- * In Open vSwitch, in-band control is implemented as "hidden" flows (in
- * that they are not visible through OpenFlow) and at a higher priority
- * than wildcarded flows can be set up by the controller. This is done
- * so that the controller cannot interfere with them and possibly break
- * connectivity with its switches. It is possible to see all flows,
- * including in-band ones, with the ovs-appctl "bridge/dump-flows"
- * command.
+ * In Open vSwitch, in-band control is implemented as "hidden" flows (in that
+ * they are not visible through OpenFlow) and at a higher priority than
+ * wildcarded flows can be set up by through OpenFlow. This is done so that
+ * the OpenFlow controller cannot interfere with them and possibly break
+ * connectivity with its switches. It is possible to see all flows, including
+ * in-band ones, with the ovs-appctl "bridge/dump-flows" command.
+ *
+ * The Open vSwitch implementation of in-band control can hide traffic to
+ * arbitrary "remotes", where each remote is one TCP port on one IP address.
+ * Currently the remotes are automatically configured as the in-band OpenFlow
+ * controllers plus the OVSDB managers, if any. (The latter is a requirement
+ * because OVSDB managers are responsible for configuring OpenFlow controllers,
+ * so if the manager cannot be reached then OpenFlow cannot be reconfigured.)
+ *
+ * The following rules (with the OFPP_NORMAL action) are set up on any bridge
+ * that has any remotes:
+ *
+ * (a) DHCP requests sent from the local port.
+ * (b) ARP replies to the local port's MAC address.
+ * (c) ARP requests from the local port's MAC address.
+ *
+ * In-band also sets up the following rules for each unique next-hop MAC
+ * address for the remotes' IPs (the "next hop" is either the remote
+ * itself, if it is on a local subnet, or the gateway to reach the remote):
+ *
+ * (d) ARP replies to the next hop's MAC address.
+ * (e) ARP requests from the next hop's MAC address.
+ *
+ * In-band also sets up the following rules for each unique remote IP address:
+ *
+ * (f) ARP replies containing the remote's IP address as a target.
+ * (g) ARP requests containing the remote's IP address as a source.