ovn-nb(5)                     Open vSwitch Manual                    ovn-nb(5)

NAME
       ovn-nb - OVN_Northbound database schema

DESCRIPTION
       This database is the interface between OVN and the cloud management
       system (CMS), such as OpenStack, running above it. The CMS produces
       almost all of the contents of the database. The ovn-northd program
       monitors the database contents, transforms it, and stores it into the
       OVN_Southbound database.

       We generally speak of ``the’’ CMS, but one can imagine scenarios in
       which multiple CMSes manage different parts of an OVN deployment.

   External IDs
       Each of the tables in this database contains a special column, named
       external_ids. This column has the same form and purpose each place it
       appears.

       external_ids: map of string-string pairs
              Key-value pairs for use by the CMS. The CMS might use certain
              pairs, for example, to identify entities in its own
              configuration that correspond to those in this database.

TABLE SUMMARY
       The following list summarizes the purpose of each of the tables in the
       OVN_Northbound database. Each table is described in more detail on a
       later page.

       Table                        Purpose
       NB_Global                    Northbound configuration
       Logical_Switch               L2 logical switch
       Logical_Switch_Port          L2 logical switch port
       Address_Set                  Address Sets
       Port_Group                   Port Groups
       Load_Balancer                load balancer
       ACL                          Access Control List (ACL) rule
       Logical_Router               L3 logical router
       QoS                          QoS rule
       Meter                        Meter entry
       Meter_Band                   Band for meter entries
       Logical_Router_Port          L3 logical router port
       Logical_Router_Static_Route  Logical router static routes
       NAT                          NAT rules
       DHCP_Options                 DHCP options
       Connection                   OVSDB client connections.
       DNS                          Native DNS resolution
       SSL                          SSL configuration.
       Gateway_Chassis              Gateway_Chassis configuration.

NB_Global TABLE
       Northbound configuration for an OVN system. This table must have
       exactly one row.

   Summary:
       Status:
         nb_cfg                      integer
         sb_cfg                      integer
         hv_cfg                      integer
       Common Columns:
         external_ids                map of string-string pairs
       Connection Options:
         connections                 set of Connections
         ssl                         optional SSL

   Details:
     Status:

       These columns allow a client to track the overall configuration state
       of the system.

       nb_cfg: integer
              Sequence number for client to increment. When a client modifies
              any part of the northbound database configuration and wishes to
              wait for ovn-northd and possibly all of the hypervisors to
              finish applying the changes, it may increment this sequence
              number.

       sb_cfg: integer
              Sequence number that ovn-northd sets to the value of nb_cfg
              after it finishes applying the corresponding configuration
              changes to the OVN_Southbound database.

       hv_cfg: integer
              Sequence number that ovn-northd sets to the smallest sequence
              number of all the chassis in the system, as reported in the
              Chassis table in the southbound database. Thus, hv_cfg equals
              nb_cfg if all chassis are caught up with the northbound
              configuration (which may never happen, if any chassis is down).
              This value can regress, if a chassis was removed from the system
              and rejoins before catching up.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

     Connection Options:

       connections: set of Connections
              Database clients to which the OVSDB server (ovsdb-server)
              hosting this database should connect or on which it should
              listen, along with options for how these connections should be
              configured. See the Connection table for more information.

       ssl: optional SSL
              Global SSL configuration.

Logical_Switch TABLE
       Each row represents one L2 logical switch.

       There are two kinds of logical switches: ones that fully virtualize
       the network (overlay logical switches) and ones that provide simple
       connectivity to a physical network (bridged logical switches). They
       work in the same way when providing connectivity between logical ports
       on the same chassis, but differently when connecting remote logical
       ports. Overlay logical switches connect remote logical ports by
       tunnels, while bridged logical switches provide connectivity to remote
       ports by bridging the packets to a directly connected physical L2
       segment with the help of localnet ports. Each bridged logical switch
       has one and only one localnet port, whose addresses column contains
       only the special value unknown.

   Summary:
       ports                         set of Logical_Switch_Ports
       load_balancer                 set of Load_Balancers
       acls                          set of ACLs
       qos_rules                     set of QoSs
       dns_records                   set of weak reference to DNSs
       Naming:
         name                        string
         external_ids : neutron:network_name
                                     optional string
       IP Address Assignment:
         other_config : subnet       optional string
         other_config : exclude_ips  optional string
         other_config : ipv6_prefix  optional string
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       ports: set of Logical_Switch_Ports
              The logical ports connected to the logical switch.

              It is an error for multiple logical switches to include the same
              logical port.

       load_balancer: set of Load_Balancers
              Load balance a virtual IP address to a set of logical port
              endpoint IP addresses.

       acls: set of ACLs
              Access control rules that apply to packets within the logical
              switch.

       qos_rules: set of QoSs
              QoS marking and metering rules that apply to packets within the
              logical switch.

       dns_records: set of weak reference to DNSs
              This column defines the DNS records to be used for resolving
              internal DNS queries within the logical switch by the native DNS
              resolver. Please see the DNS table.

     Naming:

       These columns provide names for the logical switch. From OVN’s
       perspective, these names have no special meaning or purpose other than
       to provide convenience for human interaction with the database. There
       is no requirement for the name to be unique. (For a unique identifier
       for a logical switch, use its row UUID.)

       (Originally, name was intended to serve the purpose of a human-friendly
       name, but the Neutron integration used it to uniquely identify its own
       switch object, in the format neutron-uuid. Later on, Neutron started
       propagating the friendly name of a switch as
       external_ids:neutron:network_name. Perhaps this can be cleaned up
       someday.)

       name: string
              A name for the logical switch.

       external_ids : neutron:network_name: optional string
              Another name for the logical switch.

     IP Address Assignment:

       These options control automatic IP address management (IPAM) for ports
       attached to the logical switch. To enable IPAM for IPv4, set
       other_config:subnet and optionally other_config:exclude_ips. To enable
       IPAM for IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be
       enabled together or separately.

       To request dynamic address assignment for a particular port, use the
       dynamic keyword in the addresses column of the port’s
       Logical_Switch_Port row. This requests both an IPv4 and an IPv6
       address, if IPAM for IPv4 and IPv6 are both enabled.

       other_config : subnet: optional string
              Set this to an IPv4 subnet, e.g. 192.168.0.0/24, to enable
              ovn-northd to automatically assign IP addresses within that
              subnet.

       other_config : exclude_ips: optional string
              To exclude some addresses from automatic IP address management,
              set this to a list of the IPv4 addresses or ..-delimited ranges
              to exclude. The addresses or ranges should be a subset of those
              in other_config:subnet.

              Whether listed or not, ovn-northd will never allocate the first
              or last address in a subnet, such as 192.168.0.0 or
              192.168.0.255 in 192.168.0.0/24.

              Examples:

              ·      192.168.0.2 192.168.0.10

              ·      192.168.0.4 192.168.0.30..192.168.0.60
                     192.168.0.110..192.168.0.120

              ·      192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30
                     192.168.0.144

       other_config : ipv6_prefix: optional string
              Set this to an IPv6 prefix to enable ovn-northd to automatically
              assign IPv6 addresses using this prefix. The assigned IPv6
              address will be generated using the IPv6 prefix and the MAC
              address (converted to an IEEE EUI64 identifier) of the port. The
              IPv6 prefix defined here should be a valid IPv6 address ending
              with ::.

              Examples:

              ·      aef0::

              ·      bef0:1234:a890:5678::

              ·      8230:5678::
     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Logical_Switch_Port TABLE
       A port within an L2 logical switch.

   Summary:
       Core Features:
         name                        string (must be unique within table)
         type                        string
       Options:
         options                     map of string-string pairs
         Options for router ports:
           options : router-port     optional string
           options : nat-addresses   optional string
         Options for localnet ports:
           options : network_name    optional string
         Options for l2gateway ports:
           options : network_name    optional string
           options : l2gateway-chassis
                                     optional string
         Options for vtep ports:
           options : vtep-physical-switch
                                     optional string
           options : vtep-logical-switch
                                     optional string
         VMI (or VIF) Options:
           options : requested-chassis
                                     optional string
           options : qos_max_rate    optional string
           options : qos_burst       optional string
       Containers:
         parent_name                 optional string
         tag_request                 optional integer, in range 0 to 4,095
         tag                         optional integer, in range 1 to 4,095
       Port State:
         up                          optional boolean
         enabled                     optional boolean
       Addressing:
         addresses                   set of strings
         dynamic_addresses           optional string
         port_security               set of strings
       DHCP:
         dhcpv4_options              optional weak reference to DHCP_Options
         dhcpv6_options              optional weak reference to DHCP_Options
       Naming:
         external_ids : neutron:port_name
                                     optional string
       Common Columns:
         external_ids                map of string-string pairs

   Details:
     Core Features:

       name: string (must be unique within table)
              The logical port name.

              For entities (VMs or containers) that are spawned in the
              hypervisor, the name used here must match those used in the
              external_ids:iface-id in the Open_vSwitch database’s Interface
              table, because hypervisors use external_ids:iface-id as a lookup
              key to identify the network interface of that entity.

              For containers that share a VIF within a VM, the name can be any
              unique identifier. See Containers, below, for more information.

       type: string
              Specify a type for this logical port. Logical ports can be used
              to model other types of connectivity into an OVN logical switch.
              The following types are defined:

              (empty string)
                     A VM (or VIF) interface.

              router A connection to a logical router.

              localnet
                     A connection to a locally accessible network from each
                     ovn-controller instance. A logical switch can only have a
                     single localnet port attached. This is used to model
                     direct connectivity to an existing network.

              localport
                     A connection to a local VIF. Traffic that arrives on a
                     localport is never forwarded over a tunnel to another
                     chassis. These ports are present on every chassis and
                     have the same address in all of them. This is used to
                     model connectivity to local services that run on every
                     hypervisor.

              l2gateway
                     A connection to a physical network.

              vtep   A port to a logical switch on a VTEP gateway.

     Options:

       options: map of string-string pairs
              This column provides key/value settings specific to the logical
              port type. The type-specific options are described individually
              below.

     Options for router ports:

       These options apply when type is router.

       options : router-port: optional string
              Required. The name of the Logical_Router_Port to which this
              logical switch port is connected.

       options : nat-addresses: optional string
              This is used to send gratuitous ARPs for SNAT and DNAT IP
              addresses via the localnet port that is attached to the same
              logical switch as this router-type port. This option is
              specified on a logical switch port that is connected to a
              gateway router, or a logical switch port that is connected to a
              distributed gateway port on a logical router.

              This must take one of the following forms:

              router Gratuitous ARPs will be sent for all SNAT and DNAT
                     external IP addresses and for all load balancer IP
                     addresses defined on the options:router-port’s logical
                     router, using the options:router-port’s MAC address.

                     This form of options:nat-addresses is valid for logical
                     switch ports where options:router-port is the name of a
                     port on a gateway router, or the name of a distributed
                     gateway port.

                     Supported only in OVN 2.8 and later. Earlier versions
                     required NAT addresses to be manually synchronized.

              Ethernet address followed by one or more IPv4 addresses
                     Example: 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24.
                     This would result in generation of gratuitous ARPs for IP
                     addresses 158.36.44.22 and 158.36.44.24 with a MAC
                     address of 80:fa:5b:06:72:b7.

                     This form of options:nat-addresses is only valid for
                     logical switch ports where options:router-port is the
                     name of a port on a gateway router.

     Options for localnet ports:

       These options apply when type is localnet.

       options : network_name: optional string
              Required. The name of the network to which the localnet port is
              connected. Each hypervisor, via ovn-controller, uses its local
              configuration to determine exactly how to connect to this
              locally accessible network.

     Options for l2gateway ports:

       These options apply when type is l2gateway.

       options : network_name: optional string
              Required. The name of the network to which the l2gateway port is
              connected. The L2 gateway, via ovn-controller, uses its local
              configuration to determine exactly how to connect to this
              network.

       options : l2gateway-chassis: optional string
              Required. The chassis to which the l2gateway logical port should
              be bound. ovn-controller running on the defined chassis will
              connect this logical port to the physical network.

     Options for vtep ports:

       These options apply when type is vtep.

       options : vtep-physical-switch: optional string
              Required. The name of the VTEP gateway.

       options : vtep-logical-switch: optional string
              Required. A logical switch name connected by the VTEP gateway.

     VMI (or VIF) Options:

       These options apply when type is the empty string, that is, to VM (or
       VIF) interfaces.

       options : requested-chassis: optional string
              If set, identifies a specific chassis (by name or hostname) that
              is allowed to bind this port. Using this option will prevent
              thrashing between two chassis trying to bind the same port
              during a live migration. It can also prevent similar thrashing
              due to a mis-configuration, if a port is accidentally created on
              more than one chassis.

       options : qos_max_rate: optional string
              If set, indicates the maximum rate for data sent from this
              interface, in bit/s. The traffic will be shaped according to
              this limit.

       options : qos_burst: optional string
              If set, indicates the maximum burst size for data sent from this
              interface, in bits.

     Containers:

       When a large number of containers are nested within a VM, it may be too
       expensive to dedicate a VIF to each container. OVN can use VLAN tags to
       support such cases. Each container is assigned a VLAN ID and each
       packet that passes between the hypervisor and the VM is tagged with the
       appropriate ID for the container. Such VLAN IDs never appear on a
       physical wire, even inside a tunnel, so they need not be unique except
       relative to a single VM on a hypervisor.

       These columns are used for VIFs that represent nested containers using
       shared VIFs. For VMs and for containers that have dedicated VIFs, they
       are empty.

       parent_name: optional string
              The VM interface through which the nested container sends its
              network traffic. This must match the name column for some other
              Logical_Switch_Port.

       tag_request: optional integer, in range 0 to 4,095
              The VLAN tag in the network traffic associated with a
              container’s network interface. The client can request ovn-northd
              to allocate a tag that is unique within the scope of a specific
              parent (specified in parent_name) by setting a value of 0 in
              this column. The allocated value is written by ovn-northd in the
              tag column. (Note that these tags are allocated and managed
              locally in ovn-northd, so they cannot be reconstructed in the
              event that the database is lost.) The client can also request a
              specific non-zero tag and ovn-northd will honor it and copy that
              value to the tag column.

              When type is set to localnet or l2gateway, this can be set to
              indicate that the port represents a connection to a specific
              VLAN on a locally accessible network. The VLAN ID is used to
              match incoming traffic and is also added to outgoing traffic.

       tag: optional integer, in range 1 to 4,095
              The VLAN tag allocated by ovn-northd based on the contents of
              the tag_request column.

     Port State:

       up: optional boolean
              This column is populated by ovn-northd, rather than by the CMS
              plugin as is most of this database. When a logical port is bound
              to a physical location in the OVN Southbound database Binding
              table, ovn-northd sets this column to true; otherwise, or if the
              port becomes unbound later, it sets it to false. This allows the
              CMS to wait for a VM’s (or container’s) networking to become
              active before it allows the VM (or container) to start.

              Logical ports of router type are an exception to this rule. They
              are considered to be always up, that is, this column is always
              set to true.

       enabled: optional boolean
              This column is used to administratively set port state. If this
              column is empty or is set to true, the port is enabled. If this
              column is set to false, the port is disabled. A disabled port
              has all ingress and egress traffic dropped.

     Addressing:

       addresses: set of strings
              Addresses owned by the logical port.

              Each element in the set must take one of the following forms:

              Ethernet address followed by zero or more IPv4 or IPv6 addresses
              (or both)
                     An Ethernet address defined is owned by the logical port.
                     Like a physical Ethernet NIC, a logical port ordinarily
                     has a single fixed Ethernet address.

                     When an OVN logical switch processes a unicast Ethernet
                     frame whose destination MAC address is in a logical
                     port’s addresses column, it delivers it only to that
                     port, as if a MAC learning process had learned that MAC
                     address on the port.

                     If IPv4 or IPv6 address(es) (or both) are defined, it
                     indicates that the logical port owns the given IP
                     addresses.

                     If IPv4 address(es) are defined, the OVN logical switch
                     uses this information to synthesize responses to ARP
                     requests without traversing the physical network. The OVN
                     logical router connected to the logical switch, if any,
                     uses this information to avoid issuing ARP requests for
                     logical switch ports.

                     Note that the order here is important. The Ethernet
                     address must be listed before the IP address(es) if
                     defined.

                     Examples:

                     80:fa:5b:06:72:b7
                            This indicates that the logical port owns the
                            above MAC address.

                     80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
                            This indicates that the logical port owns the MAC
                            address and two IPv4 addresses.

                     80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
                            This indicates that the logical port owns the MAC
                            address and 1 IPv6 address.

                     80:fa:5b:06:72:b7 10.0.0.4 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
                            This indicates that the logical port owns the MAC
                            address and 1 IPv4 address and 1 IPv6 address.

              unknown
                     This indicates that the logical port has an unknown set
                     of Ethernet addresses. When an OVN logical switch
                     processes a unicast Ethernet frame whose destination MAC
                     address is not in any logical port’s addresses column, it
                     delivers it to the port (or ports) whose addresses
                     columns include unknown.

              dynamic
                     Use this keyword to make ovn-northd generate a globally
                     unique MAC address and choose an unused IPv4 address
                     within the logical port’s subnet and store them in the
                     port’s dynamic_addresses column. ovn-northd will use the
                     subnet specified in other_config:subnet in the port’s
                     Logical_Switch.

              Ethernet address followed by keyword "dynamic"
                     The keyword dynamic after the MAC address indicates that
                     ovn-northd should choose an unused IPv4 address from the
                     logical port’s subnet and store it with the specified MAC
                     in the port’s dynamic_addresses column. ovn-northd will
                     use the subnet specified in other_config:subnet in the
                     port’s Logical_Switch table.

                     Examples:

                     80:fa:5b:06:72:b7 dynamic
                            This indicates that the logical port owns the
                            specified MAC address and ovn-northd should
                            allocate an unused IPv4 address for the logical
                            port from the corresponding logical switch subnet.

              router Accepted only when type is router. This indicates that
                     the Ethernet, IPv4, and IPv6 addresses for this logical
                     switch port should be obtained from the connected logical
                     router port, as specified by router-port in options.

                     The resulting addresses are used to populate the logical
                     switch’s destination lookup, and also for the logical
                     switch to generate ARP and ND replies.

                     If the connected logical router port has a
                     redirect-chassis specified and the logical router has
                     rules specified in nat with external_mac, then those
                     addresses are also used to populate the switch’s
                     destination lookup.

                     Supported only in OVN 2.7 and later. Earlier versions
                     required router addresses to be manually synchronized.
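
       The destination lookup that the addresses column feeds, as an added
       example in Python (it is not ovn-northd code and not part of this
       manual): it parses each element form listed above, rejects the router
       keyword on a port whose type is not router, and resolves a destination
       MAC to the port a unicast frame is delivered to, to the ports listing
       unknown when no port owns the MAC, or to every port for broadcast and
       multicast. The port names and addresses are constructed; refusing the
       same MAC on two ports is this example's own strictness.

```python
import ipaddress


def _mac(token):
    """Normalise and validate an Ethernet address such as 80:fa:5b:06:72:b7."""
    parts = token.lower().split(":")
    if len(parts) != 6 or not all(
        len(p) == 2 and all(c in "0123456789abcdef" for c in p) for p in parts
    ):
        raise ValueError(f"bad Ethernet address {token!r}")
    return ":".join(parts)


def parse_address(element, port_type=""):
    """Classify one addresses element into the forms the manual defines."""
    tokens = element.split()
    if tokens == ["unknown"]:
        return {"kind": "unknown"}
    if tokens == ["dynamic"]:
        return {"kind": "dynamic", "mac": None}
    if tokens == ["router"]:
        if port_type != "router":
            raise ValueError("'router' is accepted only when type is router")
        return {"kind": "router"}
    if not tokens:
        raise ValueError("empty element")
    mac = _mac(tokens[0])              # the Ethernet address must come first
    if tokens[1:] == ["dynamic"]:
        return {"kind": "dynamic", "mac": mac}
    ips = [ipaddress.ip_address(t) for t in tokens[1:]]
    return {"kind": "static", "mac": mac, "ips": ips}


def build_lookup(ports):
    """ports: {name: {"type": str, "addresses": [str, ...]}}.

    Returns (mac -> owning port, sorted ports whose addresses include unknown)."""
    mac_table, unknown = {}, []
    for name, port in ports.items():
        for element in port.get("addresses", []):
            parsed = parse_address(element, port.get("type", ""))
            if parsed["kind"] == "unknown":
                unknown.append(name)
            elif parsed["kind"] == "static":
                owner = mac_table.setdefault(parsed["mac"], name)
                if owner != name:   # example's own check: one owner per MAC
                    raise ValueError(f"{parsed['mac']} claimed by {owner} and {name}")
    return mac_table, sorted(unknown)


def deliver(ports, dst_mac):
    """Ports a frame to dst_mac reaches: the owner, the unknown ports, or all for group MACs."""
    mac_table, unknown = build_lookup(ports)
    dst = _mac(dst_mac)
    if int(dst[:2], 16) & 1:           # group bit set: broadcast/multicast floods the switch
        return sorted(ports)
    if dst in mac_table:
        return [mac_table[dst]]
    return unknown


if __name__ == "__main__":
    # Constructed switch: a VM port, a bridged localnet port, and a router port.
    sample = {
        "vm1": {"type": "", "addresses": ["80:fa:5b:06:72:b7 10.0.0.4"]},
        "ln-physnet": {"type": "localnet", "addresses": ["unknown"]},
        "to-router": {"type": "router", "addresses": ["router"]},
    }
    print(deliver(sample, "80:fa:5b:06:72:b7"), deliver(sample, "00:11:22:33:44:55"))
```

       The second call in the usage shows why unknown matters on a bridged
       switch: a frame for a MAC that no logical port owns leaves through the
       localnet port rather than being dropped, so the physical segment is
       reachable from every VM on the switch.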
615
       dynamic_addresses: optional string
              Addresses assigned to the logical port by ovn-northd, if dynamic
              is specified in addresses. Addresses will be of the same format
              as those that populate the addresses column. Note that
              dynamically assigned addresses are constructed and managed
              locally in ovn-northd, so they cannot be reconstructed in the
              event that the database is lost.

       port_security: set of strings
              This column controls the addresses from which the host attached
              to the logical port (``the host’’) is allowed to send packets
              and to which it is allowed to receive packets. If this column is
              empty, all addresses are permitted.

              Each element in the set must begin with one Ethernet address.
              This restricts the host to sending packets from and receiving
              packets to the Ethernet addresses defined in the logical port’s
              port_security column. It also restricts the inner source MAC
              addresses that the host may send in ARP and IPv6 Neighbor
              Discovery packets. The host is always allowed to receive packets
              to multicast and broadcast Ethernet addresses.

              Each element in the set may additionally contain one or more
              IPv4 or IPv6 addresses (or both), with optional masks. If a mask
              is given, it must be a CIDR mask. In addition to the
              restrictions described for Ethernet addresses above, such an
              element restricts the IPv4 or IPv6 addresses from which the host
              may send and to which it may receive packets to the specified
              addresses. A masked address, if the host part is zero, indicates
              that the host is allowed to use any address in the subnet; if
              the host part is nonzero, the mask simply indicates the size of
              the subnet. In addition:

              ·      If any IPv4 address is given, the host is also allowed to
                     receive packets to the IPv4 local broadcast address
                     255.255.255.255 and to IPv4 multicast addresses
                     (224.0.0.0/4). If an IPv4 address with a mask is given,
                     the host is also allowed to receive packets to the
                     broadcast address in that specified subnet.

                     If any IPv4 address is given, the host is additionally
                     restricted to sending ARP packets with the specified
                     source IPv4 address. (RARP is not restricted.)

              ·      If any IPv6 address is given, the host is also allowed to
                     receive packets to IPv6 multicast addresses (ff00::/8).

                     If any IPv6 address is given, the host is additionally
                     restricted to sending IPv6 Neighbor Discovery
                     Solicitation or Advertisement packets with the specified
                     source address or, for solicitations, the unspecified
                     address.

              If an element includes an IPv4 address, but no IPv6 addresses,
              then IPv6 traffic is not allowed. If an element includes an IPv6
              address, but no IPv4 address, then IPv4 and ARP traffic is not
              allowed.

              This column uses the same lexical syntax as the match column in
              the OVN Southbound database’s Logical_Flow table. Multiple
              addresses within an element may be space or comma separated.

              This column is provided as a convenience to cloud management
              systems, but all of the features that it implements can be
              implemented as ACLs using the ACL table.

              Examples:

              80:fa:5b:06:72:b7
                     The host may send traffic from and receive traffic to the
                     specified MAC address, and to receive traffic to Ethernet
                     multicast and broadcast addresses, but not otherwise. The
                     host may not send ARP or IPv6 Neighbor Discovery packets
                     with inner source Ethernet addresses other than the one
                     specified.

              80:fa:5b:06:72:b7 192.168.1.10/24
                     This adds further restrictions to the first example. The
                     host may send IPv4 packets from or receive IPv4 packets
                     to only 192.168.1.10, except that it may also receive
                     IPv4 packets to 192.168.1.255 (based on the subnet mask),
                     255.255.255.255, and any address in 224.0.0.0/4. The host
                     may not send ARPs with a source Ethernet address other
                     than 80:fa:5b:06:72:b7 or source IPv4 address other than
                     192.168.1.10. The host may not send or receive any IPv6
                     (including IPv6 Neighbor Discovery) traffic.

              "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
                     The host may send traffic from and receive traffic to the
                     specified MAC addresses, and to receive traffic to
                     Ethernet multicast and broadcast addresses, but not
                     otherwise. With MAC 80:fa:5b:12:42:ba, the host may send
                     traffic from and receive traffic to any L3 address. With
                     MAC 80:fa:5b:06:72:b7, the host may send IPv4 packets
                     from or receive IPv4 packets to only 192.168.1.10, except
                     that it may also receive IPv4 packets to 192.168.1.255
                     (based on the subnet mask), 255.255.255.255, and any
                     address in 224.0.0.0/4. The host may not send or receive
                     any IPv6 (including IPv6 Neighbor Discovery) traffic.
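
       The port_security rules above as an added Python model (it is not
       ovn-controller's flow logic and not part of this manual): allows()
       decides whether the host behind a port may send a frame (egress, where
       mac and ip are the source) or receive one (ingress, where they are the
       destination), and allows_arp() applies the ARP sender restriction. The
       inputs are constructed from the manual's examples. Two simplifications
       are this example's own: a frame to a multicast or broadcast MAC is
       accepted on ingress without an L3 check, and the IPv6 Neighbor
       Discovery source restriction is not modelled.

```python
import ipaddress

BCAST_V4 = ipaddress.IPv4Address("255.255.255.255")
MCAST_V4 = ipaddress.IPv4Network("224.0.0.0/4")
MCAST_V6 = ipaddress.IPv6Network("ff00::/8")


def _mac(token):
    parts = token.lower().split(":")
    if len(parts) != 6 or not all(
        len(p) == 2 and all(c in "0123456789abcdef" for c in p) for p in parts
    ):
        raise ValueError(f"bad Ethernet address {token!r}")
    return ":".join(parts)


def parse_element(element):
    """One port_security element: a MAC, then optional IPv4/IPv6 addresses with CIDR masks."""
    tokens = element.replace(",", " ").split()   # space or comma separated
    if not tokens:
        raise ValueError("empty element")
    return _mac(tokens[0]), [ipaddress.ip_interface(t) for t in tokens[1:]]


def _owns(iface, ip):
    """Host part zero means the whole subnet is allowed; otherwise only the exact address."""
    if iface.ip == iface.network.network_address and iface.network.prefixlen < iface.network.max_prefixlen:
        return ip in iface.network
    return ip == iface.ip


def _may_receive(iface, ip):
    """Owned addresses plus the broadcast/multicast allowances the manual lists."""
    if _owns(iface, ip):
        return True
    if ip.version == 4:
        return ip == BCAST_V4 or ip in MCAST_V4 or ip == iface.network.broadcast_address
    return ip in MCAST_V6


def allows(port_security, direction, mac, ip=None):
    """direction is "egress" (host sends; mac/ip are the source) or "ingress" (host receives)."""
    if direction not in ("egress", "ingress"):
        raise ValueError(direction)
    if not port_security:                  # empty column: everything permitted
        return True
    mac = _mac(mac)
    if direction == "ingress" and int(mac[:2], 16) & 1:
        return True                        # multicast/broadcast MAC is always deliverable
    addr = ipaddress.ip_address(ip) if ip is not None else None
    matched = [ifaces for emac, ifaces in map(parse_element, port_security) if emac == mac]
    if not matched:
        return False                       # MAC not listed at all
    if addr is None:
        return True                        # non-IP frame from a listed MAC
    check = _owns if direction == "egress" else _may_receive
    for ifaces in matched:
        if not ifaces:
            return True                    # MAC-only element: any L3 address
        if any(check(i, addr) for i in ifaces if i.ip.version == addr.version):
            return True
    return False                           # wrong address family, or address not listed


def allows_arp(port_security, sha, spa):
    """ARP from the host: sender MAC must be listed; an element with IPv4 pins the sender IP."""
    if not port_security:
        return True
    mac, spa = _mac(sha), ipaddress.ip_address(spa)
    for emac, ifaces in map(parse_element, port_security):
        if emac != mac:
            continue
        if not ifaces:
            return True                    # MAC-only element: any sender IP
        v4 = [i for i in ifaces if i.ip.version == 4]
        if v4 and any(_owns(i, spa) for i in v4):
            return True
    return False                           # unlisted MAC, IPv6-only element, or wrong spa


if __name__ == "__main__":
    # Constructed from the manual's second example.
    ps = ["80:fa:5b:06:72:b7 192.168.1.10/24"]
    print(allows(ps, "egress", "80:fa:5b:06:72:b7", "192.168.1.11"),    # spoofed source: denied
          allows(ps, "ingress", "80:fa:5b:06:72:b7", "192.168.1.255"))  # subnet broadcast: allowed
```

       The model makes the spoofing boundary explicit: with the second
       example, a guest that changes its source IP or MAC loses both data
       traffic and ARP, while a MAC-only element (the third example's first
       entry) pins the MAC but leaves every L3 address open.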
714
     DHCP:

       dhcpv4_options: optional weak reference to DHCP_Options
              This column defines the DHCPv4 Options to be included by
              ovn-controller when it replies to DHCPv4 requests. Please see
              the DHCP_Options table.

       dhcpv6_options: optional weak reference to DHCP_Options
              This column defines the DHCPv6 Options to be included by
              ovn-controller when it replies to DHCPv6 requests. Please see
              the DHCP_Options table.

     Naming:

       external_ids : neutron:port_name: optional string
              This column gives an optional human-friendly name for the port.
              This name has no special meaning or purpose other than to
              provide convenience for human interaction with the northbound
              database.

              Neutron copies this from its own port object’s name. (Neutron
              ports are not assigned human-friendly names by default, so it
              will often be empty.)

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

              The ovn-northd program copies all these pairs into the
              external_ids column of the Port_Binding table in the
              OVN_Southbound database.

Address_Set TABLE
       Each row in this table represents a named set of addresses. An address
       set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
       or CIDR masks. Address sets may ultimately be used in ACLs to compare
       against fields such as ip4.src or ip6.src. A single address set must
       contain addresses of the same type. As an example, the following would
       create an address set with three IP addresses:

         ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'

       Address sets may be used in the match column of the ACL table, where a
       set is referenced by its name prefixed with $ (for example,
       ip4.src == $set1). For syntax information, see the details of the
       expression language used for the match column in the Logical_Flow
       table of the OVN_Southbound database.

   Summary:
       name                          string (must be unique within table)
       addresses                     set of strings
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       name: string (must be unique within table)
              A name for the address set. Names are ASCII and must match
              [a-zA-Z_.][a-zA-Z_.0-9]*.

       addresses: set of strings
              The set of addresses in string form.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Port_Group TABLE
       Each row in this table represents a named group of logical switch
       ports.

       Port groups may be used in the match column of the ACL table. For
       syntax information, see the details of the expression language used
       for the match column in the Logical_Flow table of the OVN_Southbound
       database.

       For each port group, two address sets are generated in the Address_Set
       table of the OVN_Southbound database, containing the IP addresses of
       the group of ports, one for IPv4 and the other for IPv6, named after
       the Port_Group with the suffix _ip4 for IPv4 and _ip6 for IPv6. The
       generated address sets can be used in the same way as regular address
       sets in the match column of the ACL table.

   Summary:
       name                          string (must be unique within table)
       ports                         set of weak reference to
                                     Logical_Switch_Ports
       acls                          set of ACLs
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       name: string (must be unique within table)
              A name for the port group. Names are ASCII and must match
              [a-zA-Z_.][a-zA-Z_.0-9]*.

       ports: set of weak reference to Logical_Switch_Ports
              The logical switch ports belonging to the group, referenced by
              UUID.

       acls: set of ACLs
              Access control rules that apply to the port group. Applying an
              ACL to a port group has the same effect as applying the ACL to
              all logical switches that the ports of the port group belong
              to.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

830 Each row represents one load balancer.
831
832 Summary:
833 name string
834 vips map of string-string pairs
835 protocol optional string, either tcp or udp
836 Common Columns:
837 external_ids map of string-string pairs
838
839 Details:
840 name: string
841 A name for the load balancer. This name has no special meaning
842 or purpose other than to provide convenience for human interac‐
843 tion with the ovn-nb database.
844
845 vips: map of string-string pairs
846 A map of virtual IP addresses (and an optional port number with
847 : as a separator) associated with this load balancer and their
848 corresponding endpoint IP addresses (and optional port numbers
849 with : as separators) separated by commas. If the destination IP
850 address (and port number) of a packet leaving a container or a
851 VM matches the virtual IP address (and port number) provided
852 here as a key, then OVN will statefully replace the destination
853 IP address by one of the provided IP addresses (and port num‐
854 bers) in this map as a value. IPv4 and IPv6 addresses are sup‐
855 ported for load balancing; however, a VIP of one address family
856 may not be mapped to a destination IP address of a different
857 family. If specifying an IPv6 address with a port, the address
858 portion must be enclosed in square brackets. Examples for keys
859 are "192.168.1.4" and "[fd0f::1]:8800". Examples for values are
860 "10.0.0.1, 10.0.0.2" and "20.0.0.10:8800, 20.0.0.11:8800".
861
862 When the Load_Balancer is added to the logical_switch, the VIP
863 has to be in a different subnet than the one used for the logi‐
864 cal_switch. Since the VIP is in a different subnet, you should
865 connect your logical switch to either an OVN logical router or a
866 real router (this is because the client can now send a packet
867 with the VIP as the destination IP address and the router’s MAC
868 address as the destination MAC address).
869
870 protocol: optional string, either tcp or udp
871 Valid protocols are tcp or udp. This column is useful when a
872 port number is provided as part of the vips column. If this col‐
873 umn is empty and a port number is provided as part of vips col‐
874 umn, OVN assumes the protocol to be tcp.
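Added example, not part of the ovn-nb manual: a parser and validator for one entry of the vips map that applies the rules of the vips and protocol columns (bracketed IPv6, comma-separated backends, same address family, tcp as the default protocol when a port is given). Function names, the port-consistency check and the sample rows are this example's own.

```python
# Added example, not part of the ovn-nb manual: parse and validate one entry of
# the Load_Balancer vips map, applying the rules in the vips and protocol
# columns.  The function names and the port-consistency check are this
# example's own; sample rows are constructed.
import ipaddress
from typing import List, Optional, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Endpoint = Tuple[Address, Optional[int]]


def _parse_port(text: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return port


def parse_endpoint(text: str) -> Endpoint:
    """Parse "10.0.0.1", "10.0.0.1:80" or "[fd0f::1]:8800" into (address, port).

    An IPv6 address with a port must be bracketed: without brackets
    "fd0f::1:8800" is itself a valid IPv6 address, so the port would be lost.
    """
    text = text.strip()
    if text.startswith("["):
        close = text.find("]")
        if close < 0:
            raise ValueError(f"unterminated bracket in {text!r}")
        addr = ipaddress.ip_address(text[1:close])
        rest = text[close + 1:]
        if rest == "":
            return addr, None
        if not rest.startswith(":"):
            raise ValueError(f"unexpected text after address in {text!r}")
        return addr, _parse_port(rest[1:])
    if text.count(":") == 1:                      # IPv4 with a port
        host, port = text.split(":")
        return ipaddress.ip_address(host), _parse_port(port)
    return ipaddress.ip_address(text), None       # bare IPv4 or bare IPv6


def parse_vip(key: str, value: str, protocol: Optional[str] = None):
    """Return ((vip, port), backends, effective_protocol) for one map pair.

    Backends are comma separated and must share the VIP's address family.
    A port on the VIP defaults the protocol to tcp when the column is empty.
    """
    vip, vip_port = parse_endpoint(key)
    backends = [parse_endpoint(p) for p in value.split(",") if p.strip()]
    if not backends:
        raise ValueError(f"VIP {key} has no backends")
    for addr, port in backends:
        if addr.version != vip.version:
            raise ValueError(f"backend {addr} is not in the address family of VIP {vip}")
        if (port is None) != (vip_port is None):
            raise ValueError(f"VIP {key} and backend {addr} disagree on port usage")
    if protocol not in (None, "", "tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, not {protocol!r}")
    effective = protocol or ("tcp" if vip_port is not None else None)
    return (vip, vip_port), backends, effective


def check_vips(vips: dict, protocol: Optional[str] = None) -> List[str]:
    """Validate a whole vips map; returns one message per rejected entry."""
    errors = []
    for key, value in vips.items():
        try:
            parse_vip(key, value, protocol)
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
    return errors


# Constructed sample maps built from the manual's example keys and values.
SAMPLE_VIPS = {
    "192.168.1.4": "10.0.0.1, 10.0.0.2",
    "30.0.0.1:8800": "20.0.0.10:8800, 20.0.0.11:8800",
    "[fd0f::1]:8800": "[fd0f::10]:8800, [fd0f::11]:8800",
}
BAD_VIPS = {"[fd0f::2]:80": "10.0.0.3:80"}   # IPv6 VIP with an IPv4 backend

if __name__ == "__main__":
    print("sample errors:", check_vips(SAMPLE_VIPS))
    print("bad errors:", check_vips(BAD_VIPS))
```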
875
876 Common Columns:
877
878 external_ids: map of string-string pairs
879 See External IDs at the beginning of this document.
880
ACL TABLE
882 Each row in this table represents one ACL rule for a logical switch or
883 a port group that points to it through its acls column. The action col‐
884 umn for the highest-priority matching row in this table determines a
885 packet’s treatment. If no row matches, packets are allowed by default.
886 (Default-deny treatment is possible: add a rule with priority 0, 1 as
887 match, and drop as action.)
888
889 Summary:
890 priority integer, in range 0 to 32,767
891 direction string, either from-lport or to-lport
892 match string
893 action string, one of allow-related, allow,
894 drop, or reject
895 Logging:
896 log boolean
897 name optional string, at most 63 characters
898 long
899 severity optional string, one of alert, debug,
900 info, notice, or warning
901 meter optional string
902 Common Columns:
903 external_ids map of string-string pairs
904
905 Details:
906 priority: integer, in range 0 to 32,767
907 The ACL rule’s priority. Rules with numerically higher priority
908 take precedence over those with lower. If two ACL rules with the
909 same priority both match, then the one actually applied to a
910 packet is undefined.
911
912 Return traffic from an allow-related flow is always allowed and
913 cannot be changed through an ACL.
914
915 direction: string, either from-lport or to-lport
916 Direction of the traffic to which this rule should apply:
917
918 · from-lport: Used to implement filters on traffic arriving
919 from a logical port. These rules are applied to the logi‐
920 cal switch’s ingress pipeline.
921
922 · to-lport: Used to implement filters on traffic forwarded
923 to a logical port. These rules are applied to the logical
924 switch’s egress pipeline.
925
926 match: string
927 The packets that the ACL should match, in the same expression
928 language used for the match column in the OVN Southbound data‐
929 base’s Logical_Flow table. The outport logical port is only
930 available in the to-lport direction (the inport is available in
931 both directions).
932
933 By default all traffic is allowed. When writing a more restric‐
934 tive policy, it is important to remember to allow flows such as
935 ARP and IPv6 neighbor discovery packets.
936
937 Note that you cannot create an ACL matching on a port with
938 type=router or type=localnet.
939
940 action: string, one of allow-related, allow, drop, or reject
941 The action to take when the ACL rule matches:
942
943 · allow: Forward the packet.
944
945 · allow-related: Forward the packet and related traffic
946 (e.g. inbound replies to an outbound connection).
947
948 · drop: Silently drop the packet.
949
950 · reject: Drop the packet, replying with a RST for TCP or
951 ICMPv4/ICMPv6 unreachable message for other
952 IPv4/IPv6-based protocols.
953
954 Logging:
955
956 These columns control whether and how OVN logs packets that match an
957 ACL.
958
959 log: boolean
960 If set to true, packets that match the ACL will trigger a log
961 message on the transport node or nodes that perform ACL process‐
962 ing. Logging may be combined with any action.
963
964 If set to false, the remaining columns in this group have no
965 significance.
966
967 name: optional string, at most 63 characters long
968 This name, if it is provided, is included in log records. It
969 provides the administrator and the cloud management system a way
970 to associate a log record with a particular ACL.
971
972 severity: optional string, one of alert, debug, info, notice, or warn‐
973 ing
974 The severity of the ACL. The severity levels match those of sys‐
975 log, in decreasing level of severity: alert, warning, notice,
976 info, or debug. When the column is empty, the default is info.
977
978 meter: optional string
979 The name of a meter to rate-limit log messages for the ACL. The
980 string must match the name column of a row in the Meter table.
981 By default, log messages are not rate-limited.
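Added example, not part of the ovn-nb manual: a small model of how the ACL columns above decide a packet's treatment (highest priority wins, allow by default, a catch-all row at priority 0 for default deny, outport only in to-lport, log severity defaulting to info). Only a conjunction of `field == value` terms plus the constants 1 and 0 is understood here, a far smaller language than OVN's real match syntax; names and sample data are this example's own.

```python
# Added example, not part of the ovn-nb manual: a model of how the ACL columns
# decide a packet's fate.  Only `field == value` terms joined by && plus the
# constants 1 and 0 are understood; OVN's real match language is far richer.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACTIONS = {"allow", "allow-related", "drop", "reject"}
DIRECTIONS = {"from-lport", "to-lport"}
SEVERITIES = {"alert", "warning", "notice", "info", "debug"}


@dataclass
class Acl:
    priority: int
    direction: str
    match: str
    action: str
    log: bool = False
    name: Optional[str] = None
    severity: Optional[str] = None


# One comparison term: a field name, "==", and a value that may be quoted.
_TERM = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*==\s*("?)([^"\s]+)\2\s*$')


def match_terms(match: str) -> List[Tuple[str, str]]:
    """Split a match string into (field, value) pairs; "1" and "0" have none."""
    expr = match.strip()
    if expr in ("1", "0"):
        return []
    terms = []
    for term in expr.split("&&"):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported match term: {term!r}")
        terms.append((m.group(1), m.group(3)))
    return terms


def validate_acl(acl: Acl) -> List[str]:
    """Return the column constraints from the manual that this row violates."""
    problems = []
    if not 0 <= acl.priority <= 32767:
        problems.append("priority must be in range 0 to 32,767")
    if acl.direction not in DIRECTIONS:
        problems.append("direction must be from-lport or to-lport")
    if acl.action not in ACTIONS:
        problems.append("action must be allow-related, allow, drop or reject")
    if acl.name is not None and len(acl.name) > 63:
        problems.append("name may be at most 63 characters long")
    if acl.severity is not None and acl.severity not in SEVERITIES:
        problems.append("severity must be alert, debug, info, notice or warning")
    fields = {field for field, _ in match_terms(acl.match)}
    if "outport" in fields and acl.direction != "to-lport":
        problems.append("outport is only available in the to-lport direction")
    return problems


def matches(acl: Acl, packet: Dict[str, object]) -> bool:
    """True when every term of the ACL's match holds for the packet fields."""
    if acl.match.strip() == "0":
        return False
    return all(str(packet.get(f)) == v for f, v in match_terms(acl.match))


def decide(acls: List[Acl], packet: Dict[str, object], direction: str) -> str:
    """Action applied to the packet: the highest-priority matching row in this
    direction wins; with no matching row the packet is allowed by default."""
    best = None
    for acl in acls:
        if acl.direction == direction and matches(acl, packet):
            if best is None or acl.priority > best.priority:
                best = acl
    return best.action if best else "allow"


def log_record(acl: Acl) -> Optional[Dict[str, Optional[str]]]:
    """Fields a log message carries when log is true; severity defaults to info."""
    if not acl.log:
        return None
    return {"name": acl.name, "severity": acl.severity or "info"}


# Constructed sample policy: admit HTTPS to port "web1", log it, and drop the
# rest with a catch-all row at priority 0 (the default-deny pattern).
ACLS = [
    Acl(1000, "to-lport", 'outport == "web1" && tcp.dst == 443',
        "allow-related", log=True, name="allow-https"),
    Acl(0, "to-lport", "1", "drop"),
]
HTTPS_PKT = {"inport": "client1", "outport": "web1", "ip4.dst": "10.0.0.5", "tcp.dst": 443}
SSH_PKT = {**HTTPS_PKT, "tcp.dst": 22}

if __name__ == "__main__":
    for label, pkt in (("https", HTTPS_PKT), ("ssh", SSH_PKT)):
        print(label, decide(ACLS, pkt, "to-lport"))
```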
982
983 Common Columns:
984
985 external_ids: map of string-string pairs
986 See External IDs at the beginning of this document.
987
Logical_Router TABLE
989 Each row represents one L3 logical router.
990
991 Summary:
992 ports set of Logical_Router_Ports
993 static_routes set of Logical_Router_Static_Routes
994 enabled optional boolean
995 nat set of NATs
996 load_balancer set of Load_Balancers
997 Naming:
998 name string
999 external_ids : neutron:router_name
1000 optional string
1001 Options:
1002 options : chassis optional string
1003 options : dnat_force_snat_ip
1004 optional string
1005 options : lb_force_snat_ip optional string
1006 Common Columns:
1007 external_ids map of string-string pairs
1008
1009 Details:
1010 ports: set of Logical_Router_Ports
1011 The router’s ports.
1012
1013 static_routes: set of Logical_Router_Static_Routes
1014 One or more static routes for the router.
1015
1016 enabled: optional boolean
1017 This column is used to administratively set router state. If
1018 this column is empty or is set to true, the router is enabled.
1019 If this column is set to false, the router is disabled. A dis‐
1020 abled router has all ingress and egress traffic dropped.
1021
1022 nat: set of NATs
1023 One or more NAT rules for the router. NAT rules only work on
1024 Gateway routers, and on distributed routers with one logical
1025 router port with a redirect-chassis specified.
1026
1027 load_balancer: set of Load_Balancers
1028 Load balance a virtual IP address to a set of logical port IP
1029 addresses. Load balancer rules only work on the Gateway routers.
1030
1031 Naming:
1032
1033 These columns provide names for the logical router. From OVN’s perspec‐
1034 tive, these names have no special meaning or purpose other than to pro‐
1035 vide convenience for human interaction with the northbound database.
1036 There is no requirement for the name to be unique. (For a unique iden‐
1037 tifier for a logical router, use its row UUID.)
1038
1039 (Originally, name was intended to serve the purpose of a human-friendly
1040 name, but the Neutron integration used it to uniquely identify its own
1041 router object, in the format neutron-uuid. Later on, Neutron started
1042 propagating the friendly name of a router as external_ids:neu‐
1043 tron:router_name. Perhaps this can be cleaned up someday.)
1044
1045 name: string
1046 A name for the logical router.
1047
1048 external_ids : neutron:router_name: optional string
1049 Another name for the logical router.
1050
1051 Options:
1052
1053 Additional options for the logical router.
1054
1055 options : chassis: optional string
1056 If set, indicates that the logical router in question is a Gate‐
1057 way router (which is centralized) and resides in the set chas‐
1058 sis. The same value is also used by ovn-controller to uniquely
1059 identify the chassis in the OVN deployment and comes from exter‐
1060 nal_ids:system-id in the Open_vSwitch table of Open_vSwitch
1061 database.
1062
1063 The Gateway router can only be connected to a distributed router
1064 via a switch if SNAT and DNAT are to be configured in the Gate‐
1065 way router.
1066
1067 options : dnat_force_snat_ip: optional string
1068 If set, indicates the IP address to use to force SNAT a packet
1069 that has already been DNATted in the gateway router. When multi‐
1070 ple gateway routers are configured, a packet can potentially
1071 enter any of the gateway routers, get DNATted and eventually
1072 reach the logical switch port. For the return traffic to go back
1073 to the same gateway router (for unDNATing), the packet needs a
1074 SNAT in the first place. This can be achieved by setting the
1075 above option with a gateway-specific IP address.
1076
1077 options : lb_force_snat_ip: optional string
1078 If set, indicates the IP address to use to force SNAT a packet
1079 that has already been load-balanced in the gateway router. When
1080 multiple gateway routers are configured, a packet can poten‐
1081 tially enter any of the gateway routers, get DNATted as part of
1082 the load balancing and eventually reach the logical switch
1083 port. For the return traffic to go back to the same gateway
1084 router (for unDNATing), the packet needs a SNAT in the first
1085 place. This can be achieved by setting the above option with a
1086 gateway-specific IP address.
1087
1088 Common Columns:
1089
1090 external_ids: map of string-string pairs
1091 See External IDs at the beginning of this document.
1092
QoS TABLE
1094 Each row in this table represents one QoS rule for a logical switch
1095 that points to it through its qos_rules column. Two types of QoS are
1096 supported: DSCP marking and metering. The highest-priority matching
1097 row has its QoS applied. If the action column is specified, then
1098 matching packets will have DSCP marking applied. If the bandwidth col‐
1099 umn is specified, then matching packets will have metering applied.
1100 action and bandwidth are not exclusive, so both marking and metering
1101 can be defined for the same QoS entry. If no row matches, packets will
1102 not have any QoS applied.
1103
1104 Summary:
1105 priority integer, in range 0 to 32,767
1106 direction string, either from-lport or to-lport
1107 match string
1108 action map of string-integer pairs, key must be
1109 dscp, value in range 0 to 63
1110 bandwidth map of string-integer pairs, key either
1111 burst or rate, value in range 1 to
1112 4,294,967,295
1113 external_ids map of string-string pairs
1114
1115 Details:
1116 priority: integer, in range 0 to 32,767
1117 The QoS rule’s priority. Rules with numerically higher priority
1118 take precedence over those with lower. If two QoS rules with the
1119 same priority both match, then the one actually applied to a
1120 packet is undefined.
1121
1122 direction: string, either from-lport or to-lport
1123 The value of this field has the same meaning as the direction
1124 column in the OVN Northbound database’s ACL table.
1125
1126 match: string
1127 The packets that the QoS rules should match, in the same expres‐
1128 sion language used for the match column in the OVN Southbound
1129 database’s Logical_Flow table. The outport logical port is only
1130 available in the to-lport direction (the inport is available in
1131 both directions).
1132
1133 action: map of string-integer pairs, key must be dscp, value in range 0
1134 to 63
1135 When specified, matching flows will have DSCP marking applied.
1136
1137 · dscp: The value of this action should be in the range of
1138 0 to 63 (inclusive).
1139
1140 bandwidth: map of string-integer pairs, key either burst or rate, value
1141 in range 1 to 4,294,967,295
1142 When specified, matching packets will have bandwidth metering
1143 applied. Traffic over the limit will be dropped.
1144
1145 · rate: The value of rate limit in kbps.
1146
1147 · burst: The value of burst rate limit in kilobits. This is
1148 optional and requires rate to be specified as well.
1149
1150 external_ids: map of string-string pairs
1151 See External IDs at the beginning of this document.
1152
Meter TABLE
1154 Each row in this table represents a meter that can be used for QoS or
1155 rate-limiting.
1156
1157 Summary:
1158 name string (must be unique within table)
1159 unit string, either kbps or pktps
1160 bands set of 1 or more Meter_Bands
1161 external_ids map of string-string pairs
1162
1163 Details:
1164 name: string (must be unique within table)
1165 A name for this meter.
1166
1167 Names that begin with "__" (two underscores) are reserved for
1168 OVN internal use and should not be added manually.
1169
1170 unit: string, either kbps or pktps
1171 The unit for rate and burst_rate parameters in the bands entry.
1172 kbps specifies kilobits per second, and pktps specifies packets
1173 per second.
1174
1175 bands: set of 1 or more Meter_Bands
1176 The bands associated with this meter. Each band specifies a rate
1177 above which the band is to take the action action. If multiple
1178 bands’ rates are exceeded, then the band with the highest rate
1179 among the exceeded bands is selected.
1180
1181 external_ids: map of string-string pairs
1182 See External IDs at the beginning of this document.
1183
Meter_Band TABLE
1185 Each row in this table represents a meter band which specifies the rate
1186 above which the configured action should be applied. These bands are
1187 referenced by the bands column in the Meter table.
1188
1189 Summary:
1190 action string, must be drop
1191 rate integer, in range 1 to 4,294,967,295
1192 burst_size integer, in range 0 to 4,294,967,295
1193 external_ids map of string-string pairs
1194
1195 Details:
1196 action: string, must be drop
1197 The action to execute when this band matches. The only supported
1198 action is drop.
1199
1200 rate: integer, in range 1 to 4,294,967,295
1201 The rate limit for this band, in kilobits per second or packets
1202 per second, depending on whether the parent Meter entry’s unit
1203 column specified kbps or pktps.
1204
1205 burst_size: integer, in range 0 to 4,294,967,295
1206 The maximum burst allowed for the band in kilobits or packets,
1207 depending on whether kbps or pktps was selected in the parent
1208 Meter entry’s unit column. If the size is zero, the switch is
1209 free to select some reasonable value depending on its configura‐
1210 tion.
1211
1212 external_ids: map of string-string pairs
1213 See External IDs at the beginning of this document.
1214
Logical_Router_Port TABLE
1216 A port within an L3 logical router.
1217
1218 Exactly one Logical_Router row must reference a given logical router
1219 port.
1220
1221 Summary:
1222 name string (must be unique within table)
1223 gateway_chassis set of Gateway_Chassiss
1224 networks set of 1 or more strings
1225 mac string
1226 enabled optional boolean
1227 ipv6_ra_configs:
1228 ipv6_ra_configs : address_mode
1229 optional string
1230 ipv6_ra_configs : mtu optional string
1231 ipv6_ra_configs : send_periodic
1232 optional string
1233 ipv6_ra_configs : max_interval
1234 optional string
1235 ipv6_ra_configs : min_interval
1236 optional string
1237 Options:
1238 options : redirect-chassis optional string
1239 Attachment:
1240 peer optional string
1241 Common Columns:
1242 external_ids map of string-string pairs
1243
1244 Details:
1245 name: string (must be unique within table)
1246 A name for the logical router port.
1247
1248 In addition to providing convenience for human interaction with
1249 the northbound database, this column is used as a reference by
1250 its patch port in Logical_Switch_Port or by another logical
1251 router port in Logical_Router_Port.
1252
1253 gateway_chassis: set of Gateway_Chassiss
1254 If set, this indicates that this logical router port represents
1255 a distributed gateway port that connects this router to a logi‐
1256 cal switch with a localnet port. There may be at most one such
1257 logical router port on each logical router.
1258
1259 Several Gateway_Chassis can be referenced for a given logical
1260 router port. A single Gateway_Chassis is functionally equivalent
1261 to setting options:redirect-chassis. Refer to the description of
1262 options:redirect-chassis for additional details on gateway han‐
1263 dling.
1264
1265 Defining more than one Gateway_Chassis will enable gateway high
1266 availability. Only one gateway will be active at a time. OVN
1267 chassis will use BFD to monitor connectivity to a gateway. If
1268 connectivity to the active gateway is interrupted, another gate‐
1269 way will become active. The priority column specifies the order
1270 that gateways will be chosen by OVN.
1271
1272 networks: set of 1 or more strings
1273 The IP addresses and netmasks of the router. For example,
1274 192.168.0.1/24 indicates that the router’s IP address is
1275 192.168.0.1 and that packets destined to 192.168.0.x should be
1276 routed to this port.
1277
1278 A logical router port always adds a link-local IPv6 address
1279 (fe80::/64) automatically generated from the interface’s MAC
1280 address using the modified EUI-64 format.
1281
1282 mac: string
1283 The Ethernet address that belongs to this router port.
1284
1285 enabled: optional boolean
1286 This column is used to administratively set port state. If this
1287 column is empty or is set to true, the port is enabled. If this
1288 column is set to false, the port is disabled. A disabled port
1289 has all ingress and egress traffic dropped.
1290
1291 ipv6_ra_configs:
1292
1293 This column defines the IPv6 ND RA address mode and ND MTU Option to be
1294 included by ovn-controller when it replies to IPv6 Router Solicitation
1295 requests.
1296
1297 ipv6_ra_configs : address_mode: optional string
1298 The address mode to be used for IPv6 address configuration. The
1299 supported values are:
1300
1301 · slaac: Address configuration using Router Advertisement
1302 (RA) packet. The IPv6 prefixes defined in the Logi‐
1303 cal_Router_Port table’s networks column will be included
1304 in the RA’s ICMPv6 option - Prefix information.
1305
1306 · dhcpv6_stateful: Address configuration using DHCPv6.
1307
1308 · dhcpv6_stateless: Address configuration using Router
1309 Advertisement (RA) packet. Other IPv6 options are pro‐
1310 vided by DHCPv6.
1311
1312 ipv6_ra_configs : mtu: optional string
1313 The recommended MTU for the link. Default is 0, which means no
1314 MTU Option will be included in the RA packets sent by ovn-con‐
1315 troller. Per RFC 2460, the mtu value should be no less than
1316 1280, so any mtu value less than 1280 is treated as no MTU
1317 Option.
1318
1319 ipv6_ra_configs : send_periodic: optional string
1320 If set to true, then this router interface will send router
1321 advertisements periodically. The default is false.
1322
1323 ipv6_ra_configs : max_interval: optional string
1324 The maximum number of seconds to wait between sending periodic
1325 router advertisements. This option has no effect if ipv6_ra_con‐
1326 figs:send_periodic is false. The default is 600.
1327
1328 ipv6_ra_configs : min_interval: optional string
1329 The minimum number of seconds to wait between sending periodic
1330 router advertisements. This option has no effect if ipv6_ra_con‐
1331 figs:send_periodic is false. The default is one-third of
1332 ipv6_ra_configs:max_interval, i.e. 200 seconds if that key is
1333 unset.
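Added example, not part of the ovn-nb manual: the two derived values the Logical_Router_Port text above describes, the modified EUI-64 link-local address built from mac and the effective ipv6_ra_configs settings once the documented defaults and the 1280-byte MTU threshold are applied. Function names, the interval sanity check and the sample values are this example's own.

```python
# Added example, not part of the ovn-nb manual: derived values of a logical
# router port (EUI-64 link-local address, effective ipv6_ra_configs).
# Function names, the interval check and sample values are this example's own.
import ipaddress
from typing import Dict, Optional


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 address in modified EUI-64 form, as the router port adds automatically."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Split the MAC in half, insert ff:fe, and invert the universal/local bit.
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02
    return ipaddress.IPv6Address(bytes.fromhex("fe80000000000000") + bytes(eui64))


MODES = ("slaac", "dhcpv6_stateful", "dhcpv6_stateless")


def effective_ra_config(cfg: Dict[str, str]) -> Dict[str, object]:
    """Resolve ipv6_ra_configs keys to the values the router port acts on.

    Defaults follow the column descriptions: mtu 0 (no option), send_periodic
    false, max_interval 600 and min_interval one third of max_interval.
    """
    mode = cfg.get("address_mode")
    if mode not in MODES:
        raise ValueError(f"address_mode must be one of {MODES}, not {mode!r}")
    mtu = int(cfg.get("mtu", "0"))
    send_periodic = cfg.get("send_periodic", "false") == "true"
    max_interval = int(cfg.get("max_interval", "600"))
    min_interval = int(cfg.get("min_interval", str(max_interval // 3)))
    if send_periodic and not 0 < min_interval <= max_interval:
        raise ValueError("min_interval must be positive and no larger than max_interval")
    return {
        "address_mode": mode,
        # Below the IPv6 minimum link MTU of 1280 (RFC 2460) no MTU option is sent.
        "mtu_option": mtu if mtu >= 1280 else None,
        "send_periodic": send_periodic,
        "max_interval": max_interval if send_periodic else None,
        "min_interval": min_interval if send_periodic else None,
    }


# Constructed sample router port settings.
SAMPLE_MAC = "0a:00:27:00:00:05"
SAMPLE_RA = {"address_mode": "slaac", "mtu": "1500", "send_periodic": "true"}

if __name__ == "__main__":
    print(link_local_from_mac(SAMPLE_MAC))
    print(effective_ra_config(SAMPLE_RA))
```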
1334
1335 Options:
1336
1337 Additional options for the logical router port.
1338
1339 options : redirect-chassis: optional string
1340 If set, this indicates that this logical router port represents
1341 a distributed gateway port that connects this router to a logi‐
1342 cal switch with a localnet port. There may be at most one such
1343 logical router port on each logical router.
1344
1345 Even when a redirect-chassis is specified, the logical router
1346 port still effectively resides on each chassis. However, due to
1347 the implications of the use of L2 learning in the physical net‐
1348 work, as well as the need to support advanced features such as
1349 one-to-many NAT (aka IP masquerading), a subset of the logical
1350 router processing is handled in a centralized manner on the
1351 specified redirect-chassis.
1352
1353 When this option is specified, the peer logical switch port’s
1354 addresses must be set to router. With this setting, the exter‐
1355 nal_macs specified in NAT rules are automatically programmed in
1356 the peer logical switch’s destination lookup on the chassis
1357 where the logical_port resides. In addition, the logical
1358 router’s MAC address is automatically programmed in the peer
1359 logical switch’s destination lookup flow on the redirect-chas‐
1360 sis.
1361
1362 When this option is specified and it is desired to generate gra‐
1363 tuitous ARPs for NAT addresses, then the peer logical switch
1364 port’s options:nat-addresses should be set to router.
1365
1366 While options:redirect-chassis is still supported for backwards
1367 compatibility, it is now preferred to specify one or more gate‐
1368 way_chassis instead. It is functionally equivalent, but allows
1369 you to specify multiple chassis to enable high availability.
1370
1371 Attachment:
1372
1373 A given router port serves one of two purposes:
1374
1375 · To attach a logical switch to a logical router. A logical
1376 router port of this type is referenced by exactly one
1377 Logical_Switch_Port of type router. The value of name is
1378 set as options:router-port in that Logical_Switch_Port.
1379 In this case the peer column is empty.
1380
1381 · To connect one logical router to another. This requires a
1382 pair of logical router ports, each connected to a differ‐
1383 ent router. Each router port in the pair specifies the
1384 other in its peer column. No Logical_Switch refers to the
1385 router port.
1386
1387 peer: optional string
1388 For a router port used to connect two logical routers, this
1389 identifies the other router port in the pair by name.
1390
1391 For a router port attached to a logical switch, this column is
1392 empty.
1393
1394 Common Columns:
1395
1396 external_ids: map of string-string pairs
1397 See External IDs at the beginning of this document.
1398
Logical_Router_Static_Route TABLE
1400 Each record represents a static route.
1401
1402 When multiple routes match a packet, the longest-prefix match is cho‐
1403 sen. For a given prefix length, a dst-ip route is preferred over a
1404 src-ip route.
1405
1406 Summary:
1407 ip_prefix string
1408 policy optional string, either dst-ip or src-ip
1409 nexthop string
1410 output_port optional string
1411 Common Columns:
1412 external_ids map of string-string pairs
1413
1414 Details:
1415 ip_prefix: string
1416 IP prefix of this route (e.g. 192.168.100.0/24).
1417
1418 policy: optional string, either dst-ip or src-ip
1419 If it is specified, this setting describes the policy used to
1420 make routing decisions. This setting must be one of the follow‐
1421 ing strings:
1422
1423 · src-ip: This policy sends the packet to the nexthop when
1424 the packet’s source IP address matches ip_prefix.
1425
1426 · dst-ip: This policy sends the packet to the nexthop when
1427 the packet’s destination IP address matches ip_prefix.
1428
1429 If not specified, the default is dst-ip.
1430
1431 nexthop: string
1432 Nexthop IP address for this route. Nexthop IP address should be
1433 the IP address of a connected router port or the IP address of a
1434 logical port.
1435
1436 output_port: optional string
1437 The name of the Logical_Router_Port via which the packet needs
1438 to be sent out. This is optional and when not specified, OVN
1439 will automatically figure this out based on the nexthop. When
1440 this is specified and there are multiple IP addresses on the
1441 router port and none of them are in the same subnet of nexthop,
1442 OVN chooses the first IP address as the one via which the nex‐
1443 thop is reachable.
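Added example, not part of the ovn-nb manual: route selection following the rules above (longest prefix wins; at equal length dst-ip beats src-ip) and the output_port resolution described for that column, including the fallback to the port's first address when no address shares the nexthop's subnet. Router ports, routes and helper names are this example's own constructions.

```python
# Added example, not part of the ovn-nb manual: static route selection and
# output_port resolution as the Logical_Router_Static_Route columns describe.
# Router ports, routes and helper names are constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RouterPort:
    name: str
    networks: List[str]                # Logical_Router_Port networks, e.g. "10.0.0.1/24"


@dataclass
class StaticRoute:
    ip_prefix: str
    nexthop: str
    policy: Optional[str] = None       # dst-ip when empty
    output_port: Optional[str] = None

    def effective_policy(self) -> str:
        if self.policy not in (None, "dst-ip", "src-ip"):
            raise ValueError(f"policy must be dst-ip or src-ip, not {self.policy!r}")
        return self.policy or "dst-ip"


def select_route(routes: List[StaticRoute], src_ip: str, dst_ip: str) -> Optional[StaticRoute]:
    """Route chosen for a packet: longest matching prefix, then dst-ip over src-ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best, best_key = None, None
    for route in routes:
        net = ipaddress.ip_network(route.ip_prefix, strict=False)
        is_dst = route.effective_policy() == "dst-ip"
        addr = dst if is_dst else src
        if addr.version != net.version or addr not in net:
            continue
        key = (net.prefixlen, 1 if is_dst else 0)   # prefix length first, then policy
        if best_key is None or key > best_key:
            best, best_key = route, key
    return best


def resolve_output(ports: List[RouterPort], route: StaticRoute) -> Optional[Tuple[str, str]]:
    """(port name, port address) through which the nexthop is reached.

    With output_port unset, the port whose network contains nexthop is used.
    With it set, that port is used, and when none of its addresses share a
    subnet with nexthop its first address is taken, as the column describes.
    """
    nexthop = ipaddress.ip_address(route.nexthop)
    candidates = [p for p in ports if route.output_port in (None, p.name)]
    for port in candidates:
        for cidr in port.networks:
            iface = ipaddress.ip_interface(cidr)
            if nexthop in iface.network:
                return port.name, str(iface.ip)
    if route.output_port is not None and candidates:
        first = ipaddress.ip_interface(candidates[0].networks[0])
        return candidates[0].name, str(first.ip)
    return None


# Constructed topology: one inside port and one outside port with two subnets.
PORTS = [
    RouterPort("lrp-inside", ["192.168.0.1/24"]),
    RouterPort("lrp-outside", ["10.0.0.1/24", "172.16.0.1/24"]),
]
ROUTES = [
    StaticRoute("0.0.0.0/0", "10.0.0.254"),                          # default route
    StaticRoute("172.17.0.0/16", "10.0.0.200"),                       # dst-ip (default)
    StaticRoute("172.17.0.0/16", "172.16.0.200", policy="src-ip"),
    StaticRoute("172.17.5.0/24", "172.16.0.201", policy="src-ip"),
    StaticRoute("198.51.100.0/24", "10.99.0.1", output_port="lrp-outside"),
]

if __name__ == "__main__":
    chosen = select_route(ROUTES, "172.17.5.9", "172.17.8.1")
    print(chosen.ip_prefix, chosen.nexthop, resolve_output(PORTS, chosen))
```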
1444
1445 Common Columns:
1446
1447 external_ids: map of string-string pairs
1448 See External IDs at the beginning of this document.
1449
NAT TABLE
1451 Each record represents a NAT rule.
1452
1453 Summary:
1454 type string, one of dnat, dnat_and_snat, or
1455 snat
1456 external_ip string
1457 external_mac optional string
1458 logical_ip string
1459 logical_port optional string
1460 Common Columns:
1461 external_ids map of string-string pairs
1462
1463 Details:
1464 type: string, one of dnat, dnat_and_snat, or snat
1465 Type of the NAT rule.
1466
1467 · When type is dnat, the externally visible IP address
1468 external_ip is DNATted to the IP address logical_ip in
1469 the logical space.
1470
1471 · When type is snat, IP packets whose source IP address
1472 either matches the IP address in logical_ip or is in the
1473 network provided by logical_ip are SNATed to the IP ad‐
1474 dress in external_ip.
1475
1476 · When type is dnat_and_snat, the externally visible IP
1477 address external_ip is DNATted to the IP address logi‐
1478 cal_ip in the logical space. In addition, IP packets whose
1479 source IP address matches logical_ip are SNATed to the IP
1480 address in external_ip.
1481
1482 external_ip: string
1483 An IPv4 address.
1484
1485 external_mac: optional string
1486 A MAC address.
1487
1488 This is only used on the gateway port on distributed routers.
1489 This must be specified in order for the NAT rule to be processed
1490 in a distributed manner on all chassis. If this is not specified
1491 for a NAT rule on a distributed router, then this NAT rule will
1492 be processed in a centralized manner on the gateway port
1493 instance on the redirect-chassis.
1494
1495 This MAC address must be unique on the logical switch that the
1496 gateway port is attached to. If the MAC address used on the log‐
1497 ical_port is globally unique, then that MAC address can be spec‐
1498 ified as this external_mac.
1499
1500 logical_ip: string
1501 An IPv4 network (e.g. 192.168.1.0/24) or an IPv4 address.
1502
1503 logical_port: optional string
1504 The name of the logical port where the logical_ip resides.
1505
1506 This is only used on distributed routers. This must be specified
1507 in order for the NAT rule to be processed in a distributed man‐
1508 ner on all chassis. If this is not specified for a NAT rule on a
1509 distributed router, then this NAT rule will be processed in a
1510 centralized manner on the gateway port instance on the redi‐
1511 rect-chassis.
1512
1513 Common Columns:
1514
1515 external_ids: map of string-string pairs
1516 See External IDs at the beginning of this document.
1517
DHCP_Options TABLE
1519 OVN implements native DHCPv4 support which caters to the common use
1520 case of providing an IPv4 address to a booting instance by providing
1521 stateless replies to DHCPv4 requests based on statically configured
1522 address mappings. To do this it allows a short list of DHCPv4 options
1523 to be configured and applied at each compute host running ovn-con‐
1524 troller.
1525
1526 OVN also implements native DHCPv6 support which provides stateless
1527 replies to DHCPv6 requests.
1528
1529 Summary:
1530 cidr string
1531 DHCPv4 options:
1532 Mandatory DHCPv4 options:
1533 options : server_id optional string
1534 options : server_mac optional string
1535 options : lease_time optional string, containing an integer,
1536 in range 0 to 4,294,967,295
1537 IPv4 DHCP Options:
1538 options : router optional string
1539 options : netmask optional string
1540 options : dns_server optional string
1541 options : log_server optional string
1542 options : lpr_server optional string
1543 options : swap_server optional string
1544 options : policy_filter optional string
1545 options : router_solicitation
1546 optional string
1547 options : nis_server optional string
1548 options : ntp_server optional string
1549 options : tftp_server optional string
1550 options : classless_static_route
1551 optional string
1552 options : ms_classless_static_route
1553 optional string
1554 Boolean DHCP Options:
1555 options : ip_forward_enable
1556 optional string, either 0 or 1
1557 options : router_discovery
1558 optional string, either 0 or 1
1559 options : ethernet_encap optional string, either 0 or 1
1560 Integer DHCP Options:
1561 options : default_ttl optional string, containing an integer,
1562 in range 0 to 255
1563 options : tcp_ttl optional string, containing an integer,
1564 in range 0 to 255
1565 options : mtu optional string, containing an integer,
1566 in range 68 to 65,535
1567 options : T1 optional string, containing an integer,
1568 in range 68 to 4,294,967,295
1569 options : T2 optional string, containing an integer,
1570 in range 68 to 4,294,967,295
1571 String DHCP Options:
1572 options : wpad optional string
1573 DHCPv6 options:
1574 Mandatory DHCPv6 options:
1575 options : server_id optional string
1576 IPv6 DHCPv6 options:
1577 options : dns_server optional string
1578 String DHCPv6 options:
1579 options : domain_search optional string
1580 options : dhcpv6_stateless
1581 optional string
1582 Common Columns:
1583 external_ids map of string-string pairs
1584
1585 Details:
1586 cidr: string
1587 The DHCPv4/DHCPv6 options will be included if the logical port
1588 has its IP address in this cidr.
1589
1590 DHCPv4 options:
1591
1592 The CMS should define the set of DHCPv4 options as key/value pairs in
1593 the options column of this table. For ovn-controller to include these
1594 DHCPv4 options, the dhcpv4_options of Logical_Switch_Port should refer
1595 to an entry in this table.
1596
1597 Mandatory DHCPv4 options:
1598
1599 The following options must be defined.
1600
1601 options : server_id: optional string
1602 The IP address for the DHCP server to use. This should be in the
1603 subnet of the offered IP. This is also included in the DHCP
1604 offer as option 54, ``server identifier.’’
1605
1606 options : server_mac: optional string
1607 The Ethernet address for the DHCP server to use.
1608
1609 options : lease_time: optional string, containing an integer, in range
1610 0 to 4,294,967,295
1611 The offered lease time in seconds.
1612
1613 The DHCPv4 option code for this option is 51.
1614
1615 IPv4 DHCP Options:
1616
1617 Below are the supported DHCPv4 options whose values are an IPv4
1618 address, e.g. 192.168.1.1. Some options accept multiple IPv4 addresses
1619 enclosed within curly braces, e.g. {192.168.1.2, 192.168.1.3}. Please
1620 refer to RFC 2132 for more details on DHCPv4 options and their codes.
1621
1622 options : router: optional string
1623 The IP address of a gateway for the client to use. This should
1624 be in the subnet of the offered IP. The DHCPv4 option code for
1625 this option is 3.
1626
1627 options : netmask: optional string
1628 The DHCPv4 option code for this option is 1.
1629
1630 options : dns_server: optional string
1631 The DHCPv4 option code for this option is 6.
1632
1633 options : log_server: optional string
1634 The DHCPv4 option code for this option is 7.
1635
1636 options : lpr_server: optional string
1637 The DHCPv4 option code for this option is 9.
1638
1639 options : swap_server: optional string
1640 The DHCPv4 option code for this option is 16.
1641
1642 options : policy_filter: optional string
1643 The DHCPv4 option code for this option is 21.
1644
1645 options : router_solicitation: optional string
1646 The DHCPv4 option code for this option is 32.
1647
1648 options : nis_server: optional string
1649 The DHCPv4 option code for this option is 41.
1650
1651 options : ntp_server: optional string
1652 The DHCPv4 option code for this option is 42.
1653
1654 options : tftp_server: optional string
1655 The DHCPv4 option code for this option is 66.
1656
1657 options : classless_static_route: optional string
1658 The DHCPv4 option code for this option is 121.
1659
1660 This option can contain one or more static routes, each of which
1661 consists of a destination descriptor and the IP address of the
1662 router that should be used to reach that destination. Please see
1663 RFC 3442 for more details.
1664
1665 Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
1666
1667 options : ms_classless_static_route: optional string
1668 The DHCPv4 option code for this option is 249. This option has
1669 the same format as classless_static_route and uses the option
1670 code that Microsoft Windows DHCPv4 clients request.
1671
1672 Boolean DHCP Options:
1673
1674 These options accept a Boolean value, expressed as 0 for false or 1 for
1675 true.
1676
1677 options : ip_forward_enable: optional string, either 0 or 1
1678 The DHCPv4 option code for this option is 19.
1679
1680 options : router_discovery: optional string, either 0 or 1
1681 The DHCPv4 option code for this option is 31.
1682
1683 options : ethernet_encap: optional string, either 0 or 1
1684 The DHCPv4 option code for this option is 36.
1685
1686 Integer DHCP Options:
1687
1688 These options accept a nonnegative integer value.
1689
1690 options : default_ttl: optional string, containing an integer, in range
1691 0 to 255
1692 The DHCPv4 option code for this option is 23.
1693
1694 options : tcp_ttl: optional string, containing an integer, in range 0
1695 to 255
1696 The DHCPv4 option code for this option is 37.
1697
1698 options : mtu: optional string, containing an integer, in range 68 to
1699 65,535
1700 The DHCPv4 option code for this option is 26.
1701
1702 options : T1: optional string, containing an integer, in range 68 to
1703 4,294,967,295
1704 This specifies the time interval from address assignment until
1705 the client begins trying to renew its address. The DHCPv4 option
1706 code for this option is 58.
1707
1708 options : T2: optional string, containing an integer, in range 68 to
1709 4,294,967,295
1710 This specifies the time interval from address assignment until
1711 the client begins trying to rebind its address. The DHCPv4
1712 option code for this option is 59.
1713
1714 String DHCP Options:
1715
1716 These options accept a string value.
1717
1718 options : wpad: optional string
1719 The DHCPv4 option code for this option is 252. This option is
1720 used as part of web proxy auto discovery to provide a URL for a
1721 web proxy.
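
The Python below is an added example for this section, not OVN's own code. It validates a DHCP_Options row the way a CMS might before writing it (mandatory keys present, server_id and router inside the cidr, lease_time in range) and encodes several of the values above into DHCPv4 wire format, including the RFC 3442 form of classless_static_route. The row, its cidr, and the T1 < T2 < lease_time rule (from RFC 2131, not stated by this table) are assumptions made here for illustration.

```python
"""Validate a DHCP_Options row as a CMS might before writing it, and encode
some of its values to DHCPv4 wire format.

Added example for this section, not OVN code.  The row below is constructed;
the T1 < T2 < lease_time rule (RFC 2131) is a check assumed here, beyond the
ranges the table itself states.
"""
import ipaddress
import struct

MANDATORY_V4 = ("server_id", "server_mac", "lease_time")

# DHCPv4 option codes as documented for these keys (RFC 2132 / RFC 3442).
CODES = {"netmask": 1, "router": 3, "dns_server": 6, "lease_time": 51,
         "server_id": 54, "T1": 58, "T2": 59, "classless_static_route": 121}

# Constructed row: what a CMS would write for a 10.0.0.0/24 logical switch.
EXAMPLE_CIDR = "10.0.0.0/24"
EXAMPLE_OPTIONS = {
    "server_id": "10.0.0.1",
    "server_mac": "0a:00:00:00:00:01",
    "lease_time": "3600",
    "router": "10.0.0.1",
    "dns_server": "{10.0.0.2, 10.0.0.3}",
    "classless_static_route": "{30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}",
}


def parse_set(value):
    """Split a value; multi-valued options are written as '{a, b}'."""
    value = value.strip()
    if value.startswith("{") and value.endswith("}"):
        value = value[1:-1]
    return [v.strip() for v in value.split(",") if v.strip()]


def validate_dhcpv4(cidr, options):
    """Return a list of problems; an empty list means the row is acceptable."""
    problems = []
    net = ipaddress.ip_network(cidr)          # raises on host bits set or bad text
    for key in MANDATORY_V4:
        if key not in options:
            problems.append("missing mandatory option %s" % key)
    # The table requires server_id and router to lie in the offered subnet.
    for key in ("server_id", "router"):
        if key in options and ipaddress.ip_address(options[key]) not in net:
            problems.append("%s %s is not in %s" % (key, options[key], net))
    lease = int(options.get("lease_time", "0"))
    if not 0 <= lease <= 0xFFFFFFFF:
        problems.append("lease_time %d out of range" % lease)
    if "T1" in options and "T2" in options:
        t1, t2 = int(options["T1"]), int(options["T2"])
        if not t1 < t2 < lease:
            problems.append("expected T1 < T2 < lease_time, got %d, %d, %d"
                            % (t1, t2, lease))
    return problems


def encode_classless_static_route(value):
    """RFC 3442 encoding of '{dst/len,router, ...}': per route, the prefix
    length, only the significant octets of the destination, then the router."""
    items = parse_set(value)
    if len(items) % 2:
        raise ValueError("destination without a router in %r" % value)
    out = bytearray()
    for dst, router in zip(items[::2], items[1::2]):
        net = ipaddress.ip_network(dst, strict=False)   # normalise host bits away
        out.append(net.prefixlen)
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += ipaddress.ip_address(router).packed
    return bytes(out)


def encode_option(name, value):
    """Encode one key/value as a DHCPv4 TLV: one-byte code, one-byte length, data."""
    if name == "classless_static_route":
        data = encode_classless_static_route(value)
    elif name in ("lease_time", "T1", "T2"):
        data = struct.pack("!I", int(value))            # 32-bit seconds
    else:
        # IPv4-address options; a multi-valued option concatenates the addresses.
        data = b"".join(ipaddress.ip_address(a).packed for a in parse_set(value))
    if len(data) > 255:
        raise ValueError("option %s does not fit in one DHCPv4 option" % name)
    return bytes([CODES[name], len(data)]) + data


if __name__ == "__main__":
    print(validate_dhcpv4(EXAMPLE_CIDR, EXAMPLE_OPTIONS))
    for key in ("server_id", "lease_time", "dns_server", "classless_static_route"):
        print(key, encode_option(key, EXAMPLE_OPTIONS[key]).hex())
```

Note that the 0.0.0.0/0 route encodes to a single prefix-length octet followed by the router, which is why a default route is cheap to carry in option 121 while a /32 costs a full address.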
1722
1723 DHCPv6 options:
1724
1725 OVN also implements native DHCPv6 support. The CMS should define the
1726 set of DHCPv6 options as key/value pairs. The defined DHCPv6 options
1727 will be included in the DHCPv6 response to DHCPv6
1728 Solicit/Request/Confirm packets from logical ports whose IPv6
1729 addresses lie within the cidr.
1730
1731 Mandatory DHCPv6 options:
1732
1733 The following options must be defined.
1734
1735 options : server_id: optional string
1736 The Ethernet address for the DHCP server to use. This is also
1737 included in the DHCPv6 reply as option 2, ``Server Identifier,’’
1738 which carries a DUID identifying the server to the client.
1739 ovn-controller derives the DUID from this link-layer address
1740 [DUID-LL].
1741
1742 IPv6 DHCPv6 options:
1743
1744 Below are the supported DHCPv6 options whose values are an IPv6
1745 address, e.g. aef0::4. Some options accept multiple IPv6 addresses
1746 enclosed within curly braces, e.g. {aef0::4, aef0::5}. Please refer to
1747 RFC 3315 for more details on DHCPv6 options and their codes.
1748
1749 options : dns_server: optional string
1750 The DHCPv6 option code for this option is 23. This option speci‐
1751 fies the DNS servers that the VM should use.
1752
1753 String DHCPv6 options:
1754
1755 These options accept string values.
1756
1757 options : domain_search: optional string
1758 The DHCPv6 option code for this option is 24. This option speci‐
1759 fies the domain search list the client should use to resolve
1760 hostnames with DNS.
1761
1762 Example: "ovn.org".
1763
1764 options : dhcpv6_stateless: optional string
1765 When set to the string value "true", OVN native DHCPv6 works in
1766 stateless mode: it does not offer IPv6 addresses to VM/VIF
1767 ports, but replies only with other configuration, such as DNS
1768 servers and the domain search list. VM/VIF ports are then
1769 expected to configure their IPv6 addresses by stateless means.
1770 The default for this option is false.
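
As an added example (not OVN's or Open vSwitch's code), the Python below builds the DHCPv6 options a reply would carry for a row like the ones described above: the DUID-LL server identifier (option 2), the DNS server list (option 23) and the domain search list (option 24). The row is constructed here; the wire formats are those of RFC 3315 and RFC 3646 (domain names in RFC 1035 label form). The order in which ovn-controller emits options is not stated on this page and is an assumption of the example.

```python
"""Build the DHCPv6 options a reply carries for a row of this table: the
DUID-LL server identifier (option 2), DNS servers (option 23) and the domain
search list (option 24).

Added example for this section, not OVN code.  The row below is constructed;
wire formats follow RFC 3315 (options, DUID-LL) and RFC 3646 (options 23 and
24), the latter encoding domain names in RFC 1035 label form.
"""
import ipaddress
import struct

OPT_SERVERID, OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 2, 23, 24
DUID_LL, HTYPE_ETHERNET = 3, 1

# Constructed row; dhcpv6_stateless = "true" means addresses are not offered.
EXAMPLE_V6 = {
    "server_id": "0a:00:00:00:00:01",
    "dns_server": "{aef0::4, aef0::5}",
    "domain_search": "ovn.org",
    "dhcpv6_stateless": "true",
}


def parse_set(value):
    """Split a value; multi-valued options are written as '{a, b}'."""
    value = value.strip()
    if value.startswith("{") and value.endswith("}"):
        value = value[1:-1]
    return [v.strip().strip('"') for v in value.split(",") if v.strip()]


def duid_ll(mac):
    """DUID-LL: DUID type 3, hardware type 1 (Ethernet), then the 48-bit address."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("server_id must be an Ethernet address, got %r" % mac)
    return struct.pack("!HH", DUID_LL, HTYPE_ETHERNET) + octets


def dns_name(name):
    """RFC 1035 wire form: each label length-prefixed, terminated by a zero octet."""
    out = bytearray()
    for label in name.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label in domain %r" % name)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def option(code, data):
    """DHCPv6 TLV: two-byte code, two-byte length, data (DHCPv4 uses one byte each)."""
    if len(data) > 0xFFFF:
        raise ValueError("option %d too long" % code)
    return struct.pack("!HH", code, len(data)) + data


def offers_addresses(row):
    """Stateless mode is selected only by the exact string "true"."""
    return row.get("dhcpv6_stateless") != "true"


def dhcpv6_reply_options(row):
    """Concatenate the options a reply would carry for this row."""
    encoded = [option(OPT_SERVERID, duid_ll(row["server_id"]))]   # mandatory
    if "dns_server" in row:
        addrs = b"".join(ipaddress.IPv6Address(a).packed
                         for a in parse_set(row["dns_server"]))
        encoded.append(option(OPT_DNS_SERVERS, addrs))
    if "domain_search" in row:
        names = b"".join(dns_name(n) for n in parse_set(row["domain_search"]))
        encoded.append(option(OPT_DOMAIN_LIST, names))
    return b"".join(encoded)


if __name__ == "__main__":
    print(dhcpv6_reply_options(EXAMPLE_V6).hex())
    print("offers addresses:", offers_addresses(EXAMPLE_V6))
```

Because the DUID is derived from server_id alone, two DHCP_Options rows that reuse the same server MAC present the same server identity to clients; give each logical switch its own server_id if clients must be able to tell servers apart.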
1771
1772 Common Columns:
1773
1774 external_ids: map of string-string pairs
1775 See External IDs at the beginning of this document.
1776
1778 Configuration for a database connection to an Open vSwitch database
1779 (OVSDB) client.
1780
1781 This table primarily configures the Open vSwitch database server
1782 (ovsdb-server).
1783
1784 The Open vSwitch database server can initiate and maintain active con‐
1785 nections to remote clients. It can also listen for database connec‐
1786 tions.
1787
1788 Summary:
1789 Core Features:
1790 target string (must be unique within table)
1791 Client Failure Detection and Handling:
1792 max_backoff optional integer, at least 1,000
1793 inactivity_probe optional integer
1794 Status:
1795 is_connected boolean
1796 status : last_error optional string
1797 status : state optional string, one of ACTIVE, BACKOFF,
1798 CONNECTING, IDLE, or VOID
1799 status : sec_since_connect optional string, containing an integer,
1800 at least 0
1801 status : sec_since_disconnect
1802 optional string, containing an integer,
1803 at least 0
1804 status : locks_held optional string
1805 status : locks_waiting optional string
1806 status : locks_lost optional string
1807 status : n_connections optional string, containing an integer,
1808 at least 2
1809 status : bound_port optional string, containing an integer
1810 Common Columns:
1811 external_ids map of string-string pairs
1812 other_config map of string-string pairs
1813
1814 Details:
1815 Core Features:
1816
1817 target: string (must be unique within table)
1818 Connection methods for clients.
1819
1820 The following connection methods are currently supported:
1821
1822 ssl:host[:port]
1823 The specified SSL port on the given host, which can either
1824 be a DNS name (if built with unbound library) or an IP
1825 address. If host is an IPv6 address, wrap it in square
1826 brackets, e.g. ssl:[::1]:6640. A valid SSL configuration
1827 must be provided when this form is used; it can be speci‐
1828 fied via command-line options or the SSL table.
1829
1830 If port is not specified, it defaults to 6640.
1831
1832 SSL support is an optional feature that is not always
1833 built as part of Open vSwitch.
1834
1835 tcp:host[:port]
1836 The specified TCP port on the given host, which can either
1837 be a DNS name (if built with unbound library) or an IP
1838 address. If host is an IPv6 address,
1839 wrap it in square brackets, e.g. tcp:[::1]:6640.
1840
1841 If port is not specified, it defaults to 6640.
1842
1843 pssl:[port][:host]
1844 Listens for SSL connections on the specified TCP port.
1845 Specify 0 for port to have the kernel automatically
1846 choose an available port. If host, which can either be a
1847 DNS name (if built with unbound library) or an IP
1848 address, is specified, then connections are restricted to
1849 the resolved or specified local IP address (either IPv4 or
1850 IPv6 address). If host is an IPv6 address, wrap it in square
1851 brackets, e.g. pssl:6640:[::1]. If host is not specified
1852 then it listens only on IPv4 (but not IPv6) addresses. A
1853 valid SSL configuration must be provided when this form
1854 is used; it can be specified either via command-line
1855 options or the SSL table.
1856
1857 If port is not specified, it defaults to 6640.
1858
1859 SSL support is an optional feature that is not always
1860 built as part of Open vSwitch.
1861
1862 ptcp:[port][:host]
1863 Listens for connections on the specified TCP port. Spec‐
1864 ify 0 for port to have the kernel automatically choose an
1865 available port. If host, which can either be a DNS name
1866 (if built with unbound library) or an IP address, is
1867 specified, then connections are restricted to the
1868 resolved or specified local IP address (either IPv4 or
1869 IPv6 address). If host is an IPv6 address, wrap it in
1870 square brackets, e.g. ptcp:6640:[::1]. If host is not
1871 specified then it listens only on IPv4 addresses.
1872
1873 If port is not specified, it defaults to 6640.
1874
1875 When multiple clients are configured, the target values must be
1876 unique. Duplicate target values yield unspecified results.
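
Added example, not Open vSwitch code: a parser for the four target forms listed above, with a small audit that flags what a security reviewer would raise against a northbound database: a plaintext tcp: or ptcp: target, and a listener with no host, which per the text above accepts connections on every IPv4 address. The sample targets and the audit policy are assumptions made here; the syntax and the 6640 default are as documented.

```python
"""Parse Connection.target strings in the forms documented above and flag the
ones that expose the database without TLS or without a bound address.

Added example, not Open vSwitch code.  The sample targets are constructed;
the findings are the reviewer's policy assumed here, not rules the table
enforces.
"""

DEFAULT_PORT = 6640
METHODS = ("ssl", "tcp", "pssl", "ptcp")


def _take_v6(text):
    """If text starts with a bracketed IPv6 literal, return (literal, rest)."""
    if not text.startswith("["):
        return None, text
    end = text.find("]")
    if end < 0:
        raise ValueError("unterminated IPv6 literal in %r" % text)
    return text[1:end], text[end + 1:]


def _port(text):
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError("port %d out of range" % port)
    return port


def parse_target(target):
    """Return {method, passive, tls, host, port}; host is None for an
    unrestricted listener, port 0 for a kernel-chosen port."""
    method, sep, rest = target.partition(":")
    if not sep or method not in METHODS:
        raise ValueError("unsupported connection method in %r" % target)
    passive, tls = method.startswith("p"), method.endswith("ssl")
    host, port = None, DEFAULT_PORT
    if passive:
        # pssl:[port][:host] / ptcp:[port][:host]: port first, host after ':'
        port_text, sep, host_text = rest.partition(":")
        if port_text:
            port = _port(port_text)
        if host_text:
            v6, tail = _take_v6(host_text)
            if v6 is not None and tail:
                raise ValueError("trailing text after IPv6 literal in %r" % target)
            host = v6 if v6 is not None else tail
    else:
        # ssl:host[:port] / tcp:host[:port]: host first, optional port after ':'
        v6, tail = _take_v6(rest)
        if v6 is not None:
            host = v6
            if tail.startswith(":"):
                port = _port(tail[1:])
            elif tail:
                raise ValueError("trailing text after IPv6 literal in %r" % target)
        else:
            host, sep, port_text = rest.partition(":")
            if port_text:
                port = _port(port_text)
        if not host:
            raise ValueError("active target %r needs a host" % target)
    return {"method": method, "passive": passive, "tls": tls,
            "host": host, "port": port}


def audit_target(target):
    """Findings a security reviewer would raise about one target."""
    t = parse_target(target)
    findings = []
    if not t["tls"]:
        findings.append("plaintext %s: no peer authentication, no confidentiality"
                        % t["method"])
    if t["passive"] and t["host"] is None:
        findings.append("listener bound to all IPv4 addresses; add :host to restrict it")
    return findings


SAMPLE_TARGETS = ["ptcp:", "ptcp:6641:127.0.0.1", "pssl:6640:[::1]",
                  "ssl:nb.example.org", "tcp:[::1]:6640"]          # constructed

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(target, parse_target(target), audit_target(target))
```

Run against the rows of this table, the audit turns the prose rule "ptcp: without a host listens on every IPv4 address" into something a deployment check can fail on.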
1877
1878 Client Failure Detection and Handling:
1879
1880 max_backoff: optional integer, at least 1,000
1881 Maximum number of milliseconds to wait between connection
1882 attempts. Default is implementation-specific.
1883
1884 inactivity_probe: optional integer
1885 Maximum number of milliseconds of idle time on connection to the
1886 client before sending an inactivity probe message. If Open
1887 vSwitch does not communicate with the client for the specified
1888 number of milliseconds, it will send a probe. If a response is
1889 not received for the same additional amount of time, Open
1890 vSwitch assumes the connection has been broken and attempts to
1891 reconnect. Default is implementation-specific. A value of 0
1892 disables inactivity probes.
1893
1894 Status:
1895
1896 The is_connected key-value pair is always updated. Whether the other
1897 key-value pairs in the status column are updated depends on the target
1898 type.
1899
1900 When target specifies a connection method that listens for inbound con‐
1901 nections (e.g. ptcp: or pssl:), only n_connections and bound_port may
1902 also be updated; the remaining key-value pairs are omitted.
1903
1904 When target specifies an outbound connection, all the other key-value
1905 pairs may be updated, but n_connections and bound_port, which apply only
1906 to inbound connection targets, are omitted.
1907
1908 is_connected: boolean
1909 true if currently connected to this client, false otherwise.
1910
1911 status : last_error: optional string
1912 A human-readable description of the last error on the connection
1913 to the client; i.e. strerror(errno). This key will exist only
1914 if an error has occurred.
1915
1916 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
1917 IDLE, or VOID
1918 The state of the connection to the client:
1919
1920 VOID Connection is disabled.
1921
1922 BACKOFF
1923 Attempting to reconnect at an increasing period.
1924
1925 CONNECTING
1926 Attempting to connect.
1927
1928 ACTIVE Connected, remote host responsive.
1929
1930 IDLE Connection is idle. Waiting for response to keep-alive.
1931
1932 These values may change in the future. They are provided only
1933 for human consumption.
1934
1935 status : sec_since_connect: optional string, containing an integer, at
1936 least 0
1937 The amount of time since this client last successfully connected
1938 to the database (in seconds). Value is empty if client has never
1939 successfully been connected.
1940
1941 status : sec_since_disconnect: optional string, containing an integer,
1942 at least 0
1943 The amount of time since this client last disconnected from the
1944 database (in seconds). Value is empty if client has never dis‐
1945 connected.
1946
1947 status : locks_held: optional string
1948 Space-separated list of the names of OVSDB locks that the con‐
1949 nection holds. Omitted if the connection does not hold any
1950 locks.
1951
1952 status : locks_waiting: optional string
1953 Space-separated list of the names of OVSDB locks that the con‐
1954 nection is currently waiting to acquire. Omitted if the connec‐
1955 tion is not waiting for any locks.
1956
1957 status : locks_lost: optional string
1958 Space-separated list of the names of OVSDB locks that the con‐
1959 nection has had stolen by another OVSDB client. Omitted if no
1960 locks have been stolen from this connection.
1961
1962 status : n_connections: optional string, containing an integer, at
1963 least 2
1964 When target specifies a connection method that listens for
1965 inbound connections (e.g. ptcp: or pssl:) and more than one con‐
1966 nection is actually active, the value is the number of active
1967 connections. Otherwise, this key-value pair is omitted.
1968
1969 status : bound_port: optional string, containing an integer
1970 When target is ptcp: or pssl:, this is the TCP port on which the
1971 OVSDB server is listening. (This is particularly useful when
1972 target specifies a port of 0, allowing the kernel to choose any
1973 available port.)
1974
1975 Common Columns:
1976
1977 The overall purpose of these columns is described under Common Columns
1978 at the beginning of this document.
1979
1980 external_ids: map of string-string pairs
1981
1982 other_config: map of string-string pairs
1983
1985 Each row in this table stores the DNS records. The Logical_Switch ta‐
1986 ble’s dns_records references these records.
1987
1988 Summary:
1989 records map of string-string pairs
1990 external_ids map of string-string pairs
1991
1992 Details:
1993 records: map of string-string pairs
1994 Key-value pairs of DNS records: the key is the DNS query name, the
1995 value a string of IP address(es) separated by commas or spaces.
1996
1997 Example: "vm1.ovn.org" = "10.0.0.4 aef0::4"
1998
1999 external_ids: map of string-string pairs
2000 See External IDs at the beginning of this document.
2001
2003 SSL configuration for ovn-nb database access.
2004
2005 Summary:
2006 private_key string
2007 certificate string
2008 ca_cert string
2009 bootstrap_ca_cert boolean
2010 ssl_protocols string
2011 ssl_ciphers string
2012 Common Columns:
2013 external_ids map of string-string pairs
2014
2015 Details:
2016 private_key: string
2017 Name of a PEM file containing the private key used as the
2018 database server’s identity for SSL connections.
2019
2020 certificate: string
2021 Name of a PEM file containing a certificate, signed by the cer‐
2022 tificate authority (CA) that the peers trust, that certifies
2023 the database server’s private key and so identifies it as a
2024 trustworthy server.
2025
2026 ca_cert: string
2027 Name of a PEM file containing the CA certificate used to verify
2028 that the peer of an SSL connection is trustworthy.
2029
2030 bootstrap_ca_cert: boolean
2031 If set to true, then Open vSwitch will attempt to obtain the CA
2032 certificate from the peer on its first SSL connection and save
2033 it to the named PEM file. If it is successful, it will
2034 immediately drop the connection and reconnect, and from then on
2035 all SSL connections must be authenticated by a certificate
2036 signed by the CA certificate thus obtained. This option exposes
2037 the SSL connection to a man-in-the-middle attack obtaining the
2038 initial CA certificate. It may still be useful for bootstrap‐
2039 ping.
2040
2041 ssl_protocols: string
2042 List of SSL protocols to be enabled for SSL connections. The
2043 default when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.
2044 TLSv1 and TLSv1.1 are deprecated (RFC 8996); set this column
2045 explicitly to TLSv1.2 unless a legacy client requires them.
2044
2045 ssl_ciphers: string
2046 List of ciphers (in OpenSSL cipher string format) to be sup‐
2047 ported for SSL connections. The default when this option is
2048 omitted is HIGH:!aNULL:!MD5.
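
Added example, not Open vSwitch code: the Python below takes an SSL row as a dict of the columns above, audits it (deprecated TLSv1/TLSv1.1 in ssl_protocols, bootstrap_ca_cert left on, a cipher string OpenSSL cannot expand) and builds a client ssl.SSLContext from it that verifies the database server against ca_cert and presents certificate/private_key. The defaults are the ones this table documents; treating TLSv1 and TLSv1.1 as findings (deprecated by RFC 8996) and flagging bootstrap_ca_cert are the reviewer's policy assumed here, and the file names in the example row are placeholders.

```python
"""Audit an SSL table row (given as a dict of its columns) and build a client
TLS context from it.

Added example, not Open vSwitch code.  The defaults are the ones this table
documents; treating TLSv1 and TLSv1.1 as findings (deprecated by RFC 8996)
and flagging bootstrap_ca_cert are the reviewer's policy assumed here.
Certificate file names in EXAMPLE_ROW are placeholders.
"""
import ssl

# Protocol names as the table spells them, mapped to the ssl module's versions.
PROTOCOLS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = ("TLSv1", "TLSv1.1")
DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"      # the table's documented default
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"             # likewise

EXAMPLE_ROW = {                       # constructed; file names are placeholders
    "private_key": "/etc/ovn/ovnnb-privkey.pem",
    "certificate": "/etc/ovn/ovnnb-cert.pem",
    "ca_cert": "/etc/ovn/cacert.pem",
    "bootstrap_ca_cert": "false",
    "ssl_protocols": "TLSv1.2,TLSv1.3",
    "ssl_ciphers": DEFAULT_CIPHERS,
}


def parse_protocols(ssl_protocols):
    """Split the comma-separated list the column holds."""
    return [p.strip() for p in ssl_protocols.split(",") if p.strip()]


def expand_ciphers(ssl_ciphers):
    """Cipher suite names OpenSSL actually enables for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(ssl_ciphers)
    return [c["name"] for c in ctx.get_ciphers()]


def audit_ssl_row(row):
    """Return findings for the row; an empty list means nothing to raise."""
    findings = []
    protocols = parse_protocols(row.get("ssl_protocols") or DEFAULT_PROTOCOLS)
    unknown = [p for p in protocols if p not in PROTOCOLS]
    if unknown:
        findings.append("unknown protocol(s): " + ", ".join(unknown))
    weak = [p for p in protocols if p in DEPRECATED]
    if weak:
        findings.append("deprecated protocol(s) enabled: " + ", ".join(weak))
    if row.get("bootstrap_ca_cert") == "true":
        findings.append("bootstrap_ca_cert: first connection trusts whatever CA "
                        "the peer presents (man-in-the-middle window)")
    try:
        if not expand_ciphers(row.get("ssl_ciphers") or DEFAULT_CIPHERS):
            findings.append("ssl_ciphers enables no cipher suites")
    except ssl.SSLError:
        findings.append("ssl_ciphers rejected by OpenSSL")
    return findings


def client_context(row):
    """Context for a client that verifies the database server against ca_cert
    and presents certificate/private_key, limited to the row's protocols."""
    versions = [PROTOCOLS[p]
                for p in parse_protocols(row.get("ssl_protocols") or DEFAULT_PROTOCOLS)]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version, ctx.maximum_version = min(versions), max(versions)
    ctx.set_ciphers(row.get("ssl_ciphers") or DEFAULT_CIPHERS)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=row["ca_cert"])     # reads the PEM file
    ctx.load_cert_chain(row["certificate"], row["private_key"])
    return ctx


if __name__ == "__main__":
    print(audit_ssl_row({}))            # the documented defaults, audited
    print(audit_ssl_row(EXAMPLE_ROW))
    print(expand_ciphers(DEFAULT_CIPHERS)[:5])
```

audit_ssl_row({}) shows why the default row is worth overriding: with ssl_protocols omitted, the server still negotiates TLSv1 and TLSv1.1 with any client that asks for them.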
2049
2050 Common Columns:
2051
2052 The overall purpose of these columns is described under Common Columns
2053 at the beginning of this document.
2054
2055 external_ids: map of string-string pairs
2056
2058 Association of one or more chassis to a logical router port. The traf‐
2059 fic going out through a specific router port will be redirected to a
2060 chassis, or a set of them in high availability configurations. A single
2061 Gateway_Chassis is equivalent to setting options:redirect-chassis.
2062 Using Gateway_Chassis allows associating multiple prioritized chassis
2063 with a single logical router port.
2064
2065 Summary:
2066 name string (must be unique within table)
2067 chassis_name string
2068 priority integer, in range 0 to 32,767
2069 options map of string-string pairs
2070 Common Columns:
2071 external_ids map of string-string pairs
2072
2073 Details:
2074 name: string (must be unique within table)
2075 Name of the Gateway_Chassis.
2076
2077 A suggested, but not required naming convention is
2078 ${port_name}_${chassis_name}.
2079
2080 chassis_name: string
2081 Name of the chassis that we want to redirect traffic through for
2082 the associated logical router port. The value must match the
2083 name column of the Chassis table in the OVN_Southbound database.
2084
2085 priority: integer, in range 0 to 32,767
2086 This is the priority of a chassis among all Gateway_Chassis
2087 belonging to the same logical router port; the chassis with the
2088 highest priority is preferred.
2088
2089 options: map of string-string pairs
2090 Reserved for future use.
2091
2092 Common Columns:
2093
2094 external_ids: map of string-string pairs
2095 See External IDs at the beginning of this document.
2096
2097
2098
2099Open vSwitch 2.10.1 DB Schema 5.13.0 ovn-nb(5)