <p>
          A priority-0 logical flow with match <code>1</code> has actions
          <code>reg7 = 0; next;</code>.
        </p>
      </li>
    </ul>

    <h3>Ingress Table 13: IP Routing</h3>

    <p>
      A packet that arrives at this table is an IP packet that should be
      routed to the address in <code>ip4.dst</code> or
      <code>ip6.dst</code>.  This table implements IP routing, setting
      <code>reg0</code> (or <code>xxreg0</code> for IPv6) to the next-hop IP
      address (leaving <code>ip4.dst</code> or <code>ip6.dst</code>, the
      packet's final destination, unchanged) and advances to the next
      table for ARP resolution.  It also sets <code>reg1</code> (or
      <code>xxreg1</code>) to the IP address owned by the selected router
      port (ingress table <code>ARP Request</code> will generate an ARP
      request, if needed, with <code>reg0</code> as the target protocol
      address and <code>reg1</code> as the source protocol address).
    </p>

    <p>
      For ECMP routes, i.e. multiple static routes with same policy and
      prefix but different nexthops, the above actions are deferred to next
      table.  This table, instead, is responsible for determine the ECMP
      group id and select a member id within the group based on 5-tuple
      hashing.  It stores group id in <code>reg8[0..15]</code> and member id in
      <code>reg8[16..31]</code>. This step is skipped with a priority-10300
      rule if the traffic going out the ECMP route is reply traffic, and the
      ECMP route was configured to use symmetric replies. Instead, the stored
      values in conntrack is used to choose the destination. The
      <code>ct_label.ecmp_reply_eth</code> tells the destination MAC address to
      which the packet should be sent. The <code>ct_mark.ecmp_reply_port</code>
      tells the logical router port on which the packet should be sent. These
      values saved to the conntrack fields when the initial ingress traffic is
      received over the ECMP route and committed to conntrack.
      If <code>REGBIT_KNOWN_ECMP_NH</code> is set, the priority-10300
      flows in this stage set the <code>outport</code>, while the
      <code>eth.dst</code> is set by flows at the ARP/ND Resolution stage.
    </p>

    <p>
      This table contains the following logical flows:
    </p>

    <ul>
      <li>
        <p>
          Priority-10550 flow that drops IPv6 Router Solicitation/Advertisement
          packets that were not processed in previous tables.
        </p>
      </li>

      <li>
        <p>
          Priority-10550 flows that drop IGMP and MLD packets with source MAC
          address owned by the router.  These are used to prevent looping
          statically forwarded IGMP and MLD packets for which TTL is not
          decremented (it is always 1).
        </p>
      </li>

      <li>
        <p>
          Priority-10500 flows that match IP multicast traffic destined to
          groups registered on any of the attached switches and sets
          <code>outport</code> to the associated multicast group that will
          eventually flood the traffic to all interested attached logical
          switches. The flows also decrement TTL.
        </p>
      </li>

      <li>
        <p>
          Priority-10460 flows that match IGMP and MLD control packets,
          set <code>outport</code> to the <code>MC_STATIC</code>
          multicast group, which <code>ovn-northd</code>
          populates with the logical ports that have
          <ref column="options" table="Logical_Router_Port"/>
          <code>:mcast_flood='true'</code>. If no router ports are configured
          to flood multicast traffic the packets are dropped.
        </p>
      </li>

      <li>
        <p>
          Priority-10450 flow that matches unregistered IP multicast traffic
          decrements TTL and sets <code>outport</code> to the
          <code>MC_STATIC</code> multicast group, which <code>ovn-northd</code>
          populates with the logical ports that have
          <ref column="options" table="Logical_Router_Port"/>
          <code>:mcast_flood='true'</code>. If no router ports are configured
          to flood multicast traffic the packets are dropped.
        </p>
      </li>

      <li>
        <p>
          IPv4 routing table.  For each route to IPv4 network <var>N</var> with
          netmask <var>M</var>, on router port <var>P</var> with IP address
          <var>A</var> and Ethernet
          address <var>E</var>, a logical flow with match <code>ip4.dst ==
          <var>N</var>/<var>M</var></code>, whose priority is the number of
          1-bits in <var>M</var>, has the following actions:
        </p>

        <pre>
ip.ttl--;
reg8[0..15] = 0;
reg0 = <var>G</var>;
reg1 = <var>A</var>;
eth.src = <var>E</var>;
outport = <var>P</var>;
flags.loopback = 1;
next;
        </pre>

        <p>
          (Ingress table 1 already verified that <code>ip.ttl--;</code> will
          not yield a TTL exceeded error.)
        </p>

        <p>
          If the route has a gateway, <var>G</var> is the gateway IP address.
          Instead, if the route is from a configured static route, <var>G</var>
          is the next hop IP address.  Else it is <code>ip4.dst</code>.
        </p>
      </li>

      <li>
        <p>
          IPv6 routing table.  For each route to IPv6 network
          <var>N</var> with netmask <var>M</var>, on router port
          <var>P</var> with IP address <var>A</var> and Ethernet address
          <var>E</var>, a logical flow with match in CIDR notation
          <code>ip6.dst == <var>N</var>/<var>M</var></code>,
          whose priority is the integer value of <var>M</var>, has the
          following actions:
        </p>

        <pre>
ip.ttl--;
reg8[0..15] = 0;
xxreg0 = <var>G</var>;
xxreg1 = <var>A</var>;
eth.src = <var>E</var>;
outport = inport;
flags.loopback = 1;
next;
        </pre>

        <p>
          (Ingress table 1 already verified that <code>ip.ttl--;</code> will
          not yield a TTL exceeded error.)
        </p>

        <p>
          If the route has a gateway, <var>G</var> is the gateway IP address.
          Instead, if the route is from a configured static route, <var>G</var>
          is the next hop IP address.  Else it is <code>ip6.dst</code>.
        </p>

        <p>
          If the address <var>A</var> is in the link-local scope, the
          route will be limited to sending on the ingress port.
        </p>

        <p>
          For each static route the <code>reg7 == id &amp;&amp;</code> is
          prefixed in logical flow match portion.  For routes with
          <code>route_table</code> value set a unique non-zero id is used.
          For routes within <code>&lt;main&gt;</code> route table (no route
          table set), this id value is 0.
        </p>
        <p>
          For each <var>connected</var> route (route to the LRP's subnet CIDR)
          the logical flow match portion has no
          <code>reg7 == id &amp;&amp;</code> prefix to have route to LRP's
          subnets in all routing tables.
        </p>
      </li>

      <li>
        <p>
          For ECMP routes, they are grouped by policy and prefix.  An unique id
          (non-zero) is assigned to each group, and each member is also
          assigned an unique id (non-zero) within each group.
        </p>

        <p>
          For each IPv4/IPv6 ECMP group with group id <var>GID</var> and member
          ids <var>MID1</var>, <var>MID2</var>, ..., a logical flow with match
          in CIDR notation <code>ip4.dst == <var>N</var>/<var>M</var></code>,
          or <code>ip6.dst == <var>N</var>/<var>M</var></code>, whose priority
          is the integer value of <var>M</var>, has the following actions:
        </p>

        <pre>
ip.ttl--;
flags.loopback = 1;
reg8[0..15] = <var>GID</var>;
select(reg8[16..31], <var>MID1</var>, <var>MID2</var>, ...);
        </pre>
      </li>

      <li>
        A priority-0 logical flow that matches all packets not already handled
        (match <code>1</code>) and drops them (action <code>drop;</code>).
      </li>
    </ul>

    <h3>Ingress Table 14: IP_ROUTING_ECMP</h3>

    <p>
      This table implements the second part of IP routing for ECMP routes
      following the previous table.  If a packet matched a ECMP group in the
      previous table, this table matches the group id and member id stored
      from the previous table, setting <code>reg0</code>
      (or <code>xxreg0</code> for IPv6) to the next-hop IP address
      (leaving <code>ip4.dst</code> or <code>ip6.dst</code>, the
      packet's final destination, unchanged) and advances to the next
      table for ARP resolution.  It also sets <code>reg1</code> (or
      <code>xxreg1</code>) to the IP address owned by the selected router
      port (ingress table <code>ARP Request</code> will generate an ARP
      request, if needed, with <code>reg0</code> as the target protocol
      address and <code>reg1</code> as the source protocol address).
    </p>

    <p>
      This processing is skipped for reply traffic being sent out of an ECMP
      route if the route was configured to use symmetric replies.
    </p>

    <p>
      This table contains the following logical flows:
    </p>

    <ul>
      <li>
        <p>
          A priority-150 flow that matches <code>reg8[0..15] == 0</code>
          with action <code>next;</code> directly bypasses packets of non-ECMP
          routes.
        </p>
      </li>

      <li>
        <p>
          For each member with ID <var>MID</var> in each ECMP group with ID
          <var>GID</var>, a priority-100 flow with match
          <code>reg8[0..15] == <var>GID</var> &amp;&amp; reg8[16..31] == <var>MID</var></code>
          has following actions:
        </p>

        <pre>
[xx]reg0 = <var>G</var>;
[xx]reg1 = <var>A</var>;
eth.src = <var>E</var>;
outport = <var>P</var>;
        </pre>
      </li>

      <li>
        A priority-0 logical flow that matches all packets not already handled
        (match <code>1</code>) and drops them (action <code>drop;</code>).
      </li>
    </ul>

    <h3>Ingress Table 15: Router policies</h3>
    <p>
      This table adds flows for the logical router policies configured
      on the logical router. Please see the
      <code>OVN_Northbound</code> database <code>Logical_Router_Policy</code>
      table documentation in <code>ovn-nb</code> for supported actions.
    </p>

    <ul>
      <li>
        <p>
          For each router policy configured on the logical router, a
          logical flow is added with specified priority, match and
          actions.
        </p>
      </li>

      <li>
        <p>
          If the policy action is <code>reroute</code> with 2 or more nexthops
          defined, then the logical flow is added with the following actions:
        </p>

         <pre>
reg8[0..15] = <var>GID</var>;
reg8[16..31] = select(1,..n);
        </pre>

        <p>
          where <var>GID</var> is the ECMP group id generated by
          <code>ovn-northd</code> for this policy and <var>n</var>
          is the number of nexthops. <code>select</code> action
          selects one of the nexthop member id, stores it in the register
          <code>reg8[16..31]</code> and advances the packet to the
          next stage.
        </p>
      </li>

      <li>
        <p>
          If the policy action is <code>reroute</code> with just one nexhop,
          then the logical flow is added with the following actions:
        </p>

         <pre>
[xx]reg0 = <var>H</var>;
eth.src = <var>E</var>;
outport = <var>P</var>;
reg8[0..15] = 0;
flags.loopback = 1;
next;
        </pre>

        <p>
          where <var>H</var> is the <code>nexthop </code> defined in the
          router policy, <var>E</var> is the ethernet address of the
          logical router port from which the <code>nexthop</code> is
          reachable and <var>P</var> is the logical router port from
          which the <code>nexthop</code> is reachable.
        </p>
      </li>

      <li>
        <p>
          If a router policy has the option <code>pkt_mark=<var>m</var></code>
          set and if the action is <code>not</code> drop, then the action also
          includes <code>pkt.mark = <var>m</var></code> to mark the packet
          with the marker <var>m</var>.
        </p>
      </li>
    </ul>

    <h3>Ingress Table 16: ECMP handling for router policies</h3>
    <p>
      This table handles the ECMP for the router policies configured
      with multiple nexthops.
    </p>

    <ul>
      <li>
        <p>
          A priority-150 flow is added to advance the packet to the next stage
          if the ECMP group id register <code>reg8[0..15]</code> is 0.
        </p>
      </li>

      <li>
        <p>
          For each ECMP reroute router policy with multiple nexthops,
          a priority-100 flow is added for each nexthop <var>H</var>
          with the match <code>reg8[0..15] == <var>GID</var> &amp;&amp;
          reg8[16..31] == <var>M</var></code> where <var>GID</var>
          is the router policy group id generated by <code>ovn-northd</code>
          and <var>M</var> is the member id of the nexthop <var>H</var>
          generated by <code>ovn-northd</code>. The following actions are added
          to the flow:
        </p>

        <pre>
[xx]reg0 = <var>H</var>;
eth.src = <var>E</var>;
outport = <var>P</var>
"flags.loopback = 1; "
"next;"
        </pre>

        <p>
          where <var>H</var> is the <code>nexthop </code> defined in the
          router policy, <var>E</var> is the ethernet address of the
          logical router port from which the <code>nexthop</code> is
          reachable and <var>P</var> is the logical router port from
          which the <code>nexthop</code> is reachable.
        </p>
      </li>

      <li>
        A priority-0 logical flow that matches all packets not already handled
        (match <code>1</code>) and drops them (action <code>drop;</code>).
      </li>
    </ul>

    <h3>Ingress Table 17: ARP/ND Resolution</h3>

    <p>
      Any packet that reaches this table is an IP packet whose next-hop
      IPv4 address is in <code>reg0</code> or IPv6 address is in
      <code>xxreg0</code>.  (<code>ip4.dst</code> or
      <code>ip6.dst</code> contains the final destination.)  This table
      resolves the IP address in <code>reg0</code> (or
      <code>xxreg0</code>) into an output port in <code>outport</code>
      and an Ethernet address in <code>eth.dst</code>, using the
      following flows:
    </p>

    <ul>
      <li>
        <p>
          A priority-500 flow that matches IP multicast traffic that was
          allowed in the routing pipeline. For this kind of traffic the
          <code>outport</code> was already set so the flow just advances to
          the next table.
        </p>
      </li>

      <li>
        <p>
          Priority-200 flows that match ECMP reply traffic for the routes
          configured to use symmetric replies, with actions
          <code>push(xxreg1); xxreg1 = ct_label; eth.dst = xxreg1[32..79]; pop(xxreg1); next;</code>.
          <code>xxreg1</code> is used here to avoid masked access to ct_label,
          to make the flow HW-offloading friendly.
        </p>
      </li>

      <li>
        <p>
          Static MAC bindings.  MAC bindings can be known statically based on
          data in the <code>OVN_Northbound</code> database.  For router ports
          connected to logical switches, MAC bindings can be known statically
          from the <code>addresses</code> column in the
          <code>Logical_Switch_Port</code> table.  For router ports
          connected to other logical routers, MAC bindings can be known
          statically from the <code>mac</code> and <code>networks</code>
          column in the <code>Logical_Router_Port</code> table.  (Note: the
          flow is NOT installed for the IP addresses that belong to a neighbor
          logical router port if the current router has the
          <code>options:dynamic_neigh_routers</code> set to <code>true</code>)
        </p>

        <p>
          For each IPv4 address <var>A</var> whose host is known to have
          Ethernet address <var>E</var> on router port <var>P</var>, a
          priority-100 flow with match <code>outport === <var>P</var>
          &amp;&amp; reg0 == <var>A</var></code> has actions
          <code>eth.dst = <var>E</var>; next;</code>.
        </p>

        <p>
          For each virtual ip <var>A</var> configured on a logical port
          of type <code>virtual</code> and its virtual parent set in
          its corresponding <ref db="OVN_Southbound" table="Port_Binding"/>
          record and the virtual parent with the Ethernet address <var>E</var>
          and the virtual ip is reachable via the router port <var>P</var>, a
          priority-100 flow with match <code>outport === <var>P</var>
          &amp;&amp; xxreg0/reg0 == <var>A</var></code> has actions
          <code>eth.dst = <var>E</var>; next;</code>.
        </p>

        <p>
          For each virtual ip <var>A</var> configured on a logical port
          of type <code>virtual</code> and its virtual parent <code>not</code>
          set in its corresponding
          <ref db="OVN_Southbound" table="Port_Binding"/>
          record and the virtual ip <var>A</var> is reachable via the
          router port <var>P</var>, a
          priority-100 flow with match <code>outport === <var>P</var>
          &amp;&amp; xxreg0/reg0 == <var>A</var></code> has actions
          <code>eth.dst = <var>00:00:00:00:00:00</var>; next;</code>.
          This flow is added so that the ARP is always resolved for the
          virtual ip <var>A</var> by generating ARP request and
          <code>not</code> consulting the MAC_Binding table as it can have
          incorrect value for the virtual ip <var>A</var>.
        </p>

        <p>
          For each IPv6 address <var>A</var> whose host is known to have
          Ethernet address <var>E</var> on router port <var>P</var>, a
          priority-100 flow with match <code>outport === <var>P</var>
          &amp;&amp; xxreg0 == <var>A</var></code> has actions
          <code>eth.dst = <var>E</var>; next;</code>.
        </p>

        <p>
          For each logical router port with an IPv4 address <var>A</var> and
          a mac address of <var>E</var> that is reachable via a different
          logical router port <var>P</var>, a priority-100 flow with
          match <code>outport === <var>P</var> &amp;&amp; reg0 ==
          <var>A</var></code> has actions <code>eth.dst = <var>E</var>;
          next;</code>.
        </p>

        <p>
          For each logical router port with an IPv6 address <var>A</var> and
          a mac address of <var>E</var> that is reachable via a different
          logical router port <var>P</var>, a priority-100 flow with
          match <code>outport === <var>P</var> &amp;&amp; xxreg0 ==
          <var>A</var></code> has actions <code>eth.dst = <var>E</var>;
          next;</code>.
        </p>
      </li>

      <li>
        <p>
          Static MAC bindings from NAT entries.  MAC bindings can also be known
          for the entries in the <code>NAT</code> table. Below flows are
          programmed for distributed logical routers i.e with a distributed
          router port.
        </p>

        <p>
          For each row in the <code>NAT</code> table with IPv4 address
          <var>A</var> in the <ref column="external_ip"
          table="NAT" db="OVN_Northbound"/> column of
          <ref table="NAT" db="OVN_Northbound"/> table, below two flows are
          programmed:
        </p>

        <p>
          A priority-100 flow with the match <code>outport == <var>P</var>
          &amp;&amp; reg0 == <var>A</var></code> has actions <code>eth.dst =
          <var>E</var>; next;</code>, where <code>P</code> is the distributed
          logical router port, <var>E</var> is the Ethernet address if set in
          the <ref column="external_mac" table="NAT" db="OVN_Northbound"/>
          column of <ref table="NAT" db="OVN_Northbound"/> table for of type
          <code>dnat_and_snat</code>, otherwise the Ethernet address of the
          distributed logical router port. Note that if the
          <ref column="external_ip" table="NAT" db="OVN_Northbound"/> is not
          within a subnet on the owning logical router, then OVN will only
          create ARP resolution flows if the <ref column="options:add_route"/>
          is set to <code>true</code>. Otherwise, no ARP resolution flows
          will be added.
        </p>

        <p>
          Corresponding to the above flow, a priority-150 flow with the match
          <code>inport == <var>P</var> &amp;&amp; outport == <var>P</var>
          &amp;&amp; ip4.dst == <var>A</var></code> has actions
          <code>drop;</code> to exclude packets that have gone through
          DNAT/unSNAT stage but failed to convert the destination, to avoid
          loop.
        </p>

        <p>
          For IPv6 NAT entries, same flows are added, but using the register
          <code>xxreg0</code> and field <code>ip6</code> for the match.
        </p>
      </li>

      <li>
        <p>
          If the router datapath runs a port with <code>redirect-type</code>
          set to <code>bridged</code>, for each distributed NAT rule with IP
          <var>A</var> in the
          <ref column="logical_ip" table="NAT" db="OVN_Northbound"/> column
          and logical port <var>P</var> in the
          <ref column="logical_port" table="NAT" db="OVN_Northbound"/> column
          of <ref table="NAT" db="OVN_Northbound"/> table, a priority-90 flow
          with the match <code>outport == <var>Q</var> &amp;&amp; ip.src ===
          <var>A</var> &amp;&amp; is_chassis_resident(<var>P</var>)</code>,
          where <code>Q</code> is the distributed logical router port and
          action <code>get_arp(outport, reg0); next;</code> for IPv4 and
          <code>get_nd(outport, xxreg0); next;</code> for IPv6.
        </p>
      </li>

      <li>
        <p>
          Traffic with IP destination an address owned by the router should be
          dropped. Such traffic is normally dropped in ingress table
          <code>IP Input</code> except for IPs that are also shared with SNAT
          rules. However, if there was no unSNAT operation that happened
          successfully until this point in the pipeline and the destination IP
          of the packet is still a router owned IP, the packets can be safely
          dropped.
        </p>

        <p>
          A priority-2 logical flow with match <code>ip4.dst = {..}</code>
          matches on traffic destined to router owned IPv4 addresses which are
          also SNAT IPs. This flow has action <code>drop;</code>.
        </p>

        <p>
          A priority-2 logical flow with match <code>ip6.dst = {..}</code>
          matches on traffic destined to router owned IPv6 addresses which are
          also SNAT IPs. This flow has action <code>drop;</code>.
        </p>

        <p>
          A priority-0 logical that flow matches all packets not already
          handled (match <code>1</code>) and drops them
          (action <code>drop;</code>).
        </p>
      </li>

      <li>
        <p>
          Dynamic MAC bindings.  These flows resolve MAC-to-IP bindings
          that have become known dynamically through ARP or neighbor
          discovery.  (The ingress table <code>ARP Request</code> will
          issue an ARP or neighbor solicitation request for cases where
          the binding is not yet known.)
        </p>

        <p>
          A priority-0 logical flow with match <code>ip4</code> has actions
          <code>get_arp(outport, reg0); next;</code>.
        </p>

        <p>
          A priority-0 logical flow with match <code>ip6</code> has actions
          <code>get_nd(outport, xxreg0); next;</code>.
        </p>
      </li>

      <li>
        <p>
          For a distributed gateway LRP with <code>redirect-type</code>
          set to <code>bridged</code>, a priority-50 flow will match
          <code>outport == "ROUTER_PORT" and !is_chassis_resident
          ("cr-ROUTER_PORT")</code> has actions <code>eth.dst = <var>E</var>;
          next;</code>, where <var>E</var> is the ethernet address of the
          logical router port.
        </p>
      </li>

    </ul>

    <h3>Ingress Table 18: Check packet length</h3>

    <p>
      For distributed logical routers or gateway routers with gateway
      port configured with <code>options:gateway_mtu</code> to a valid
      integer value, this table adds a priority-50 logical flow with
      the match <code>outport == <var>GW_PORT</var></code> where
      <var>GW_PORT</var> is the gateway router port and applies the
      action <code>check_pkt_larger</code> and advances the packet to
      the next table.
    </p>

    <pre>
REGBIT_PKT_LARGER = check_pkt_larger(<var>L</var>); next;
    </pre>

    <p>
      where <var>L</var> is the packet length to check for. If the packet
      is larger than <var>L</var>, it stores 1 in the register bit
      <code>REGBIT_PKT_LARGER</code>. The value of
      <var>L</var> is taken from <ref column="options:gateway_mtu"
      table="Logical_Router_Port" db="OVN_Northbound"/> column of
      <ref table="Logical_Router_Port" db="OVN_Northbound"/> row.
    </p>

    <p>
      If the port is also configured with
      <code>options:gateway_mtu_bypass</code> then another flow is
      added, with priority-55, to bypass the <code>check_pkt_larger</code>
      flow.
    </p>

    <p>
      This table adds one priority-0 fallback flow that matches all packets
      and advances to the next table.
    </p>

    <h3>Ingress Table 19: Handle larger packets</h3>

    <p>
      For distributed logical routers or gateway routers with gateway port
      configured with <code>options:gateway_mtu</code> to a valid integer
      value, this table adds the following priority-150 logical flow for each
      logical router port with the match <code>inport == <var>LRP</var>
      &amp;&amp; outport == <var>GW_PORT</var> &amp;&amp; REGBIT_PKT_LARGER
      &amp;&amp; !REGBIT_EGRESS_LOOPBACK</code>, where <var>LRP</var> is the
      logical router port and <var>GW_PORT</var> is the gateway port and
      applies the following action for ipv4 and ipv6 respectively:
    </p>

    <pre>
icmp4 {
    icmp4.type = 3; /* Destination Unreachable. */
    icmp4.code = 4;  /* Frag Needed and DF was Set. */
    icmp4.frag_mtu = <var>M</var>;
    eth.dst = <var>E</var>;
    ip4.dst = ip4.src;
    ip4.src = <var>I</var>;
    ip.ttl = 255;
    REGBIT_EGRESS_LOOPBACK = 1;
    REGBIT_PKT_LARGER = 0;
    next(pipeline=ingress, table=0);
};

icmp6 {
    icmp6.type = 2;
    icmp6.code = 0;
    icmp6.frag_mtu = <var>M</var>;
    eth.dst = <var>E</var>;
    ip6.dst = ip6.src;
    ip6.src = <var>I</var>;
    ip.ttl = 255;
    REGBIT_EGRESS_LOOPBACK = 1;
    REGBIT_PKT_LARGER = 0;
    next(pipeline=ingress, table=0);
};
    </pre>

    <ul>
      <li>
        Where <var>M</var> is the (fragment MTU - 58) whose value is taken from
        <ref column="options:gateway_mtu" table="Logical_Router_Port"
        db="OVN_Northbound"/> column of
        <ref table="Logical_Router_Port" db="OVN_Northbound"/> row.
      </li>

      <li>
        <var>E</var> is the Ethernet address of the logical router port.
      </li>

      <li>
        <var>I</var> is the IPv4/IPv6 address of the logical router port.
      </li>
    </ul>

    <p>
      This table adds one priority-0 fallback flow that matches all packets
      and advances to the next table.
    </p>

    <h3>Ingress Table 20: Gateway Redirect</h3>

    <p>
      For distributed logical routers where one or more of the logical router
      ports specifies a gateway chassis, this table redirects
      certain packets to the distributed gateway port instances on the
      gateway chassises.  This table has the following flows:
    </p>

    <ul>
      <li>
        For each NAT rule in the OVN Northbound database that can
        be handled in a distributed manner, a priority-100 logical
        flow with match <code>ip4.src == <var>B</var> &amp;&amp;
        outport == <var>GW</var></code> &amp;&amp;
        is_chassis_resident(<var>P</var>), where <var>GW</var> is
        the distributed gateway port specified in the
        NAT rule and <var>P</var> is the NAT logical port. IP traffic
        matching the above rule will be managed locally setting
        <code>reg1</code> to <var>C</var> and
        <code>eth.src</code> to <var>D</var>, where <var>C</var> is NAT
        external ip and <var>D</var> is NAT external mac.
      </li>

      <li>
        For each <code>dnat_and_snat</code> NAT rule with
        <code>stateless=true</code> and <code>allowed_ext_ips</code>
        configured, a priority-75 flow is programmed with match
        <code>ip4.dst == <var>B</var></code> and action
        <code>outport = <var>CR</var>; next;</code> where <var>B</var>
        is the NAT rule external IP and <var>CR</var> is the
        <code>chassisredirect</code> port representing the instance
        of the logical router distributed gateway port on the
        gateway chassis. Moreover a priority-70 flow is programmed
        with same match and action <code>drop;</code>.
        For each <code>dnat_and_snat</code> NAT rule with
        <code>stateless=true</code> and <code>exempted_ext_ips</code>
        configured, a priority-75 flow is programmed with match
        <code>ip4.dst == <var>B</var></code> and action
        <code>drop;</code> where <var>B</var> is the NAT rule
        external IP.
        A similar flow is added for IPv6 traffic.
      </li>

      <li>
        For each NAT rule in the OVN Northbound database that can
        be handled in a distributed manner, a priority-80 logical flow
        with drop action if the NAT logical port is a virtual port not
        claimed by any chassis yet.
      </li>

      <li>
        A priority-50 logical flow with match
        <code>outport == <var>GW</var></code> has actions
        <code>outport = <var>CR</var>; next;</code>, where
        <var>GW</var> is the logical router distributed gateway
        port and <var>CR</var> is the <code>chassisredirect</code>
        port representing the instance of the logical router
        distributed gateway port on the
        gateway chassis.
      </li>

      <li>
        A priority-0 logical flow with match <code>1</code> has actions
        <code>next;</code>.
      </li>
    </ul>

    <h3>Ingress Table 21: ARP Request</h3>

    <p>
      In the common case where the Ethernet destination has been resolved, this
      table outputs the packet.  Otherwise, it composes and sends an ARP or
      IPv6 Neighbor Solicitation request.  It holds the following flows:
    </p>

    <ul>
      <li>
        <p>
          Unknown MAC address.  A priority-100 flow for IPv4 packets with match
          <code>eth.dst == 00:00:00:00:00:00</code> has the following actions:
        </p>

        <pre>
arp {
    eth.dst = ff:ff:ff:ff:ff:ff;
    arp.spa = reg1;
    arp.tpa = reg0;
    arp.op = 1;  /* ARP request. */
    output;
};
        </pre>

        <p>
          Unknown MAC address.  For each IPv6 static route associated with the
          router with the nexthop IP: <var>G</var>, a priority-200 flow
          for IPv6 packets with match
          <code>eth.dst == 00:00:00:00:00:00 &amp;&amp;
          xxreg0 == <var>G</var></code>
          with the following actions is added:
        </p>

        <pre>
nd_ns {
    eth.dst = <var>E</var>;
    ip6.dst = <var>I</var>
    nd.target = <var>G</var>;
    output;
};
        </pre>

        <p>
          Where <var>E</var> is the multicast mac derived from the Gateway IP,
          <var>I</var> is the solicited-node multicast address corresponding
          to the target address <var>G</var>.
        </p>

        <p>
          Unknown MAC address.  A priority-100 flow for IPv6 packets with match
          <code>eth.dst == 00:00:00:00:00:00</code> has the following actions:
        </p>

        <pre>
nd_ns {
    nd.target = xxreg0;
    output;
};
        </pre>

        <p>
          (Ingress table <code>IP Routing</code> initialized <code>reg1</code>
          with the IP address owned by <code>outport</code> and
          <code>(xx)reg0</code> with the next-hop IP address)
        </p>

        <p>
          The IP packet that triggers the ARP/IPv6 NS request is dropped.
        </p>
      </li>

      <li>
        Known MAC address.  A priority-0 flow with match <code>1</code> has
        actions <code>output;</code>.
      </li>
    </ul>

    <h3>Egress Table 0: Check DNAT local </h3>

    <p>
      This table checks if the packet needs to be DNATed in the router ingress
      table <code>lr_in_dnat</code> after it is SNATed  and looped back
      to the ingress pipeline.  This check is done only for routers configured
      with distributed gateway ports and NAT entries.  This check is done
      so that SNAT and DNAT is done in different zones instead of a common
      zone.
    </p>

    <ul>
      <li>
        <p>
          For each NAT rule in the OVN Northbound database on a
          distributed router, a priority-50 logical flow with match
          <code>ip4.dst == <var>E</var> &amp;&amp;
          is_chassis_resident(<var>P</var>)</code>, where <var>E</var> is the
          external IP address specified in the NAT rule, <var>GW</var>
          is the logical router distributed gateway port. For dnat_and_snat
          NAT rule, <var>P</var> is the logical port specified in the NAT rule.
          If <ref column="logical_port"
          table="NAT" db="OVN_Northbound"/> column of
          <ref table="NAT" db="OVN_Northbound"/> table is NOT set, then
          <var>P</var> is the <code>chassisredirect port</code> of
          <var>GW</var> with the actions:
          <code>REGBIT_DST_NAT_IP_LOCAL = 1; next; </code>
        </p>
      </li>

      <li>
        A priority-0 logical flow with match <code>1</code> has actions
        <code>REGBIT_DST_NAT_IP_LOCAL = 0; next;</code>.
      </li>
    </ul>

    <p>
      This table also installs a priority-50 logical flow for each logical
      router that has NATs configured on it. The flow has match
      <code>ip &amp;&amp; ct_label.natted == 1</code> and action
      <code>REGBIT_DST_NAT_IP_LOCAL = 1; next;</code>. This is intended
      to ensure that traffic that was DNATted locally will use a separate
      conntrack zone for SNAT if SNAT is required later in the egress
      pipeline. Note that this flow checks the value of
      <code>ct_label.natted</code>, which is set in the ingress pipeline.
      This means that ovn-northd assumes that this value is carried over
      from the ingress pipeline to the egress pipeline and is not altered
      or cleared. If conntrack label values are ever changed to be cleared
      between the ingress and egress pipelines, then the match conditions
      of this flow will be updated accordingly.
    </p>

    <h3>Egress Table 1: UNDNAT</h3>

    <p>
      This is for already established connections' reverse traffic.
      i.e., DNAT has already been done in ingress pipeline and now the
      packet has entered the egress pipeline as part of a reply.  This traffic
      is unDNATed here.
    </p>

    <ul>
      <li>
        A priority-0 logical flow with match <code>1</code> has actions
        <code>next;</code>.
      </li>
    </ul>

    <h3>Egress Table 1: UNDNAT on Gateway Routers</h3>

    <ul>
      <li>
        For all IP packets, a priority-50 flow with an action
        <code>flags.loopback = 1; ct_dnat;</code>.
      </li>
    </ul>

    <h3>Egress Table 1: UNDNAT on Distributed Routers</h3>
    <ul>
      <li>
        <p>
          For all the configured load balancing rules for a router with gateway
          port in <code>OVN_Northbound</code> database that includes an IPv4
          address <code>VIP</code>, for every backend IPv4 address <var>B</var>
          defined for the <code>VIP</code> a priority-120 flow is programmed on
          gateway chassis that matches
          <code>ip &amp;&amp; ip4.src == <var>B</var> &amp;&amp;
          outport == <var>GW</var></code>, where <var>GW</var> is the logical
          router gateway port with an action <code>ct_dnat_in_czone;</code>.
          If the backend IPv4 address <var>B</var> is also configured with
          L4 port <var>PORT</var> of protocol <var>P</var>, then the
          match also includes <code>P.src</code> == <var>PORT</var>.  These
          flows are not added for load balancers with IPv6 <var>VIPs</var>.
        </p>

        <p>
          If the router is configured to force SNAT  any load-balanced packets,
          above action will be replaced by
          <code>flags.force_snat_for_lb = 1; ct_dnat;</code>.
        </p>
      </li>

      <li>
        <p>
          For each configuration in the OVN Northbound database that asks
          to change the destination IP address of a packet from an IP
          address of <var>A</var> to <var>B</var>, a priority-100 flow
          matches <code>ip &amp;&amp; ip4.src == <var>B</var>
          &amp;&amp; outport == <var>GW</var></code>, where <var>GW</var>
          is the logical router gateway port, with an action
          <code>ct_dnat_in_czone;</code>. If the NAT rule is of type
          dnat_and_snat and has <code>stateless=true</code> in the
          options, then the action would be <code>next;</code>.
        </p>

        <p>
          If the NAT rule cannot be handled in a distributed manner, then
          the priority-100 flow above is only programmed on the
          gateway chassis with the action <code>ct_dnat_in_czone</code>.
        </p>

        <p>
          If the NAT rule can be handled in a distributed manner, then
          there is an additional action
          <code>eth.src = <var>EA</var>;</code>, where <var>EA</var>
          is the ethernet address associated with the IP address
          <var>A</var> in the NAT rule.  This allows upstream MAC
          learning to point to the correct chassis.
        </p>
      </li>

    </ul>

    <h3>Egress Table 2: Post UNDNAT</h3>

    <p>
      <ul>
        <li>
          A priority-50 logical flow is added that commits any untracked flows
          from the previous table <code>lr_out_undnat</code> for Gateway
          routers.  This flow matches on <code>ct.new &amp;&amp; ip</code>
          with action <code>ct_commit { } ; next; </code>.
        </li>

        <li>
          A priority-0 logical flow with match <code>1</code> has actions
        <code>next;</code>.
        </li>

      </ul>
    </p>

    <h3>Egress Table 3: SNAT</h3>

    <p>
      Packets that are configured to be SNATed get their source IP address
      changed based on the configuration in the OVN Northbound database.
    </p>

    <ul>
      <li>
        A priority-120 flow to advance the IPv6 Neighbor solicitation packet
        to next table to skip SNAT. In the case where ovn-controller injects
        an IPv6 Neighbor Solicitation packet (for <code>nd_ns</code> action)
        we don't want the packet to go through conntrack.
      </li>
    </ul>

    <p>Egress Table 3: SNAT on Gateway Routers</p>

    <ul>
      <li>
        <p>
          If the Gateway router in the OVN Northbound database has been
          configured to force SNAT a packet (that has been previously DNATted)
          to <var>B</var>, a priority-100 flow matches
          <code>flags.force_snat_for_dnat == 1 &amp;&amp; ip</code> with an
          action <code>ct_snat(<var>B</var>);</code>.
        </p>
      </li>

      <li>
        <p>
          If a load balancer configured to skip snat has been applied to
          the Gateway router pipeline, a priority-120 flow matches
          <code>flags.skip_snat_for_lb == 1 &amp;&amp; ip</code> with an
          action <code>next;</code>.
        </p>
      </li>

      <li>
        <p>
          If the Gateway router in the OVN Northbound database has been
          configured to force SNAT a packet (that has been previously
          load-balanced) using router IP (i.e <ref column="options"
          table="Logical_Router"/>:lb_force_snat_ip=router_ip), then for
          each logical router port <var>P</var> attached to the Gateway
          router, a priority-110 flow matches
          <code>flags.force_snat_for_lb == 1 &amp;&amp; outport == <var>P</var>
          </code> with an action <code>ct_snat(<var>R</var>);</code>
          where <var>R</var> is the IP configured on the router port.
          If <code>R</code> is an IPv4 address then the match will also
          include <code>ip4</code> and if it is an IPv6 address, then the
          match will also include <code>ip6</code>.
        </p>

        <p>
          If the logical router port <var>P</var> is configured with multiple
          IPv4 and multiple IPv6 addresses, only the first IPv4 and first IPv6
          address is considered.
        </p>
      </li>

      <li>
        <p>
          If the Gateway router in the OVN Northbound database has been
          configured to force SNAT a packet (that has been previously
          load-balanced) to <var>B</var>, a priority-100 flow matches
          <code>flags.force_snat_for_lb == 1 &amp;&amp; ip</code> with an
          action <code>ct_snat(<var>B</var>);</code>.
        </p>
      </li>

      <li>
        <p>
          For each configuration in the OVN Northbound database, that asks
          to change the source IP address of a packet from an IP address of
          <var>A</var> or to change the source IP address of a packet that
          belongs to network <var>A</var> to <var>B</var>, a flow matches
          <code>ip &amp;&amp; ip4.src == <var>A</var> &amp;&amp;
          (!ct.trk || !ct.rpl)</code> with an action
          <code>ct_snat(<var>B</var>);</code>.  The priority of the flow
          is calculated based on the mask of <var>A</var>, with matches
          having larger masks getting higher priorities. If the NAT rule is
          of type dnat_and_snat and has <code>stateless=true</code> in the
          options, then the action would be <code>ip4/6.src=
          (<var>B</var>)</code>.
        </p>
      </li>

      <li>
        <p>
          If the NAT rule has <code>allowed_ext_ips</code> configured, then
          there is an additional match <code>ip4.dst == <var>allowed_ext_ips
          </var></code>. Similarly, for IPV6, match would be <code>ip6.dst ==
          <var>allowed_ext_ips</var></code>.
        </p>
      </li>

      <li>
        <p>
          If the NAT rule has <code>exempted_ext_ips</code> set, then
          there is an additional flow configured at the priority + 1 of
          corresponding NAT rule. The flow matches if destination ip
          is an <code>exempted_ext_ip</code> and the action is <code>next;
          </code>. This flow is used to bypass the ct_snat action for a packet
          which is destinted to <code>exempted_ext_ips</code>.
        </p>
      </li>

      <li>
        <p>
          A priority-0 logical flow with match <code>1</code> has actions
          <code>next;</code>.
        </p>
      </li>
    </ul>

    <p>Egress Table 3: SNAT on Distributed Routers</p>

    <ul>
      <li>
        <p>
          For each configuration in the OVN Northbound database, that asks
          to change the source IP address of a packet from an IP address of
          <var>A</var> or to change the source IP address of a packet that
          belongs to network <var>A</var> to <var>B</var>, two flows are
          added.  The priority <var>P</var> of these flows are calculated
          based on the mask of <var>A</var>, with matches having larger
          masks getting higher priorities.
        </p>

        <p>
          If the NAT rule cannot be handled in a distributed manner, then
          the below flows are only programmed on the gateway chassis increasing
          flow priority by 128 in order to be run first.
        </p>

        <ul>
          <li>
            The first flow is added with the calculated priority <var>P</var>
            and match <code>ip &amp;&amp; ip4.src == <var>A</var> &amp;&amp;
            outport == <var>GW</var></code>, where <var>GW</var> is the
            logical router gateway port, with an action
            <code>ct_snat_in_czone(<var>B</var>);</code> to SNATed in the
            common zone.  If the NAT rule is of type dnat_and_snat and has
            <code>stateless=true</code> in the options, then the action
            would be <code>ip4/6.src=(<var>B</var>)</code>.
          </li>

          <li>
            The second flow is added with the calculated priority
            <code><var>P</var> + 1 </code> and match
            <code>ip &amp;&amp; ip4.src == <var>A</var> &amp;&amp;
            outport == <var>GW</var> &amp;&amp;
            REGBIT_DST_NAT_IP_LOCAL == 0</code>, where <var>GW</var> is the
            logical router gateway port, with an action
            <code>ct_snat(<var>B</var>);</code> to SNAT in the snat zone.
            If the NAT rule is of type dnat_and_snat and has
            <code>stateless=true</code> in the options, then the action would
            be <code>ip4/6.src=(<var>B</var>)</code>.
          </li>
        </ul>

        <p>
          If the NAT rule can be handled in a distributed manner, then
          there is an additional action (for both the flows)
          <code>eth.src = <var>EA</var>;</code>, where <var>EA</var>
          is the ethernet address associated with the IP address
          <var>A</var> in the NAT rule.  This allows upstream MAC
          learning to point to the correct chassis.
        </p>

        <p>
          If the NAT rule has <code>allowed_ext_ips</code> configured, then
          there is an additional match <code>ip4.dst == <var>allowed_ext_ips
          </var></code>. Similarly, for IPV6, match would be <code>ip6.dst ==
          <var>allowed_ext_ips</var></code>.
        </p>

        <p>
          If the NAT rule has <code>exempted_ext_ips</code> set, then
          there is an additional flow configured at the priority
          <code><var>P</var> + 2 </code> of
          corresponding NAT rule. The flow matches if destination ip
          is an <code>exempted_ext_ip</code> and the action is <code>next;
          </code>. This flow is used to bypass the ct_snat action for a flow
          which is destinted to <code>exempted_ext_ips</code>.
        </p>

      </li>

      <li>
        A priority-0 logical flow with match <code>1</code> has actions
        <code>next;</code>.
      </li>
    </ul>

    <h3>Egress Table 4: Egress Loopback</h3>

    <p>
      For distributed logical routers where one of the logical router
      ports specifies a gateway chassis.
    </p>

    <p>
      While UNDNAT and SNAT processing have already occurred by this
      point, this traffic needs to be forced through egress loopback on
      this distributed gateway port instance, in order for UNSNAT and
      DNAT processing to be applied, and also for IP routing and ARP
      resolution after all of the NAT processing, so that the packet can
      be forwarded to the destination.
    </p>

    <p>
      This table has the following flows:
    </p>

    <ul>
      <li>
        <p>
          For each NAT rule in the OVN Northbound database on a
          distributed router, a priority-100 logical flow with match
          <code>ip4.dst == <var>E</var> &amp;&amp;
          outport == <var>GW</var> &amp;&amp;
          is_chassis_resident(<var>P</var>)</code>, where <var>E</var> is the
          external IP address specified in the NAT rule, <var>GW</var>
          is the distributed gateway port corresponding to the NAT rule
          (specified or inferred).
          For dnat_and_snat NAT rule, <var>P</var> is the logical port
          specified in the NAT rule.
          If <ref column="logical_port"
          table="NAT" db="OVN_Northbound"/> column of
          <ref table="NAT" db="OVN_Northbound"/> table is NOT set, then
          <var>P</var> is the <code>chassisredirect port</code> of
          <var>GW</var> with the following actions:
        </p>

        <pre>
clone {
    ct_clear;
    inport = outport;
    outport = "";
    flags = 0;
    flags.loopback = 1;
    flags.use_snat_zone = REGBIT_DST_NAT_IP_LOCAL;
    reg0 = 0;
    reg1 = 0;
    ...
    reg9 = 0;
    REGBIT_EGRESS_LOOPBACK = 1;
    next(pipeline=ingress, table=0);
};
        </pre>

        <p>
          <code>flags.loopback</code> is set since in_port is unchanged
          and the packet may return back to that port after NAT processing.
          <code>REGBIT_EGRESS_LOOPBACK</code> is set to indicate that
          egress loopback has occurred, in order to skip the source IP
          address check against the router address.
        </p>
      </li>

      <li>
        A priority-0 logical flow with match <code>1</code> has actions
        <code>next;</code>.
      </li>
    </ul>

    <h3>Egress Table 5: Delivery</h3>

    <p>
      Packets that reach this table are ready for delivery.  It contains:
      <ul>
        <li>
          Priority-110 logical flows that match IP multicast packets on each
          enabled logical router port and modify the Ethernet source address
          of the packets to the Ethernet address of the port and then execute
          action <code>output;</code>.
        </li>
        <li>
          Priority-100 logical flows that match packets on each enabled
          logical router port, with action <code>output;</code>.
        </li>
        <li>
          A priority-0 logical flow that matches all packets not already
          handled (match <code>1</code>) and drops them
          (action <code>drop;</code>).
        </li>
      </ul>
    </p>

    <h1>Drop sampling</h1>

    <p>
      As described in the previous section, there are several places where
      ovn-northd might decided to drop a packet by explicitly creating a
      <code>Logical_Flow</code> with the <code>drop;</code> action.
    </p>

    <p>
      When debug drop-sampling has been cofigured in the OVN Northbound
      database, the ovn-northd will replace all the <code>drop;</code>
      actions with a <code>sample(priority=65535, collector_set=<var>id</var>,
      obs_domain=<var>obs_id</var>, obs_point=@cookie)</code> action, where:
      <ul>
        <li>
        <var>id</var> is the value the <code>debug_drop_collector_set</code>
        option configured in the OVN Northbound.
        </li>
        <li>
        <var>obs_id</var> has it's 8 most significant bits equal to the value
        of the <code>debug_drop_domain_id</code> option in the OVN Northbound
        and it's 24 least significant bits equal to the datapath's tunnel key.
        </li>
      </ul>
    </p>

</manpage>