ovn-nb(5)                     Open vSwitch Manual                    ovn-nb(5)

NAME

       ovn-nb - OVN_Northbound database schema

       This database is the interface between OVN and the cloud management
       system (CMS), such as OpenStack, running above it. The CMS produces
       almost all of the contents of the database. The ovn-northd program
       monitors the database contents, transforms it, and stores it into the
       OVN_Southbound database.

       We generally speak of "the" CMS, but one can imagine scenarios in
       which multiple CMSes manage different parts of an OVN deployment.

   External IDs
       Each of the tables in this database contains a special column, named
       external_ids. This column has the same form and purpose each place it
       appears.

              external_ids: map of string-string pairs
                     Key-value pairs for use by the CMS. The CMS might use
                     certain pairs, for example, to identify entities in its
                     own configuration that correspond to those in this
                     database.

TABLE SUMMARY

       The following list summarizes the purpose of each of the tables in the
       OVN_Northbound database. Each table is described in more detail on a
       later page.

       Table                        Purpose
       NB_Global                    Northbound configuration
       Logical_Switch               L2 logical switch
       Logical_Switch_Port          L2 logical switch port
       Address_Set                  Address Sets
       Port_Group                   Port Groups
       Load_Balancer                load balancer
       ACL                          Access Control List (ACL) rule
       Logical_Router               L3 logical router
       QoS                          QoS rule
       Meter                        Meter entry
       Meter_Band                   Band for meter entries
       Logical_Router_Port          L3 logical router port
       Logical_Router_Static_Route  Logical router static routes
       Logical_Router_Policy        Logical router policies
       NAT                          NAT rules
       DHCP_Options                 DHCP options
       Connection                   OVSDB client connections.
       DNS                          Native DNS resolution
       SSL                          SSL configuration.
       Gateway_Chassis              Gateway_Chassis configuration.
       HA_Chassis_Group             HA_Chassis_Group configuration.
       HA_Chassis                   HA_Chassis configuration.

NB_Global TABLE

       Northbound configuration for an OVN system. This table must have
       exactly one row.

   Summary:
       Status:
         nb_cfg                      integer
         sb_cfg                      integer
         hv_cfg                      integer
       Common Columns:
         external_ids                map of string-string pairs
       Common options:
         options                     map of string-string pairs
         Options for configuring BFD:
            options : bfd-min-rx     optional string
            options : bfd-decay-min-rx
                                     optional string
            options : bfd-min-tx     optional string
            options : bfd-mult       optional string
         options : mac_prefix        optional string
       Connection Options:
         connections                 set of Connections
         ssl                         optional SSL
       Security Configurations:
         ipsec                       boolean

   Details:
     Status:

       These columns allow a client to track the overall configuration state
       of the system.

       nb_cfg: integer
              Sequence number for client to increment. When a client modifies
              any part of the northbound database configuration and wishes to
              wait for ovn-northd and possibly all of the hypervisors to
              finish applying the changes, it may increment this sequence
              number.

       sb_cfg: integer
              Sequence number that ovn-northd sets to the value of nb_cfg
              after it finishes applying the corresponding configuration
              changes to the OVN_Southbound database.

       hv_cfg: integer
              Sequence number that ovn-northd sets to the smallest sequence
              number of all the chassis in the system, as reported in the
              Chassis table in the southbound database. Thus, hv_cfg equals
              nb_cfg if all chassis are caught up with the northbound
              configuration (which may never happen, if any chassis is down).
              This value can regress, if a chassis was removed from the
              system and rejoins before catching up.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

     Common options:

       options: map of string-string pairs
              This column provides general key/value settings. The supported
              options are described individually below.

     Options for configuring BFD:

       These options apply when ovn-controller configures BFD on tunnel
       interfaces.

       options : bfd-min-rx: optional string
              BFD option min-rx value to use when configuring BFD on tunnel
              interfaces.

       options : bfd-decay-min-rx: optional string
              BFD option decay-min-rx value to use when configuring BFD on
              tunnel interfaces.

       options : bfd-min-tx: optional string
              BFD option min-tx value to use when configuring BFD on tunnel
              interfaces.

       options : bfd-mult: optional string
              BFD option mult value to use when configuring BFD on tunnel
              interfaces.

       options : mac_prefix: optional string
              Configure a given OUI to be used as prefix when L2 address is
              dynamically assigned, e.g. 00:11:22.

     Connection Options:

       connections: set of Connections
              Database clients to which the Open vSwitch database server
              should connect or on which it should listen, along with options
              for how these connections should be configured. See the
              Connection table for more information.

       ssl: optional SSL
              Global SSL configuration.

     Security Configurations:

       ipsec: boolean
              Tunnel encryption configuration. If this column is set to be
              true, all OVN tunnels will be encrypted with IPsec.

Logical_Switch TABLE

       Each row represents one L2 logical switch.

       There are two kinds of logical switches, that is, ones that fully
       virtualize the network (overlay logical switches) and ones that provide
       simple connectivity to a physical network (bridged logical switches).
       They work in the same way when providing connectivity between logical
       ports on the same chassis, but differently when connecting remote
       logical ports. Overlay logical switches connect remote logical ports by
       tunnels, while bridged logical switches provide connectivity to remote
       ports by bridging the packets to a directly connected physical L2
       segment with the help of localnet ports. Each bridged logical switch
       has one and only one localnet port, which has only one special address,
       unknown.

   Summary:
       ports                         set of Logical_Switch_Ports
       load_balancer                 set of weak reference to Load_Balancers
       acls                          set of ACLs
       qos_rules                     set of QoSs
       dns_records                   set of weak reference to DNSs
       Naming:
         name                        string
         external_ids : neutron:network_name
                                     optional string
       IP Address Assignment:
         other_config : subnet       optional string
         other_config : exclude_ips  optional string
         other_config : ipv6_prefix  optional string
         other_config : mac_only     optional string, either true or false
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       ports: set of Logical_Switch_Ports
              The logical ports connected to the logical switch.

              It is an error for multiple logical switches to include the same
              logical port.

       load_balancer: set of weak reference to Load_Balancers
              Load balance a virtual IP address to a set of logical port
              endpoint IP addresses.

       acls: set of ACLs
              Access control rules that apply to packets within the logical
              switch.

       qos_rules: set of QoSs
              QoS marking and metering rules that apply to packets within the
              logical switch.

       dns_records: set of weak reference to DNSs
              This column defines the DNS records to be used for resolving
              internal DNS queries within the logical switch by the native DNS
              resolver. Please see the DNS table.

     Naming:

       These columns provide names for the logical switch. From OVN’s
       perspective, these names have no special meaning or purpose other than
       to provide convenience for human interaction with the database. There
       is no requirement for the name to be unique. (For a unique identifier
       for a logical switch, use its row UUID.)

       (Originally, name was intended to serve the purpose of a human-friendly
       name, but the Neutron integration used it to uniquely identify its own
       switch object, in the format neutron-uuid. Later on, Neutron started
       propagating the friendly name of a switch as
       external_ids:neutron:network_name. Perhaps this can be cleaned up
       someday.)

       name: string
              A name for the logical switch.

       external_ids : neutron:network_name: optional string
              Another name for the logical switch.

     IP Address Assignment:

       These options control automatic IP address management (IPAM) for ports
       attached to the logical switch. To enable IPAM for IPv4, set
       other_config:subnet and optionally other_config:exclude_ips. To enable
       IPAM for IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be
       enabled together or separately.

       To request dynamic address assignment for a particular port, use the
       dynamic keyword in the addresses column of the port’s
       Logical_Switch_Port row. This requests both an IPv4 and an IPv6
       address, if IPAM for IPv4 and IPv6 are both enabled.

       other_config : subnet: optional string
              Set this to an IPv4 subnet, e.g. 192.168.0.0/24, to enable
              ovn-northd to automatically assign IP addresses within that
              subnet.

       other_config : exclude_ips: optional string
              To exclude some addresses from automatic IP address management,
              set this to a list of the IPv4 addresses or ..-delimited ranges
              to exclude. The addresses or ranges should be a subset of those
              in other_config:subnet.

              Whether listed or not, ovn-northd will never allocate the first
              or last address in a subnet, such as 192.168.0.0 or
              192.168.0.255 in 192.168.0.0/24.

              Examples:

              ·      192.168.0.2 192.168.0.10

              ·      192.168.0.4 192.168.0.30..192.168.0.60
                     192.168.0.110..192.168.0.120

              ·      192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30
                     192.168.0.144

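       The exclude_ips syntax and the first/last-address rule above, as an
       added example that is not part of the OVN manual or of ovn-northd's
       code. The function names are hypothetical, and the free list is only
       what the rules on this page imply, not ovn-northd's allocation order.

```python
import ipaddress


def parse_exclude_ips(subnet, exclude_ips):
    """Parse an other_config:exclude_ips value against other_config:subnet.

    Returns (network, merged), where merged is a sorted list of inclusive
    (low, high) integer ranges. Raises ValueError for a malformed entry, a
    reversed range, or an entry that is not a subset of the subnet.
    """
    net = ipaddress.IPv4Network(subnet)  # strict: host bits must be zero
    ranges = []
    for token in exclude_ips.split():
        # A token is either a single address or "low..high".
        low_text, sep, high_text = token.partition("..")
        low = ipaddress.IPv4Address(low_text)
        high = ipaddress.IPv4Address(high_text) if sep else low
        if low > high:
            raise ValueError(f"reversed range: {token}")
        if low not in net or high not in net:
            raise ValueError(f"{token} is not inside {net}")
        ranges.append((int(low), int(high)))

    # Merge overlapping or adjacent ranges so each address is counted once.
    merged = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return net, merged


def allocatable(subnet, exclude_ips=""):
    """List the addresses left for IPAM under the rules stated above.

    The first and last address of the subnet are always withheld, whether
    or not exclude_ips lists them.
    """
    net, merged = parse_exclude_ips(subnet, exclude_ips)
    first, last = int(net.network_address), int(net.broadcast_address)
    blocked = sorted([(first, first), (last, last)] + merged)
    free, cursor = [], first
    for low, high in blocked:
        free.extend(range(cursor, low))  # empty when cursor >= low
        cursor = max(cursor, high + 1)
    return [ipaddress.IPv4Address(value) for value in free]


if __name__ == "__main__":
    # The three exclude_ips examples from the manual text above.
    subnet = "192.168.0.0/24"
    for value in (
        "192.168.0.2 192.168.0.10",
        "192.168.0.4 192.168.0.30..192.168.0.60 192.168.0.110..192.168.0.120",
        "192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30 192.168.0.144",
    ):
        pool = allocatable(subnet, value)
        print(f"{len(pool):3d} free, first {pool[0]}, last {pool[-1]}: {value}")
```
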
       other_config : ipv6_prefix: optional string
              Set this to an IPv6 prefix to enable ovn-northd to automatically
              assign IPv6 addresses using this prefix. The assigned IPv6
              address will be generated using the IPv6 prefix and the MAC
              address (converted to an IEEE EUI64 identifier) of the port. The
              IPv6 prefix defined here should be a valid IPv6 address ending
              with ::.

              Examples:

              ·      aef0::

              ·      bef0:1234:a890:5678::

              ·      8230:5678::

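       The address derivation described for other_config:ipv6_prefix, as an
       added example that is not from the OVN manual or from ovn-northd. The
       function names are hypothetical, the conversion is assumed to be the
       modified EUI-64 mapping of RFC 4291 (this page does not spell it out),
       and the fdaa:15f2:72cf:: prefix with MAC fa:16:3e:20:3f:41 is a
       constructed input.

```python
import ipaddress
import string


def mac_to_modified_eui64(mac):
    """Return the 64-bit interface identifier for a colon-separated MAC."""
    parts = mac.split(":")
    well_formed = len(parts) == 6 and all(
        len(p) == 2 and all(c in string.hexdigits for c in p) for p in parts
    )
    if not well_formed:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [int(p, 16) for p in parts]
    octets[0] ^= 0x02  # invert the universal/local bit
    eui64 = octets[:3] + [0xFF, 0xFE] + octets[3:]  # insert ff:fe in the middle
    return int.from_bytes(bytes(eui64), "big")


def ipam_ipv6_address(ipv6_prefix, mac):
    """Combine an ipv6_prefix value with a port MAC into one IPv6 address.

    Rejects a prefix that does not end with '::' or that has bits set in
    the low 64 bits, since those bits are taken by the interface identifier.
    """
    prefix = ipaddress.IPv6Address(ipv6_prefix)
    if not ipv6_prefix.endswith("::"):
        raise ValueError("ipv6_prefix must end with '::'")
    if int(prefix) & 0xFFFFFFFFFFFFFFFF:
        raise ValueError("ipv6_prefix must leave the low 64 bits zero")
    return ipaddress.IPv6Address(int(prefix) | mac_to_modified_eui64(mac))


if __name__ == "__main__":
    # Prefix examples from the manual, paired with the manual's sample MAC.
    for prefix in ("aef0::", "bef0:1234:a890:5678::", "8230:5678::"):
        print(prefix, "->", ipam_ipv6_address(prefix, "80:fa:5b:06:72:b7"))
    # Constructed input.
    print(ipam_ipv6_address("fdaa:15f2:72cf::", "fa:16:3e:20:3f:41"))
```
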
       other_config : mac_only: optional string, either true or false
              Value used to request to assign L2 address only if neither
              subnet nor ipv6_prefix are specified.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Logical_Switch_Port TABLE

       A port within an L2 logical switch.

   Summary:
       Core Features:
         name                        string (must be unique within table)
         type                        string
       Options:
         options                     map of string-string pairs
         Options for router ports:
            options : router-port    optional string
            options : nat-addresses  optional string
         Options for localnet ports:
            options : network_name   optional string
         Options for l2gateway ports:
            options : network_name   optional string
            options : l2gateway-chassis
                                     optional string
         Options for vtep ports:
            options : vtep-physical-switch
                                     optional string
            options : vtep-logical-switch
                                     optional string
         VMI (or VIF) Options:
            options : requested-chassis
                                     optional string
            options : qos_max_rate   optional string
            options : qos_burst      optional string
       Containers:
         parent_name                 optional string
         tag_request                 optional integer, in range 0 to 4,095
         tag                         optional integer, in range 1 to 4,095
       Port State:
         up                          optional boolean
         enabled                     optional boolean
       Addressing:
         addresses                   set of strings
         dynamic_addresses           optional string
         port_security               set of strings
       DHCP:
         dhcpv4_options              optional weak reference to DHCP_Options
         dhcpv6_options              optional weak reference to DHCP_Options
       ha_chassis_group              optional HA_Chassis_Group
       Naming:
         external_ids : neutron:port_name
                                     optional string
       Common Columns:
         external_ids                map of string-string pairs

   Details:
     Core Features:

       name: string (must be unique within table)
              The logical port name.

              For entities (VMs or containers) that are spawned in the
              hypervisor, the name used here must match those used in the
              external_ids:iface-id in the Open_vSwitch database’s Interface
              table, because hypervisors use external_ids:iface-id as a lookup
              key to identify the network interface of that entity.

              For containers that share a VIF within a VM, the name can be any
              unique identifier. See Containers, below, for more information.

       type: string
              Specify a type for this logical port. Logical ports can be used
              to model other types of connectivity into an OVN logical switch.
              The following types are defined:

              (empty string)
                     A VM (or VIF) interface.

              router A connection to a logical router.

              localnet
                     A connection to a locally accessible network from each
                     ovn-controller instance. A logical switch can only have a
                     single localnet port attached. This is used to model
                     direct connectivity to an existing network.

              localport
                     A connection to a local VIF. Traffic that arrives on a
                     localport is never forwarded over a tunnel to another
                     chassis. These ports are present on every chassis and
                     have the same address in all of them. This is used to
                     model connectivity to local services that run on every
                     hypervisor.

              l2gateway
                     A connection to a physical network.

              vtep   A port to a logical switch on a VTEP gateway.

              external
                     Represents a logical port which is external and does not
                     have an OVS port in the integration bridge. OVN will
                     never receive any traffic from this port or send any
                     traffic to this port. OVN can support native services
                     like DHCPv4/DHCPv6/DNS for this port. If ha_chassis_group
                     is defined, ovn-controller running in the master chassis
                     of the HA chassis group will bind this port to provide
                     these native services. It is expected that this port
                     belongs to a bridged logical switch (with a localnet
                     port).

                     It is recommended to use the same HA chassis group for
                     all the external ports of a logical switch. Otherwise,
                     the physical switch might see a MAC flap issue when
                     different chassis provide the native services. For
                     example, when supporting native DHCPv4 service, the
                     DHCPv4 server MAC (configured in the options:server_mac
                     column in table DHCP_Options) originating from different
                     ports can cause a MAC flap issue. The MAC of the logical
                     router IP(s) can also flap if the same HA chassis group
                     is not set for all the external ports of a logical
                     switch.

                     Below are some of the use cases where external ports can
                     be used.

                     ·      VMs connected to SR-IOV NICs - Traffic from these
                            VMs bypasses the kernel stack, and the local
                            ovn-controller does not bind these ports and
                            cannot serve the native services.

                     ·      When CMS supports provisioning baremetal servers.

     Options:

       options: map of string-string pairs
              This column provides key/value settings specific to the logical
              port type. The type-specific options are described individually
              below.

     Options for router ports:

       These options apply when type is router.

       options : router-port: optional string
              Required. The name of the Logical_Router_Port to which this
              logical switch port is connected.

       options : nat-addresses: optional string
              This is used to send gratuitous ARPs for SNAT and DNAT IP
              addresses via the localnet port that is attached to the same
              logical switch as this type router port. This option is
              specified on a logical switch port that is connected to a
              gateway router, or a logical switch port that is connected to a
              distributed gateway port on a logical router.

              This must take one of the following forms:

              router Gratuitous ARPs will be sent for all SNAT and DNAT
                     external IP addresses and for all load balancer IP
                     addresses defined on the options:router-port’s logical
                     router, using the options:router-port’s MAC address.

                     This form of options:nat-addresses is valid for logical
                     switch ports where options:router-port is the name of a
                     port on a gateway router, or the name of a distributed
                     gateway port.

                     Supported only in OVN 2.8 and later. Earlier versions
                     required NAT addresses to be manually synchronized.

              Ethernet address followed by one or more IPv4 addresses
                     Example: 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24.
                     This would result in generation of gratuitous ARPs for IP
                     addresses 158.36.44.22 and 158.36.44.24 with a MAC
                     address of 80:fa:5b:06:72:b7.

                     This form of options:nat-addresses is only valid for
                     logical switch ports where options:router-port is the
                     name of a port on a gateway router.

     Options for localnet ports:

       These options apply when type is localnet.

       options : network_name: optional string
              Required. The name of the network to which the localnet port is
              connected. Each hypervisor, via ovn-controller, uses its local
              configuration to determine exactly how to connect to this
              locally accessible network.

     Options for l2gateway ports:

       These options apply when type is l2gateway.

       options : network_name: optional string
              Required. The name of the network to which the l2gateway port is
              connected. The L2 gateway, via ovn-controller, uses its local
              configuration to determine exactly how to connect to this
              network.

       options : l2gateway-chassis: optional string
              Required. The chassis on which the l2gateway logical port should
              be bound. ovn-controller running on the defined chassis will
              connect this logical port to the physical network.

     Options for vtep ports:

       These options apply when type is vtep.

       options : vtep-physical-switch: optional string
              Required. The name of the VTEP gateway.

       options : vtep-logical-switch: optional string
              Required. A logical switch name connected by the VTEP gateway.

     VMI (or VIF) Options:

       These options apply to logical ports whose type is (empty string).

       options : requested-chassis: optional string
              If set, identifies a specific chassis (by name or hostname) that
              is allowed to bind this port. Using this option will prevent
              thrashing between two chassis trying to bind the same port
              during a live migration. It can also prevent similar thrashing
              due to a mis-configuration, if a port is accidentally created on
              more than one chassis.

       options : qos_max_rate: optional string
              If set, indicates the maximum rate for data sent from this
              interface, in bit/s. The traffic will be shaped according to
              this limit.

       options : qos_burst: optional string
              If set, indicates the maximum burst size for data sent from this
              interface, in bits.

     Containers:

       When a large number of containers are nested within a VM, it may be too
       expensive to dedicate a VIF to each container. OVN can use VLAN tags to
       support such cases. Each container is assigned a VLAN ID and each
       packet that passes between the hypervisor and the VM is tagged with the
       appropriate ID for the container. Such VLAN IDs never appear on a
       physical wire, even inside a tunnel, so they need not be unique except
       relative to a single VM on a hypervisor.

       These columns are used for VIFs that represent nested containers using
       shared VIFs. For VMs and for containers that have dedicated VIFs, they
       are empty.

       parent_name: optional string
              The VM interface through which the nested container sends its
              network traffic. This must match the name column for some other
              Logical_Switch_Port.

       tag_request: optional integer, in range 0 to 4,095
              The VLAN tag in the network traffic associated with a
              container’s network interface. The client can request ovn-northd
              to allocate a tag that is unique within the scope of a specific
              parent (specified in parent_name) by setting a value of 0 in
              this column. The allocated value is written by ovn-northd in the
              tag column. (Note that these tags are allocated and managed
              locally in ovn-northd, so they cannot be reconstructed in the
              event that the database is lost.) The client can also request a
              specific non-zero tag and ovn-northd will honor it and copy that
              value to the tag column.

              When type is set to localnet or l2gateway, this can be set to
              indicate that the port represents a connection to a specific
              VLAN on a locally accessible network. The VLAN ID is used to
              match incoming traffic and is also added to outgoing traffic.

       tag: optional integer, in range 1 to 4,095
              The VLAN tag allocated by ovn-northd based on the contents of
              the tag_request column.

     Port State:

       up: optional boolean
              This column is populated by ovn-northd, rather than by the CMS
              plugin as is most of this database. When a logical port is bound
              to a physical location in the OVN Southbound database Binding
              table, ovn-northd sets this column to true; otherwise, or if the
              port becomes unbound later, it sets it to false. This allows the
              CMS to wait for a VM’s (or container’s) networking to become
              active before it allows the VM (or container) to start.

              Logical ports of router type are an exception to this rule. They
              are considered to be always up, that is, this column is always
              set to true.

       enabled: optional boolean
              This column is used to administratively set port state. If this
              column is empty or is set to true, the port is enabled. If this
              column is set to false, the port is disabled. A disabled port
              has all ingress and egress traffic dropped.

606     Addressing:
607
608       addresses: set of strings
609              Addresses owned by the logical port.
610
611              Each element in the set must take one of the following forms:
612
613              Ethernet address followed by zero or more IPv4 or IPv6 addresses
614              (or both)
615                     An Ethernet address defined is owned by the logical port.
616                     Like a physical Ethernet NIC, a logical  port  ordinarily
617                     has a single fixed Ethernet address.
618
619                     When  a  OVN  logical switch processes a unicast Ethernet
620                     frame whose destination  MAC  address  is  in  a  logical
621                     port’s  addresses  column,  it  delivers  it only to that
622                     port, as if a MAC learning process had learned  that  MAC
623                     address on the port.
624
625                     If  IPv4  or  IPv6  address(es) (or both) are defined, it
626                     indicates  that  the  logical  port  owns  the  given  IP
627                     addresses.
628
629                     If  IPv4  address(es) are defined, the OVN logical switch
630                     uses this information  to  synthesize  responses  to  ARP
631                     requests without traversing the physical network. The OVN
632                     logical router connected to the logical switch,  if  any,
633                     uses  this  information to avoid issuing ARP requests for
634                     logical switch ports.
635
636                     Note that the  order  here  is  important.  The  Ethernet
637                     address  must  be  listed  before  the  IP address(es) if
638                     defined.
639
640                     Examples:
641
642                     80:fa:5b:06:72:b7
643                            This indicates that  the  logical  port  owns  the
644                            above mac address.
645
646                     80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
647                            This  indicates that the logical port owns the mac
648                            address and two IPv4 addresses.
649
650                     80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
651                            This indicates that the logical port owns the  mac
652                            address and 1 IPv6 address.
653
654                     80:fa:5b:06:72:b7                                10.0.0.4
655                     fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
656                            This indicates that the logical port owns the  mac
657                            address and 1 IPv4 address and 1 IPv6 address.
658
659              unknown
660                     This  indicates  that the logical port has an unknown set
661                     of Ethernet addresses. When an OVN  logical  switch  pro‐
662                     cesses  a  unicast  Ethernet  frame whose destination MAC
663                     address is not in any logical port’s addresses column, it
664                     delivers  it  to the port (or ports) whose addresses col‐
665                     umns include unknown.
666
667              dynamic
668                     Use this keyword to make ovn-northd generate  a  globally
669                     unique MAC address and choose an unused IPv4 address within
670                     the logical port’s subnet and store them  in  the  port’s
671                     dynamic_addresses  column. ovn-northd will use the subnet
672                     specified in  other_config:subnet  in  the  port’s  Logi‐
673                     cal_Switch.
674
675              Ethernet address followed by keyword "dynamic"
676                     The  keyword dynamic after the MAC address indicates that
677                     ovn-northd should choose an unused IPv4 address from  the
678                     logical port’s subnet and store it with the specified MAC
679                     in the port’s dynamic_addresses column.  ovn-northd  will
680                     use  the  subnet  specified in other_config:subnet in the
681                     port’s Logical_Switch table.
682
683                     Examples:
684
685                     80:fa:5b:06:72:b7 dynamic
686                            This indicates that  the  logical  port  owns  the
687                            specified  MAC address and ovn-northd should allo‐
688                            cate an unused IPv4 address for the  logical  port
689                            from the corresponding logical switch subnet.
690
691              Keyword "dynamic" followed by an IPv4/IPv6 address
692                     The  keyword  dynamic  followed  by  an IPv4/IPv6 address
693                     indicates that ovn-northd should choose a dynamic  ether‐
694                     net  address  and  use  the provided IPv4/IPv6 address as
695                     network address.
696
697                     Examples:
698
699                     dynamic 192.168.0.1 2001::1
700                            This indicates that ovn-northd should  allocate  a
701                            unique  MAC address and use the provided IPv4/IPv6
702                            address for the related port.
703
704              router Accepted only when type is router.  This  indicates  that
705                     the  Ethernet,  IPv4, and IPv6 addresses for this logical
706                     switch port should be obtained from the connected logical
707                     router port, as specified by router-port in options.
708
709                     The  resulting addresses are used to populate the logical
710                     switch’s destination lookup, and  also  for  the  logical
711                     switch to generate ARP and ND replies.
712
713                     If the connected logical router port has a redirect-chas‐
714                     sis specified and the logical router has rules  specified
715                     in  nat  with external_mac, then those addresses are also
716                     used to populate the switch’s destination lookup.
717
718                     Supported only in OVN 2.7  and  later.  Earlier  versions
719                     required router addresses to be manually synchronized.
720
721       dynamic_addresses: optional string
722              Addresses assigned to the logical port by ovn-northd, if dynamic
723              is specified in addresses. Addresses will be of the same  format
724              as  those  that populate the addresses column. Note that dynami‐
725              cally assigned addresses are constructed and managed locally  in
726              ovn-northd,  so  they  cannot be reconstructed in the event that
727              the database is lost.
728
729       port_security: set of strings
730              This column controls the addresses from which the host  attached
731              to  the  logical  port (``the host’’) is allowed to send packets
732              and to which it is allowed to receive packets. If this column is
733              empty, all addresses are permitted.
734
735              Each  element  in  the set must begin with one Ethernet address.
736              This would restrict the host to sending packets from and receiv‐
737              ing  packets  to  the  ethernet addresses defined in the logical
738              port’s port_security column. It also restricts the inner  source
739              MAC  addresses  that  the host may send in ARP and IPv6 Neighbor
740              Discovery packets. The host is always allowed to receive packets
741              to multicast and broadcast Ethernet addresses.
742
743              Each  element  in  the  set may additionally contain one or more
744              IPv4 or IPv6 addresses (or both), with optional masks. If a mask
745              is  given,  it  must be a CIDR mask. In addition to the restric‐
746              tions described for Ethernet addresses above,  such  an  element
747              restricts  the  IPv4  or  IPv6 addresses from which the host may
748              send and to which  it  may  receive  packets  to  the  specified
749              addresses. A masked address, if the host part is zero, indicates
750              that the host is allowed to use any address in  the  subnet;  if
751              the  host part is nonzero, the mask simply indicates the size of
752              the subnet. In addition:
753
754              ·      If any IPv4 address is given, the host is also allowed to
755                     receive  packets  to  the  IPv4  local  broadcast address
756                     255.255.255.255   and   to   IPv4   multicast   addresses
757                     (224.0.0.0/4).  If  an IPv4 address with a mask is given,
758                     the host is also allowed to receive packets to the broad‐
759                     cast address in that specified subnet.
760
761                     If  any  IPv4  address is given, the host is additionally
762                     restricted to sending  ARP  packets  with  the  specified
763                     source IPv4 address. (RARP is not restricted.)
764
765              ·      If any IPv6 address is given, the host is also allowed to
766                     receive packets to IPv6 multicast addresses (ff00::/8).
767
768                     If any IPv6 address is given, the  host  is  additionally
769                     restricted  to  sending IPv6 Neighbor Discovery Solicita‐
770                     tion or Advertisement packets with the  specified  source
771                     address or, for solicitations, the unspecified address.
772
773              If  an  element includes an IPv4 address, but no IPv6 addresses,
774              then IPv6 traffic is not allowed. If an element includes an IPv6
775              address,  but  no IPv4 address, then IPv4 and ARP traffic is not
776              allowed.
777
778              This column uses the same lexical syntax as the match column  in
779              the OVN Southbound database’s Pipeline table. Multiple addresses
780              within an element may be space or comma separated.
781
782              This column is provided as a  convenience  to  cloud  management
783              systems,  but  all  of  the  features  that it implements can be
784              implemented as ACLs using the ACL table.
785
786              Examples:
787
788              80:fa:5b:06:72:b7
789                     The host may send traffic from and receive traffic to the
790                     specified MAC address, and may receive traffic to Ethernet
791                     multicast and broadcast addresses, but not otherwise. The
792                     host  may not send ARP or IPv6 Neighbor Discovery packets
793                     with inner source Ethernet addresses other than  the  one
794                     specified.
795
796              80:fa:5b:06:72:b7 192.168.1.10/24
797                     This  adds further restrictions to the first example. The
798                     host may send IPv4 packets from or receive  IPv4  packets
799                     to  only  192.168.1.10,  except  that it may also receive
800                     IPv4 packets to 192.168.1.255 (based on the subnet mask),
801                     255.255.255.255, and any address in 224.0.0.0/4. The host
802                     may not send ARPs with a source  Ethernet  address  other
803                     than  80:fa:5b:06:72:b7 or source IPv4 address other than
804                     192.168.1.10. The host may not send or receive  any  IPv6
805                     (including IPv6 Neighbor Discovery) traffic.
806
807              "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
808                     The host may send traffic from and receive traffic to the
809                     specified MAC addresses, and may receive traffic to Ethernet
810                     multicast and broadcast addresses, but not otherwise.
811                     With MAC 80:fa:5b:12:42:ba, the  host  may  send  traffic
812                     from  and  receive  traffic  to  any L3 address. With MAC
813                     80:fa:5b:06:72:b7, the host may send IPv4 packets from or
814                     receive IPv4 packets to only 192.168.1.10, except that it
815                     may also receive IPv4 packets to 192.168.1.255 (based  on
816                     the  subnet  mask),  255.255.255.255,  and any address in
817                     224.0.0.0/4. The host may not send or  receive  any  IPv6
818                     (including IPv6 Neighbor Discovery) traffic.
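
The port_security rules above, modelled as an added Python example (not part of the OVN manual or OVN's own code) that a CMS could use to check a column value before writing it. The function names are hypothetical, and applying each element's L3 rule to frames addressed to a multicast or broadcast MAC is a modelling assumption.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")
V4_BROADCAST = ipaddress.ip_address("255.255.255.255")
V4_MULTICAST = ipaddress.ip_network("224.0.0.0/4")
V6_MULTICAST = ipaddress.ip_network("ff00::/8")


def parse_element(element):
    """Split one port_security element into (mac, [IPv4 entries], [IPv6 entries])."""
    # Addresses within an element may be space or comma separated.
    tokens = [t for t in re.split(r"[,\s]+", element.strip().lower()) if t]
    if not tokens or not MAC_RE.match(tokens[0]):
        raise ValueError("element must begin with an Ethernet address: %r" % element)
    v4, v6 = [], []
    for tok in tokens[1:]:
        entry = ipaddress.ip_interface(tok)      # "a.b.c.d" or "a.b.c.d/len"
        (v4 if entry.version == 4 else v6).append(entry)
    return tokens[0], v4, v6


def _covers(entry, ip):
    """Host part zero: whole subnet is usable. Otherwise only the exact address."""
    if entry.ip == entry.network.network_address:
        return ip in entry.network
    return ip == entry.ip


def _permitted(port_security, mac, ip, receiving):
    if not port_security:
        return True                              # empty column: all addresses permitted
    mac = mac.lower()
    # Group bit set in the first octet: Ethernet multicast or broadcast.
    group = receiving and bool(int(mac[:2], 16) & 1)
    ip = ipaddress.ip_address(ip) if ip is not None else None
    for element in port_security:
        el_mac, v4, v6 = parse_element(element)
        if el_mac != mac and not group:
            continue
        if ip is None or not (v4 or v6):
            return True                          # MAC-only element: any L3 address
        allowed = v4 if ip.version == 4 else v6
        if not allowed:
            continue                             # this address family is not allowed
        if any(_covers(entry, ip) for entry in allowed):
            return True
        if receiving and ip.version == 4 and (
                ip == V4_BROADCAST or ip in V4_MULTICAST
                or any(ip == e.network.broadcast_address for e in allowed)):
            return True
        if receiving and ip.version == 6 and ip in V6_MULTICAST:
            return True
    return False


def may_send(port_security, src_mac, src_ip=None):
    """True if the host may send from src_mac (and src_ip, also as ARP/ND source)."""
    return _permitted(port_security, src_mac, src_ip, receiving=False)


def may_receive(port_security, dst_mac, dst_ip=None):
    """True if the host may receive packets addressed to dst_mac (and dst_ip)."""
    return _permitted(port_security, dst_mac, dst_ip, receiving=True)


# Constructed sample: the two-element port_security example from the text above.
EXAMPLE = ["80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"]

if __name__ == "__main__":
    for mac, ip in [("80:fa:5b:06:72:b7", "192.168.1.10"),
                    ("80:fa:5b:06:72:b7", "192.168.1.11"),
                    ("80:fa:5b:12:42:ba", "10.9.9.9")]:
        print(mac, ip, "send allowed:", may_send(EXAMPLE, mac, ip))
```
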
819
820     DHCP:
821
822       dhcpv4_options: optional weak reference to DHCP_Options
823              This  column  defines  the  DHCPv4 Options to be included by the
824              ovn-controller when it replies to the  DHCPv4  requests.  Please
825              see the DHCP_Options table.
826
827       dhcpv6_options: optional weak reference to DHCP_Options
828              This  column  defines  the  DHCPv6 Options to be included by the
829              ovn-controller when it replies to the  DHCPv6  requests.  Please
830              see the DHCP_Options table.
831
832       ha_chassis_group: optional HA_Chassis_Group
833              References  a  row  in  the  OVN  Northbound database’s HA_Chas‐
834              sis_Group table. It indicates the HA chassis group to use if the
835              type is set to external. If type is not external, this column is
836              ignored.
837
838     Naming:
839
840       external_ids : neutron:port_name: optional string
841              This column gives an optional human-friendly name for the  port.
842              This  name  has no special meaning or purpose other than to pro‐
843              vide convenience for human interaction with the northbound data‐
844              base.
845
846              Neutron  copies  this  from its own port object’s name. (Neutron
847              ports are not assigned human-friendly names by default, so it
848              will often be empty.)
849
850     Common Columns:
851
852       external_ids: map of string-string pairs
853              See External IDs at the beginning of this document.
854
855              The  ovn-northd  program  copies all these pairs into the exter‐
856              nal_ids column of the Port_Binding table in OVN_Southbound data‐
857              base.
858

Address_Set TABLE

860       Each  row in this table represents a named set of addresses. An address
861       set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
862       or CIDR masks. Address sets may ultimately be used in ACLs to compare
863       against fields such as ip4.src or ip6.src. A single  address  set  must
864       contain  addresses of the same type. As an example, the following would
865       create an address set with three IP addresses:
866
867             ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'
868
869
870       Address sets may be used in the match column of the ACL table. For syn‐
871       tax  information,  see  the details of the expression language used for
872       the match column in the Logical_Flow table of the OVN_Southbound  data‐
873       base.
874
875   Summary:
876       name                          string (must be unique within table)
877       addresses                     set of strings
878       Common Columns:
879         external_ids                map of string-string pairs
880
881   Details:
882       name: string (must be unique within table)
883              A  name  for  the  address  set.  Names are ASCII and must match
884              [a-zA-Z_.][a-zA-Z_.0-9]*.
885
886       addresses: set of strings
887              The set of addresses in string form.
888
889     Common Columns:
890
891       external_ids: map of string-string pairs
892              See External IDs at the beginning of this document.
893

Port_Group TABLE

895       Each row in this table represents  a  named  group  of  logical  switch
896       ports.
897
898       Port  groups may be used in the match column of the ACL table. For syn‐
899       tax information, see the details of the expression  language  used  for
900       the  match column in the Logical_Flow table of the OVN_Southbound data‐
901       base.
902
903       For each port group, there  are  two  address  sets  generated  to  the
904       Address_Set  table  of  the  OVN_Southbound database, containing the IP
905       addresses of the group of ports, one for IPv4, and the other for  IPv6,
906       with  name  being  the name of the Port_Group followed by a suffix _ip4
907       for IPv4 and _ip6 for IPv6. The generated address sets can be  used  in
908       the same way as regular address sets in the match column of the ACL ta‐
909       ble. For syntax information, see the details of the expression language
910       used  for  the match column in the Logical_Flow table of the OVN_South‐
911       bound database.
912
913   Summary:
914       name                          string (must be unique within table)
915       ports                         set   of   weak   reference   to    Logi‐
916                                     cal_Switch_Ports
917       acls                          set of ACLs
918       Common Columns:
919         external_ids                map of string-string pairs
920
921   Details:
922       name: string (must be unique within table)
923              A  name  for  the  port  group.  Names  are ASCII and must match
924              [a-zA-Z_.][a-zA-Z_.0-9]*.
925
926       ports: set of weak reference to Logical_Switch_Ports
927              The logical switch ports belonging to the group in uuids.
928
929       acls: set of ACLs
930              Access control rules that apply to the port group.  Applying  an
931              ACL  to  a port group has the same effect as applying the ACL to
932              all logical switches that the ports of the port group belong
933              to.
934
935     Common Columns:
936
937       external_ids: map of string-string pairs
938              See External IDs at the beginning of this document.
939

Load_Balancer TABLE

941       Each row represents one load balancer.
942
943   Summary:
944       name                          string
945       vips                          map of string-string pairs
946       protocol                      optional string, either tcp or udp
947       Common Columns:
948         external_ids                map of string-string pairs
949
950   Details:
951       name: string
952              A  name  for the load balancer. This name has no special meaning
953              or purpose other than to provide convenience for human  interac‐
954              tion with the ovn-nb database.
955
956       vips: map of string-string pairs
957              A  map of virtual IP addresses (and an optional port number with
958              : as a separator) associated with this load balancer  and  their
959              corresponding  endpoint  IP addresses (and optional port numbers
960              with : as separators) separated by commas. If the destination IP
961              address  (and  port number) of a packet leaving a container or a
962              VM matches the virtual IP address  (and  port  number)  provided
963              here  as a key, then OVN will statefully replace the destination
964              IP address by one of the provided IP addresses (and port number)
965              in  this  map  as a value. IPv4 and IPv6 addresses are supported
966              for load balancing; however a VIP of one address family may  not
967              be  mapped to a destination IP address of a different family. If
968              specifying an IPv6 address with a port, the address portion must
969              be   enclosed   in   square  brackets.  Examples  for  keys  are
970              "192.168.1.4"  and  "[fd0f::1]:8800".  Examples  for  value  are
971              "10.0.0.1, 10.0.0.2" and "20.0.0.10:8800, 20.0.0.11:8800".
972
973              When  the  Load_Balancer is added to the logical_switch, the VIP
974              has to be in a different subnet than the one used for the
975              logical_switch. Since VIP is in a different subnet, you should
976              connect your logical switch to either an OVN logical router or a
977              real  router  (this  is because the client can now send a packet
978              with VIP as the destination IP address and router’s mac  address
979              as the destination MAC address).
980
981       protocol: optional string, either tcp or udp
982              Valid  protocols  are  tcp  or udp. This column is useful when a
983              port number is provided as part of the vips column. If this col‐
984              umn  is empty and a port number is provided as part of vips col‐
985              umn, OVN assumes the protocol to be tcp.
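
A validator for the vips and protocol columns as described above, added here as an example (it is not OVN code). The function names, finding codes and the optional switch_subnet argument are hypothetical.

```python
import ipaddress


def parse_endpoint(text):
    """Parse 'ip', 'ipv4:port' or '[ipv6]:port' into (address, port or None)."""
    text = text.strip()
    port = None
    if text.startswith("["):
        host, closing, rest = text[1:].partition("]")
        if not closing or (rest and not rest.startswith(":")):
            raise ValueError("malformed bracketed address: %r" % text)
        port = rest[1:] if rest else None
    elif text.count(":") == 1:
        host, _, port = text.partition(":")          # IPv4 with a port
    else:
        # Bare IPv4 or bare IPv6. An unbracketed "ipv6:port" lands here and is
        # read as one longer IPv6 address, which is why brackets are required.
        host = text
    addr = ipaddress.ip_address(host)
    if port is not None:
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError("bad port in %r" % text)
        port = int(port)
    return addr, port


def validate_vips(vips, protocol=None, switch_subnet=None):
    """Return (findings, effective_protocol) for a Load_Balancer row.

    findings is a list of (code, detail). switch_subnet, if given, is the
    subnet of the logical switch the load balancer will be attached to.
    """
    findings = []
    uses_port = False
    if protocol not in (None, "", "tcp", "udp"):
        findings.append(("invalid-protocol", protocol))
    for key, value in vips.items():
        try:
            vip, vport = parse_endpoint(key)
            backends = [parse_endpoint(b) for b in value.split(",")]
        except ValueError as exc:
            findings.append(("unparseable", "%s: %s" % (key, exc)))
            continue
        uses_port = uses_port or vport is not None or any(p for _, p in backends)
        for addr, _ in backends:
            # A VIP of one family may not map to a backend of the other family.
            if addr.version != vip.version:
                findings.append(("family-mismatch", "%s -> %s" % (key, addr)))
        if switch_subnet and vip in ipaddress.ip_network(switch_subnet):
            findings.append(("vip-in-switch-subnet", key))
    # Empty protocol with a port present: OVN assumes tcp.
    effective = protocol or ("tcp" if uses_port else None)
    return findings, effective


# Constructed sample rows built from the key and value examples in the text.
SAMPLE_OK = {"192.168.1.4": "10.0.0.1, 10.0.0.2"}
SAMPLE_MIXED = {"[fd0f::1]:8800": "20.0.0.10:8800, 20.0.0.11:8800"}

if __name__ == "__main__":
    print(validate_vips(SAMPLE_OK))
    print(validate_vips(SAMPLE_MIXED))
```
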
986
987     Common Columns:
988
989       external_ids: map of string-string pairs
990              See External IDs at the beginning of this document.
991

ACL TABLE

993       Each row in this table represents one ACL rule for a logical switch  or
994       a port group that points to it through its acls column. The action col‐
995       umn for the highest-priority matching row in this  table  determines  a
996       packet’s  treatment. If no row matches, packets are allowed by default.
997       (Default-deny treatment is possible: add a rule with priority 0,  1  as
998       match, and deny as action.)
999
1000   Summary:
1001       priority                      integer, in range 0 to 32,767
1002       direction                     string, either from-lport or to-lport
1003       match                         string
1004       action                        string,   one  of  allow-related,  allow,
1005                                     drop, or reject
1006       Logging:
1007         log                         boolean
1008         name                        optional string, at  most  63  characters
1009                                     long
1010         severity                    optional  string,  one  of  alert, debug,
1011                                     info, notice, or warning
1012         meter                       optional string
1013       Common Columns:
1014         external_ids                map of string-string pairs
1015
1016   Details:
1017       priority: integer, in range 0 to 32,767
1018              The ACL rule’s priority. Rules with numerically higher  priority
1019              take precedence over those with lower. If two ACL rules with the
1020              same priority both match, then the one  actually  applied  to  a
1021              packet is undefined.
1022
1023              Return  traffic from an allow-related flow is always allowed and
1024              cannot be changed through an ACL.
1025
1026       direction: string, either from-lport or to-lport
1027              Direction of the traffic to which this rule should apply:
1028
1029              ·      from-lport: Used to implement filters on traffic arriving
1030                     from a logical port. These rules are applied to the logi‐
1031                     cal switch’s ingress pipeline.
1032
1033              ·      to-lport: Used to implement filters on traffic  forwarded
1034                     to a logical port. These rules are applied to the logical
1035                     switch’s egress pipeline.
1036
1037       match: string
1038              The packets that the ACL should match, in  the  same  expression
1039              language  used  for the match column in the OVN Southbound data‐
1040              base’s Logical_Flow table. The  outport  logical  port  is  only
1041              available  in the to-lport direction (the inport is available in
1042              both directions).
1043
1044              By default all traffic is allowed. When writing a more  restric‐
1045              tive  policy, it is important to remember to allow flows such as
1046              ARP and IPv6 neighbor discovery packets.
1047
1048              Note that you cannot create an ACL matching on a port with
1049              type=router or type=localnet.
1050
1051       action: string, one of allow-related, allow, drop, or reject
1052              The action to take when the ACL rule matches:
1053
1054              ·      allow: Forward the packet.
1055
1056              ·      allow-related:  Forward  the  packet  and related traffic
1057                     (e.g. inbound replies to an outbound connection).
1058
1059              ·      drop: Silently drop the packet.
1060
1061              ·      reject: Drop the packet, replying with a RST for  TCP  or
1062                     ICMPv4/ICMPv6     unreachable     message    for    other
1063                     IPv4/IPv6-based protocols.
1064
1065     Logging:
1066
1067       These columns control whether and how OVN logs packets  that  match  an
1068       ACL.
1069
1070       log: boolean
1071              If  set  to  true, packets that match the ACL will trigger a log
1072              message on the transport node or nodes that perform ACL process‐
1073              ing. Logging may be combined with any action.
1074
1075              If  set  to  false,  the remaining columns in this group have no
1076              significance.
1077
1078       name: optional string, at most 63 characters long
1079              This name, if it is provided, is included  in  log  records.  It
1080              provides the administrator and the cloud management system a way
1081              to associate a log record with a particular ACL.
1082
1083       severity: optional string, one of alert, debug, info, notice, or  warn‐
1084       ing
1085              The severity of the ACL. The severity levels match those of sys‐
1086              log, in decreasing level of severity:  alert,  warning,  notice,
1087              info, or debug. When the column is empty, the default is info.
1088
1089       meter: optional string
1090              The  name of a meter to rate-limit log messages for the ACL. The
1091              string must match the name column of a row in the  Meter  table.
1092              By default, log messages are not rate-limited.
1093
1094     Common Columns:
1095
1096       external_ids: map of string-string pairs
1097              See External IDs at the beginning of this document.
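
A linter for ACL rows against the column constraints and evaluation rules in this table, added here as an example (it is not OVN code). The row dictionaries, finding codes and the `arp`/`nd` predicate names are assumptions; the default-deny check looks for drop or reject, the only dropping values the action column accepts.

```python
import re
from collections import defaultdict

ACTIONS = {"allow-related", "allow", "drop", "reject"}
DIRECTIONS = {"from-lport", "to-lport"}
SEVERITIES = {"alert", "warning", "notice", "info", "debug"}
# Assumption: "arp" and "nd" are the expression-language predicates for ARP and
# IPv6 neighbor discovery; the page names the traffic but not the symbols.
ARP_RE = re.compile(r"\barp\b")
ND_RE = re.compile(r"\bnd(_ns|_na)?\b")


def lint_acls(rows):
    """Return a list of (code, detail) findings for a list of ACL rows (dicts)."""
    findings = []
    slots = defaultdict(set)                 # (direction, priority) -> actions seen
    for i, row in enumerate(rows):
        prio, direction, action = (row.get(k) for k in ("priority", "direction", "action"))
        if type(prio) is not int or not 0 <= prio <= 32767:
            findings.append(("priority-range", "row %d: %r" % (i, prio)))
        if direction not in DIRECTIONS:
            findings.append(("invalid-direction", "row %d: %r" % (i, direction)))
        if action not in ACTIONS:
            findings.append(("invalid-action", "row %d: %r" % (i, action)))
        if len(row.get("name") or "") > 63:
            findings.append(("name-too-long", "row %d" % i))
        if row.get("severity") not in SEVERITIES | {None}:
            findings.append(("invalid-severity", "row %d: %r" % (i, row.get("severity"))))
        # With log false, name/severity/meter have no significance.
        if not row.get("log") and any(row.get(k) for k in ("name", "severity", "meter")):
            findings.append(("log-columns-ignored", "row %d" % i))
        slots[(direction, prio)].add(action)

    # Equal priority with different actions: if both rows match a packet,
    # which one applies is undefined, so flag the pair for review.
    for (direction, prio), actions in slots.items():
        if len(actions) > 1:
            findings.append(("same-priority-conflict", "%s priority %r: %s"
                             % (direction, prio, sorted(map(str, actions)))))

    for direction in sorted(DIRECTIONS):
        scoped = [r for r in rows if r.get("direction") == direction]
        has_default_deny = any(
            r.get("priority") == 0 and str(r.get("match", "")).strip() == "1"
            and r.get("action") in ("drop", "reject") for r in scoped)
        if not has_default_deny:
            findings.append(("default-allow", direction))   # unmatched packets pass
            continue
        # Heuristic: a restrictive policy should still allow ARP and ND.
        allowed = " ".join(str(r.get("match", "")) for r in scoped
                           if r.get("action") in ("allow", "allow-related"))
        if not ARP_RE.search(allowed):
            findings.append(("arp-not-allowed", direction))
        if not ND_RE.search(allowed):
            findings.append(("nd-not-allowed", direction))
    return findings


# Constructed sample rows, as a CMS might hold them before writing to the NB DB.
SAMPLE_ROWS = [
    {"priority": 1000, "direction": "to-lport",
     "match": 'outport == "web" && tcp.dst == 443', "action": "allow-related"},
    {"priority": 1000, "direction": "to-lport",
     "match": 'outport == "web" && ip4.src == 10.0.0.0/8', "action": "drop",
     "log": True, "name": "blocked-src", "severity": "warning"},
    {"priority": 0, "direction": "to-lport", "match": "1", "action": "deny",
     "log": False, "severity": "info"},
    {"priority": 40000, "direction": "from-lport",
     "match": 'inport == "web"', "action": "allow"},
]

if __name__ == "__main__":
    for code, detail in lint_acls(SAMPLE_ROWS):
        print("%-24s %s" % (code, detail))
```
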
1098

Logical_Router TABLE

1100       Each row represents one L3 logical router.
1101
1102   Summary:
1103       ports                         set of Logical_Router_Ports
1104       static_routes                 set of Logical_Router_Static_Routes
1105       policies                      set of Logical_Router_Policys
1106       enabled                       optional boolean
1107       nat                           set of NATs
1108       load_balancer                 set of weak reference to Load_Balancers
1109       Naming:
1110         name                        string
1111         external_ids : neutron:router_name
1112                                     optional string
1113       Options:
1114         options : chassis           optional string
1115         options : dnat_force_snat_ip
1116                                     optional string
1117         options : lb_force_snat_ip  optional string
1118       Common Columns:
1119         external_ids                map of string-string pairs
1120
1121   Details:
1122       ports: set of Logical_Router_Ports
1123              The router’s ports.
1124
1125       static_routes: set of Logical_Router_Static_Routes
1126              Zero or more static routes for the router.
1127
1128       policies: set of Logical_Router_Policys
1129              Zero or more routing policies for the router.
1130
1131       enabled: optional boolean
1132              This  column  is  used  to administratively set router state. If
1133              this column is empty or is set to true, the router  is  enabled.
1134              If  this  column is set to false, the router is disabled. A dis‐
1135              abled router has all ingress and egress traffic dropped.
1136
1137       nat: set of NATs
1138              One or more NAT rules for the router. NAT  rules  only  work  on
1139              Gateway  routers,  and  on  distributed routers with one logical
1140              router port with a redirect-chassis specified.
1141
1142       load_balancer: set of weak reference to Load_Balancers
1143              Load balance a virtual ip address to a set of  logical  port  ip
1144              addresses. Load balancer rules only work on the Gateway routers.
1145
1146     Naming:
1147
1148       These columns provide names for the logical router. From OVN’s perspec‐
1149       tive, these names have no special meaning or purpose other than to pro‐
1150       vide  convenience  for  human interaction with the northbound database.
1151       There is no requirement for the name to be unique. (For a unique  iden‐
1152       tifier for a logical router, use its row UUID.)
1153
1154       (Originally, name was intended to serve the purpose of a human-friendly
1155       name, but the Neutron integration used it to uniquely identify its  own
1156       router  object,  in  the format neutron-uuid. Later on, Neutron started
1157       propagating  the  friendly  name  of  a  router  as   external_ids:neu‐
1158       tron:router_name. Perhaps this can be cleaned up someday.)
1159
1160       name: string
1161              A name for the logical router.
1162
1163       external_ids : neutron:router_name: optional string
1164              Another name for the logical router.
1165
1166     Options:
1167
1168       Additional options for the logical router.
1169
1170       options : chassis: optional string
1171              If set, indicates that the logical router in question is a Gate‐
1172              way router (which is centralized) and resides in the  set  chas‐
1173              sis.  The  same value is also used by ovn-controller to uniquely
1174              identify the chassis in the OVN deployment and comes from exter‐
1175              nal_ids:system-id  in  the  Open_vSwitch  table  of Open_vSwitch
1176              database.
1177
1178              The Gateway router can only be connected to a distributed router
1179              via  a switch if SNAT and DNAT are to be configured in the Gate‐
1180              way router.
1181
1182       options : dnat_force_snat_ip: optional string
1183              If set, indicates the IP address to use to force SNAT  a  packet
1184              that  has already been DNATed in the gateway router. When multi‐
1185              ple gateway routers are configured,  a  packet  can  potentially
1186              enter any of the gateway routers, get DNATted and eventually
1187              reach the logical switch port. For the return traffic to go back
1188              to  the  same gateway router (for unDNATing), the packet needs a
1189              SNAT in the first place. This can be  achieved  by  setting  the
1190              above option with a gateway specific IP address.
1191
1192       options : lb_force_snat_ip: optional string
1193              If  set,  indicates the IP address to use to force SNAT a packet
1194              that has already been load-balanced in the gateway router.  When
1195              multiple  gateway  routers  are  configured, a packet can poten‐
1196              tially enter any of the gateway routers, get DNATted as part  of
1197              the load-balancing and eventually reach the logical switch
1198              port. For the return traffic to go  back  to  the  same  gateway
1199              router  (for  unDNATing),  the  packet needs a SNAT in the first
1200              place. This can be achieved by setting the above option  with  a
1201              gateway specific IP address.
1202
1203     Common Columns:
1204
1205       external_ids: map of string-string pairs
1206              See External IDs at the beginning of this document.
1207

QoS TABLE

1209       Each  row  in  this  table represents one QoS rule for a logical switch
1210       that points to it through its qos_rules column. Two types  of  QoS  are
1211       supported: DSCP marking and metering. A match with the highest-priority
1212       will have QoS applied to it. If the action column  is  specified,  then
1213       matching packets will have DSCP marking applied. If the bandwidth
1214       column is specified, then matching packets will have metering applied.
1215       action and bandwidth are not exclusive, so both marking and metering may
1216       be defined for the same QoS entry. If no row matches, packets will not
1217       have any QoS applied.
1218
1219   Summary:
1220       priority                      integer, in range 0 to 32,767
1221       direction                     string, either from-lport or to-lport
1222       match                         string
1223       action                        map  of string-integer pairs, key must be
1224                                     dscp, value in range 0 to 63
1225       bandwidth                     map of string-integer pairs,  key  either
1226                                     burst  or  rate,  value  in  range  1  to
1227                                     4,294,967,295
1228       external_ids                  map of string-string pairs
1229
1230   Details:
1231       priority: integer, in range 0 to 32,767
1232              The QoS rule’s priority. Rules with numerically higher  priority
1233              take precedence over those with lower. If two QoS rules with the
1234              same priority both match, then the one  actually  applied  to  a
1235              packet is undefined.
1236
1237       direction: string, either from-lport or to-lport
1238              The value of this field is similar to the direction column in the OVN
1239              Northbound database’s ACL table.
1240
1241       match: string
1242              The packets that the QoS rules should match, in the same expres‐
1243              sion  language  used  for the match column in the OVN Southbound
1244              database’s Logical_Flow table. The outport logical port is  only
1245              available  in the to-lport direction (the inport is available in
1246              both directions).
1247
1248       action: map of string-integer pairs, key must be dscp, value in range 0
1249       to 63
1250              When specified, matching flows will have DSCP marking applied.
1251
1252              ·      dscp:  The value of this action should be in the range of
1253                     0 to 63 (inclusive).
1254
1255       bandwidth: map of string-integer pairs, key either burst or rate, value
1256       in range 1 to 4,294,967,295
1257              When  specified,  matching  packets will have bandwidth metering
1258              applied. Traffic over the limit will be dropped.
1259
1260              ·      rate: The value of rate limit in kbps.
1261
1262              ·      burst: The value of burst rate limit in kilobits. This is
1263                     optional and requires rate to be specified.
1264
1265       external_ids: map of string-string pairs
1266              See External IDs at the beginning of this document.
1267

Meter TABLE

1269       Each  row  in this table represents a meter that can be used for QoS or
1270       rate-limiting.
1271
1272   Summary:
1273       name                          string (must be unique within table)
1274       unit                          string, either kbps or pktps
1275       bands                         set of 1 or more Meter_Bands
1276       external_ids                  map of string-string pairs
1277
1278   Details:
1279       name: string (must be unique within table)
1280              A name for this meter.
1281
1282              Names that begin with "__" (two underscores)  are  reserved  for
1283              OVN internal use and should not be added manually.
1284
1285       unit: string, either kbps or pktps
1286              The unit for the rate and burst_size parameters in the bands
1287              entries. kbps specifies kilobits per second, and pktps specifies
1288              packets per second.
1289
1290       bands: set of 1 or more Meter_Bands
1291              The bands associated with this meter. Each band specifies a rate
1292              above which the band is to take the action given in its action
1293              column. If multiple bands’ rates are exceeded, then the band with
1294              the highest rate among the exceeded bands is selected.
1295
1296       external_ids: map of string-string pairs
1297              See External IDs at the beginning of this document.
1298

Meter_Band TABLE

1300       Each row in this table represents a meter band which specifies the rate
1301       above  which  the  configured action should be applied. These bands are
1302       referenced by the bands column in the Meter table.
1303
1304   Summary:
1305       action                        string, must be drop
1306       rate                          integer, in range 1 to 4,294,967,295
1307       burst_size                    integer, in range 0 to 4,294,967,295
1308       external_ids                  map of string-string pairs
1309
1310   Details:
1311       action: string, must be drop
1312              The action to execute when this band matches. The only supported
1313              action is drop.
1314
1315       rate: integer, in range 1 to 4,294,967,295
1316              The rate limit for this band, in kilobits per second or packets
1317              per second, depending on whether the parent Meter entry’s unit
1318              column specified kbps or pktps.
1319
1320       burst_size: integer, in range 0 to 4,294,967,295
1321              The  maximum  burst allowed for the band in kilobits or packets,
1322              depending on whether kbps or pktps was selected  in  the  parent
1323              Meter  entry’s  unit  column. If the size is zero, the switch is
1324              free to select some reasonable value depending on its configura‐
1325              tion.
1326
1327       external_ids: map of string-string pairs
1328              See External IDs at the beginning of this document.
1329

Logical_Router_Port TABLE

1331       A port within an L3 logical router.
1332
1333       Exactly  one  Logical_Router  row must reference a given logical router
1334       port.
1335
1336   Summary:
1337       name                          string (must be unique within table)
1338       gateway_chassis               set of Gateway_Chassiss
1339       ha_chassis_group              optional HA_Chassis_Group
1340       networks                      set of 1 or more strings
1341       mac                           string
1342       enabled                       optional boolean
1343       ipv6_ra_configs:
1344         ipv6_ra_configs : address_mode
1345                                     optional string
1346         ipv6_ra_configs : mtu       optional string
1347         ipv6_ra_configs : send_periodic
1348                                     optional string
1349         ipv6_ra_configs : max_interval
1350                                     optional string
1351         ipv6_ra_configs : min_interval
1352                                     optional string
1353       Options:
1354         options : redirect-chassis  optional string
1355         options : reside-on-redirect-chassis
1356                                     optional string
1357       Attachment:
1358         peer                        optional string
1359       Common Columns:
1360         external_ids                map of string-string pairs
1361
1362   Details:
1363       name: string (must be unique within table)
1364              A name for the logical router port.
1365
1366              In addition to providing convenience for human interaction with
1367              the northbound database, this column is used as a reference by
1368              its patch port in Logical_Switch_Port or by another logical
1369              router port in Logical_Router_Port.
1370
1371       gateway_chassis: set of Gateway_Chassiss
1372              This column is ignored if the column ha_chassis_group is set.
1373
1374              If  set, this indicates that this logical router port represents
1375              a distributed gateway port that connects this router to a  logi‐
1376              cal  switch  with a localnet port. There may be at most one such
1377              logical router port on each logical router.
1378
1379              Several Gateway_Chassis can be referenced for  a  given  logical
1380              router port. A single Gateway_Chassis is functionally equivalent
1381              to setting options:redirect-chassis. Refer to the description of
1382              options:redirect-chassis  for additional details on gateway han‐
1383              dling.
1384
1385              Defining more than one Gateway_Chassis will enable gateway  high
1386              availability.  Only  one  gateway  will be active at a time. OVN
1387              chassis will use BFD to monitor connectivity to  a  gateway.  If
1388              connectivity to the active gateway is interrupted, another gate‐
1389              way will become active. The priority column specifies the  order
1390              that gateways will be chosen by OVN.
1391
1392       ha_chassis_group: optional HA_Chassis_Group
1393              If  set, this indicates that this logical router port represents
1394              a distributed gateway port that connects this router to a  logi‐
1395              cal  switch  with a localnet port. There may be at most one such
1396              logical router port on each logical router. The HA chassis which
1397              are  part  of the HA chassis group will provide the gateway high
1398              availability. Please see the HA_Chassis_Group for more details.
1399
1400              When this column is set,  the  column  gateway_chassis  will  be
1401              ignored.
1402
1403       networks: set of 1 or more strings
1404              The  IP  addresses  and  netmasks  of  the  router. For example,
1405              192.168.0.1/24  indicates  that  the  router’s  IP  address   is
1406              192.168.0.1  and  that packets destined to 192.168.0.x should be
1407              routed to this port.
1408
1409              A logical router port always  adds  a  link-local  IPv6  address
1410              (fe80::/64)  automatically  generated  from  the interface’s MAC
1411              address using the modified EUI-64 format.
1412
1413       mac: string
1414              The Ethernet address that belongs to this router port.
1415
1416       enabled: optional boolean
1417              This column is used to administratively set port state. If  this
1418              column  is empty or is set to true, the port is enabled. If this
1419              column is set to false, the port is disabled.  A  disabled  port
1420              has all ingress and egress traffic dropped.
1421
1422     ipv6_ra_configs:
1423
1424       This column defines the IPv6 ND RA address mode and ND MTU Option to be
1425       included by ovn-controller when it replies to the IPv6 Router solicita‐
1426       tion requests.
1427
1428       ipv6_ra_configs : address_mode: optional string
1429              The  address mode to be used for IPv6 address configuration. The
1430              supported values are:
1431
1432              ·      slaac: Address configuration using  Router  Advertisement
1433                     (RA)  packet.  The  IPv6  prefixes  defined  in the Logi‐
1434                     cal_Router_Port table’s networks column will be  included
1435                     in the RA’s ICMPv6 option - Prefix information.
1436
1437              ·      dhcpv6_stateful: Address configuration using DHCPv6.
1438
1439              ·      dhcpv6_stateless:   Address  configuration  using  Router
1440                     Advertisement (RA) packet. Other IPv6  options  are  pro‐
1441                     vided by DHCPv6.
1442
1443       ipv6_ra_configs : mtu: optional string
1444              The recommended MTU for the link. Default is 0, which means no
1445              MTU Option will be included in the RA packet that ovn-controller
1446              sends in reply. Per RFC 2460, the MTU should be no less than
1447              1280, so any mtu value less than 1280 is treated as no MTU
1448              Option.
1449
1450       ipv6_ra_configs : send_periodic: optional string
1451              If  set  to  true,  then  this router interface will send router
1452              advertisements periodically. The default is false.
1453
1454       ipv6_ra_configs : max_interval: optional string
1455              The maximum number of seconds to wait between  sending  periodic
1456              router advertisements. This option has no effect if ipv6_ra_con‐
1457              figs:send_periodic is false. The default is 600.
1458
1459       ipv6_ra_configs : min_interval: optional string
1460              The minimum number of seconds to wait between  sending  periodic
1461              router advertisements. This option has no effect if ipv6_ra_con‐
1462              figs:send_periodic  is  false.  The  default  is  one-third   of
1463              ipv6_ra_configs:max_interval,  i.e.  200  seconds if that key is
1464              unset.
1465
1466     Options:
1467
1468       Additional options for the logical router port.
1469
1470       options : redirect-chassis: optional string
1471              If set, this indicates that this logical router port  represents
1472              a  distributed gateway port that connects this router to a logi‐
1473              cal switch with a localnet port. There may be at most  one  such
1474              logical router port on each logical router.
1475
1476              Even  when  a  redirect-chassis is specified, the logical router
1477              port still effectively resides on each chassis. However, due  to
1478              the  implications of the use of L2 learning in the physical net‐
1479              work, as well as the need to support advanced features  such  as
1480              one-to-many  NAT  (aka IP masquerading), a subset of the logical
1481              router processing is handled in  a  centralized  manner  on  the
1482              specified redirect-chassis.
1483
1484              When  this  option  is specified, the peer logical switch port’s
1485              addresses must be set to router. With this setting,  the  exter‐
1486              nal_macs  specified in NAT rules are automatically programmed in
1487              the peer logical switch’s  destination  lookup  on  the  chassis
1488              where   the  logical_port  resides.  In  addition,  the  logical
1489              router’s MAC address is automatically  programmed  in  the  peer
1490              logical  switch’s  destination lookup flow on the redirect-chas‐
1491              sis.
1492
1493              When this option is specified and it is desired to generate gra‐
1494              tuitous  ARPs  for  NAT  addresses, then the peer logical switch
1495              port’s options:nat-addresses should be set to router.
1496
1497              While options:redirect-chassis is still supported for  backwards
1498              compatibility,  it is now preferred to specify one or more gate‐
1499              way_chassis instead. It is functionally equivalent,  but  allows
1500              you to specify multiple chassis to enable high availability.
1501
1502       options : reside-on-redirect-chassis: optional string
1503              Generally routing is distributed in OVN. The packet from a logi‐
1504              cal port which needs to be routed hits the  router  pipeline  in
1505              the  source  chassis.  For  the East-West traffic, the packet is
1506              sent directly to the destination chassis. For the outside  traf‐
1507              fic the packet is sent to the gateway chassis.
1508
1509              When this option is set, OVN considers it only if:
1510
1511              ·      The logical router to which this logical router port
1512                     belongs has a distributed gateway port.
1513
1514              ·      The peer’s logical switch has a localnet port
1515                     (representing a VLAN tagged network).
1516
1517              When this option is set to true, the packet which needs to be
1518              routed hits the router pipeline in the chassis hosting the
1519              distributed gateway router port. The source chassis pushes out
1520              this traffic via the localnet port. With this, East-West
1521              traffic is no longer distributed and will always go through the
1522              gateway chassis.
1523
1524              Without this option set, for any  traffic  destined  to  outside
1525              from  a  logical  port  which  belongs  to a logical switch with
1526              localnet port, the source chassis will send the traffic  to  the
1527              gateway chassis via the tunnel port instead of the localnet port
1528              and this could cause MTU issues.
1529
1530     Attachment:
1531
1532       A given router port serves one of two purposes:
1533
1534              ·      To attach a logical switch to a logical router. A logical
1535                     router  port  of  this  type is referenced by exactly one
1536                     Logical_Switch_Port of type router. The value of name  is
1537                     set   as   router-port   in   column   options  of  Logi‐
1538                     cal_Switch_Port. In this case peer column is empty.
1539
1540              ·      To connect one logical router to another. This requires a
1541                     pair of logical router ports, each connected to a differ‐
1542                     ent router. Each router port in the  pair  specifies  the
1543                     other in its peer column. No Logical_Switch refers to the
1544                     router port.
1545
1546       peer: optional string
1547              For a router port used to  connect  two  logical  routers,  this
1548              identifies the other router port in the pair by name.
1549
1550              For  a  router port attached to a logical switch, this column is
1551              empty.
1552
1553     Common Columns:
1554
1555       external_ids: map of string-string pairs
1556              See External IDs at the beginning of this document.
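The networks column above states that every logical router port also gets an fe80::/64 address derived from its mac with modified EUI-64. The following is an added example, not code from OVN: it performs that derivation and its inverse, so an observed Router Advertisement source address can be checked against the Logical_Router_Port row. The function names and the sample MAC are constructed for illustration.

```python
import ipaddress
import re
from typing import Optional

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")
LLA_PREFIX = b"\xfe\x80" + bytes(6)  # fe80::/64


def lla_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Derive the fe80::/64 address for `mac` using modified EUI-64."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated Ethernet address: {mac!r}")
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    octets[0] ^= 0x02  # invert the universal/local bit
    # Insert ff:fe between the OUI half and the NIC-specific half.
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(LLA_PREFIX + iid)


def mac_from_lla(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 link-local address.

    Returns None when the interface identifier does not carry the ff:fe
    marker, i.e. the address was not built from a MAC this way.
    """
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:8] != LLA_PREFIX:
        raise ValueError("not an fe80::/64 address")
    iid = packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def ra_source_matches(port_mac: str, observed_src: str) -> bool:
    """True if an observed RA source address is the one this port derives."""
    return ipaddress.IPv6Address(observed_src) == lla_from_mac(port_mac)


if __name__ == "__main__":
    mac = "fa:16:3e:12:34:56"  # constructed sample value
    print(mac, "->", lla_from_mac(mac))
```

Because the mapping is reversible, the link-local address discloses the port's mac to anyone on the attached logical switch.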
1557

Logical_Router_Static_Route TABLE

1559       Each record represents a static route.
1560
1561       When multiple routes match a packet, the longest-prefix match  is  cho‐
1562       sen.  For  a  given  prefix  length, a dst-ip route is preferred over a
1563       src-ip route.
1564
1565   Summary:
1566       ip_prefix                     string
1567       policy                        optional string, either dst-ip or src-ip
1568       nexthop                       string
1569       output_port                   optional string
1570       Common Columns:
1571         external_ids                map of string-string pairs
1572
1573   Details:
1574       ip_prefix: string
1575              IP prefix of this route (e.g. 192.168.100.0/24).
1576
1577       policy: optional string, either dst-ip or src-ip
1578              If it is specified, this setting describes the  policy  used  to
1579              make  routing decisions. This setting must be one of the follow‐
1580              ing strings:
1581
1582              ·      src-ip: This policy sends the packet to the nexthop  when
1583                     the packet’s source IP address matches ip_prefix.
1584
1585              ·      dst-ip:  This policy sends the packet to the nexthop when
1586                     the packet’s destination IP address matches ip_prefix.
1587
1588              If not specified, the default is dst-ip.
1589
1590       nexthop: string
1591              Nexthop IP address for this route. Nexthop IP address should  be
1592              the IP address of a connected router port or the IP address of a
1593              logical port.
1594
1595       output_port: optional string
1596              The name of the Logical_Router_Port via which the  packet  needs
1597              to  be  sent  out.  This is optional and when not specified, OVN
1598              will automatically figure this out based on  the  nexthop.  When
1599              this  is  specified  and  there are multiple IP addresses on the
1600              router port and none of them are in the same subnet of  nexthop,
1601              OVN  chooses  the first IP address as the one via which the nex‐
1602              thop is reachable.
1603
1604     Common Columns:
1605
1606       external_ids: map of string-string pairs
1607              See External IDs at the beginning of this document.
1608

Logical_Router_Policy TABLE

1610       Each row in this table represents one  routing  policy  for  a  logical
1611       router that points to it through its policies column. The action column
1612       for the highest-priority  matching  row  in  this  table  determines  a
1613       packet’s  treatment. If no row matches, packets are allowed by default.
1614       (Default-deny treatment is possible: add a rule with priority 0,  1  as
1615       match, and drop as action.)
1616
1617   Summary:
1618       priority                      integer, in range 0 to 32,767
1619       match                         string
1620       action                        string, one of allow, drop, or reroute
1621       nexthop                       optional string
1622
1623   Details:
1624       priority: integer, in range 0 to 32,767
1625              The  routing  policy’s  priority.  Rules with numerically higher
1626              priority take precedence  over  those  with  lower.  A  rule  is
1627              uniquely identified by the priority and match string.
1628
1629       match: string
1630              The  packets  that  the routing policy should match, in the same
1631              expression language used for the match column in the OVN  South‐
1632              bound database’s Logical_Flow table.
1633
1634              By  default all traffic is allowed. When writing a more restric‐
1635              tive policy, it is important to remember to allow flows such  as
1636              ARP and IPv6 neighbor discovery packets.
1637
1638       action: string, one of allow, drop, or reroute
1639              The action to take when the routing policy matches:
1640
1641              ·      allow: Forward the packet.
1642
1643              ·      drop: Silently drop the packet.
1644
1645              ·      reroute: Reroute packet to nexthop.
1646
1647       nexthop: optional string
1648              Next-hop  IP  address  for  this  route,  which should be the IP
1649              address of a connected router port or the IP address of a  logi‐
1650              cal port.
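The constraints in this table (priority range, the three actions, uniqueness of priority plus match, and the reminder to allow ARP and IPv6 neighbor discovery once a restrictive policy is in place) can be checked before rows are written to the database. The following is an added example, not part of OVN: a pre-commit audit over rows given as plain dictionaries. The finding names and sample rows are constructed, and the ARP/ND check is a text heuristic on the match string, not an evaluation of the expression language.

```python
import ipaddress
import re
from typing import Any, Dict, List, Sequence, Tuple

ACTIONS = {"allow", "drop", "reroute"}
TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def mentions(match: str, symbol: str) -> bool:
    """Heuristic: does the match text use `symbol` or one of its sub-fields?"""
    return any(
        tok == symbol or tok.startswith((symbol + ".", symbol + "_"))
        for tok in TOKEN.findall(match)
    )


def audit_policies(rows: Sequence[Dict[str, Any]]) -> List[Tuple[str, int]]:
    """Return (finding, row_index) pairs for one router's policy rows."""
    findings: List[Tuple[str, int]] = []
    seen = set()
    usable = []  # (index, row) pairs whose priority and action are valid
    for i, row in enumerate(rows):
        prio, action = row.get("priority"), row.get("action")
        match = row.get("match", "")
        ok = True
        if type(prio) is not int or not 0 <= prio <= 32767:
            findings.append(("bad-priority", i))
            ok = False
        if action not in ACTIONS:
            findings.append(("bad-action", i))
            ok = False
        if action == "reroute":
            try:
                ipaddress.ip_address(row.get("nexthop") or "")
            except ValueError:
                findings.append(("reroute-without-valid-nexthop", i))
        if ok:
            # A rule is identified by (priority, match); a second row with
            # the same pair is ambiguous.
            if (prio, match) in seen:
                findings.append(("duplicate-priority-match", i))
            seen.add((prio, match))
            usable.append((i, row))

    # Catch-all drop: match "1" with action drop turns default-allow into
    # default-deny for everything not allowed at a higher priority.
    denies = [(i, r) for i, r in usable
              if r.get("match", "").strip() == "1" and r["action"] == "drop"]
    if denies:
        idx, top = max(denies, key=lambda pair: pair[1]["priority"])
        above = [r.get("match", "") for _, r in usable
                 if r["action"] == "allow" and r["priority"] > top["priority"]]
        for symbol in ("arp", "nd"):
            if not any(mentions(m, symbol) for m in above):
                findings.append((f"catch-all-drop-without-{symbol}-allow", idx))
    return findings


# Constructed sample rows.
SAMPLE_ROWS = [
    {"priority": 0, "match": "1", "action": "drop"},
    {"priority": 100, "match": "ip4.src == 10.0.0.0/24", "action": "allow"},
    {"priority": 100, "match": "ip4.src == 10.0.0.0/24", "action": "drop"},
    {"priority": 200, "match": "ip4.dst == 172.16.0.0/16", "action": "reroute"},
    {"priority": 40000, "match": "ip6", "action": "allow"},
]

if __name__ == "__main__":
    for finding, index in audit_policies(SAMPLE_ROWS):
        print(f"row {index}: {finding}")
```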
1651

NAT TABLE

1653       Each record represents a NAT rule.
1654
1655   Summary:
1656       type                          string,  one  of  dnat, dnat_and_snat, or
1657                                     snat
1658       external_ip                   string
1659       external_mac                  optional string
1660       logical_ip                    string
1661       logical_port                  optional string
1662       Common Columns:
1663         external_ids                map of string-string pairs
1664
1665   Details:
1666       type: string, one of dnat, dnat_and_snat, or snat
1667              Type of the NAT rule.
1668
1669              ·      When type is dnat,  the  externally  visible  IP  address
1670                     external_ip  is  DNATted  to the IP address logical_ip in
1671                     the logical space.
1672
1673              ·      When type is snat, IP packets whose source IP address
1674                     either matches the IP address in logical_ip or is in the
1675                     network provided by logical_ip are SNATed into the IP
1676                     address in external_ip.
1677
1678              ·      When type is dnat_and_snat, the externally visible IP
1679                     address external_ip is DNATted to the IP address
1680                     logical_ip in the logical space. In addition, IP packets
1681                     whose source IP address matches logical_ip are SNATed
1682                     into the IP address in external_ip.
1683
1684       external_ip: string
1685              An IPv4 address.
1686
1687       external_mac: optional string
1688              A MAC address.
1689
1690              This  is  only  used on the gateway port on distributed routers.
1691              This must be specified in order for the NAT rule to be processed
1692              in a distributed manner on all chassis. If this is not specified
1693              for a NAT rule on a distributed router, then this NAT rule  will
1694              be  processed  in  a  centralized  manner  on  the  gateway port
1695              instance on the redirect-chassis.
1696
1697              This MAC address must be unique on the logical switch  that  the
1698              gateway port is attached to. If the MAC address used on the log‐
1699              ical_port is globally unique, then that MAC address can be spec‐
1700              ified as this external_mac.
1701
1702       logical_ip: string
1703              An IPv4 network (e.g. 192.168.1.0/24) or an IPv4 address.
1704
1705       logical_port: optional string
1706              The name of the logical port where the logical_ip resides.
1707
1708              This is only used on distributed routers. This must be specified
1709              in order for the NAT rule to be processed in a distributed  man‐
1710              ner on all chassis. If this is not specified for a NAT rule on a
1711              distributed router, then this NAT rule will be  processed  in  a
1712              centralized  manner  on  the  gateway port instance on the redi‐
1713              rect-chassis.
1714
1715     Common Columns:
1716
1717       external_ids: map of string-string pairs
1718              See External IDs at the beginning of this document.
1719

DHCP_Options TABLE

1721       OVN implements native DHCPv4 support which caters  to  the  common  use
1722       case  of  providing  an IPv4 address to a booting instance by providing
1723       stateless replies to DHCPv4 requests  based  on  statically  configured
1724       address  mappings.  To do this it allows a short list of DHCPv4 options
1725       to be configured and applied at  each  compute  host  running  ovn-con‐
1726       troller.
1727
1728       OVN  also  implements  native  DHCPv6  support which provides stateless
1729       replies to DHCPv6 requests.
1730
1731   Summary:
1732       cidr                          string
1733       DHCPv4 options:
1734         Mandatory DHCPv4 options:
1735            options : server_id      optional string
1736            options : server_mac     optional string
1737            options : lease_time     optional string, containing  an  integer,
1738                                     in range 0 to 4,294,967,295
1739         IPv4 DHCP Options:
1740            options : router         optional string
1741            options : netmask        optional string
1742            options : dns_server     optional string
1743            options : log_server     optional string
1744            options : lpr_server     optional string
1745            options : swap_server    optional string
1746            options : policy_filter  optional string
1747            options : router_solicitation
1748                                     optional string
1749            options : nis_server     optional string
1750            options : ntp_server     optional string
1751            options : tftp_server    optional string
1752            options : classless_static_route
1753                                     optional string
1754            options : ms_classless_static_route
1755                                     optional string
1756         Boolean DHCP Options:
1757            options : ip_forward_enable
1758                                     optional string, either 0 or 1
1759            options : router_discovery
1760                                     optional string, either 0 or 1
1761            options : ethernet_encap optional string, either 0 or 1
1762         Integer DHCP Options:
1763            options : default_ttl    optional  string,  containing an integer,
1764                                     in range 0 to 255
1765            options : tcp_ttl        optional string, containing  an  integer,
1766                                     in range 0 to 255
1767            options : mtu            optional  string,  containing an integer,
1768                                     in range 68 to 65,535
1769            options : T1             optional string, containing  an  integer,
1770                                     in range 68 to 4,294,967,295
1771            options : T2             optional  string,  containing an integer,
1772                                     in range 68 to 4,294,967,295
1773         String DHCP Options:
1774            options : wpad           optional string
1775            options : bootfile_name  optional string
1776            options : path_prefix    optional string
1777            options : tftp_server_address
1778                                     optional string
1779       DHCPv6 options:
1780         Mandatory DHCPv6 options:
1781            options : server_id      optional string
1782         IPv6 DHCPv6 options:
1783            options : dns_server     optional string
1784         String DHCPv6 options:
1785            options : domain_search  optional string
1786            options : dhcpv6_stateless
1787                                     optional string
1788       Common Columns:
1789         external_ids                map of string-string pairs
1790
1791   Details:
1792       cidr: string
1793              The DHCPv4/DHCPv6 options will be included if the  logical  port
1794              has its IP address in this cidr.
1795
1796     DHCPv4 options:
1797
1798       The  CMS  should define the set of DHCPv4 options as key/value pairs in
1799       the options column of this table. For ovn-controller to  include  these
1800       DHCPv4  options, the dhcpv4_options of Logical_Switch_Port should refer
1801       to an entry in this table.
1802
1803     Mandatory DHCPv4 options:
1804
1805       The following options must be defined.
1806
1807       options : server_id: optional string
1808              The IP address for the DHCP server to use. This should be in the
1809              subnet of the offered IP. This is also included in the DHCP
1810              offer as option 54, "server identifier."
1811
1812       options : server_mac: optional string
1813              The Ethernet address for the DHCP server to use.
1814
1815       options : lease_time: optional string, containing an integer, in  range
1816       0 to 4,294,967,295
1817              The offered lease time in seconds.
1818
1819              The DHCPv4 option code for this option is 51.
1820
1821     IPv4 DHCP Options:
1822
1823       Below  are  the  supported  DHCPv4  options  whose  values  are an IPv4
1824       address, e.g. 192.168.1.1. Some options accept multiple IPv4  addresses
1825       enclosed  within  curly braces, e.g. {192.168.1.2, 192.168.1.3}. Please
1826       refer to RFC 2132 for more details on DHCPv4 options and their codes.
1827
1828       options : router: optional string
1829              The IP address of a gateway for the client to use.  This  should
1830              be  in  the subnet of the offered IP. The DHCPv4 option code for
1831              this option is 3.
1832
1833       options : netmask: optional string
1834              The DHCPv4 option code for this option is 1.
1835
1836       options : dns_server: optional string
1837              The DHCPv4 option code for this option is 6.
1838
1839       options : log_server: optional string
1840              The DHCPv4 option code for this option is 7.
1841
1842       options : lpr_server: optional string
1843              The DHCPv4 option code for this option is 9.
1844
1845       options : swap_server: optional string
1846              The DHCPv4 option code for this option is 16.
1847
1848       options : policy_filter: optional string
1849              The DHCPv4 option code for this option is 21.
1850
1851       options : router_solicitation: optional string
1852              The DHCPv4 option code for this option is 32.
1853
1854       options : nis_server: optional string
1855              The DHCPv4 option code for this option is 41.
1856
1857       options : ntp_server: optional string
1858              The DHCPv4 option code for this option is 42.
1859
1860       options : tftp_server: optional string
1861              The DHCPv4 option code for this option is 66.
1862
1863       options : classless_static_route: optional string
1864              The DHCPv4 option code for this option is 121.
1865
1866              This option can contain one or more static routes, each of which
1867              consists  of  a destination descriptor and the IP address of the
1868              router that should be used to reach that destination. Please see
1869              RFC 3442 for more details.
1870
1871              Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
1872
1873       options : ms_classless_static_route: optional string
1874              The DHCPv4 option code for this option is 249. This option is
1875              similar to classless_static_route and is supported by Microsoft
1876              Windows DHCPv4 clients.
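The classless_static_route value above is written as destination,router pairs, while RFC 3442 puts a compact form on the wire: the prefix length, only the significant octets of the destination, then the router address. The following is an added example, not OVN code: it parses the string form shown in this page's example, encodes it as option 121, and decodes option bytes back so a captured offer can be compared with the configured value. Rejecting destinations with host bits set and payloads over 255 bytes are choices of this sketch.

```python
import ipaddress
from typing import List, Sequence, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]
OPTION_CODE = 121


def parse_ovn_routes(value: str) -> List[Route]:
    """Parse '{dest/len,router, dest/len,router}' into (network, router)."""
    text = value.strip()
    if text.startswith("{") and text.endswith("}"):
        text = text[1:-1]
    fields = [f.strip() for f in text.split(",") if f.strip()]
    if not fields or len(fields) % 2:
        raise ValueError("expected destination,router pairs")
    return [
        (ipaddress.IPv4Network(dest, strict=True), ipaddress.IPv4Address(router))
        for dest, router in zip(fields[0::2], fields[1::2])
    ]


def encode_option_121(routes: Sequence[Route]) -> bytes:
    """Encode routes as a complete option: code, length, RFC 3442 payload."""
    payload = bytearray()
    for net, router in routes:
        significant = (net.prefixlen + 7) // 8  # octets that carry prefix bits
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += router.packed
    if len(payload) > 255:
        raise ValueError("payload does not fit in one DHCP option")
    return bytes([OPTION_CODE, len(payload)]) + bytes(payload)


def decode_option_121(option: bytes) -> List[Route]:
    """Decode a complete option 121, rejecting truncated or invalid input."""
    if len(option) < 2 or option[0] != OPTION_CODE or option[1] != len(option) - 2:
        raise ValueError("not a well-formed option 121")
    data, pos, routes = option[2:], 0, []
    while pos < len(data):
        prefixlen = data[pos]
        pos += 1
        significant = (prefixlen + 7) // 8
        if prefixlen > 32 or pos + significant + 4 > len(data):
            raise ValueError("truncated or invalid route descriptor")
        dest = int.from_bytes(data[pos:pos + significant] + bytes(4 - significant), "big")
        pos += significant
        router = ipaddress.IPv4Address(data[pos:pos + 4])
        pos += 4
        # strict parsing raises ValueError if bits beyond the prefix are set
        routes.append((ipaddress.IPv4Network((dest, prefixlen)), router))
    return routes


# The example value given for classless_static_route on this page.
PAGE_EXAMPLE = "{30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}"

if __name__ == "__main__":
    wire = encode_option_121(parse_ovn_routes(PAGE_EXAMPLE))
    print(wire.hex())
    print(decode_option_121(wire))
```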
1877
1878     Boolean DHCP Options:
1879
1880       These options accept a Boolean value, expressed as 0 for false or 1 for
1881       true.
1882
1883       options : ip_forward_enable: optional string, either 0 or 1
1884              The DHCPv4 option code for this option is 19.
1885
1886       options : router_discovery: optional string, either 0 or 1
1887              The DHCPv4 option code for this option is 31.
1888
1889       options : ethernet_encap: optional string, either 0 or 1
1890              The DHCPv4 option code for this option is 36.
1891
1892     Integer DHCP Options:
1893
1894       These options accept a nonnegative integer value.
1895
1896       options : default_ttl: optional string, containing an integer, in range
1897       0 to 255
1898              The DHCPv4 option code for this option is 23.
1899
1900       options  :  tcp_ttl: optional string, containing an integer, in range 0
1901       to 255
1902              The DHCPv4 option code for this option is 37.
1903
1904       options : mtu: optional string, containing an integer, in range  68  to
1905       65,535
1906              The DHCPv4 option code for this option is 26.
1907
1908       options  :  T1:  optional string, containing an integer, in range 68 to
1909       4,294,967,295
1910              This specifies the time interval from address  assignment  until
1911              the client begins trying to renew its address. The DHCPv4 option
1912              code for this option is 58.
1913
1914       options : T2: optional string, containing an integer, in  range  68  to
1915       4,294,967,295
1916              This  specifies  the time interval from address assignment until
1917              the client begins trying  to  rebind  its  address.  The  DHCPv4
1918              option code for this option is 59.
1919
1920     String DHCP Options:
1921
1922       These options accept a string value.
1923
1924       options : wpad: optional string
1925              The  DHCPv4  option  code for this option is 252. This option is
1926              used as part of web proxy auto discovery to provide a URL for  a
1927              web proxy.
1928
1929       options : bootfile_name: optional string
1930              The  DHCPv4  option  code  for this option is 67. This option is
1931              used to identify a bootfile.
1932
1933       options : path_prefix: optional string
1934              The DHCPv4 option code for this option is 210. In PXELINUX’ case
1935              this  option  is  used  to  set a common path prefix, instead of
1936              deriving it from the bootfile name.
1937
1938       options : tftp_server_address: optional string
1939              The DHCPv4 option code for this option is 150. The  option  con‐
1940              tains  one  or more IPv4 addresses that the client MAY use. This
1941              option is Cisco proprietary; the IEEE standard that matches with
1942              this requirement is option 66 (tftp_server).
1943
1944     DHCPv6 options:
1945
1946       OVN  also  implements  native DHCPv6 support. The CMS should define the
1947       set of DHCPv6 options as key/value pairs. The defined DHCPv6 options
1948       will   be   included   in   the   DHCPv6   response   to   the   DHCPv6
1949       Solicit/Request/Confirm packet from the logical ports having  the  IPv6
1950       addresses in the cidr.
1951
1952     Mandatory DHCPv6 options:
1953
1954       The following options must be defined.
1955
1956       options : server_id: optional string
1957              The  Ethernet  address  for the DHCP server to use. This is also
1958              included in the DHCPv6 reply as option 2, ``Server  Identifier’’
1959              to  carry  a  DUID  identifying  a server between a client and a
1960              server. ovn-controller defines DUID based on Link-layer  Address
1961              [DUID-LL].
1962
1963     IPv6 DHCPv6 options:
1964
1965       Below  are  the  supported  DHCPv6  options  whose  values  are an IPv6
1966       address, e.g. aef0::4. Some  options  accept  multiple  IPv6  addresses
1967       enclosed  within curly braces, e.g. {aef0::4, aef0::5}. Please refer to
1968       RFC 3315 for more details on DHCPv6 options and their codes.
1969
1970       options : dns_server: optional string
1971              The DHCPv6 option code for this option is 23. This option speci‐
1972              fies the DNS servers that the VM should use.
1973
1974     String DHCPv6 options:
1975
1976       These options accept string values.
1977
1978       options : domain_search: optional string
1979              The DHCPv6 option code for this option is 24. This option speci‐
1980              fies the domain search list the client  should  use  to  resolve
1981              hostnames with DNS.
1982
1983              Example: "ovn.org".
1984
1985       options : dhcpv6_stateless: optional string
1986              This option specifies that OVN native DHCPv6 will work in
1987              stateless mode, which means OVN native DHCPv6 will not offer IPv6
1988              addresses for VM/VIF ports, but will only reply with other
1989              configuration, such as DNS and domain search list. When this
1990              option is set to the string value "true", the VM/VIF configures
1991              its IPv6 addresses statelessly. Default value for this option is false.
1992
1993     Common Columns:
1994
1995       external_ids: map of string-string pairs
1996              See External IDs at the beginning of this document.
1997

Connection TABLE

1999       Configuration for a database connection to  an  Open  vSwitch  database
2000       (OVSDB) client.
2001
2002       This  table  primarily  configures  the  Open  vSwitch  database server
2003       (ovsdb-server).
2004
2005       The Open vSwitch database server can initiate and maintain active  con‐
2006       nections  to  remote  clients.  It can also listen for database connec‐
2007       tions.
2008
2009   Summary:
2010       Core Features:
2011         target                      string (must be unique within table)
2012       Client Failure Detection and Handling:
2013         max_backoff                 optional integer, at least 1,000
2014         inactivity_probe            optional integer
2015       Status:
2016         is_connected                boolean
2017         status : last_error         optional string
2018         status : state              optional string, one of ACTIVE,  BACKOFF,
2019                                     CONNECTING, IDLE, or VOID
2020         status : sec_since_connect  optional  string,  containing an integer,
2021                                     at least 0
2022         status : sec_since_disconnect
2023                                     optional string, containing  an  integer,
2024                                     at least 0
2025         status : locks_held         optional string
2026         status : locks_waiting      optional string
2027         status : locks_lost         optional string
2028         status : n_connections      optional  string,  containing an integer,
2029                                     at least 2
2030         status : bound_port         optional string, containing an integer
2031       Common Columns:
2032         external_ids                map of string-string pairs
2033         other_config                map of string-string pairs
2034
2035   Details:
2036     Core Features:
2037
2038       target: string (must be unique within table)
2039              Connection methods for clients.
2040
2041              The following connection methods are currently supported:
2042
2043              ssl:host[:port]
2044                     The specified SSL port on the given host, which can
2045                     either be a DNS name (if built with unbound library)
2046                     or an IP address. A valid SSL configuration must be
2047                     provided when this form is used; this configuration
2048                     can be specified via command-line options or the SSL
2049                     table.
2050
2051                     If port is not specified, it defaults to 6640.
2052
2053                     SSL  support  is  an  optional feature that is not always
2054                     built as part of Open vSwitch.
2055
2056              tcp:host[:port]
2057                     The specified TCP port on the given host, which can
2058                     either be a DNS name (if built with unbound library)
2059                     or an IP address. If host is an IPv6 address, wrap it
2060                     in square brackets, e.g. tcp:[::1]:6640.
2061
2062                     If port is not specified, it defaults to 6640.
2063
2064              pssl:[port][:host]
2065                     Listens  for  SSL  connections on the specified TCP port.
2066                     Specify 0 for  port  to  have  the  kernel  automatically
2067                     choose  an available port. If host, which can either be a
2068                     DNS name  (if  built  with  unbound  library)  or  an  IP
2069                     address, is specified, then connections are restricted to
2070                     the resolved or specified local IP address (either IPv4
2071                     or IPv6 address). If host is an IPv6 address, wrap it in
2072                     square brackets, e.g. pssl:6640:[::1]. If host is not
2073                     specified then it listens only on IPv4 (but not IPv6)
2074                     addresses. A valid SSL configuration must be provided when
2075                     this form is used; this can be specified either via
2076                     command-line options or the SSL table.
2077
2078                     If port is not specified, it defaults to 6640.
2079
2080                     SSL support is an optional feature  that  is  not  always
2081                     built as part of Open vSwitch.
2082
2083              ptcp:[port][:host]
2084                     Listens  for connections on the specified TCP port. Spec‐
2085                     ify 0 for port to have the kernel automatically choose an
2086                     available  port.  If host, which can either be a DNS name
2087                     (if built with unbound library)  or  an  IP  address,  is
2088                     specified,   then   connections  are  restricted  to  the
2089                     resolved or specified local IP address  (either  IPv4  or
2090                     IPv6  address).  If  host  is an IPv6 address, wrap it in
2091                     square brackets, e.g. ptcp:6640:[::1].  If  host  is  not
2092                     specified then it listens only on IPv4 addresses.
2093
2094                     If port is not specified, it defaults to 6640.
2095
2096              When  multiple clients are configured, the target values must be
2097              unique. Duplicate target values yield unspecified results.
2098
2099     Client Failure Detection and Handling:
2100
2101       max_backoff: optional integer, at least 1,000
2102              Maximum  number  of  milliseconds  to  wait  between  connection
2103              attempts. Default is implementation-specific.
2104
2105       inactivity_probe: optional integer
2106              Maximum number of milliseconds of idle time on connection to the
2107              client before sending  an  inactivity  probe  message.  If  Open
2108              vSwitch  does  not communicate with the client for the specified
2109              number of seconds, it will send a probe. If a  response  is  not
2110              received  for  the  same additional amount of time, Open vSwitch
2111              assumes the connection has been broken and  attempts  to  recon‐
2112              nect.  Default is implementation-specific. A value of 0 disables
2113              inactivity probes.
2114
2115     Status:
2116
2117       The is_connected column is always updated. Other key-value pairs in the
2118       status column may be updated depending on the target type.
2119
2120       When target specifies a connection method that listens for inbound con‐
2121       nections (e.g. ptcp: or punix:), both  n_connections  and  is_connected
2122       may also be updated while the remaining key-value pairs are omitted.
2123
2124       On  the  other  hand, when target specifies an outbound connection, all
2125       key-value pairs may be updated, except  the  above-mentioned  two  key-
2126       value  pairs associated with inbound connection targets. They are omit‐
2127       ted.
2128
2129       is_connected: boolean
2130              true if currently connected to this client, false otherwise.
2131
2132       status : last_error: optional string
2133              A human-readable description of the last error on the connection
2134              to  the  manager; i.e. strerror(errno). This key will exist only
2135              if an error has occurred.
2136
2137       status : state: optional string, one of  ACTIVE,  BACKOFF,  CONNECTING,
2138       IDLE, or VOID
2139              The state of the connection to the manager:
2140
2141              VOID   Connection is disabled.
2142
2143              BACKOFF
2144                     Attempting to reconnect at an increasing period.
2145
2146              CONNECTING
2147                     Attempting to connect.
2148
2149              ACTIVE Connected, remote host responsive.
2150
2151              IDLE   Connection is idle. Waiting for response to keep-alive.
2152
2153              These  values  may  change in the future. They are provided only
2154              for human consumption.
2155
2156       status : sec_since_connect: optional string, containing an integer,  at
2157       least 0
2158              The amount of time since this client last successfully connected
2159              to the database (in seconds). Value is empty if client has never
2160              successfully been connected.
2161
2162       status  : sec_since_disconnect: optional string, containing an integer,
2163       at least 0
2164              The amount of time since this client last disconnected from  the
2165              database  (in  seconds). Value is empty if client has never dis‐
2166              connected.
2167
2168       status : locks_held: optional string
2169              Space-separated list of the names of OVSDB locks that  the  con‐
2170              nection  holds.  Omitted  if  the  connection  does not hold any
2171              locks.
2172
2173       status : locks_waiting: optional string
2174              Space-separated list of the names of OVSDB locks that  the  con‐
2175              nection  is currently waiting to acquire. Omitted if the connec‐
2176              tion is not waiting for any locks.
2177
2178       status : locks_lost: optional string
2179              Space-separated list of the names of OVSDB locks that  the  con‐
2180              nection  has  had  stolen by another OVSDB client. Omitted if no
2181              locks have been stolen from this connection.
2182
2183       status : n_connections: optional  string,  containing  an  integer,  at
2184       least 2
2185              When  target  specifies  a  connection  method  that listens for
2186              inbound connections (e.g. ptcp: or pssl:) and more than one con‐
2187              nection  is  actually  active, the value is the number of active
2188              connections. Otherwise, this key-value pair is omitted.
2189
2190       status : bound_port: optional string, containing an integer
2191              When target is ptcp: or pssl:, this is the TCP port on which the
2192              OVSDB  server  is  listening.  (This is particularly useful when
2193              target specifies a port of 0, allowing the kernel to choose  any
2194              available port.)
2195
2196     Common Columns:
2197
2198       The  overall purpose of these columns is described under Common Columns
2199       at the beginning of this document.
2200
2201       external_ids: map of string-string pairs
2202
2203       other_config: map of string-string pairs
2204

DNS TABLE

2206       Each row in this table stores the DNS records. The  Logical_Switch  ta‐
2207       ble’s dns_records references these records.
2208
2209   Summary:
2210       records                       map of string-string pairs
2211       external_ids                  map of string-string pairs
2212
2213   Details:
2214       records: map of string-string pairs
2215              Key-value pair of DNS records with DNS query name as the key and
2216              value as a string of IP address(es) separated by comma or space.
2217
2218              Example:  "vm1.ovn.org" = "10.0.0.4 aef0::4"
2219
2220       external_ids: map of string-string pairs
2221              See External IDs at the beginning of this document.
2222

SSL TABLE

2224       SSL configuration for ovn-nb database access.
2225
2226   Summary:
2227       private_key                   string
2228       certificate                   string
2229       ca_cert                       string
2230       bootstrap_ca_cert             boolean
2231       ssl_protocols                 string
2232       ssl_ciphers                   string
2233       Common Columns:
2234         external_ids                map of string-string pairs
2235
2236   Details:
2237       private_key: string
2238              Name of a PEM file  containing  the  private  key  used  as  the
2239              switch’s identity for SSL connections to the controller.
2240
2241       certificate: string
2242              Name  of a PEM file containing a certificate, signed by the cer‐
2243              tificate authority (CA) used by the controller and manager, that
2244              certifies  the  switch’s  private key, identifying a trustworthy
2245              switch.
2246
2247       ca_cert: string
2248              Name of a PEM file containing the CA certificate used to  verify
2249              that the switch is connected to a trustworthy controller.
2250
2251       bootstrap_ca_cert: boolean
2252              If  set to true, then Open vSwitch will attempt to obtain the CA
2253              certificate from the controller on its first SSL connection  and
2254              save  it  to  the  named  PEM file. If it is successful, it will
2255              immediately drop the connection and reconnect, and from then  on
2256              all  SSL  connections  must  be  authenticated  by a certificate
2257              signed by the CA certificate thus obtained. This option  exposes
2258              the  SSL  connection to a man-in-the-middle attack obtaining the
2259              initial CA certificate. It may still be  useful  for  bootstrap‐
2260              ping.
2261
2262       ssl_protocols: string
2263              List  of  SSL  protocols  to be enabled for SSL connections. The
2264              default when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.
2265
2266       ssl_ciphers: string
2267              List of ciphers (in OpenSSL cipher string  format)  to  be  sup‐
2268              ported  for  SSL  connections.  The  default when this option is
2269              omitted is HIGH:!aNULL:!MD5.
2270
2271     Common Columns:
2272
2273       The overall purpose of these columns is described under Common  Columns
2274       at the beginning of this document.
2275
2276       external_ids: map of string-string pairs
2277
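A configuration check covering the Connection target forms and the SSL table columns described above: it parses each target and reports plaintext transports, listeners not restricted to a local address, bootstrap_ca_cert, and TLSv1/TLSv1.1 left enabled. This is an added example, not part of OVN; the row dictionaries, finding codes and function names are assumptions, and the sample rows are constructed.

```python
import re

DEFAULT_PORT = 6640                          # default port stated on this page
DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"  # default when ssl_protocols is omitted
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}      # deprecated by RFC 8996

_HOST = r"(\[[0-9A-Fa-f:.]+\]|[^:\[\]]+)"    # bracketed IPv6, or name / IPv4
_ACTIVE = re.compile(r"^(ssl|tcp):" + _HOST + r"(?::(\d+))?$")
_PASSIVE = re.compile(r"^(pssl|ptcp):(\d*)(?::" + _HOST + r")?$")


def parse_target(target):
    """Split a Connection target into method, host and port."""
    m = _ACTIVE.match(target)
    if m:
        method, host, port = m.groups()
    else:
        m = _PASSIVE.match(target)
        if not m:
            raise ValueError("unsupported target: %r" % target)
        method, port, host = m.groups()
    return {
        "method": method,
        "listens": method.startswith("p"),
        "encrypted": method.endswith("ssl"),
        "host": host.strip("[]") if host else None,
        "port": int(port) if port else DEFAULT_PORT,
    }


def audit(connections, ssl_row=None):
    """Return (subject, code) findings for Connection rows and one SSL row."""
    findings = []
    for row in connections:
        t = parse_target(row["target"])
        if not t["encrypted"]:
            findings.append((row["target"], "plaintext"))
        if t["listens"] and t["host"] is None:
            # Without a host the listener is not tied to one local address.
            findings.append((row["target"], "unrestricted-listener"))
    if ssl_row is not None:
        if ssl_row.get("bootstrap_ca_cert"):
            # The CA certificate is accepted unauthenticated on first connect.
            findings.append(("SSL", "bootstrap-ca"))
        protocols = ssl_row.get("ssl_protocols") or DEFAULT_PROTOCOLS
        enabled = {p.strip() for p in protocols.split(",")}
        if enabled & LEGACY_PROTOCOLS:
            findings.append(("SSL", "legacy-tls"))
    return findings


# Constructed sample rows (not taken from a real deployment).
WEAK_CONNECTIONS = [{"target": "ptcp:6641"}, {"target": "pssl:6641:[::1]"},
                    {"target": "tcp:10.0.0.5"}]
WEAK_SSL = {"bootstrap_ca_cert": True, "ssl_protocols": ""}
HARDENED_CONNECTIONS = [{"target": "pssl:6641:[::1]"}]
HARDENED_SSL = {"bootstrap_ca_cert": False, "ssl_protocols": "TLSv1.2"}

if __name__ == "__main__":
    for subject, code in audit(WEAK_CONNECTIONS, WEAK_SSL):
        print(subject, code)
    print(audit(HARDENED_CONNECTIONS, HARDENED_SSL))
```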

Gateway_Chassis TABLE

2279       Association of one or more chassis to a logical router port. The
2280       traffic going out through a specific router port will be redirected to a
2281       chassis, or a set of them in high availability configurations. A single
2282       Gateway_Chassis  is  equivalent  to  setting  options:redirect-chassis.
2283       Using  Gateway_Chassis  allows associating multiple prioritized chassis
2284       with a single logical router port.
2285
2286   Summary:
2287       name                          string (must be unique within table)
2288       chassis_name                  string
2289       priority                      integer, in range 0 to 32,767
2290       options                       map of string-string pairs
2291       Common Columns:
2292         external_ids                map of string-string pairs
2293
2294   Details:
2295       name: string (must be unique within table)
2296              Name of the Gateway_Chassis.
2297
2298              A   suggested,   but   not   required   naming   convention   is
2299              ${port_name}_${chassis_name}.
2300
2301       chassis_name: string
2302              Name of the chassis that we want to redirect traffic through for
2303              the associated logical router port. The  value  must  match  the
2304              name column of the Chassis table in the OVN_Southbound database.
2305
2306       priority: integer, in range 0 to 32,767
2307              This  is  the  priority  of  a chassis among all Gateway_Chassis
2308              belonging to the same logical router port.
2309
2310       options: map of string-string pairs
2311              Reserved for future use.
2312
2313     Common Columns:
2314
2315       external_ids: map of string-string pairs
2316              See External IDs at the beginning of this document.
2317

HA_Chassis_Group TABLE

2319       Table representing a group of chassis which can provide High availabil‐
2320       ity  services.  Each  chassis  in the group is represented by the table
2321       HA_Chassis. The HA chassis with highest priority will be the master  of
2322       this  group. If the master chassis failover is detected, the HA chassis
2323       with the next higher priority takes over the responsibility of  provid‐
2324       ing  the  HA.  If a distributed gateway router port references a row in
2325       this table, then the master HA chassis in this group provides the gate‐
2326       way functionality.
2327
2328   Summary:
2329       name                          string (must be unique within table)
2330       ha_chassis                    set of HA_Chassiss
2331       Common Columns:
2332         external_ids                map of string-string pairs
2333
2334   Details:
2335       name: string (must be unique within table)
2336              Name of the HA_Chassis_Group. Name should be unique.
2337
2338       ha_chassis: set of HA_Chassiss
2339              A list of HA chassis which belong to this group.
2340
2341     Common Columns:
2342
2343       external_ids: map of string-string pairs
2344              See External IDs at the beginning of this document.
2345

HA_Chassis TABLE

2347   Summary:
2348       chassis_name                  string
2349       priority                      integer, in range 0 to 32,767
2350       Common Columns:
2351         external_ids                map of string-string pairs
2352
2353   Details:
2354       chassis_name: string
2355              Name  of  the chassis which is part of the HA chassis group. The
2356              value must match the name column of the  Chassis  table  in  the
2357              OVN_Southbound database.
2358
2359       priority: integer, in range 0 to 32,767
2360              Priority  of  the chassis. Chassis with highest priority will be
2361              the master.
2362
2363     Common Columns:
2364
2365       external_ids: map of string-string pairs
2366              See External IDs at the beginning of this document.
2367
2368
2369
2370Open vSwitch 2.11.1             DB Schema 5.16.0                     ovn-nb(5)