Abstract: Some embodiments provide a method for identifying unnecessary firewall rules for a distributed firewall of a logical network. The method identifies a firewall policy for network traffic of the logical network. The firewall policy includes a set of firewall rules. The method generates a set of data for implementing the firewall policy on a set of managed forwarding elements that implement the logical network. The method analyzes potential network traffic based on the generated set of data to identify a subset of unnecessary data. The method identifies a subset of unnecessary firewall rules of the set of firewall rules that corresponds to the subset of unnecessary data.

Abstract: Some embodiments provide a novel method for managing hardware forwarding elements (MHFEs) that facilitate the creation of multiple logical networks on a set of shared physical forwarding elements. The method uses a set of logical controllers that generate data that defines a set of logical networks, and a set physical controllers to distribute the generated data to the hardware forwarding elements. In some embodiments, each MHFE can serve as either a master WIFE or a slave MHFE for one set of computing end nodes (e.g., VMs, containers, etc.) in a logical network. To ensure proper routing of data packets to the computing end nodes, each MHFE sends to its physical controller an inventory (e.g., a table, a list, etc.) of the set of computing end nodes for which it serves as the master MHFE or the slave MHFE. Each physical controller forwards the inventory for each logical network to the logical controller for the logical network.

Abstract: Described herein are systems, methods, and software to enhance inline processing of data packets by a virtual switch. In at least one implementation, a virtual switch receives a data packet and initiates a flow process with a plurality of flow operations on the data packet. In a flow operation of the plurality of flow operations, the virtual switch will determine whether the data packet qualifies for a learn action and, if the packet fails to qualify, forwards the data packet to a next flow operation in the plurality of flow operations, and if the packet does qualify, applies the learn action and forwards the data packet to a next flow operation.

Abstract: Some embodiments provide a novel method of configuring a managed hardware forwarding element (MHFE) that implements a logical forwarding element (LFE) of a logical network to handle address resolution requests (e.g., Address Resolution Protocol (ARP) requests) for multiple addresses (e.g., IP addresses) associated with a single network interface of the logical network. The method identifies a physical port of the MHFE with which the multiple addresses are to be associated. The physical port is coupled to an end machine (e.g., a virtual machine, server, container, etc.) of the logical network. The method then modifies associations stored at the MHFE to associate the physical port with the multiple addresses.

Abstract: The network control system of some embodiments implements logical port classifications to implement different features of logical networks onto a physical network. The network control system of some embodiments modifies flow entries at forwarding elements of the physical network to implement the logical network. The network control system classifies logical source and destination ports into disjoint equivalence classes for logical network flows in a virtualized network, and encodes this information in the tunneled traffic carrying the logical flow. The network control system of some such embodiments provides logical port classifications to minimize the necessary flow entries at each forwarding element of the physical network.

Abstract: For a network with host machines that are hosting virtual machines, a method for facilitating BUM (broadcast, unknown unicast, and multicast) traffic between a hardware switch (e.g., ToR switch) and the host machines is provided. The network has a set of host machines configured as a cluster of replicators for replicating BUM traffic from the hardware switch to the host machines. A set of network controllers establishes failure-detection tunnels for links between the hardware switch and the replicator cluster. The replicator cluster informs the set of controllers of a change in the membership of the replicator cluster to initiate an update to the active failure-detection sessions. The set of network controllers communicates with the replicator cluster and a ToR switch to establish bidirectional forwarding detection (BFD) sessions between one or more replicator nodes in the replicator cluster and the ToR switch.

Abstract: A method for configuring a managed forwarding element (MFE) to perform logical routing operations in a logical network on behalf of a hardware switch is described. The method of some embodiments receives data that defines a logical router that logically connects several different end machines operating on several different host machines to different physical machines that are connected to the hardware switch. The method, based on the received data, defines a number of routing components for the logical router. In some embodiments, the method then configures the MFE to implement the routing components in order to enable the MFE to perform logical routing operations on behalf of the hardware switch.

Abstract: Some embodiments provide novel methods for controllers to communicate with managed hardware forwarding elements (MHFEs) in a transactional manner. The transactional communication methods of some embodiments ensure that an MHFE receives the entirety of a control plane update that a controller supplies to it, before the MHFE starts to modify its data plane forwarding data and operations. The transactional communication methods of some embodiments provide one or more transactional boundary controls to the controllers to define complete control plane data set updates. In some embodiments, the transactional controls ensure that an MHFE receives all of a control plane update before it starts to modify its data plane forwarding data. Controllers use one transactional control in some embodiments when they define logical forwarding elements (e.g., logical switches or routers) on the MHFEs.

Abstract: Some embodiments provide a method for a network controller that manages several logical networks. The method receives a specification of a logical network that includes at least one logical forwarding element attached to a logical service (e.g., DHCP). The method selects at least one host machine to host the specified logical service from several host machines designated for hosting logical services. The method generates logical service configuration information for distribution to the selected host machine. In some embodiments, the method selects a master host machine and a backup host machine for hosting logical service. In some embodiments, a particular one of the designated host machines hosts at least two DHCP services for two different logical networks as separate processes operating on the particular host machine.

Abstract: Some embodiments provide novel methods for controllers to communicate with managed hardware forwarding elements (MHFEs) in a transactional manner. The transactional communication methods of some embodiments ensure that an MHFE receives the entirety of a control plane update that a controller supplies to it, before the MHFE starts to modify its data plane forwarding data and operations. The transactional communication methods of some embodiments provide one or more transactional boundary controls to the controllers to define complete control plane data set updates. In some embodiments, the transactional controls ensure that an MHFE receives all of a control plane update before it starts to modify its data plane forwarding data. Controllers use one transactional control in some embodiments when they define logical forwarding elements (e.g., logical switches or routers) on the MHFEs.

Abstract: Certain embodiments described herein are generally directed to a hypervisor-wide data structure that holds service rule address information for multiple VIFs in a compact way, which can later be processed per-VIF, in order to perform VIF-specific address group updates. For example, certain embodiments described herein provide a network controller that maintains a global hash table for multiple VIFs that maps network addresses to groups of one or more service rules. In certain embodiments, a network address to service rules table for each VIF may be derived based on the global hash table by using set intersections.

Abstract: A method for learning a MAC address of an end machine that is logically connected to a logical network is described. The method receives configuration data for implementing a distributed logical router having different logical ports each of which is associated with a logical port of a logical switch. The method receives a packet through a first logical port of the logical router that has a destination IP address associated with a particular logical switch that is associated with a second logical port of the logical router. In order to learn the MAC address of the end machine, the method sends a first broadcast packet with a first source MAC address to a first set of forwarding elements that implements the particular logical switch, and sends a second broadcast packet with a second source MAC address to a second set of forwarding elements that also implements the particular logical switch.

Abstract: Some embodiments provide a network control system with techniques for handling failover of network controllers with minimal churn in the network state distributed to the forwarding elements of the network. Specifically, in some embodiments, the local controller designates a waiting period before computing output network state data entries based on the new version of the input network state data entries. Alternatively, or conjunctively, the local controller of some embodiments calculates the changes between the new version of input state data entries and its stored existing version of the input state data entries, and only generates new output network state data entries based on the calculated changes, in order to minimize unnecessary recalculations of the output network state data entries. The new output network state data entries may then be used by the local controller to provision its managed forwarding element.

Abstract: A managed hardware forwarding element (MHFE) that performs packet forwarding operations for a logical network is described. The MHFE receives configuration data for the logical network that defines a logical router and a set of logical switches for logically connecting several end machines that operate on different host machines to several physical machines that are connected to the MHFE. The logical router also includes multiple routing components. The MHFE also receives a first forwarding table and a second forwarding table. The first forwarding table stores linking data for each logical port of each logical switch in the set of logical switches that identifies a corresponding routing component in the logical router. The second forwarding table stores a set of routes for each routing component of the logical router. The MHFE uses the first and second forwarding tables to perform packet forwarding operations at the MHFE.

Abstract: Certain embodiments described herein are generally directed to media access control (MAC) address learning for packets sent between end points (EPs) in a network (e.g., overlay network). For example, in some embodiments, VTEPs may be used to provide packet forwarding services, load balancing services, gateway services, etc., to EPs in the network. In certain embodiments, the VTEPs may be assigned unique labels, which are used by the VTEPs to map MAC addresses of packets to destination addresses for the packets.

Abstract: Some embodiments provide a method for an application operating on a host machine. The method receives a configuration of a Dynamic Host Configuration Protocol (DHCP) service for implementation within a virtualized container on the host machine. The configuration includes several database table entries. The method converts the several database table entries into a configuration file for use by a process that operates in the virtualized container. the method initializes the process in the virtualized container. The process in the virtualized container reads the configuration file in order to perform DHCP services for machines connected to at least one logical forwarding element of a logical network.

Abstract: Some embodiments provide a novel method of configuring a managed hardware forwarding element (MHFE) that implements a logical forwarding element (LFE) of a logical network to handle address resolution requests (e.g., Address Resolution Protocol (ARP) requests) for multiple addresses (e.g., IP addresses) associated with a single network interface of the logical network. The method identifies a physical port of the MHFE with which the multiple addresses are to be associated. The physical port is coupled to an end machine (e.g., a virtual machine, server, container, etc.) of the logical network. The method then modifies associations stored at the MHFE to associate the physical port with the multiple addresses.

Abstract: Some embodiments provide a novel method for managing hardware forwarding elements (MHFEs) that facilitate the creation of multiple logical networks on a set of shared physical forwarding elements. The method uses a set of logical controllers that generate data that defines a set of logical networks, and a set physical controllers to distribute the generated data to the hardware forwarding elements. In some embodiments, each MHFE can serve as either a master MHFE or a slave MHFE for one set of computing end nodes (e.g., VMs, containers, etc.) in a logical network. To ensure proper routing of data packets to the computing end nodes, each MHFE sends to its physical controller an inventory (e.g., a table, a list, etc.) of the set of computing end nodes for which it serves as the master MHFE or the slave MHFE. Each physical controller forwards the inventory for each logical network to the logical controller for the logical network.

Abstract: Described herein are systems, methods, and software to enhance inline processing of data packets by a virtual switch. In at least one implementation, a virtual switch receives a data packet and initiates a flow process with a plurality of flow operations on the data packet. In a flow operation of the plurality of flow operations, the virtual switch will determine whether the data packet qualifies for a learn action and, if the packet fails to qualify, forwards the data packet to a next flow operation in the plurality of flow operations, and if the packet does qualify, applies the learn action and forwards the data packet to a next flow operation.

Abstract: Some embodiments provide a network control system with techniques for handling failover of network controllers with minimal churn in the network state distributed to the forwarding elements of the network. Specifically, in some embodiments, the local controller designates a waiting period before computing output network state data entries based on the new version of the input network state data entries. Alternatively, or conjunctively, the local controller of some embodiments calculates the changes between the new version of input state data entries and its stored existing version of the input state data entries, and only generates new output network state data entries based on the calculated changes, in order to minimize unnecessary recalculations of the output network state data entries. The new output network state data entries may then be used by the local controller to provision its managed forwarding element.