From 7b948a309cbb014f952e5f14a251773a5d846c57 Mon Sep 17 00:00:00 2001
From: Vladimir Lavor <vlavor@cisco.com>
Date: Wed, 17 Feb 2016 14:18:38 +0100
Subject: [PATCH] Bug5427: Added JavaDoc for OfOverlay rendeder (flow
 description)

Signed-off-by: Vladimir Lavor <vlavor@cisco.com>
Change-Id: Ifd26bcf2abc3be211adeaf7369c7f93f8e59de7e
---
 .../ofoverlay/flow/ChainActionFlows.java      | 75 ++++++++++++++++
 .../ofoverlay/flow/DestinationMapper.java     | 86 ++++++++++++++++++-
 .../ofoverlay/flow/EgressNatMapper.java       | 15 +++-
 .../ofoverlay/flow/ExternalMapper.java        | 34 +++++++-
 .../ofoverlay/flow/IngressNatMapper.java      | 81 ++++++++++++++---
 .../ofoverlay/flow/PolicyEnforcer.java        | 50 ++++++++++-
 .../renderer/ofoverlay/flow/PortSecurity.java | 72 +++++++++++++++-
 .../renderer/ofoverlay/flow/SourceMapper.java | 45 ++++++++--
 .../renderer/ofoverlay/sf/ChainAction.java    |  8 +-
 9 files changed, 433 insertions(+), 33 deletions(-)

diff --git a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/ChainActionFlows.java b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/ChainActionFlows.java
index 5e5970196..2730cf3e8 100755
--- a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/ChainActionFlows.java
+++ b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/ChainActionFlows.java
@@ -43,6 +43,7 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.ta
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.Match;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.instruction.go.to.table._case.GoToTable;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.ofoverlay.rev140528.OfOverlayContext;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeConnectorId;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeId;
@@ -58,6 +59,80 @@ import org.slf4j.LoggerFactory;
 
 import com.google.common.annotations.VisibleForTesting;
 
+/**
+ * <h1>Creation of flows related to service chain</h1>
+ *
+ * These flows are built across most of gbp of tables and have higher priority than basic flows. It ensures, that
+ * packet redirected to chain will be sent to tunnel output
+ * <p>
+ *
+ * Flow that allows ALL traffic incoming from chain last hop
+ * <p>
+ * <i>Allow from chain flow</i><br>
+ * Table = 0<br>
+ * Priority = 1200<br>
+ * Matches:<br>
+ *      - Nshc1<br>
+ *      - Nsp<br>
+ *      - Nsi<br>
+ *      - in_port (tunnel port) {@link NodeConnectorId}<br>
+ * Actions:<br>
+ *      - {@link GoToTable} SOURCE MAPPER table
+ * <p>
+ * TODO: looks like duplicity, the same flow is created in policy enforcer
+ * <i>Allow from chain tunnel</i>
+ * Table = 4<br>
+ * Priority = 65000<br>
+ * Matches:<br>
+ *      - in_port (tunnel port) {@link NodeConnectorId}<br>
+ *      - Reg7 (fixed value 0xffffff) {@link NxmNxReg7}
+ * Actions:<br>
+ *      - {@link GoToTable} SOURCE MAPPER table
+ * <p>
+ * <i>Create external flow</i>
+ * Table = 6<br>
+ * Priority = 1000 (if dst node == src node, priority = 1500)<br>
+ * Matches:<br>
+ *      - Reg6 {@link NxmNxReg6}<br>
+ *      - tunnel ID<br>
+ *      - nsp<br>
+ *      - nsi<br>
+ *      - tun_dst (only if dst node == src node)<br>
+ * Actions:<br>
+ *      - set nshc1<br>
+ *      - set nshc2<br>
+ *      - load tunnel ID<br>
+ *      - load tunnel ipv4<br>
+ *      - output:(tunnel port)<br>
+ * <p>
+ * <i>Chain tunnel flow</i><br>
+ * Table = 2<br>
+ * Priority = 150<br>
+ * Matches:<br>
+ *      - in_port (tunnel port) {@link NodeConnectorId}<br>
+ *      - tunnel ID<br>
+ *      - nsp<br>
+ *      - nsi<br>
+ * Actions:<br>
+ *      - Reg0 {@link NxmNxReg0}<br>
+ *      - Reg1 {@link NxmNxReg1}<br>
+ *      - Reg4 {@link NxmNxReg4}<br>
+ *      - Reg5 {@link NxmNxReg5}<br>
+ *      - Reg6 {@link NxmNxReg6}<br>
+ *      - {@link GoToTable} DESTINATION MAPPER table<br>
+ * <p>
+ * <i>Chain broadcast flow</i><br>
+ * Table = 2<br>
+ * Priority = 150<br>
+ * Matches:<br>
+ *      - in_port (tunnel port) {@link NodeConnectorId}<br>
+ *      - tunnel ID<br>
+ *      - nsp<br>
+ *      - nsi<br>
+ * Actions:<br>
+ *      - load Reg5 {@link NxmNxReg5}<br>
+ *      - {@link GoToTable} DESTINATION MAPPER table<br>
+ */
 public class ChainActionFlows {
 
     private static final Logger LOG = LoggerFactory.getLogger(ChainAction.class);
diff --git a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/DestinationMapper.java b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/DestinationMapper.java
index d819c8b3f..1e8fa2a28 100755
--- a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/DestinationMapper.java
+++ b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/DestinationMapper.java
@@ -69,6 +69,7 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.ta
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.Match;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.instruction.go.to.table._case.GoToTable;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.EndpointGroupId;
@@ -85,7 +86,6 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.endpoint.r
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.ofoverlay.rev140528.OfOverlayContext;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.Tenant;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.ForwardingContext;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.forwarding.context.L2FloodDomain;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.forwarding.context.L3Context;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.forwarding.context.Subnet;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeConnectorId;
@@ -96,6 +96,7 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._3.match.ArpMatchBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._3.match.Ipv4MatchBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._3.match.Ipv6MatchBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.action.dec.nw.ttl._case.DecNwTtl;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg2;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg3;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg4;
@@ -114,8 +115,87 @@ import com.google.common.collect.SetMultimap;
 import com.google.common.collect.Sets;
 
 /**
- * Manage the table that maps the destination address to the next hop for the
- * path as well as applies any relevant routing transformations.
+ * <h1>Manage the table that maps the destination address to the next hop for the
+ * path as well as applies any relevant routing transformations (table=3)</h1>
+ *
+ * Sync Ep flows, every endpoint pair creates L2 and L3 flow<br>
+ * <ul><li>Flow is external, when any {@link Endpoint} is external</li>
+ * <li>Flow is local, when src and dst endpoint {@link EndpointFwdCtxOrdinals} are the same</li>
+ * <li>Flow is local, when src and dst endpoint ordinals are not the same and {@link OfOverlayContext} is missing</li></ul>
+ * Also applies to L3
+ * <p>
+ * L2 Flows:
+ * <p>
+ * <i>External, local and remote L2 flows</i><br>
+ * Priority = 50<br>
+ * Matches:<br>
+ *      - dl_dst mac address {@link MacAddress}<br>
+ *      - loadReg4 {@link NxmNxReg4}<br>
+ * Actions:<br>
+ *      - load tunnel Ipv4 (local and remote only)<br>
+ *      - loadReg2 {@link NxmNxReg2}<br>
+ *      - loadReg3 {@link NxmNxReg3}<br>
+ *      - loadReg7 (next hop) {@link NxmNxReg7}<br>
+ *      - {@link GoToTable} POLICY ENFORCER table<br>
+ * <p>
+ * L3 flows:
+ * <p>
+ * <i>External, local and remote L3 routed flows:</i><br>
+ * Priority = 50<br>
+ * Matches:<br>
+ *      - ip (ethertype)
+ *      - dl_dst mac address {@link MacAddress}<br>
+ *      - setReg6 {@link NxmNxReg6}<br>
+ * Actions:<br>
+ *      - loadReg2 {@link NxmNxReg2}<br>
+ *      - loadReg3 {@link NxmNxReg3}<br>
+ *      - loadReg4 (tunnel destination) {@link NxmNxReg4} (remote only)<br>
+ *      - loadReg7 (next hop) {@link NxmNxReg7}<br>
+ *      - set dst mac to eth_dst {@link MacAddress}<br>
+ *      - dec_ttl {@link DecNwTtl} (local only)<br>
+ *      - {@link GoToTable} POLICY ENFORCER table
+ * <p>
+ * If virtual router ip is present in subnet, and subnet contains L3 context, arp flow is created<br>
+ * <p>
+ * <i>Router Arp flow</i><br>
+ * Priority = 150<br>
+ * Matches:<br>
+ *      - arp (ethertype)<br>
+ *      - arp target transport address<br>
+ *      - setReg6 {@link NxmNxReg6}<br>
+ * Actions:<br>
+ *      - move eth_src = eth_dst<br>
+ *      - set dl_src {@link MacAddress}<br>
+ *      - load arp_op<br>
+ *      - move arp_sha = arp_tha<br>
+ *      - load arp_sha<br>
+ *      - move arp_spa = arp_tpa<br>
+ *      - load arp_spa<br>
+ *      - output:port {@link NodeConnectorId}<br>
+ * <p>
+ * <i>Broadcast flow (per flood domain)</i>
+ * Priority = 140<br>
+ * Matches:<br>
+ *      - ethernet destination {@link MacAddress}
+ *      - setReg5 {@link NxmNxReg5}<br>
+ * Actions:<br>
+ *      - load tunnel ID<br>
+ *      - group action<br>
+ * <p>
+ * <i>L3 Prefix flow</i><br>
+ * Priority = 140<br>
+ * Matches:<br>
+ *      - ethernet destination {@link MacAddress}
+ *      - setReg5 {@link NxmNxReg5}<br>
+ * Actions:<br>
+ *      - dl_dst {@link MacAddress}<br>
+ *      - dec_ttl<br>
+ *      - loadReg2 {@link NxmNxReg2}<br>
+ *      - loadReg3 {@link NxmNxReg3}<br>
+ *      - loadReg4 (next hop) {@link NxmNxReg4}<br>
+ *      - loadReg7 (if internal, port_num == {@link NodeConnectorId of L2 EP} ) {@link NxmNxReg7}<br>
+ *      - loadReg7 (if external, port_num = external port) {@link NxmNxReg7}<br>
+ *      - {@link GoToTable} POLICY ENFORCER table
  */
 public class DestinationMapper extends FlowTable {
 
diff --git a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/EgressNatMapper.java b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/EgressNatMapper.java
index ff85d1ac8..65e58e07c 100755
--- a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/EgressNatMapper.java
+++ b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/EgressNatMapper.java
@@ -29,6 +29,7 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.Fl
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.Flow;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.instruction.go.to.table._case.GoToTable;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.L3ContextId;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.TenantId;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.endpoint.rev140421.endpoints.EndpointL3;
@@ -42,8 +43,18 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Manage the table that assigns source endpoint group, bridge domain, and
- * router domain to registers to be used by other tables.
+ * <h1>Manage the table that assigns source endpoint group, bridge domain, and
+ * router domain to registers to be used by other tables</h1>
+ *
+ * <i>NAT flow</i><br>
+ * Priority = 100<br>
+ * Matches:<br>
+ *      - ipv4/ipv6 inside address<br>
+ *      - ethernet type<br>
+ *      - Reg6 {@link NxmNxReg6}<br>
+ * Actions:<br>
+ *      - set_src ip address<br>
+ *      - {@link GoToTable} EXTERNAL MAPPER table<br>
  */
 public class EgressNatMapper extends FlowTable {
 
diff --git a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/ExternalMapper.java b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/ExternalMapper.java
index 40265483e..93f8c838d 100755
--- a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/ExternalMapper.java
+++ b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/ExternalMapper.java
@@ -48,8 +48,38 @@ import org.slf4j.LoggerFactory;
 import com.google.common.base.Preconditions;
 
 /**
- * Manage the table that assigns source endpoint group, bridge domain, and
- * router domain to registers to be used by other tables.
+ * <h1>Manage the table that assigns source endpoint group, bridge domain, and
+ * router domain to registers to be used by other tables</h1>
+ *
+ * <i>Push VLAN flow</i><br>
+ * Priority = 222<br>
+ * see {@link #buildPushVlanFlow(Ipv4Address, Integer, int)}<br>
+ * Matches:<br>
+ *      - ethernet type<br>
+ *      - L3 match<br>
+ *      - VLAN match<br>
+ * Actions:<br>
+ *      - set_ethertype (VLAN)<br>
+ *      - output:port (Reg7) {@link NxmNxReg7}<br>
+ * <p>
+ * <i>Push VLAN flow - external domain</i><br>
+ * Priority = 220<br>
+ * see {@link #buildPushVlanFlow(NodeId, int, Integer, int)}<br>
+ * Matches:<br>
+ *      - ethernet type<br>
+ *      - Reg7 {@link NxmNxReg7}<br>
+ *      - Reg5 {@link NxmNxReg5}<br>
+ *      - VLAN match<br>
+ * Actions:<br>
+ *      - set_ethertype (VLAN)<br>
+ *      - output:port (Reg7) {@link NxmNxReg7}<br>
+ * <p>
+ * <i>Default flow</i><br>
+ * Priority = 100<br>
+ * Matches:<br>
+ *      - none<br>
+ * Actions:<br>
+ *      - output:port (Reg7) {@link NxmNxReg7}<br>
  */
 public class ExternalMapper extends FlowTable {
 
diff --git a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/IngressNatMapper.java b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/IngressNatMapper.java
index 29c6dffae..51c6257ff 100755
--- a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/IngressNatMapper.java
+++ b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/IngressNatMapper.java
@@ -47,7 +47,7 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.Fl
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.Flow;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.Instruction;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.instruction.go.to.table._case.GoToTable;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.TenantId;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.endpoint.rev140421.endpoint.fields.L3Address;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.endpoint.rev140421.endpoints.Endpoint;
@@ -58,9 +58,6 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.forwarding.context.Subnet;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeConnectorId;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeId;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.l2.types.rev130827.EtherType;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.ethernet.match.fields.EthernetTypeBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.EthernetMatchBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.Layer3Match;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._3.match.ArpMatchBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._3.match.Ipv4MatchBuilder;
@@ -70,15 +67,74 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev14
 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg4;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg5;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg6;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowplugin.extension.nicira.action.rev140714.nx.action.reg.load.grouping.NxRegLoad;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowplugin.extension.nicira.action.rev140714.nx.action.reg.move.grouping.NxRegMove;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.google.common.base.Preconditions;
 import com.google.common.collect.Sets;
 
 /**
- * Manage the table that assigns source endpoint group, bridge domain, and
- * router domain to registers to be used by other tables.
+ * <h1>Manage the table processing NAT translation (table=1)</h1>
+ *
+ * Ingress NAT translation flows, created for every L3 endpoints with NAT which also contain L2 context
+ * <p>
+ * <i>Nat flow:</i><br>
+ * Priority = 100<br>
+ * Matches:<br>
+ *      - nw_dst (destination ip address)<br>
+ * Actions:<br>
+ *      - loadReg0 {@link NxmNxReg0}<br>
+ *      - loadReg1 {@link NxmNxReg1}<br>
+ *      - loadReg4 {@link NxmNxReg4}<br>
+ *      - loadReg5 {@link NxmNxReg5}<br>
+ *      - loadReg6 {@link NxmNxReg6}<br>
+ *      - loadTunnelId<br>
+ *      - {@link GoToTable} DESTINATION MAPPER table
+ * <p>
+ * <i>Outside Arp flow:</i><br>
+ * Priority = 150<br>
+ * Matches:<br>
+ *      - arp, (ethertype)<br>
+ *      - set arp target transport address<br>
+ * Actions:<br>
+ *      - move eth_src = eth_dst {@link NxRegMove}<br>
+ *      - set dl src_mac {@link MacAddress}<br>
+ *      - load arp_op {@link NxRegLoad}<br>
+ *      - move arp_sha = arp_tha {@link NxRegMove}<br>
+ *      - load arp_sha {@link NxRegLoad}<br>
+ *      - move arp_spa = arp_tpa {@link NxRegMove}<br>
+ *      - load arp_spa {@link NxRegLoad}<br>
+ *      - output:port {@link NodeConnectorId}
+ * <p>
+ * Flows for ingress traffic. Created for every external endpoint without location<br>
+ * <p>
+ * <i>Ingress external IP flow</i><br>
+ * Priority = 90<br>
+ * Matches:<br>
+ *      - nw_src (source ip address)<br>
+ * Actions:<br>
+ *      - loadReg0 {@link NxmNxReg0}<br>
+ *      - loadReg1 {@link NxmNxReg1}<br>
+ *      - loadReg4 {@link NxmNxReg4}<br>
+ *      - loadReg5 {@link NxmNxReg5}<br>
+ *      - loadReg6 {@link NxmNxReg6}<br>
+ *      - loadTunnelId<br>
+ *      - {@link GoToTable} DESTINATION MAPPER table
+ * <p>
+ * <i>Ingress external Arp flow</i><br>
+ * Priority = 80<br>
+ * Matches:<br>
+ *      - arp_spa (source arp address)<br>
+ * Actions:<br>
+ *      - loadReg0 {@link NxmNxReg0}<br>
+ *      - loadReg1 {@link NxmNxReg1}<br>
+ *      - loadReg4 {@link NxmNxReg4}<br>
+ *      - loadReg5 {@link NxmNxReg5}<br>
+ *      - loadReg6 {@link NxmNxReg6}<br>
+ *      - loadTunnelId<br>
+ *      - {@link GoToTable} DESTINATION MAPPER table
+ *
  */
 public class IngressNatMapper extends FlowTable {
 
@@ -100,7 +156,7 @@ public class IngressNatMapper extends FlowTable {
     @Override
     public void sync(NodeId nodeId, OfWriter ofWriter) throws Exception {
 
-        /**
+        /*
          * To support provider networks, all external ingress traffic is currently passed here and
          * if no match is foud - no NAT is performed and processing continues in DestinationMapper.
          */
@@ -204,7 +260,7 @@ public class IngressNatMapper extends FlowTable {
         }
         MatchBuilder mb = createMatchOnDstIpAddress(outsideDestAddress);
         Action[] dstIpMacAction = {setDestIp, setDestMac};
-        FlowBuilder flowb = base().setPriority(Integer.valueOf(100))
+        FlowBuilder flowb = base().setPriority(100)
             .setId(flowid)
             .setMatch(mb.build())
             .setInstructions(
@@ -218,7 +274,7 @@ public class IngressNatMapper extends FlowTable {
         String ikey = outsideDestAddress.getIpv4Address().getValue();
         BigInteger intMac = new BigInteger(1, bytesFromHexString(toMac.getValue()));
         MatchBuilder mb = new MatchBuilder().setEthernetMatch(ethernetMatch(null, null, ARP)).setLayer3Match(
-                new ArpMatchBuilder().setArpOp(Integer.valueOf(1))
+                new ArpMatchBuilder().setArpOp(1)
                     .setArpTargetTransportAddress(new Ipv4Prefix(ikey + "/32"))
                     .build());
         Action[] outsideArpActions = {
@@ -262,7 +318,7 @@ public class IngressNatMapper extends FlowTable {
         if (mb == null) {
             return null;
         }
-        FlowBuilder flowb = base().setPriority(Integer.valueOf(90))
+        FlowBuilder flowb = base().setPriority(90)
             .setId(FlowIdUtils.newFlowId(TABLE_ID, "inbound-external-ip", mb.build()))
             .setMatch(mb.build())
             .setInstructions(
@@ -343,8 +399,7 @@ public class IngressNatMapper extends FlowTable {
         Action fdReg = nxLoadRegAction(NxmNxReg5.class, BigInteger.valueOf(fdId));
         Action vrfReg = nxLoadRegAction(NxmNxReg6.class, BigInteger.valueOf(l3Id));
         Action tunIdAction = nxLoadTunIdAction(BigInteger.valueOf(tunnelId), false);
-        Action[] outsideArpActions = {segReg, scgReg, bdReg, fdReg, vrfReg, tunIdAction};
-        return outsideArpActions;
+        return new Action[]{segReg, scgReg, bdReg, fdReg, vrfReg, tunIdAction};
     }
 
     static byte[] bytesFromHexString(String values) {
diff --git a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/PolicyEnforcer.java b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/PolicyEnforcer.java
index bc4d66e8d..d43372aa2 100755
--- a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/PolicyEnforcer.java
+++ b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/PolicyEnforcer.java
@@ -57,6 +57,7 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.ta
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.Instructions;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.Match;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.instruction.go.to.table._case.GoToTable;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.ClassifierDefinitionId;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.ConditionName;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.TenantId;
@@ -98,8 +99,53 @@ import com.google.common.collect.Ordering;
 import com.google.common.collect.Table.Cell;
 
 /**
- * Manage the table that enforces policy on the traffic. Traffic is denied
- * unless specifically allowed by policy
+ * <h1>Manage the table that enforces policy on the traffic. Traffic is denied
+ * unless specifically allowed by policy (table=4)</h1>
+ *
+ * In policy enforcer, according to current {@link Policy} specific traffic is sent to SFC (nsp and nsi is set), or from SFC
+ * to some {@link Endpoint} or to another classifier.
+ * <p>
+ * <i>Tunnel/overlay flows</i><br>
+ * Priority = 65000 (if more flows, decrements)<br>
+ * Matches:<br>
+ *      - ethertype (tcp, tcp6, ipv6, icmp or missing)<br>
+ *      - Reg0 {@link NxmNxReg0}<br>
+ *      - Reg1 {@link NxmNxReg1}<br>
+ *      - Reg2 {@link NxmNxReg2}<br>
+ *      - Reg3 {@link NxmNxReg3}<br>
+ *      - L3 for src_ip_prefix (if exists)<br>
+ *      - L3 for dst_ip_prefix (if exists)<br>
+ * Actions:<br>
+ *      - set nsi (only chain action)<br>
+ *      - set nsp (only chain action)<br>
+ *      - {@link GoToTable} EXTERNAL MAPPER table<br>
+ *<p>
+ * <i>Allow from tunnel flow</i><br>
+ * Priority = 65000<br>
+ * Matches:<br>
+ *      - Reg1 (set to 0xffffff) {@link NxmNxReg1}<br>
+ *      - in_port (should be tunnel port) {@link NodeConnectorId}<br>
+ * Actions:<br>
+ *      - output:port (Reg7) {@link NxmNxReg7}<br>
+ * <p>
+ * Traffic is sent from one {@link EndpointGroup} to the same EPG
+ * <p>
+ * <i>Allow from same EPG flow</i><br>
+ * Priority = 65000<br>
+ * Matches:<br>
+ *      - Reg0 {@link NxmNxReg0}<br>
+ *      - Reg2 {@link NxmNxReg2}<br>
+ * Actions:<br>
+ *      - output:port (Reg7) {@link NxmNxReg7}
+ * <p>
+ * <i>Arp flow</i><br>
+ * Priority = 20000<br>
+ * Matches:<br>
+ *      - ethernet match (arp)<br>
+ *      - Reg5 {@link NxmNxReg5}<br>
+ * Actions:<br>
+ *      - output:port (Reg7) {@link NxmNxReg7}
+ *
  */
 public class PolicyEnforcer extends FlowTable {
 
diff --git a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/PortSecurity.java b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/PortSecurity.java
index affbb3a72..f919f1b67 100755
--- a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/PortSecurity.java
+++ b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/PortSecurity.java
@@ -50,7 +50,71 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Manage the table that enforces port security
+ * <h1>Manage the table that enforces port security. Initial flows in group-based policy pipeline (table=0)</h1>
+ *
+ * Lower-priority flows are leading flows for all traffic incoming from endpoints associated to gbp classifier.<br>
+ * Created when an {@link Endpoint} is internal and contains {@link OfOverlayContext} augmentation. Several flows of
+ * this kind are produced.
+ *<p>
+ * <i>L2 flow:</i><br>
+ * Priority = 100<br>
+ * Matches:<br>
+ *      - in_port, {@link NodeConnectorId}
+ *      - dl_src {@link org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress}<br>
+ * Actions:<br>
+ *      - {@link GoToTable} SOURCE MAPPER table
+ *<p>
+ * <i>L3 flow:</i><br>
+ * Priority = 120<br>
+ * Matches:<br>
+ *      - ip, (ethertype)<br>
+ *      - in_port, {@link NodeConnectorId}<br>
+ *      - dl_src {@link org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress}<br>
+ *      - nw_src (source ip address)<br>
+ * Actions:<br>
+ *      - {@link GoToTable} SOURCE MAPPER table
+ *<p>
+ * <i>L3 Arp flow:</i><br>
+ * Priority = 121<br>
+ * Matches:<br>
+ *      - arp, (ethertype)<br>
+ *      - in_port, {@link NodeConnectorId}<br>
+ *      - dl_src {@link org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress}<br>
+ *      - arp_spa (arp source transport address)<br>
+ * Actions:<br>
+ *      - {@link GoToTable} SOURCE MAPPER table
+ *<p>
+ * <i>L3 Dhcp dora flow:</i><br>
+ * Priority = 115<br>
+ * Matches:<br>
+ *      - ip, (ethertype)<br>
+ *      - in_port, {@link NodeConnectorId}<br>
+ *      - dl_src {@link org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress}<br>
+ *      - nw_dst (destination ip address)<br>
+ * Actions:<br>
+ *      - {@link GoToTable} SOURCE MAPPER table
+ *<p>
+ * Higher-priority flows providing VLAN support for external networks. Created when node contains external ports
+ *<p>
+ * <i>Allow from external:</i><br>
+ * Priority = 200<br>
+ * Matches:<br>
+ *      - in_port, {@link NodeConnectorId}<br>
+ * Actions:<br>
+ *      - {@link GoToTable} INGRESS NAT table
+ *<p>
+ * <i>Flow that pops VLAN tag for inbound traffic:</i><br>
+ * Priority = 210<br>
+ * See {@link #popVlanTagsOnExternalPort}
+ *<p>
+ * Highest priority flows used to direct traffic coming from tunnel (SFC). These flows are created always
+ *<p>
+ * <i>Allow from tunnel:</i><br>
+ * Priority = 300<br>
+ * Matches:<br>
+ *      - in_port (has to be tunnel port), {@link NodeConnectorId}<br>
+ * Actions:<br>
+ *      - {@link GoToTable} SOURCE MAPPER table
  *
  */
 public class PortSecurity extends FlowTable {
@@ -61,7 +125,7 @@ public class PortSecurity extends FlowTable {
 
     public PortSecurity(OfContext ctx, short tableId) {
         super(ctx);
-        TABLE_ID=tableId;
+        TABLE_ID = tableId;
     }
 
     @Override
@@ -120,10 +184,10 @@ public class PortSecurity extends FlowTable {
             for (NodeConnectorId nc : ctx.getSwitchManager().getExternalPorts(nodeId)) {
                 // TODO Bug 3546 - Difficult: External port is unrelated to Tenant, L3C, L2BD..
                 for (Flow flow : popVlanTagsOnExternalPort(nc, tenantId, 210)) {
-                    // tagged frames have to be untagged when entering policy domain
+                    // Tagged frames have to be untagged when entering policy domain
                     ofWriter.writeFlow(nodeId, TABLE_ID, flow);
                 }
-                // allowing untagged frames entering policy domain
+                // Allowing untagged frames entering policy domain
                 ofWriter.writeFlow(nodeId, TABLE_ID, allowFromExternalPort(nc, 200));
             }
         }
diff --git a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/SourceMapper.java b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/SourceMapper.java
index 60384d41d..dc5f626de 100755
--- a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/SourceMapper.java
+++ b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/flow/SourceMapper.java
@@ -33,6 +33,7 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.ta
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.Match;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.instruction.go.to.table._case.GoToTable;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.EndpointGroupId;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.endpoint.rev140421.endpoints.Endpoint;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.ofoverlay.rev140528.OfOverlayContext;
@@ -50,8 +51,43 @@ import org.slf4j.LoggerFactory;
 import com.google.common.collect.Sets;
 
 /**
- * Manage the table that assigns source endpoint group, bridge domain, and
- * router domain to registers to be used by other tables.
+ * <h1>Manage the table that assigns source endpoint group, bridge domain, and
+ * router domain to registers to be used by other tables</h1>
+ *
+ * <i>Remote tunnel flow:</i><br>
+ * Priority = 150<br>
+ * Matches:<br>
+ *      - in_port (should be tunnel port), {@link NodeConnectorId}
+ *      - tunnel ID match {@link org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxTunId}<br>
+ * Actions:<br>
+ *      - loadReg1 fixed value 0xffffff {@link NxmNxReg1}<br>
+ *      - loadReg4 {@link NxmNxReg4}<br>
+ *      - loadReg5 {@link NxmNxReg5}<br>
+ *      - loadReg6 {@link NxmNxReg6}<br>
+ *      - {@link GoToTable} DESTINATION MAPPER table
+ * <p>
+ * <i>Remote broadcast flow:</i><br>
+ * Priority = 150<br>
+ * Matches:<br>
+ *      - in_port (should be tunnel port), {@link NodeConnectorId}
+ *      - tunnel ID match {@link org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxTunId}<br>
+ * Actions:<br>
+ *      - loadReg5 {@link NxmNxReg5}<br>
+ *      - {@link GoToTable} DESTINATION MAPPER table
+ * <p>
+ * <i>Local EP flow:</i><br>
+ * Priority = 100<br>
+ * Matches:<br>
+ *      - dl_src (source mac address) {@link org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress}<br>
+ *      - in_port (node connector ID) {@link NodeConnectorId}<br>
+ * Actions:<br>
+ *      - loadReg0 {@link NxmNxReg0}<br>
+ *      - loadReg1 {@link NxmNxReg1}<br>
+ *      - loadReg4 {@link NxmNxReg4}<br>
+ *      - loadReg5 {@link NxmNxReg5}<br>
+ *      - loadReg6 {@link NxmNxReg6}<br>
+ *      - loadTunnelId<br>
+ *      - {@link GoToTable} DESTINATION MAPPER table
  */
 public class SourceMapper extends FlowTable {
 
@@ -96,9 +132,8 @@ public class SourceMapper extends FlowTable {
             OfOverlayContext ofc = ep.getAugmentation(OfOverlayContext.class);
             if (ofc != null && ofc.getNodeConnectorId() != null
                     && (EndpointManager.isInternal(ep, ctx.getTenant(ep.getTenant()).getExternalImplicitGroups()))) {
-                /**
-                 * Sync the local EP information.
-                 */
+
+                // Sync the local EP information
                 syncEP(ofWriter, nodeId, ep, ofc.getNodeConnectorId(), epFwdCtxOrds);
             }
         }
diff --git a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/sf/ChainAction.java b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/sf/ChainAction.java
index dfb2712b9..02c779f3e 100755
--- a/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/sf/ChainAction.java
+++ b/renderers/ofoverlay/src/main/java/org/opendaylight/groupbasedpolicy/renderer/ofoverlay/sf/ChainAction.java
@@ -62,9 +62,13 @@ import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Iterables;
 
 /**
- * Chain action for the OpenFlow Overlay renderer
- * TODO: separate the generic definition from the concrete
+ * <h1>Chain action for the OpenFlow Overlay renderer</h1>
+ * TODO: separate the generic definition from the concrete<br>
  * implementation for the OpenFlow Overlay renderer
+ * <p>
+ *
+ * see {@link org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow.ChainActionFlows}
+ *
  */
 public class ChainAction extends Action {
 
-- 
2.36.6