ovn-nb(5)                     Open vSwitch Manual                    ovn-nb(5)

NAME

       ovn-nb - OVN_Northbound database schema

       This database is the interface between OVN and the cloud management
       system (CMS), such as OpenStack, running above it. The CMS produces
       almost all of the contents of the database. The ovn-northd program
       monitors the database contents, transforms them, and stores them into
       the OVN_Southbound database.

       We generally speak of "the" CMS, but one can imagine scenarios in
       which multiple CMSes manage different parts of an OVN deployment.

   External IDs
       Each of the tables in this database contains a special column, named
       external_ids. This column has the same form and purpose each place it
       appears.

              external_ids: map of string-string pairs
                     Key-value pairs for use by the CMS. The CMS might use
                     certain pairs, for example, to identify entities in its
                     own configuration that correspond to those in this
                     database.

TABLE SUMMARY

       The following list summarizes the purpose of each of the tables in the
       OVN_Northbound database. Each table is described in more detail on a
       later page.

       Table                        Purpose
       NB_Global                    Northbound configuration
       Logical_Switch               L2 logical switch
       Logical_Switch_Port          L2 logical switch port
       Address_Set                  Address Sets
       Port_Group                   Port Groups
       Load_Balancer                Load balancer
       ACL                          Access Control List (ACL) rule
       Logical_Router               L3 logical router
       QoS                          QoS rule
       Meter                        Meter entry
       Meter_Band                   Band for meter entries
       Logical_Router_Port          L3 logical router port
       Logical_Router_Static_Route  Logical router static routes
       Logical_Router_Policy        Logical router policies
       NAT                          NAT rules
       DHCP_Options                 DHCP options
       Connection                   OVSDB client connections.
       DNS                          Native DNS resolution
       SSL                          SSL configuration.
       Gateway_Chassis              Gateway_Chassis configuration.
       HA_Chassis_Group             HA_Chassis_Group configuration.
       HA_Chassis                   HA_Chassis configuration.

NB_Global TABLE

       Northbound configuration for an OVN system. This table must have
       exactly one row.

   Summary:
       Status:
         nb_cfg                      integer
         sb_cfg                      integer
         hv_cfg                      integer
       Common Columns:
         external_ids                map of string-string pairs
       Common options:
         options                     map of string-string pairs
         Options for configuring BFD:
            options : bfd-min-rx     optional string
            options : bfd-decay-min-rx
                                     optional string
            options : bfd-min-tx     optional string
            options : bfd-mult       optional string
         options : mac_prefix        optional string
         options : controller_event  optional string, either true or false
       Connection Options:
         connections                 set of Connections
         ssl                         optional SSL
       Security Configurations:
         ipsec                       boolean

   Details:
     Status:

       These columns allow a client to track the overall configuration state
       of the system.

       nb_cfg: integer
              Sequence number for client to increment. When a client modifies
              any part of the northbound database configuration and wishes to
              wait for ovn-northd and possibly all of the hypervisors to
              finish applying the changes, it may increment this sequence
              number.

       sb_cfg: integer
              Sequence number that ovn-northd sets to the value of nb_cfg
              after it finishes applying the corresponding configuration
              changes to the OVN_Southbound database.

       hv_cfg: integer
              Sequence number that ovn-northd sets to the smallest sequence
              number of all the chassis in the system, as reported in the
              Chassis table in the southbound database. Thus, hv_cfg equals
              nb_cfg if all chassis are caught up with the northbound
              configuration (which may never happen, if any chassis is down).
              This value can regress, if a chassis was removed from the
              system and rejoins before catching up.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

     Common options:

       options: map of string-string pairs
              This column provides general key/value settings. The supported
              options are described individually below.

     Options for configuring BFD:

       These options apply when ovn-controller configures BFD on tunnel
       interfaces.

       options : bfd-min-rx: optional string
              BFD option min-rx value to use when configuring BFD on tunnel
              interfaces.

       options : bfd-decay-min-rx: optional string
              BFD option decay-min-rx value to use when configuring BFD on
              tunnel interfaces.

       options : bfd-min-tx: optional string
              BFD option min-tx value to use when configuring BFD on tunnel
              interfaces.

       options : bfd-mult: optional string
              BFD option mult value to use when configuring BFD on tunnel
              interfaces.

       options : mac_prefix: optional string
              Configure a given OUI to be used as the prefix when an L2
              address is dynamically assigned, e.g. 00:11:22.

       options : controller_event: optional string, either true or false
              Value set by the CMS to enable/disable ovn-controller event
              reporting. Traffic into OVS can raise a ’controller’ event that
              results in a Controller_Event being written to the
              Controller_Event table in SBDB. When the CMS has seen the event
              and taken appropriate action, it can remove the corresponding
              row in the Controller_Event table. The intention is for a CMS
              to see the events and take some sort of action. Please see the
              Controller_Event table in SBDB. It is possible to associate a
              meter to each controller event type in order to not overload
              the pinctrl thread under heavy load. Each event type relies on
              a meter with a defined name:

              ·      empty_lb_backends: event-elb

     Connection Options:

       connections: set of Connections
              Database clients to which the Open vSwitch database server
              should connect or on which it should listen, along with options
              for how these connections should be configured. See the
              Connection table for more information.

       ssl: optional SSL
              Global SSL configuration.

     Security Configurations:

       ipsec: boolean
              Tunnel encryption configuration. If this column is set to be
              true, all OVN tunnels will be encrypted with IPsec.

Logical_Switch TABLE

       Each row represents one L2 logical switch.

       There are two kinds of logical switches, that is, ones that fully
       virtualize the network (overlay logical switches) and ones that provide
       simple connectivity to a physical network (bridged logical switches).
       They work in the same way when providing connectivity between logical
       ports on the same chassis, but differently when connecting remote
       logical ports. Overlay logical switches connect remote logical ports by
       tunnels, while bridged logical switches provide connectivity to remote
       ports by bridging the packets to a directly connected physical L2
       segment with the help of localnet ports. Each bridged logical switch
       has one and only one localnet port, which has only one special
       address, unknown.

   Summary:
       ports                         set of Logical_Switch_Ports
       load_balancer                 set of weak reference to Load_Balancers
       acls                          set of ACLs
       qos_rules                     set of QoSs
       dns_records                   set of weak reference to DNSs
       Naming:
         name                        string
         external_ids : neutron:network_name
                                     optional string
       IP Address Assignment:
         other_config : subnet       optional string
         other_config : exclude_ips  optional string
         other_config : ipv6_prefix  optional string
         other_config : mac_only     optional string, either true or false
       IP Multicast Snooping Options:
         other_config : mcast_snoop  optional string, either true or false
         other_config : mcast_querier
                                     optional string, either true or false
         other_config : mcast_flood_unregistered
                                     optional string, either true or false
         other_config : mcast_table_size
                                     optional string, containing an integer,
                                     in range 1 to 32,766
         other_config : mcast_idle_timeout
                                     optional string, containing an integer,
                                     in range 15 to 3,600
         other_config : mcast_query_interval
                                     optional string, containing an integer,
                                     in range 1 to 3,600
         other_config : mcast_query_max_response
                                     optional string, containing an integer,
                                     in range 1 to 10
         other_config : mcast_eth_src
                                     optional string
         other_config : mcast_ip4_src
                                     optional string
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       ports: set of Logical_Switch_Ports
              The logical ports connected to the logical switch.

              It is an error for multiple logical switches to include the same
              logical port.

       load_balancer: set of weak reference to Load_Balancers
              Load balance a virtual IP address to a set of logical port
              endpoint IP addresses.

       acls: set of ACLs
              Access control rules that apply to packets within the logical
              switch.

       qos_rules: set of QoSs
              QoS marking and metering rules that apply to packets within the
              logical switch.

       dns_records: set of weak reference to DNSs
              This column defines the DNS records to be used for resolving
              internal DNS queries within the logical switch by the native DNS
              resolver. Please see the DNS table.

     Naming:

       These columns provide names for the logical switch. From OVN’s
       perspective, these names have no special meaning or purpose other than
       to provide convenience for human interaction with the database. There
       is no requirement for the name to be unique. (For a unique identifier
       for a logical switch, use its row UUID.)

       (Originally, name was intended to serve the purpose of a human-friendly
       name, but the Neutron integration used it to uniquely identify its own
       switch object, in the format neutron-uuid. Later on, Neutron started
       propagating the friendly name of a switch as
       external_ids:neutron:network_name. Perhaps this can be cleaned up
       someday.)

       name: string
              A name for the logical switch.

       external_ids : neutron:network_name: optional string
              Another name for the logical switch.

     IP Address Assignment:

       These options control automatic IP address management (IPAM) for ports
       attached to the logical switch. To enable IPAM for IPv4, set
       other_config:subnet and optionally other_config:exclude_ips. To enable
       IPAM for IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be
       enabled together or separately.

       To request dynamic address assignment for a particular port, use the
       dynamic keyword in the addresses column of the port’s
       Logical_Switch_Port row. This requests both an IPv4 and an IPv6
       address, if IPAM for IPv4 and IPv6 are both enabled.

       other_config : subnet: optional string
              Set this to an IPv4 subnet, e.g. 192.168.0.0/24, to enable
              ovn-northd to automatically assign IP addresses within that
              subnet.

       other_config : exclude_ips: optional string
              To exclude some addresses from automatic IP address management,
              set this to a list of the IPv4 addresses or ..-delimited ranges
              to exclude. The addresses or ranges should be a subset of those
              in other_config:subnet.

              Whether listed or not, ovn-northd will never allocate the first
              or last address in a subnet, such as 192.168.0.0 or
              192.168.0.255 in 192.168.0.0/24.

              Examples:

              ·      192.168.0.2 192.168.0.10

              ·      192.168.0.4 192.168.0.30..192.168.0.60
                     192.168.0.110..192.168.0.120

              ·      192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30
                     192.168.0.144

       other_config : ipv6_prefix: optional string
              Set this to an IPv6 prefix to enable ovn-northd to automatically
              assign IPv6 addresses using this prefix. The assigned IPv6
              address will be generated using the IPv6 prefix and the MAC
              address (converted to an IEEE EUI64 identifier) of the port. The
              IPv6 prefix defined here should be a valid IPv6 address ending
              with ::.

              Examples:

              ·      aef0::

              ·      bef0:1234:a890:5678::

              ·      8230:5678::

       other_config : mac_only: optional string, either true or false
              Value used to request assignment of an L2 address only, if
              neither subnet nor ipv6_prefix is specified.

     IP Multicast Snooping Options:

       These options control IP Multicast Snooping configuration of the
       logical switch. To enable IP Multicast Snooping, set
       other_config:mcast_snoop to true. To enable IP Multicast Querier, set
       other_config:mcast_querier to true. If IP Multicast Querier is enabled,
       other_config:mcast_eth_src and other_config:mcast_ip4_src must be set.

       other_config : mcast_snoop: optional string, either true or false
              Enables/disables IP Multicast Snooping on the logical switch.

       other_config : mcast_querier: optional string, either true or false
              Enables/disables IP Multicast Querier on the logical switch.

       other_config : mcast_flood_unregistered: optional string, either true
       or false
              Determines whether unregistered multicast traffic should be
              flooded or not. Only applicable if other_config:mcast_snoop is
              enabled.

       other_config : mcast_table_size: optional string, containing an
       integer, in range 1 to 32,766
              Number of multicast groups to be stored. Default: 2048.

       other_config : mcast_idle_timeout: optional string, containing an
       integer, in range 15 to 3,600
              Configures the IP Multicast Snooping group idle timeout (in
              seconds). Default: 300 seconds.

       other_config : mcast_query_interval: optional string, containing an
       integer, in range 1 to 3,600
              Configures the IP Multicast Querier interval between queries (in
              seconds). Default: other_config:mcast_idle_timeout / 2.

       other_config : mcast_query_max_response: optional string, containing an
       integer, in range 1 to 10
              Configures the value of the "max-response" field in the
              multicast queries originated by the logical switch. Default: 1
              second.

       other_config : mcast_eth_src: optional string
              Configures the source Ethernet address for queries originated by
              the logical switch.

       other_config : mcast_ip4_src: optional string
              Configures the source IPv4 address for queries originated by the
              logical switch.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Logical_Switch_Port TABLE

       A port within an L2 logical switch.

   Summary:
       Core Features:
         name                        string (must be unique within table)
         type                        string
       Options:
         options                     map of string-string pairs
         Options for router ports:
            options : router-port    optional string
            options : nat-addresses  optional string
         Options for localnet ports:
            options : network_name   optional string
         Options for l2gateway ports:
            options : network_name   optional string
            options : l2gateway-chassis
                                     optional string
         Options for vtep ports:
            options : vtep-physical-switch
                                     optional string
            options : vtep-logical-switch
                                     optional string
         VMI (or VIF) Options:
            options : requested-chassis
                                     optional string
            options : qos_max_rate   optional string
            options : qos_burst      optional string
         Virtual port Options:
            options : virtual-ip     optional string
            options : virtual-parents
                                     optional string
         IP Multicast Snooping Options:
            options : mcast_flood    optional string, either true or false
            options : mcast_flood_reports
                                     optional string, either true or false
       Containers:
         parent_name                 optional string
         tag_request                 optional integer, in range 0 to 4,095
         tag                         optional integer, in range 1 to 4,095
       Port State:
         up                          optional boolean
         enabled                     optional boolean
       Addressing:
         addresses                   set of strings
         dynamic_addresses           optional string
         port_security               set of strings
       DHCP:
         dhcpv4_options              optional weak reference to DHCP_Options
         dhcpv6_options              optional weak reference to DHCP_Options
       ha_chassis_group              optional HA_Chassis_Group
       Naming:
         external_ids : neutron:port_name
                                     optional string
       Common Columns:
         external_ids                map of string-string pairs

   Details:
     Core Features:

       name: string (must be unique within table)
              The logical port name.

              For entities (VMs or containers) that are spawned in the
              hypervisor, the name used here must match those used in the
              external_ids:iface-id in the Open_vSwitch database’s Interface
              table, because hypervisors use external_ids:iface-id as a lookup
              key to identify the network interface of that entity.

              For containers that share a VIF within a VM, the name can be any
              unique identifier. See Containers, below, for more information.

       type: string
              Specify a type for this logical port. Logical ports can be used
              to model other types of connectivity into an OVN logical switch.
              The following types are defined:

              (empty string)
                     A VM (or VIF) interface.

              router A connection to a logical router.

              localnet
                     A connection to a locally accessible network from each
                     ovn-controller instance. A logical switch can only have a
                     single localnet port attached. This is used to model
                     direct connectivity to an existing network.

              localport
                     A connection to a local VIF. Traffic that arrives on a
                     localport is never forwarded over a tunnel to another
                     chassis. These ports are present on every chassis and
                     have the same address in all of them. This is used to
                     model connectivity to local services that run on every
                     hypervisor.

              l2gateway
                     A connection to a physical network.

              vtep   A port to a logical switch on a VTEP gateway.

              external
                     Represents a logical port which is external and does not
                     have an OVS port in the integration bridge. OVN will never
                     receive any traffic from this port or send any traffic to
                     this port. OVN can support native services like
                     DHCPv4/DHCPv6/DNS for this port. If ha_chassis_group is
                     defined, ovn-controller running in the master chassis of
                     the HA chassis group will bind this port to provide these
                     native services. It is expected that this port belong to
                     a bridged logical switch (with a localnet port).

                     It is recommended to use the same HA chassis group for
                     all the external ports of a logical switch. Otherwise,
                     the physical switch might see MAC flap issues when
                     different chassis provide the native services. For
                     example, when supporting native DHCPv4 service, the
                     DHCPv4 server MAC (configured in the options:server_mac
                     column in table DHCP_Options) originating from different
                     ports can cause MAC flap issues. The MAC of the logical
                     router IP(s) can also flap if the same HA chassis group
                     is not set for all the external ports of a logical
                     switch.

                     Below are some of the use cases where external ports can
                     be used.

                     ·      VMs connected to SR-IOV NICs - Traffic from these
                            VMs bypasses the kernel stack, and the local
                            ovn-controller does not bind these ports and
                            cannot serve the native services.

                     ·      When CMS supports provisioning baremetal servers.

              virtual
                     Represents a logical port which does not have an OVS port
                     in the integration bridge and has a virtual IP configured
                     in the options:virtual-ip column. This virtual IP can
                     move around between the logical ports configured in the
                     options:virtual-parents column.

                     One use case where virtual ports can be used is:

                     ·      The virtual IP represents a load balancer VIP and
                            the virtual parents provide load balancer service
                            in an active-standby setup with the active virtual
                            parent owning the virtual IP.

     Options:

       options: map of string-string pairs
              This column provides key/value settings specific to the logical
              port type. The type-specific options are described individually
              below.

     Options for router ports:

       These options apply when type is router.

       options : router-port: optional string
              Required. The name of the Logical_Router_Port to which this
              logical switch port is connected.

       options : nat-addresses: optional string
              This is used to send gratuitous ARPs for SNAT and DNAT IP
              addresses via the localnet port that is attached to the same
              logical switch as this type router port. This option is
              specified on a logical switch port that is connected to a
              gateway router, or a logical switch port that is connected to a
              distributed gateway port on a logical router.

              This must take one of the following forms:

              router Gratuitous ARPs will be sent for all SNAT and DNAT
                     external IP addresses and for all load balancer IP
                     addresses defined on the options:router-port’s logical
                     router, using the options:router-port’s MAC address.

                     This form of options:nat-addresses is valid for logical
                     switch ports where options:router-port is the name of a
                     port on a gateway router, or the name of a distributed
                     gateway port.

                     Supported only in OVN 2.8 and later. Earlier versions
                     required NAT addresses to be manually synchronized.

              Ethernet address followed by one or more IPv4 addresses
                     Example: 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24.
                     This would result in generation of gratuitous ARPs for IP
                     addresses 158.36.44.22 and 158.36.44.24 with a MAC
                     address of 80:fa:5b:06:72:b7.

                     This form of options:nat-addresses is only valid for
                     logical switch ports where options:router-port is the
                     name of a port on a gateway router.

     Options for localnet ports:

       These options apply when type is localnet.

       options : network_name: optional string
              Required. The name of the network to which the localnet port is
              connected. Each hypervisor, via ovn-controller, uses its local
              configuration to determine exactly how to connect to this
              locally accessible network.

     Options for l2gateway ports:

       These options apply when type is l2gateway.

       options : network_name: optional string
              Required. The name of the network to which the l2gateway port is
              connected. The L2 gateway, via ovn-controller, uses its local
              configuration to determine exactly how to connect to this
              network.

       options : l2gateway-chassis: optional string
              Required. The chassis on which the l2gateway logical port should
              be bound to. ovn-controller running on the defined chassis will
              connect this logical port to the physical network.

     Options for vtep ports:

       These options apply when type is vtep.

       options : vtep-physical-switch: optional string
              Required. The name of the VTEP gateway.

       options : vtep-logical-switch: optional string
              Required. A logical switch name connected by the VTEP gateway.

     VMI (or VIF) Options:

       These options apply to logical ports whose type is (empty string).

       options : requested-chassis: optional string
              If set, identifies a specific chassis (by name or hostname) that
              is allowed to bind this port. Using this option will prevent
              thrashing between two chassis trying to bind the same port
              during a live migration. It can also prevent similar thrashing
              due to a mis-configuration, if a port is accidentally created on
              more than one chassis.

       options : qos_max_rate: optional string
              If set, indicates the maximum rate for data sent from this
              interface, in bit/s. The traffic will be shaped according to
              this limit.

       options : qos_burst: optional string
              If set, indicates the maximum burst size for data sent from this
              interface, in bits.

     Virtual port Options:

       These options apply when type is virtual.

       options : virtual-ip: optional string
              This option represents the virtual IPv4 address.

       options : virtual-parents: optional string
              This option represents a set of logical port names (within the
              same logical switch) which can own the virtual IP configured in
              options:virtual-ip. All these virtual parents should add the
              virtual IP in port_security if port security addresses are
              enabled.

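A configuration lint for the port-type rules described above (options marked Required, a single localnet port per switch, one HA chassis group for all external ports, and virtual parents carrying the virtual IP in port_security), as an added Python example that is not part of OVN. The row dictionaries, the finding names, the "MAC IP ..." layout of port_security entries and the comma-separated virtual-parents list are assumptions of the example.

```python
# Options this page marks "Required." for each Logical_Switch_Port type.
REQUIRED_OPTIONS = {
    "router": ("router-port",),
    "localnet": ("network_name",),
    "l2gateway": ("network_name", "l2gateway-chassis"),
    "vtep": ("vtep-physical-switch", "vtep-logical-switch"),
}


def security_ips(port):
    """IP tokens of a port's port_security entries.

    Assumption: each entry is "MAC [IP ...]", so the first token is skipped.
    Addresses are compared as plain strings in this example.
    """
    ips = set()
    for entry in port.get("port_security", []):
        ips.update(entry.split()[1:])
    return ips


def lint_switch(ports):
    """Return sorted (port_name, finding) pairs for one logical switch.

    `ports` is a list of dicts keyed like Logical_Switch_Port columns.
    """
    findings = []
    by_name = {p["name"]: p for p in ports}

    for p in ports:
        opts = p.get("options", {})
        for key in REQUIRED_OPTIONS.get(p.get("type", ""), ()):
            if not opts.get(key):
                findings.append((p["name"], f"missing-option:{key}"))

    # A logical switch can only have a single localnet port attached.
    localnet = [p["name"] for p in ports if p.get("type") == "localnet"]
    findings += [(name, "extra-localnet-port") for name in localnet[1:]]

    # External ports belong on a bridged switch and should share one HA group.
    external = [p for p in ports if p.get("type") == "external"]
    if external and not localnet:
        findings += [(p["name"], "external-without-localnet") for p in external]
    if len({p.get("ha_chassis_group") for p in external}) > 1:
        findings += [(p["name"], "mixed-ha-chassis-group") for p in external]

    for p in ports:
        if p.get("type") != "virtual":
            continue
        opts = p.get("options", {})
        vip = opts.get("virtual-ip")
        # Assumption: virtual-parents is a comma-separated list of port names.
        parents = [n.strip() for n in opts.get("virtual-parents", "").split(",")]
        parents = [n for n in parents if n]
        if not vip or not parents:
            findings.append((p["name"], "virtual-port-incomplete"))
            continue
        for parent_name in parents:
            parent = by_name.get(parent_name)
            if parent is None:
                findings.append((p["name"], f"unknown-parent:{parent_name}"))
            elif parent.get("port_security") and vip not in security_ips(parent):
                # Port security is on, but the parent may not source the VIP.
                findings.append((parent_name, f"vip-not-in-port_security:{vip}"))
    return sorted(findings)


# Constructed rows for one logical switch (not taken from a real deployment).
SAMPLE_PORTS = [
    {"name": "ln0", "type": "localnet", "options": {"network_name": "physnet1"}},
    {"name": "ln1", "type": "localnet", "options": {}},
    {"name": "rp0", "type": "router", "options": {"router-port": "lrp0"}},
    {"name": "vm1", "type": "",
     "port_security": ["00:00:00:00:00:01 10.0.0.11 10.0.0.100"]},
    {"name": "vm2", "type": "", "port_security": ["00:00:00:00:00:02 10.0.0.12"]},
    {"name": "vm3", "type": "", "port_security": []},
    {"name": "vip0", "type": "virtual",
     "options": {"virtual-ip": "10.0.0.100",
                 "virtual-parents": "vm1,vm2,vm3,vm9"}},
    {"name": "ext1", "type": "external", "ha_chassis_group": "hagrp-a"},
    {"name": "ext2", "type": "external", "ha_chassis_group": "hagrp-b"},
]

if __name__ == "__main__":
    for port, finding in lint_switch(SAMPLE_PORTS):
        print(f"{port}: {finding}")
```
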
     IP Multicast Snooping Options:

       These options apply when the port is part of a logical switch which has
       other_config:mcast_snoop set to true.

       options : mcast_flood: optional string, either true or false
              If set to true, multicast packets (except reports) are
              unconditionally forwarded to the specific port.

       options : mcast_flood_reports: optional string, either true or false
              If set to true, multicast reports are unconditionally forwarded
              to the specific port.

     Containers:

       When a large number of containers are nested within a VM, it may be too
       expensive to dedicate a VIF to each container. OVN can use VLAN tags to
       support such cases. Each container is assigned a VLAN ID and each
       packet that passes between the hypervisor and the VM is tagged with the
       appropriate ID for the container. Such VLAN IDs never appear on a
       physical wire, even inside a tunnel, so they need not be unique except
       relative to a single VM on a hypervisor.

       These columns are used for VIFs that represent nested containers using
       shared VIFs. For VMs and for containers that have dedicated VIFs, they
       are empty.

       parent_name: optional string
              The VM interface through which the nested container sends its
              network traffic. This must match the name column for some other
              Logical_Switch_Port.

       tag_request: optional integer, in range 0 to 4,095
              The VLAN tag in the network traffic associated with a
              container’s network interface. The client can request ovn-northd
              to allocate a tag that is unique within the scope of a specific
              parent (specified in parent_name) by setting a value of 0 in
              this column. The allocated value is written by ovn-northd in the
              tag column. (Note that these tags are allocated and managed
              locally in ovn-northd, so they cannot be reconstructed in the
707              event that the database is lost.) The client can also request  a
708              specific non-zero tag and ovn-northd will honor it and copy that
709              value to the tag column.
710
711              When type is set to localnet or l2gateway, this can  be  set  to
712              indicate  that  the  port  represents a connection to a specific
713              VLAN on a locally accessible network. The VLAN  ID  is  used  to
714              match incoming traffic and is also added to outgoing traffic.
715
716       tag: optional integer, in range 1 to 4,095
717              The  VLAN  tag  allocated by ovn-northd based on the contents of
718              the tag_request column.
719
720     Port State:
721
722       up: optional boolean
723              This column is populated by ovn-northd, rather than by  the  CMS
724              plugin as is most of this database. When a logical port is bound
725              to a physical location in the OVN  Southbound  database  Binding
726              table, ovn-northd sets this column to true; otherwise, or if the
727              port becomes unbound later, it sets it to false. If this  column
728              is  empty, the port is not considered up. This allows the CMS to
729              wait for a VM’s (or container’s)  networking  to  become  active
730              before it allows the VM (or container) to start.
731
732              Logical ports of router type are an exception to this rule. They
733              are considered to be always up, that is this  column  is  always
734              set to true.
735
736       enabled: optional boolean
737              This  column is used to administratively set port state. If this
738              column is empty or is set to true, the port is enabled. If  this
739              column  is  set  to false, the port is disabled. A disabled port
740              has all ingress and egress traffic dropped.
741
742     Addressing:
743
744       addresses: set of strings
745              Addresses owned by the logical port.
746
747              Each element in the set must take one of the following forms:
748
749              Ethernet address followed by zero or more IPv4 or IPv6 addresses
750              (or both)
751                     An Ethernet address defined is owned by the logical port.
752                     Like a physical Ethernet NIC, a logical  port  ordinarily
753                     has a single fixed Ethernet address.
754
755                     When an OVN logical switch processes a  unicast  Ethernet
756                     frame whose destination  MAC  address  is  in  a  logical
757                     port’s  addresses  column,  it  delivers  it only to that
758                     port, as if a MAC learning process had learned  that  MAC
759                     address on the port.
760
761                     If  IPv4  or  IPv6  address(es) (or both) are defined, it
762                     indicates  that  the  logical  port  owns  the  given  IP
763                     addresses.
764
765                     If  IPv4  address(es) are defined, the OVN logical switch
766                     uses this information  to  synthesize  responses  to  ARP
767                     requests without traversing the physical network. The OVN
768                     logical router connected to the logical switch,  if  any,
769                     uses  this  information to avoid issuing ARP requests for
770                     logical switch ports.
771
772                     Note that the  order  here  is  important.  The  Ethernet
773                     address  must  be  listed  before  the  IP address(es) if
774                     defined.
775
776                     Examples:
777
778                     80:fa:5b:06:72:b7
779                            This indicates that  the  logical  port  owns  the
780                            above mac address.
781
782                     80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
783                            This  indicates that the logical port owns the mac
784                            address and two IPv4 addresses.
785
786                     80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
787                            This indicates that the logical port owns the  mac
788                            address and 1 IPv6 address.
789
790                     80:fa:5b:06:72:b7 10.0.0.4 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
792                            This indicates that the logical port owns the  mac
793                            address and 1 IPv4 address and 1 IPv6 address.
794
795              unknown
796                     This  indicates  that the logical port has an unknown set
797                     of Ethernet addresses. When an OVN  logical  switch  pro‐
798                     cesses  a  unicast  Ethernet  frame whose destination MAC
799                     address is not in any logical port’s addresses column, it
800                     delivers  it  to the port (or ports) whose addresses col‐
801                     umns include unknown.
802
803              dynamic
804                     Use this keyword to make ovn-northd generate  a  globally
805                     unique MAC address and choose an unused IPv4 address with
806                     the logical port’s subnet and store them  in  the  port’s
807                     dynamic_addresses  column. ovn-northd will use the subnet
808                     specified in  other_config:subnet  in  the  port’s  Logi‐
809                     cal_Switch.
810
811              Ethernet address followed by keyword "dynamic"
812                     The  keyword dynamic after the MAC address indicates that
813                     ovn-northd should choose an unused IPv4 address from  the
814                     logical port’s subnet and store it with the specified MAC
815                     in the port’s dynamic_addresses column.  ovn-northd  will
816                     use  the  subnet  specified in other_config:subnet in the
817                     port’s Logical_Switch table.
818
819                     Examples:
820
821                     80:fa:5b:06:72:b7 dynamic
822                            This indicates that  the  logical  port  owns  the
823                            specified  MAC address and ovn-northd should allo‐
824                            cate an unused IPv4 address for the  logical  port
825                            from the corresponding logical switch subnet.
826
827              Keyword "dynamic" followed by an IPv4/IPv6 address
828                     The  keyword  dynamic  followed  by  an IPv4/IPv6 address
829                     indicates that ovn-northd should choose a dynamic  ether‐
830                     net  address  and  use  the provided IPv4/IPv6 address as
831                     network address.
832
833                     Examples:
834
835                     dynamic 192.168.0.1 2001::1
836                            This indicates that ovn-northd should  allocate  a
837                            unique  MAC address and use the provided IPv4/IPv6
838                            address for the related port
839
840              router Accepted only when type is router.  This  indicates  that
841                     the  Ethernet,  IPv4, and IPv6 addresses for this logical
842                     switch port should be obtained from the connected logical
843                     router port, as specified by router-port in options.
844
845                     The  resulting addresses are used to populate the logical
846                     switch’s destination lookup, and  also  for  the  logical
847                     switch to generate ARP and ND replies.
848
849                     If the connected logical router port has a redirect-chas‐
850                     sis specified and the logical router has rules  specified
851                     in  nat  with external_mac, then those addresses are also
852                     used to populate the switch’s destination lookup.
853
854                     Supported only in OVN 2.7  and  later.  Earlier  versions
855                     required router addresses to be manually synchronized.
856
857       dynamic_addresses: optional string
858              Addresses assigned to the logical port by ovn-northd, if dynamic
859              is specified in addresses. Addresses will be of the same  format
860              as  those  that populate the addresses column. Note that dynami‐
861              cally assigned addresses are constructed and managed locally  in
862              ovn-northd,  so  they  cannot be reconstructed in the event that
863              the database is lost.
864
865       port_security: set of strings
866              This column controls the addresses from which the host  attached
867              to  the  logical  port (``the host’’) is allowed to send packets
868              and to which it is allowed to receive packets. If this column is
869              empty, all addresses are permitted.
870
871              Each  element  in  the set must begin with one Ethernet address.
872              This would restrict the host to sending packets from and receiv‐
873              ing  packets  to  the  ethernet addresses defined in the logical
874              port’s port_security column. It also restricts the inner  source
875              MAC  addresses  that  the host may send in ARP and IPv6 Neighbor
876              Discovery packets. The host is always allowed to receive packets
877              to multicast and broadcast Ethernet addresses.
878
879              Each  element  in  the  set may additionally contain one or more
880              IPv4 or IPv6 addresses (or both), with optional masks. If a mask
881              is  given,  it  must be a CIDR mask. In addition to the restric‐
882              tions described for Ethernet addresses above,  such  an  element
883              restricts  the  IPv4  or  IPv6 addresses from which the host may
884              send and to which  it  may  receive  packets  to  the  specified
885              addresses. A masked address, if the host part is zero, indicates
886              that the host is allowed to use any address in  the  subnet;  if
887              the  host part is nonzero, the mask simply indicates the size of
888              the subnet. In addition:
889
890              ·      If any IPv4 address is given, the host is also allowed to
891                     receive  packets  to  the  IPv4  local  broadcast address
892                     255.255.255.255   and   to   IPv4   multicast   addresses
893                     (224.0.0.0/4).  If  an IPv4 address with a mask is given,
894                     the host is also allowed to receive packets to the broad‐
895                     cast address in that specified subnet.
896
897                     If  any  IPv4  address is given, the host is additionally
898                     restricted to sending  ARP  packets  with  the  specified
899                     source IPv4 address. (RARP is not restricted.)
900
901              ·      If any IPv6 address is given, the host is also allowed to
902                     receive packets to IPv6 multicast addresses (ff00::/8).
903
904                     If any IPv6 address is given, the  host  is  additionally
905                     restricted  to  sending IPv6 Neighbor Discovery Solicita‐
906                     tion or Advertisement packets with the  specified  source
907                     address or, for solicitations, the unspecified address.
908
909              If  an  element includes an IPv4 address, but no IPv6 addresses,
910              then IPv6 traffic is not allowed. If an element includes an IPv6
911              address,  but  no IPv4 address, then IPv4 and ARP traffic is not
912              allowed.
913
914              This column uses the same lexical syntax as the match column  in
915              the OVN Southbound database’s Pipeline table. Multiple addresses
916              within an element may be space or comma separated.
917
918              This column is provided as a  convenience  to  cloud  management
919              systems,  but  all  of  the  features  that it implements can be
920              implemented as ACLs using the ACL table.
921
922              Examples:
923
924              80:fa:5b:06:72:b7
925                     The host may send traffic from and receive traffic to the
926                     specified MAC address, and may receive traffic to Ethernet
927                     multicast and broadcast addresses, but not otherwise. The
928                     host  may not send ARP or IPv6 Neighbor Discovery packets
929                     with inner source Ethernet addresses other than  the  one
930                     specified.
931
932              80:fa:5b:06:72:b7 192.168.1.10/24
933                     This  adds further restrictions to the first example. The
934                     host may send IPv4 packets from or receive  IPv4  packets
935                     to  only  192.168.1.10,  except  that it may also receive
936                     IPv4 packets to 192.168.1.255 (based on the subnet mask),
937                     255.255.255.255, and any address in 224.0.0.0/4. The host
938                     may not send ARPs with a source  Ethernet  address  other
939                     than  80:fa:5b:06:72:b7 or source IPv4 address other than
940                     192.168.1.10. The host may not send or receive  any  IPv6
941                     (including IPv6 Neighbor Discovery) traffic.
942
943              "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
944                     The host may send traffic from and receive traffic to the
945                     specified MAC addresses, and may receive traffic to Ethernet
946                     multicast and broadcast addresses, but not otherwise.
947                     With MAC 80:fa:5b:12:42:ba, the  host  may  send  traffic
948                     from  and  receive  traffic  to  any L3 address. With MAC
949                     80:fa:5b:06:72:b7, the host may send IPv4 packets from or
950                     receive IPv4 packets to only 192.168.1.10, except that it
951                     may also receive IPv4 packets to 192.168.1.255 (based  on
952                     the  subnet  mask),  255.255.255.255,  and any address in
953                     224.0.0.0/4. The host may not send or  receive  any  IPv6
954                     (including IPv6 Neighbor Discovery) traffic.
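
              The port_security rules above, modelled as an added example (not
              part of the OVN manual or the OVN code base). It is a reading of
              the text of this page, not of ovn-northd's generated flows; the
              function names are hypothetical, and frames sent to a group
              (multicast or broadcast) Ethernet address are assumed to be
              accepted without inspecting their L3 header.

```python
import ipaddress

V4_BCAST = ipaddress.ip_address("255.255.255.255")
V4_MCAST = ipaddress.ip_network("224.0.0.0/4")
V6_MCAST = ipaddress.ip_network("ff00::/8")
HEX = set("0123456789abcdef")


def parse_element(element):
    """Split one port_security element into (mac, [ip_interface, ...])."""
    tokens = element.replace(",", " ").split()  # space or comma separated
    if not tokens:
        raise ValueError("empty port_security element")
    mac = tokens[0].lower()
    octets = mac.split(":")
    if len(octets) != 6 or any(len(o) != 2 or not set(o) <= HEX for o in octets):
        raise ValueError("element must begin with an Ethernet address: %r" % element)
    return mac, [ipaddress.ip_interface(t) for t in tokens[1:]]


def _covers(iface, ip):
    """Zero host part: the whole subnet is usable. Nonzero: only that address."""
    if iface.ip == iface.network.network_address:
        return ip in iface.network
    return ip == iface.ip


def _l3_ok(addrs, ip, receiving):
    if ip is None or not addrs:
        return True  # non-IP frame, or a MAC-only element (any L3 address)
    ip = ipaddress.ip_address(ip)
    family = [a for a in addrs if a.version == ip.version]
    if not family:
        return False  # element lists only the other address family
    if any(_covers(a, ip) for a in family):
        return True
    if not receiving:
        return False
    if ip.version == 4:  # extra destinations the host may receive on
        return (ip == V4_BCAST or ip in V4_MCAST
                or any(ip == a.network.broadcast_address for a in family))
    return ip in V6_MCAST


def _check(port_security, mac, ip, receiving):
    if not port_security:
        return True  # empty column: all addresses are permitted
    mac = mac.lower()
    for element in port_security:
        elem_mac, addrs = parse_element(element)
        if elem_mac == mac and _l3_ok(addrs, ip, receiving):
            return True
    return False


def may_send(port_security, src_mac, src_ip=None):
    return _check(port_security, src_mac, src_ip, receiving=False)


def may_receive(port_security, dst_mac, dst_ip=None):
    if int(dst_mac.split(":")[0], 16) & 1:
        return True  # group-addressed Ethernet destination (assumption above)
    return _check(port_security, dst_mac, dst_ip, receiving=True)


def may_send_arp(port_security, eth_src, sha, spa):
    """ARP: the inner source MAC must be the listed MAC, spa a listed IPv4."""
    if not port_security:
        return True
    return eth_src.lower() == sha.lower() and may_send(port_security, eth_src, spa)


if __name__ == "__main__":
    ps = ["80:fa:5b:06:72:b7 192.168.1.10/24"]  # second example from this page
    mac = "80:fa:5b:06:72:b7"
    for ip in ("192.168.1.10", "192.168.1.11", "fe80::1"):
        print("send from", ip, "->", may_send(ps, mac, ip))
    for ip in ("192.168.1.255", "224.0.0.251", "192.168.1.11"):
        print("receive to", ip, "->", may_receive(ps, mac, ip))
```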
955
956     DHCP:
957
958       dhcpv4_options: optional weak reference to DHCP_Options
959              This  column  defines  the  DHCPv4 Options to be included by the
960              ovn-controller when it replies to the  DHCPv4  requests.  Please
961              see the DHCP_Options table.
962
963       dhcpv6_options: optional weak reference to DHCP_Options
964              This  column  defines  the  DHCPv6 Options to be included by the
965              ovn-controller when it replies to the  DHCPv6  requests.  Please
966              see the DHCP_Options table.
967
968       ha_chassis_group: optional HA_Chassis_Group
969              References  a  row  in  the  OVN  Northbound database’s HA_Chas‐
970              sis_Group table. It indicates the HA chassis group to use if the
971              type is set to external. If type is not external, this column is
972              ignored.
973
974     Naming:
975
976       external_ids : neutron:port_name: optional string
977              This column gives an optional human-friendly name for the  port.
978              This  name  has no special meaning or purpose other than to pro‐
979              vide convenience for human interaction with the northbound data‐
980              base.
981
982              Neutron  copies  this  from its own port object’s name. (Neutron
983              ports are not assigned human-friendly names by default,  so  it
984              will often be empty.)
985
986     Common Columns:
987
988       external_ids: map of string-string pairs
989              See External IDs at the beginning of this document.
990
991              The  ovn-northd  program  copies all these pairs into the exter‐
992              nal_ids column of the Port_Binding table in OVN_Southbound data‐
993              base.
994

Address_Set TABLE

996       Each  row in this table represents a named set of addresses. An address
997       set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
998       or  CIDR  masks. Address sets may ultimately be used in ACLs to compare
999       against fields such as ip4.src or ip6.src. A single  address  set  must
1000       contain  addresses of the same type. As an example, the following would
1001       create an address set with three IP addresses:
1002
1003             ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'
1004
1005
1006       Address sets may be used in the match column of the ACL table. For syn‐
1007       tax  information,  see  the details of the expression language used for
1008       the match column in the Logical_Flow table of the OVN_Southbound  data‐
1009       base.
1010
1011   Summary:
1012       name                          string (must be unique within table)
1013       addresses                     set of strings
1014       Common Columns:
1015         external_ids                map of string-string pairs
1016
1017   Details:
1018       name: string (must be unique within table)
1019              A  name  for  the  address  set.  Names are ASCII and must match
1020              [a-zA-Z_.][a-zA-Z_.0-9]*.
1021
1022       addresses: set of strings
1023              The set of addresses in string form.
1024
1025     Common Columns:
1026
1027       external_ids: map of string-string pairs
1028              See External IDs at the beginning of this document.
1029

Port_Group TABLE

1031       Each row in this table represents  a  named  group  of  logical  switch
1032       ports.
1033
1034       Port  groups may be used in the match column of the ACL table. For syn‐
1035       tax information, see the details of the expression  language  used  for
1036       the  match column in the Logical_Flow table of the OVN_Southbound data‐
1037       base.
1038
1039       For each port group, there  are  two  address  sets  generated  to  the
1040       Address_Set  table  of  the  OVN_Southbound database, containing the IP
1041       addresses of the group of ports, one for IPv4, and the other for  IPv6,
1042       with  name  being  the name of the Port_Group followed by a suffix _ip4
1043       for IPv4 and _ip6 for IPv6. The generated address sets can be  used  in
1044       the same way as regular address sets in the match column of the ACL ta‐
1045       ble. For syntax information, see the details of the expression language
1046       used  for  the match column in the Logical_Flow table of the OVN_South‐
1047       bound database.
1048
1049   Summary:
1050       name                          string (must be unique within table)
1051       ports                         set   of   weak   reference   to    Logi‐
1052                                     cal_Switch_Ports
1053       acls                          set of ACLs
1054       Common Columns:
1055         external_ids                map of string-string pairs
1056
1057   Details:
1058       name: string (must be unique within table)
1059              A  name  for  the  port  group.  Names  are ASCII and must match
1060              [a-zA-Z_.][a-zA-Z_.0-9]*.
1061
1062       ports: set of weak reference to Logical_Switch_Ports
1063              The logical switch ports belonging to the group in uuids.
1064
1065       acls: set of ACLs
1066              Access control rules that apply to the port group.  Applying  an
1067              ACL  to  a port group has the same effect as applying the ACL to
1068              all logical switches that the ports of the  port  group  belong
1069              to.
1070
1071     Common Columns:
1072
1073       external_ids: map of string-string pairs
1074              See External IDs at the beginning of this document.
1075

Load_Balancer TABLE

1077       Each row represents one load balancer.
1078
1079   Summary:
1080       name                          string
1081       vips                          map of string-string pairs
1082       protocol                      optional string, either tcp or udp
1083       Common Columns:
1084         external_ids                map of string-string pairs
1085
1086   Details:
1087       name: string
1088              A  name  for the load balancer. This name has no special meaning
1089              or purpose other than to provide convenience for human  interac‐
1090              tion with the ovn-nb database.
1091
1092       vips: map of string-string pairs
1093              A  map of virtual IP addresses (and an optional port number with
1094              : as a separator) associated with this load balancer  and  their
1095              corresponding  endpoint  IP addresses (and optional port numbers
1096              with : as separators) separated by commas. If the destination IP
1097              address  (and  port number) of a packet leaving a container or a
1098              VM matches the virtual IP address  (and  port  number)  provided
1099              here  as a key, then OVN will statefully replace the destination
1100              IP address by one of the provided IP addresses (and port number)
1101              in  this  map  as a value. IPv4 and IPv6 addresses are supported
1102              for load balancing; however a VIP of one address family may  not
1103              be  mapped to a destination IP address of a different family. If
1104              specifying an IPv6 address with a port, the address portion must
1105              be   enclosed   in   square  brackets.  Examples  for  keys  are
1106              "192.168.1.4"  and  "[fd0f::1]:8800".  Examples  for  value  are
1107              "10.0.0.1, 10.0.0.2" and "20.0.0.10:8800, 20.0.0.11:8800".
1108
1109              When  the  Load_Balancer is added to the logical_switch, the VIP
1110              has to be in a different subnet than the one used for the  logi‐
1111              cal_switch.  Since VIP is in a different subnet, you should con‐
1112              nect your logical switch to either an OVN logical  router  or  a
1113              real  router  (this  is because the client can now send a packet
1114              with VIP as the destination IP address and router’s mac  address
1115              as the destination MAC address).
1116
1117       protocol: optional string, either tcp or udp
1118              Valid  protocols  are  tcp  or udp. This column is useful when a
1119              port number is provided as part of the vips column. If this col‐
1120              umn  is empty and a port number is provided as part of vips col‐
1121              umn, OVN assumes the protocol to be tcp.
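
              A validator for the vips and protocol columns as described above,
              added here as an example (not part of the OVN manual or code
              base). The function names and the dict layout of a row are
              assumptions; the optional switch_subnet argument checks the rule
              that a VIP must lie outside the logical switch's subnet.

```python
import ipaddress


def parse_endpoint(text):
    """Parse 'IP', 'IPv4:port' or '[IPv6]:port' into (ip_address, port or None)."""
    text = text.strip()
    port = None
    if text.startswith("["):
        host, closing, rest = text[1:].partition("]")
        if not closing:
            raise ValueError("missing ']' in %r" % text)
        if rest:
            if not rest.startswith(":"):
                raise ValueError("expected ':port' after ']' in %r" % text)
            port = rest[1:]
    elif text.count(":") == 1:
        host, port = text.split(":")  # IPv4 address with a port
    else:
        # Bare IPv4 or bare IPv6. An unbracketed 'IPv6:port' cannot be told
        # apart from a longer IPv6 address, which is why brackets are required.
        host = text
    ip = ipaddress.ip_address(host)
    if port is not None:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in %r" % text)
    return ip, port


def check_load_balancer(row, switch_subnet=None):
    """Return (problems, effective_protocol) for one Load_Balancer row."""
    problems = []
    port_seen = False
    subnet = ipaddress.ip_network(switch_subnet) if switch_subnet else None
    for vip, backends in row.get("vips", {}).items():
        try:
            vip_ip, vip_port = parse_endpoint(vip)
        except ValueError as exc:
            problems.append("vip %r: %s" % (vip, exc))
            continue
        port_seen = port_seen or vip_port is not None
        if subnet is not None and vip_ip in subnet:
            problems.append("vip %r lies inside the switch subnet %s" % (vip, subnet))
        for backend in backends.split(","):
            try:
                be_ip, be_port = parse_endpoint(backend)
            except ValueError as exc:
                problems.append("backend %r of vip %r: %s" % (backend, vip, exc))
                continue
            port_seen = port_seen or be_port is not None
            if be_ip.version != vip_ip.version:
                problems.append("vip %r -> %r: address families differ"
                                % (vip, backend.strip()))
    protocol = row.get("protocol") or None
    if protocol not in (None, "tcp", "udp"):
        problems.append("protocol %r is neither tcp nor udp" % protocol)
    # The protocol column only matters when a port is given; empty means tcp.
    effective = (protocol or "tcp") if port_seen else None
    return problems, effective


if __name__ == "__main__":
    # Constructed rows built from the key and value examples on this page.
    good = {"vips": {"192.168.1.4": "10.0.0.1, 10.0.0.2",
                     "[fd0f::1]:8800": "[fd00::10]:8800, [fd00::11]:8800"}}
    mixed = {"vips": {"[fd0f::1]:8800": "20.0.0.10:8800, 20.0.0.11:8800"},
             "protocol": "udp"}
    for row in (good, mixed):
        print(check_load_balancer(row, switch_subnet="10.0.0.0/24"))
```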
1122
1123     Common Columns:
1124
1125       external_ids: map of string-string pairs
1126              See External IDs at the beginning of this document.
1127

ACL TABLE

1129       Each row in this table represents one ACL rule for a logical switch  or
1130       a port group that points to it through its acls column. The action col‐
1131       umn for the highest-priority matching row in this  table  determines  a
1132       packet’s  treatment. If no row matches, packets are allowed by default.
1133       (Default-deny treatment is possible: add a rule with priority 0,  1  as
1134       match, and deny as action.)
1135
1136   Summary:
1137       priority                      integer, in range 0 to 32,767
1138       direction                     string, either from-lport or to-lport
1139       match                         string
1140       action                        string,   one  of  allow-related,  allow,
1141                                     drop, or reject
1142       Logging:
1143         log                         boolean
1144         name                        optional string, at  most  63  characters
1145                                     long
1146         severity                    optional  string,  one  of  alert, debug,
1147                                     info, notice, or warning
1148         meter                       optional string
1149       Common Columns:
1150         external_ids                map of string-string pairs
1151
1152   Details:
1153       priority: integer, in range 0 to 32,767
1154              The ACL rule’s priority. Rules with numerically higher  priority
1155              take precedence over those with lower. If two ACL rules with the
1156              same priority both match, then the one  actually  applied  to  a
1157              packet is undefined.
1158
1159              Return  traffic from an allow-related flow is always allowed and
1160              cannot be changed through an ACL.
1161
1162       direction: string, either from-lport or to-lport
1163              Direction of the traffic to which this rule should apply:
1164
1165              ·      from-lport: Used to implement filters on traffic arriving
1166                     from a logical port. These rules are applied to the logi‐
1167                     cal switch’s ingress pipeline.
1168
1169              ·      to-lport: Used to implement filters on traffic  forwarded
1170                     to a logical port. These rules are applied to the logical
1171                     switch’s egress pipeline.
1172
1173       match: string
1174              The packets that the ACL should match, in  the  same  expression
1175              language  used  for the match column in the OVN Southbound data‐
1176              base’s Logical_Flow table. The  outport  logical  port  is  only
1177              available  in the to-lport direction (the inport is available in
1178              both directions).
1179
1180              By default all traffic is allowed. When writing a more  restric‐
1181              tive  policy, it is important to remember to allow flows such as
1182              ARP and IPv6 neighbor discovery packets.
1183
1184              Note that you cannot create an ACL  matching  on  a  port  with
1185              type=router or type=localnet.
1186
1187       action: string, one of allow-related, allow, drop, or reject
1188              The action to take when the ACL rule matches:
1189
1190              ·      allow: Forward the packet.
1191
1192              ·      allow-related:  Forward  the  packet  and related traffic
1193                     (e.g. inbound replies to an outbound connection).
1194
1195              ·      drop: Silently drop the packet.
1196
1197              ·      reject: Drop the packet, replying with a RST for  TCP  or
1198                     ICMPv4/ICMPv6     unreachable     message    for    other
1199                     IPv4/IPv6-based protocols.
1200
1201     Logging:
1202
1203       These columns control whether and how OVN logs packets  that  match  an
1204       ACL.
1205
1206       log: boolean
1207              If  set  to  true, packets that match the ACL will trigger a log
1208              message on the transport node or nodes that perform ACL process‐
1209              ing. Logging may be combined with any action.
1210
1211              If  set  to  false,  the remaining columns in this group have no
1212              significance.
1213
1214       name: optional string, at most 63 characters long
1215              This name, if it is provided, is included  in  log  records.  It
1216              provides the administrator and the cloud management system a way
1217              to associate a log record with a particular ACL.
1218
1219       severity: optional string, one of alert, debug, info, notice, or warning
1221              The severity of the ACL. The severity levels match those of sys‐
1222              log, in decreasing level of severity:  alert,  warning,  notice,
1223              info, or debug. When the column is empty, the default is info.
1224
1225       meter: optional string
1226              The  name of a meter to rate-limit log messages for the ACL. The
1227              string must match the name column of a row in the  Meter  table.
1228              By default, log messages are not rate-limited.
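
              An audit pass over ACL rows that checks the constraints stated in
              this table's description, added here as an example (not part of
              the OVN manual or code base). Rows are plain dicts keyed by
              column name, the finding codes are hypothetical, and a priority 0
              rule matching 1 with action drop or reject is treated as the
              default-deny rule, since those are the dropping values the action
              column accepts.

```python
import re

ACTIONS = {"allow-related", "allow", "drop", "reject"}
DIRECTIONS = {"from-lport", "to-lport"}
SEVERITIES = {"alert", "warning", "notice", "info", "debug"}


def lint_acls(acls, meter_names=()):
    """Return a list of (where, code) findings for the ACLs of one switch."""
    findings = []
    by_slot = {}  # (direction, priority) -> actions already seen in that slot
    for i, acl in enumerate(acls):
        where = "acl[%d]" % i
        prio = acl.get("priority")
        direction = acl.get("direction")
        action = acl.get("action")
        if not isinstance(prio, int) or not 0 <= prio <= 32767:
            findings.append((where, "priority-out-of-range"))
        if direction not in DIRECTIONS:
            findings.append((where, "invalid-direction"))
        if action not in ACTIONS:
            findings.append((where, "invalid-action"))
        # outport is only available in the to-lport direction.
        if direction == "from-lport" and re.search(r"\boutport\b", acl.get("match", "")):
            findings.append((where, "outport-in-from-lport"))
        # Equal priority with a different action: if both rules match a
        # packet, which one applies is undefined, so flag it for review.
        actions = by_slot.setdefault((direction, prio), set())
        if actions and action not in actions:
            findings.append((where, "same-priority-different-action"))
        actions.add(action)
        if len(acl.get("name") or "") > 63:
            findings.append((where, "name-too-long"))
        if acl.get("log"):
            if (acl.get("severity") or "info") not in SEVERITIES:
                findings.append((where, "invalid-severity"))
            meter = acl.get("meter")
            if not meter:
                findings.append((where, "log-not-rate-limited"))
            elif meter not in meter_names:
                findings.append((where, "unknown-meter"))
    # With no matching row, packets are allowed by default.
    for direction in sorted(DIRECTIONS):
        has_default = any(
            a.get("direction") == direction and a.get("priority") == 0
            and a.get("match", "").strip() == "1"
            and a.get("action") in ("drop", "reject")
            for a in acls)
        if not has_default:
            findings.append(("table", "default-allow:" + direction))
    return findings


# Constructed sample rows, not taken from a real deployment.
SAMPLE_ACLS = [
    {"priority": 1000, "direction": "to-lport", "action": "allow-related",
     "match": 'outport == "vm1" && tcp.dst == 22', "log": False},
    {"priority": 1000, "direction": "to-lport", "action": "drop",
     "match": 'outport == "vm1" && ip4', "log": True, "name": "vm1-drop",
     "severity": "warning", "meter": "acl-log"},
    {"priority": 900, "direction": "from-lport", "action": "deny",
     "match": 'outport == "vm2"', "log": True, "name": "x" * 64},
    {"priority": 0, "direction": "to-lport", "action": "drop",
     "match": "1", "log": False},
]

if __name__ == "__main__":
    for where, code in lint_acls(SAMPLE_ACLS, meter_names={"acl-log"}):
        print(where, code)
```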
1229
1230     Common Columns:
1231
1232       external_ids: map of string-string pairs
1233              See External IDs at the beginning of this document.
1234

Logical_Router TABLE

       Each row represents one L3 logical router.

   Summary:
       ports                         set of Logical_Router_Ports
       static_routes                 set of Logical_Router_Static_Routes
       policies                      set of Logical_Router_Policys
       enabled                       optional boolean
       nat                           set of NATs
       load_balancer                 set of weak reference to Load_Balancers
       Naming:
         name                        string
         external_ids : neutron:router_name
                                     optional string
       Options:
         options : chassis           optional string
         options : dnat_force_snat_ip
                                     optional string
         options : lb_force_snat_ip  optional string
         options : mcast_relay       optional string, either true or false
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       ports: set of Logical_Router_Ports
              The router’s ports.

       static_routes: set of Logical_Router_Static_Routes
              Zero or more static routes for the router.

       policies: set of Logical_Router_Policys
              Zero or more routing policies for the router.

       enabled: optional boolean
              This  column  is  used  to administratively set router state. If
              this column is empty or is set to true, the router  is  enabled.
              If  this  column is set to false, the router is disabled. A dis‐
              abled router has all ingress and egress traffic dropped.

       nat: set of NATs
              One or more NAT rules for the router. NAT  rules  only  work  on
              Gateway  routers,  and  on  distributed routers with one logical
              router port with a redirect-chassis specified.

       load_balancer: set of weak reference to Load_Balancers
              Load balance a virtual IP address to a set of  logical  port  IP
              addresses. Load balancer rules only work on the Gateway routers.

     Naming:

       These columns provide names for the logical router. From OVN’s perspec‐
       tive, these names have no special meaning or purpose other than to pro‐
       vide  convenience  for  human interaction with the northbound database.
       There is no requirement for the name to be unique. (For a unique  iden‐
       tifier for a logical router, use its row UUID.)

       (Originally, name was intended to serve the purpose of a human-friendly
       name, but the Neutron integration used it to uniquely identify its  own
       router  object,  in  the format neutron-uuid. Later on, Neutron started
       propagating  the  friendly  name  of  a  router  as   external_ids:neu‐
       tron:router_name. Perhaps this can be cleaned up someday.)

       name: string
              A name for the logical router.

       external_ids : neutron:router_name: optional string
              Another name for the logical router.

     Options:

       Additional options for the logical router.

       options : chassis: optional string
              If set, indicates that the logical router in question is a Gate‐
              way router (which is centralized) and resides in the  set  chas‐
              sis.  The  same value is also used by ovn-controller to uniquely
              identify the chassis in the OVN deployment and comes from exter‐
              nal_ids:system-id  in  the  Open_vSwitch  table  of Open_vSwitch
              database.

              The Gateway router can only be connected to a distributed router
              via  a switch if SNAT and DNAT are to be configured in the Gate‐
              way router.

       options : dnat_force_snat_ip: optional string
              If set, indicates the IP address to use to force SNAT  a  packet
              that  has already been DNATed in the gateway router. When multi‐
              ple gateway routers are configured,  a  packet  can  potentially
              enter  any  of  the  gateway routers, get DNATted and eventually
              reach the logical switch port. For the return traffic to go back
              to  the  same gateway router (for unDNATing), the packet needs a
              SNAT in the first place. This can be  achieved  by  setting  the
              above option with a gateway specific IP address.

       options : lb_force_snat_ip: optional string
              If  set,  indicates the IP address to use to force SNAT a packet
              that has already been load-balanced in the gateway router.  When
              multiple  gateway  routers  are  configured, a packet can poten‐
              tially enter any of the gateway routers, get DNATted as part  of
              the  load-balancing  and  eventually  reach  the  logical switch
              port. For the return traffic to go  back  to  the  same  gateway
              router  (for  unDNATing),  the  packet needs a SNAT in the first
              place. This can be achieved by setting the above option  with  a
              gateway specific IP address.

       options : mcast_relay: optional string, either true or false
              Enables/disables  IP  multicast  relay  between logical switches
              connected to the logical router. Default: False.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

QoS TABLE

       Each row in this table represents one QoS rule  for  a  logical  switch
       that  points  to  it through its qos_rules column. Two types of QoS are
       supported: DSCP marking and metering. The highest-priority matching row
       is  the one whose QoS is applied. If the action column is specified,
       then matching packets will have DSCP marking applied. If the  bandwidth
       column is specified, then matching packets will have metering applied.
       action and bandwidth are not exclusive, so both  marking  and  metering
       can  be  defined  for the same QoS entry. If no row matches, packets
       will not have any QoS applied.

   Summary:
       priority                      integer, in range 0 to 32,767
       direction                     string, either from-lport or to-lport
       match                         string
       action                        map of string-integer pairs, key must  be
                                     dscp, value in range 0 to 63
       bandwidth                     map  of  string-integer pairs, key either
                                     burst  or  rate,  value  in  range  1  to
                                     4,294,967,295
       external_ids                  map of string-string pairs

   Details:
       priority: integer, in range 0 to 32,767
              The  QoS rule’s priority. Rules with numerically higher priority
              take precedence over those with lower. If two QoS rules with the
              same  priority  both  match,  then the one actually applied to a
              packet is undefined.

       direction: string, either from-lport or to-lport
              The value of this field is similar to  ACL  column  in  the  OVN
              Northbound database’s ACL table.

       match: string
              The packets that the QoS rules should match, in the same expres‐
              sion language used for the match column in  the  OVN  Southbound
              database’s  Logical_Flow table. The outport logical port is only
              available in the to-lport direction (the inport is available  in
              both directions).

       action: map of string-integer pairs, key must be dscp, value in range 0
       to 63
              When specified, matching flows will have DSCP marking applied.

              ·      dscp: The value of this action should be in the range  of
                     0 to 63 (inclusive).

       bandwidth: map of string-integer pairs, key either burst or rate, value
       in range 1 to 4,294,967,295
              When specified, matching packets will  have  bandwidth  metering
              applied. Traffic over the limit will be dropped.

              ·      rate: The value of rate limit in kbps.

              ·      burst: The value of burst rate limit in kilobits. This is
                     optional and requires rate to be specified.

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Meter TABLE

       Each row in this table represents a meter that can be used for  QoS  or
       rate-limiting.

   Summary:
       name                          string (must be unique within table)
       unit                          string, either kbps or pktps
       bands                         set of 1 or more Meter_Bands
       external_ids                  map of string-string pairs

   Details:
       name: string (must be unique within table)
              A name for this meter.

              Names  that  begin  with "__" (two underscores) are reserved for
              OVN internal use and should not be added manually.

       unit: string, either kbps or pktps
              The unit for rate and burst_rate parameters in the bands  entry.
              kbps  specifies kilobits per second, and pktps specifies packets
              per second.

       bands: set of 1 or more Meter_Bands
              The bands associated with this meter. Each band specifies a rate
              above  which  the band is to take the action action. If multiple
              bands’ rates are exceeded, then the band with the  highest  rate
              among the exceeded bands is selected.

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Meter_Band TABLE

       Each row in this table represents a meter band which specifies the rate
       above which the configured action should be applied.  These  bands  are
       referenced by the bands column in the Meter table.

   Summary:
       action                        string, must be drop
       rate                          integer, in range 1 to 4,294,967,295
       burst_size                    integer, in range 0 to 4,294,967,295
       external_ids                  map of string-string pairs

   Details:
       action: string, must be drop
              The action to execute when this band matches. The only supported
              action is drop.

       rate: integer, in range 1 to 4,294,967,295
              The rate limit for this band, in kilobits per second or bits per
              second,  depending on whether the parent Meter entry’s unit col‐
              umn specified kbps or pktps.

       burst_size: integer, in range 0 to 4,294,967,295
              The maximum burst allowed for the band in kilobits  or  packets,
              depending  on  whether  kbps or pktps was selected in the parent
              Meter entry’s unit column. If the size is zero,  the  switch  is
              free to select some reasonable value depending on its configura‐
              tion.

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

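
       The following Python sketch is an added example, not part of the OVN
       manual or code base. It cross-checks the ACL meter column against Meter
       and Meter_Band rows using the constraints stated above and applies the
       band-selection rule. The classes, finding codes and sample rows are
       constructed for illustration, and the ACL log column is modelled as a
       plain boolean (an assumption of this example).

```python
"""Added example: audit ACL log metering against Meter / Meter_Band rows.

Class names, finding codes and sample rows are constructed for this example;
they are not OVN APIs.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

U32_MAX = 4_294_967_295


@dataclass
class MeterBand:
    rate: int
    burst_size: int = 0
    action: str = "drop"


@dataclass
class Meter:
    name: str
    unit: str
    bands: List[MeterBand] = field(default_factory=list)


@dataclass
class Acl:
    name: str
    log: bool = False            # assumption: logging flag of the ACL row
    meter: Optional[str] = None  # empty column: log messages are not rate-limited


def validate_meter(meter: Meter) -> List[str]:
    """Check one Meter row against the documented column constraints."""
    problems = []
    if meter.name.startswith("__"):
        problems.append("reserved-name")       # "__" names are for OVN internal use
    if meter.unit not in ("kbps", "pktps"):
        problems.append("bad-unit")
    if not meter.bands:
        problems.append("no-bands")            # bands: set of 1 or more Meter_Bands
    for band in meter.bands:
        if band.action != "drop":
            problems.append("bad-action")
        if not 1 <= band.rate <= U32_MAX:
            problems.append("bad-rate")
        if not 0 <= band.burst_size <= U32_MAX:
            problems.append("bad-burst-size")
    return problems


def select_band(meter: Meter, observed_rate: int) -> Optional[MeterBand]:
    """Return the band with the highest rate among the exceeded bands, if any."""
    exceeded = [b for b in meter.bands if observed_rate > b.rate]
    return max(exceeded, key=lambda b: b.rate) if exceeded else None


def audit_acl_logging(acls: List[Acl], meters: List[Meter]) -> List[Tuple[str, str]]:
    """Flag logging ACLs whose log output is unmetered or badly metered."""
    by_name = {}
    findings = []
    for meter in meters:
        if meter.name in by_name:
            findings.append((meter.name, "duplicate-meter-name"))
        by_name[meter.name] = meter
    for acl in acls:
        if not acl.log:
            continue
        if acl.meter is None:
            findings.append((acl.name, "log-not-rate-limited"))
        elif acl.meter not in by_name:
            findings.append((acl.name, "meter-not-found"))
        else:
            findings.extend((acl.name, p) for p in validate_meter(by_name[acl.meter]))
    return findings


# Constructed sample rows.
SAMPLE_METERS = [
    Meter("acl-log", "pktps", [MeterBand(rate=10), MeterBand(rate=100)]),
    Meter("__internal", "pktps", [MeterBand(rate=5)]),
]
SAMPLE_ACLS = [
    Acl("deny-ssh", log=True, meter="acl-log"),
    Acl("deny-all", log=True),
    Acl("typo-ref", log=True, meter="acl_log"),
    Acl("quiet", log=False),
]

if __name__ == "__main__":
    for who, code in audit_acl_logging(SAMPLE_ACLS, SAMPLE_METERS):
        print(f"{who}: {code}")
```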

Logical_Router_Port TABLE

       A port within an L3 logical router.

       Exactly one Logical_Router row must reference a  given  logical  router
       port.

   Summary:
       name                          string (must be unique within table)
       gateway_chassis               set of Gateway_Chassiss
       ha_chassis_group              optional HA_Chassis_Group
       networks                      set of 1 or more strings
       mac                           string
       enabled                       optional boolean
       ipv6_ra_configs:
         ipv6_ra_configs : address_mode
                                     optional string
         ipv6_ra_configs : mtu       optional string
         ipv6_ra_configs : send_periodic
                                     optional string
         ipv6_ra_configs : max_interval
                                     optional string
         ipv6_ra_configs : min_interval
                                     optional string
         ipv6_ra_configs : rdnss     optional string
       Options:
         options : redirect-chassis  optional string
         options : reside-on-redirect-chassis
                                     optional string
         options : redirect-type     optional string
         options : mcast_flood       optional string, either true or false
       Attachment:
         peer                        optional string
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       name: string (must be unique within table)
              A name for the logical router port.

              In addition to providing convenience for human interaction with
              the northbound database, this column is used as reference by its
              patch port in Logical_Switch_Port or another logical router port
              in Logical_Router_Port.

       gateway_chassis: set of Gateway_Chassiss
              This column is ignored if the column ha_chassis_group is set.

              If set, this indicates that this logical router port  represents
              a  distributed gateway port that connects this router to a logi‐
              cal switch with a localnet port. There may be at most  one  such
              logical router port on each logical router.

              Several  Gateway_Chassis  can  be referenced for a given logical
              router port. A single Gateway_Chassis is functionally equivalent
              to setting options:redirect-chassis. Refer to the description of
              options:redirect-chassis for additional details on gateway  han‐
              dling.

              Defining  more than one Gateway_Chassis will enable gateway high
              availability. Only one gateway will be active  at  a  time.  OVN
              chassis  will  use  BFD to monitor connectivity to a gateway. If
              connectivity to the active gateway is interrupted, another gate‐
              way  will become active. The priority column specifies the order
              that gateways will be chosen by OVN.

       ha_chassis_group: optional HA_Chassis_Group
              If set, this indicates that this logical router port  represents
              a  distributed gateway port that connects this router to a logi‐
              cal switch with a localnet port. There may be at most  one  such
              logical router port on each logical router. The HA chassis which
              are part of the HA chassis group will provide the  gateway  high
              availability. Please see the HA_Chassis_Group for more details.

              When  this  column  is  set,  the column gateway_chassis will be
              ignored.

       networks: set of 1 or more strings
              The IP addresses  and  netmasks  of  the  router.  For  example,
              192.168.0.1/24   indicates  that  the  router’s  IP  address  is
              192.168.0.1 and that packets destined to 192.168.0.x  should  be
              routed to this port.

              A  logical  router  port  always  adds a link-local IPv6 address
              (fe80::/64) automatically generated  from  the  interface’s  MAC
              address using the modified EUI-64 format.

       mac: string
              The Ethernet address that belongs to this router port.

       enabled: optional boolean
              This  column is used to administratively set port state. If this
              column is empty or is set to true, the port is enabled. If  this
              column  is  set  to false, the port is disabled. A disabled port
              has all ingress and egress traffic dropped.

     ipv6_ra_configs:

       This column defines the IPv6 ND RA address mode and ND MTU Option to be
       included by ovn-controller when it replies to the IPv6 Router solicita‐
       tion requests.

       ipv6_ra_configs : address_mode: optional string
              The address mode to be used for IPv6 address configuration.  The
              supported values are:

              ·      slaac:  Address  configuration using Router Advertisement
                     (RA) packet. The  IPv6  prefixes  defined  in  the  Logi‐
                     cal_Router_Port  table’s networks column will be included
                     in the RA’s ICMPv6 option - Prefix information.

              ·      dhcpv6_stateful: Address configuration using DHCPv6.

              ·      dhcpv6_stateless:  Address  configuration  using   Router
                     Advertisement  (RA)  packet.  Other IPv6 options are pro‐
                     vided by DHCPv6.

       ipv6_ra_configs : mtu: optional string
              The recommended MTU for the link. Default is 0, which  means  no
              MTU  Option  will  be  included in RA packet replied by ovn-con‐
              troller. Per RFC 2460, the mtu value is recommended no less than
              1280,  so  any mtu value less than 1280 will be considered as no
              MTU Option.

       ipv6_ra_configs : send_periodic: optional string
              If set to true, then this  router  interface  will  send  router
              advertisements periodically. The default is false.

       ipv6_ra_configs : max_interval: optional string
              The  maximum  number of seconds to wait between sending periodic
              router advertisements. This option has no effect if ipv6_ra_con‐
              figs:send_periodic is false. The default is 600.

       ipv6_ra_configs : min_interval: optional string
              The  minimum  number of seconds to wait between sending periodic
              router advertisements. This option has no effect if ipv6_ra_con‐
              figs:send_periodic   is  false.  The  default  is  one-third  of
              ipv6_ra_configs:max_interval, i.e. 200 seconds if  that  key  is
              unset.

       ipv6_ra_configs : rdnss: optional string
              IPv6  address  of  RDNSS  server announced in RA packets. At the
              moment OVN supports just one RDNSS server.

     Options:

       Additional options for the logical router port.

       options : redirect-chassis: optional string
              If set, this indicates that this logical router port  represents
              a  distributed gateway port that connects this router to a logi‐
              cal switch with a localnet port. There may be at most  one  such
              logical router port on each logical router.

              Even  when  a  redirect-chassis is specified, the logical router
              port still effectively resides on each chassis. However, due  to
              the  implications of the use of L2 learning in the physical net‐
              work, as well as the need to support advanced features  such  as
              one-to-many  NAT  (aka IP masquerading), a subset of the logical
              router processing is handled in  a  centralized  manner  on  the
              specified redirect-chassis.

              When  this  option  is specified, the peer logical switch port’s
              addresses must be set to router. With this setting,  the  exter‐
              nal_macs  specified in NAT rules are automatically programmed in
              the peer logical switch’s  destination  lookup  on  the  chassis
              where   the  logical_port  resides.  In  addition,  the  logical
              router’s MAC address is automatically  programmed  in  the  peer
              logical  switch’s  destination lookup flow on the redirect-chas‐
              sis.

              When this option is specified and it is desired to generate gra‐
              tuitous  ARPs  for  NAT  addresses, then the peer logical switch
              port’s options:nat-addresses should be set to router.

              While options:redirect-chassis is still supported for  backwards
              compatibility,  it is now preferred to specify one or more gate‐
              way_chassis instead. It is functionally equivalent,  but  allows
              you to specify multiple chassis to enable high availability.

       options : reside-on-redirect-chassis: optional string
              Generally routing is distributed in OVN. The packet from a logi‐
              cal port which needs to be routed hits the  router  pipeline  in
              the  source  chassis.  For  the East-West traffic, the packet is
              sent directly to the destination chassis. For the outside  traf‐
              fic the packet is sent to the gateway chassis.

              When this option is set, OVN considers this only if

              ·      The  logical  router  to  which  this logical router port
                     belongs has a distributed gateway port.

              ·      The peer’s logical switch has a localnet port (represent‐
                     ing a VLAN tagged network)

              When  this option is set to true, then the packet which needs to
              be routed hits the router pipeline in the  chassis  hosting  the
              distributed  gateway  router port. The source chassis pushes out
              this traffic via the localnet port.  With  this,  the  East-West
              traffic is no longer distributed and will always go through the
              gateway chassis.

              Without this option set, for any  traffic  destined  to  outside
              from  a  logical  port  which  belongs  to a logical switch with
              localnet port, the source chassis will send the traffic  to  the
              gateway chassis via the tunnel port instead of the localnet port
              and this could cause MTU issues.

       options : redirect-type: optional string
              This option dictates if a packet redirected to gateway  chassis
              will  be  overlay encapsulated or go as a regular packet via the
              localnet port.

              The option takes the following values:

              ·      OVERLAY

              ·      BRIDGED

              OVERLAY option will ensure that redirected packet goes out
              encapsulated via the tunnel port.

              BRIDGED  option  will ensure that redirected packet goes out via
              the localnet port tagged with vlan (if configured).

              OVERLAY is the default redirection type.

              Option is applicable only to gateway  chassis  attached  logical
              router ports.

       options : mcast_flood: optional string, either true or false
              If set to true, multicast traffic (including reports) is uncon‐
              ditionally forwarded to the specific port.

              This option applies when the port is part of  a  logical  router
              which has options:mcast_relay set to true.

     Attachment:

       A given router port serves one of two purposes:

              ·      To attach a logical switch to a logical router. A logical
                     router port of this type is  referenced  by  exactly  one
                     Logical_Switch_Port  of type router. The value of name is
                     set  as  router-port   in   column   options   of   Logi‐
                     cal_Switch_Port. In this case peer column is empty.

              ·      To connect one logical router to another. This requires a
                     pair of logical router ports, each connected to a differ‐
                     ent  router.  Each  router port in the pair specifies the
                     other in its peer column. No Logical_Switch refers to the
                     router port.

       peer: optional string
              For  a  router  port  used  to connect two logical routers, this
              identifies the other router port in the pair by name.

              For a router port attached to a logical switch, this  column  is
              empty.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Logical_Router_Static_Route TABLE

       Each record represents a static route.

       When  multiple  routes match a packet, the longest-prefix match is cho‐
       sen. For a given prefix length, a dst-ip  route  is  preferred  over  a
       src-ip route.

   Summary:
       ip_prefix                     string
       policy                        optional string, either dst-ip or src-ip
       nexthop                       string
       output_port                   optional string
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       ip_prefix: string
              IP prefix of this route (e.g. 192.168.100.0/24).

       policy: optional string, either dst-ip or src-ip
              If  it  is  specified, this setting describes the policy used to
              make routing decisions. This setting must be one of the  follow‐
              ing strings:

              ·      src-ip:  This policy sends the packet to the nexthop when
                     the packet’s source IP address matches ip_prefix.

              ·      dst-ip: This policy sends the packet to the nexthop  when
                     the packet’s destination IP address matches ip_prefix.

              If not specified, the default is dst-ip.

       nexthop: string
              Nexthop  IP address for this route. Nexthop IP address should be
              the IP address of a connected router port or the IP address of a
              logical port.

       output_port: optional string
              The  name  of the Logical_Router_Port via which the packet needs
              to be sent out. This is optional and  when  not  specified,  OVN
              will  automatically  figure  this out based on the nexthop. When
              this is specified and there are multiple  IP  addresses  on  the
              router  port and none of them are in the same subnet as nexthop,
              OVN chooses the first IP address as the one via which  the  nex‐
              thop is reachable.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

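
       The selection rule stated at the top of this table (longest prefix
       first, dst-ip preferred over src-ip at equal prefix length) can be
       modelled as below. This is an added Python example, not OVN code; the
       StaticRoute class, select_route function and the sample routes are
       constructed for illustration.

```python
"""Added example: route selection for Logical_Router_Static_Route rows.

StaticRoute and select_route are names invented for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class StaticRoute:
    ip_prefix: str
    nexthop: str
    policy: Optional[str] = None       # empty column means dst-ip
    output_port: Optional[str] = None

    def effective_policy(self) -> str:
        policy = self.policy or "dst-ip"
        if policy not in ("dst-ip", "src-ip"):
            raise ValueError(f"invalid policy {policy!r} for {self.ip_prefix}")
        return policy


def select_route(routes: Iterable[StaticRoute], src: str, dst: str) -> Optional[StaticRoute]:
    """Pick the route a packet with the given source/destination would use.

    Ordering key: (prefix length, is dst-ip). A longer prefix always wins;
    at equal length a dst-ip route beats a src-ip route. Ties beyond that
    are not defined by the manual; this model keeps the first such row.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    best, best_key = None, None
    for route in routes:
        policy = route.effective_policy()
        network = ipaddress.ip_network(route.ip_prefix, strict=False)
        # src-ip routes are matched on the source address, dst-ip on the destination.
        addr = dst_ip if policy == "dst-ip" else src_ip
        if addr.version != network.version or addr not in network:
            continue
        key = (network.prefixlen, policy == "dst-ip")
        if best_key is None or key > best_key:
            best, best_key = route, key
    return best


# Constructed sample routes: a default route, a source-based route that
# steers one tenant subnet to a different next hop, and a destination route.
SAMPLE_ROUTES = [
    StaticRoute("0.0.0.0/0", "172.16.0.1"),
    StaticRoute("10.0.1.0/24", "172.16.0.2", policy="src-ip"),
    StaticRoute("10.0.2.0/24", "10.0.2.254"),
]

if __name__ == "__main__":
    for src, dst in [("10.0.1.5", "203.0.113.7"),
                     ("10.0.1.5", "10.0.2.9"),
                     ("10.0.3.5", "203.0.113.7")]:
        chosen = select_route(SAMPLE_ROUTES, src, dst)
        print(f"{src} -> {dst}: via {chosen.nexthop if chosen else 'no route'}")
```

       In the sample data the /24 src-ip route overrides the default route for
       traffic sourced from 10.0.1.0/24, which is worth checking when a
       default route is expected to carry all egress traffic through one hop.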

Logical_Router_Policy TABLE

       Each  row  in  this  table  represents one routing policy for a logical
       router that points to it through its policies column. The action column
       for  the  highest-priority  matching  row  in  this  table determines a
       packet’s treatment. If no row matches, packets are allowed by  default.
       (Default-deny  treatment  is possible: add a rule with priority 0, 1 as
       match, and drop as action.)

   Summary:
       priority                      integer, in range 0 to 32,767
       match                         string
       action                        string, one of allow, drop, or reroute
       nexthop                       optional string

   Details:
       priority: integer, in range 0 to 32,767
              The routing policy’s priority.  Rules  with  numerically  higher
              priority  take  precedence  over  those  with  lower.  A rule is
              uniquely identified by the priority and match string.

       match: string
              The packets that the routing policy should match,  in  the  same
              expression  language used for the match column in the OVN South‐
              bound database’s Logical_Flow table.

              By default all traffic is allowed. When writing a more  restric‐
              tive  policy, it is important to remember to allow flows such as
              ARP and IPv6 neighbor discovery packets.

       action: string, one of allow, drop, or reroute
              The action to take when the routing policy matches:

              ·      allow: Forward the packet.

              ·      drop: Silently drop the packet.

              ·      reroute: Reroute packet to nexthop.

       nexthop: optional string
              Next-hop IP address for this  route,  which  should  be  the  IP
              address  of a connected router port or the IP address of a logi‐
              cal port.

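
       Because unmatched packets are allowed by default, a policy set is worth
       auditing before it is written to the database. The Python sketch below
       is an added example, not OVN code: it checks the column constraints
       above, the priority-0 "1"/drop default-deny row, and rows hidden behind
       a higher-priority catch-all. The class, the finding codes and the
       ARP/ND token heuristic are assumptions of this example, and match
       strings are compared as text rather than parsed.

```python
"""Added example: static audit of Logical_Router_Policy rows (not OVN code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

VALID_ACTIONS = {"allow", "drop", "reroute"}


@dataclass(frozen=True)
class Policy:
    priority: int
    match: str
    action: str
    nexthop: Optional[str] = None


def is_catch_all(policy: Policy) -> bool:
    # The manual's default-deny row uses the literal match "1".
    return policy.match.strip() == "1"


def effective_default(policies: List[Policy]) -> str:
    """Action for a packet that only catch-all rows match ("allow" if none)."""
    catch_all = [p for p in policies if is_catch_all(p)]
    if not catch_all:
        return "allow"
    return max(catch_all, key=lambda p: p.priority).action


def mentions_arp_or_nd(match: str) -> bool:
    # Heuristic (assumption): look for the tokens arp / nd / nd_* in the text.
    tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", match)
    return any(t in ("arp", "nd") or t.startswith("nd_") for t in tokens)


def audit(policies: List[Policy]) -> List[Tuple[str, str]]:
    findings = []
    seen = set()
    for p in policies:
        if not 0 <= p.priority <= 32767:
            findings.append(("priority-out-of-range", repr(p)))
        if p.action not in VALID_ACTIONS:
            findings.append(("unknown-action", repr(p)))
        if p.action == "reroute" and not p.nexthop:
            findings.append(("reroute-without-nexthop", repr(p)))
        key = (p.priority, p.match.strip())   # a rule is identified by this pair
        if key in seen:
            findings.append(("duplicate-priority-and-match", repr(p)))
        seen.add(key)

    # Rows below the highest-priority catch-all can never decide a packet.
    top = max((p.priority for p in policies if is_catch_all(p)), default=None)
    if top is not None:
        for p in policies:
            if p.priority < top:
                findings.append(("shadowed-by-catch-all", repr(p)))

    if effective_default(policies) != "drop":
        findings.append(("default-allow", "unmatched packets are forwarded"))
    elif not any(p.action == "allow" and p.priority > top and mentions_arp_or_nd(p.match)
                 for p in policies):
        findings.append(("arp-nd-not-allowed", "default-deny without an ARP/ND allow row"))
    return findings


# Constructed sample policy sets.
GOOD = [
    Policy(100, "ip4.src == 10.0.0.0/24", "reroute", "192.168.1.1"),
    Policy(90, "arp || nd", "allow"),
    Policy(0, "1", "drop"),
]
WEAK = [
    Policy(200, "1", "allow"),
    Policy(100, "ip4.dst == 10.0.0.5", "reroute"),
    Policy(100, "ip4.dst == 10.0.0.5", "drop"),
]

if __name__ == "__main__":
    for label, rows in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, effective_default(rows), [code for code, _ in audit(rows)])
```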

NAT TABLE

1830       Each record represents a NAT rule.
1831
1832   Summary:
1833       type                          string, one of  dnat,  dnat_and_snat,  or
1834                                     snat
1835       external_ip                   string
1836       external_mac                  optional string
1837       logical_ip                    string
1838       logical_port                  optional string
1839       Common Columns:
1840         external_ids                map of string-string pairs
1841
1842   Details:
1843       type: string, one of dnat, dnat_and_snat, or snat
1844              Type of the NAT rule.
1845
1846              ·      When  type  is  dnat,  the  externally visible IP address
1847                     external_ip is DNATted to the IP  address  logical_ip  in
1848                     the logical space.
1849
1850              ·      When  type  is  snat,  IP  packets  with  their source IP
1851                     address that either matches the IP address in  logical_ip
1852                     or  is  in  the  network provided by logical_ip is SNATed
1853                     into the IP address in external_ip.
1854
1855              ·      When type is dnat_and_snat,  the  externally  visible  IP
1856                     address  external_ip  is  DNATted to the IP address logi‐
1857                     cal_ip in the logical space. In addition, IP packets with
1858                     the  source  IP address that matches logical_ip is SNATed
1859                     into the IP address in external_ip.
1860
1861       external_ip: string
1862              An IPv4 address.
1863
1864       external_mac: optional string
1865              A MAC address.
1866
1867              This is only used on the gateway port  on  distributed  routers.
1868              This must be specified in order for the NAT rule to be processed
1869              in a distributed manner on all chassis. If this is not specified
1870              for  a NAT rule on a distributed router, then this NAT rule will
1871              be processed  in  a  centralized  manner  on  the  gateway  port
1872              instance on the redirect-chassis.
1873
1874              This  MAC  address must be unique on the logical switch that the
1875              gateway port is attached to. If the MAC address used on the log‐
1876              ical_port is globally unique, then that MAC address can be spec‐
1877              ified as this external_mac.
1878
1879       logical_ip: string
1880              An IPv4 network (e.g. 192.168.1.0/24) or an IPv4 address.
1881
1882       logical_port: optional string
1883              The name of the logical port where the logical_ip resides.
1884
1885              This is only used on distributed routers. This must be specified
1886              in  order for the NAT rule to be processed in a distributed man‐
1887              ner on all chassis. If this is not specified for a NAT rule on a
1888              distributed  router,  then  this NAT rule will be processed in a
1889              centralized manner on the gateway port  instance  on  the  redi‐
1890              rect-chassis.
1891
1892     Common Columns:
1893
1894       external_ids: map of string-string pairs
1895              See External IDs at the beginning of this document.
1896

DHCP_Options TABLE

1898       OVN  implements  native  DHCPv4  support which caters to the common use
1899       case of providing an IPv4 address to a booting  instance  by  providing
1900       stateless  replies  to  DHCPv4  requests based on statically configured
1901       address mappings. To do this it allows a short list of  DHCPv4  options
1902       to  be  configured  and  applied  at each compute host running ovn-con‐
1903       troller.
1904
1905       OVN also implements native  DHCPv6  support  which  provides  stateless
1906       replies to DHCPv6 requests.
1907
1908   Summary:
1909       cidr                          string
1910       DHCPv4 options:
1911         Mandatory DHCPv4 options:
1912            options : server_id      optional string
1913            options : server_mac     optional string
1914            options : lease_time     optional  string,  containing an integer,
1915                                     in range 0 to 4,294,967,295
1916         IPv4 DHCP Options:
1917            options : router         optional string
1918            options : netmask        optional string
1919            options : dns_server     optional string
1920            options : log_server     optional string
1921            options : lpr_server     optional string
1922            options : swap_server    optional string
1923            options : policy_filter  optional string
1924            options : router_solicitation
1925                                     optional string
1926            options : nis_server     optional string
1927            options : ntp_server     optional string
1928            options : tftp_server    optional string
1929            options : classless_static_route
1930                                     optional string
1931            options : ms_classless_static_route
1932                                     optional string
1933         Boolean DHCP Options:
1934            options : ip_forward_enable
1935                                     optional string, either 0 or 1
1936            options : router_discovery
1937                                     optional string, either 0 or 1
1938            options : ethernet_encap optional string, either 0 or 1
1939         Integer DHCP Options:
1940            options : default_ttl    optional string, containing  an  integer,
1941                                     in range 0 to 255
1942            options : tcp_ttl        optional  string,  containing an integer,
1943                                     in range 0 to 255
1944            options : mtu            optional string, containing  an  integer,
1945                                     in range 68 to 65,535
1946            options : T1             optional  string,  containing an integer,
1947                                     in range 68 to 4,294,967,295
1948            options : T2             optional string, containing  an  integer,
1949                                     in range 68 to 4,294,967,295
1950         String DHCP Options:
1951            options : wpad           optional string
1952            options : bootfile_name  optional string
1953            options : path_prefix    optional string
1954            options : tftp_server_address
1955                                     optional string
1956            options : domain_name    optional string
1957       DHCPv6 options:
1958         Mandatory DHCPv6 options:
1959            options : server_id      optional string
1960         IPv6 DHCPv6 options:
1961            options : dns_server     optional string
1962         String DHCPv6 options:
1963            options : domain_search  optional string
1964            options : dhcpv6_stateless
1965                                     optional string
1966       Common Columns:
1967         external_ids                map of string-string pairs
1968
1969   Details:
1970       cidr: string
1971              The  DHCPv4/DHCPv6  options will be included if the logical port
1972              has its IP address in this cidr.
1973
1974     DHCPv4 options:
1975
1976       The CMS should define the set of DHCPv4 options as key/value  pairs  in
1977       the  options  column of this table. For ovn-controller to include these
1978       DHCPv4 options, the dhcpv4_options of Logical_Switch_Port should  refer
1979       to an entry in this table.
1980
1981     Mandatory DHCPv4 options:
1982
1983       The following options must be defined.
1984
1985       options : server_id: optional string
1986              The IP address for the DHCP server to use. This should be in the
1987              subnet of the offered IP. This is  also  included  in  the  DHCP
1988              offer as option 54, ``server identifier.’’
1989
1990       options : server_mac: optional string
1991              The Ethernet address for the DHCP server to use.
1992
1993       options  : lease_time: optional string, containing an integer, in range
1994       0 to 4,294,967,295
1995              The offered lease time in seconds.
1996
1997              The DHCPv4 option code for this option is 51.
1998
1999     IPv4 DHCP Options:
2000
2001       Below are the  supported  DHCPv4  options  whose  values  are  an  IPv4
2002       address,  e.g. 192.168.1.1. Some options accept multiple IPv4 addresses
2003       enclosed within curly braces, e.g. {192.168.1.2,  192.168.1.3}.  Please
2004       refer to RFC 2132 for more details on DHCPv4 options and their codes.
2005
2006       options : router: optional string
2007              The  IP  address of a gateway for the client to use. This should
2008              be in the subnet of the offered IP. The DHCPv4 option  code  for
2009              this option is 3.
2010
2011       options : netmask: optional string
2012              The DHCPv4 option code for this option is 1.
2013
2014       options : dns_server: optional string
2015              The DHCPv4 option code for this option is 6.
2016
2017       options : log_server: optional string
2018              The DHCPv4 option code for this option is 7.
2019
2020       options : lpr_server: optional string
2021              The DHCPv4 option code for this option is 9.
2022
2023       options : swap_server: optional string
2024              The DHCPv4 option code for this option is 16.
2025
2026       options : policy_filter: optional string
2027              The DHCPv4 option code for this option is 21.
2028
2029       options : router_solicitation: optional string
2030              The DHCPv4 option code for this option is 32.
2031
2032       options : nis_server: optional string
2033              The DHCPv4 option code for this option is 41.
2034
2035       options : ntp_server: optional string
2036              The DHCPv4 option code for this option is 42.
2037
2038       options : tftp_server: optional string
2039              The DHCPv4 option code for this option is 66.
2040
2041       options : classless_static_route: optional string
2042              The DHCPv4 option code for this option is 121.
2043
2044              This option can contain one or more static routes, each of which
2045              consists of a destination descriptor and the IP address  of  the
2046              router that should be used to reach that destination. Please see
2047              RFC 3442 for more details.
2048
2049              Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
2050
2051       options : ms_classless_static_route: optional string
2052              The DHCPv4 option code for this option is 249.  This  option  is
2053              similar to classless_static_route supported by Microsoft Windows
2054              DHCPv4 clients.
2055
2056     Boolean DHCP Options:
2057
2058       These options accept a Boolean value, expressed as 0 for false or 1 for
2059       true.
2060
2061       options : ip_forward_enable: optional string, either 0 or 1
2062              The DHCPv4 option code for this option is 19.
2063
2064       options : router_discovery: optional string, either 0 or 1
2065              The DHCPv4 option code for this option is 31.
2066
2067       options : ethernet_encap: optional string, either 0 or 1
2068              The DHCPv4 option code for this option is 36.
2069
2070     Integer DHCP Options:
2071
2072       These options accept a nonnegative integer value.
2073
2074       options : default_ttl: optional string, containing an integer, in range
2075       0 to 255
2076              The DHCPv4 option code for this option is 23.
2077
2078       options : tcp_ttl: optional string, containing an integer, in  range  0
2079       to 255
2080              The DHCPv4 option code for this option is 37.
2081
2082       options  :  mtu: optional string, containing an integer, in range 68 to
2083       65,535
2084              The DHCPv4 option code for this option is 26.
2085
2086       options : T1: optional string, containing an integer, in  range  68  to
2087       4,294,967,295
2088              This  specifies  the time interval from address assignment until
2089              the client begins trying to renew its address. The DHCPv4 option
2090              code for this option is 58.
2091
2092       options  :  T2:  optional string, containing an integer, in range 68 to
2093       4,294,967,295
2094              This specifies the time interval from address  assignment  until
2095              the  client  begins  trying  to  rebind  its address. The DHCPv4
2096              option code for this option is 59.
2097
2098     String DHCP Options:
2099
2100       These options accept a string value.
2101
2102       options : wpad: optional string
2103              The DHCPv4 option code for this option is 252.  This  option  is
2104              used  as part of web proxy auto discovery to provide a URL for a
2105              web proxy.
2106
2107       options : bootfile_name: optional string
2108              The DHCPv4 option code for this option is  67.  This  option  is
2109              used to identify a bootfile.
2110
2111       options : path_prefix: optional string
2112              The DHCPv4 option code for this option is 210. In PXELINUX’ case
2113              this option is used to set a  common  path  prefix,  instead  of
2114              deriving it from the bootfile name.
2115
2116       options : tftp_server_address: optional string
2117              The  DHCPv4  option code for this option is 150. The option con‐
2118              tains one or more IPv4 addresses that the client MAY  use.  This
2119              option is Cisco proprietary; the IEEE standard that matches
2120              this requirement is option 66 (tftp_server).
2121
2122       options : domain_name: optional string
2123              The DHCPv4 option code for this option is 15. This option
2124              specifies the domain name that the client should use when
2125              resolving hostnames via the Domain Name System.
2126
2127     DHCPv6 options:
2128
2129       OVN also implements native DHCPv6 support. The CMS  should  define  the
2130       set  of  DHCPv6  options  as key/value pairs. The defined DHCPv6 options
2131       will   be   included   in   the   DHCPv6   response   to   the   DHCPv6
2132       Solicit/Request/Confirm  packet  from the logical ports having the IPv6
2133       addresses in the cidr.
2134
2135     Mandatory DHCPv6 options:
2136
2137       The following options must be defined.
2138
2139       options : server_id: optional string
2140              The Ethernet address for the DHCP server to use.  This  is  also
2141              included  in the DHCPv6 reply as option 2, ``Server Identifier’’
2142              to carry a DUID identifying a server  between  a  client  and  a
2143              server.  ovn-controller defines DUID based on Link-layer Address
2144              [DUID-LL].
2145
2146     IPv6 DHCPv6 options:
2147
2148       Below are the  supported  DHCPv6  options  whose  values  are  an  IPv6
2149       address,  e.g.  aef0::4.  Some  options  accept multiple IPv6 addresses
2150       enclosed within curly braces, e.g. {aef0::4, aef0::5}. Please refer  to
2151       RFC 3315 for more details on DHCPv6 options and their codes.
2152
2153       options : dns_server: optional string
2154              The DHCPv6 option code for this option is 23. This option speci‐
2155              fies the DNS servers that the VM should use.
2156
2157     String DHCPv6 options:
2158
2159       These options accept string values.
2160
2161       options : domain_search: optional string
2162              The DHCPv6 option code for this option is 24. This option speci‐
2163              fies  the  domain  search  list the client should use to resolve
2164              hostnames with DNS.
2165
2166              Example: "ovn.org".
2167
2168       options : dhcpv6_stateless: optional string
2169              This option specifies that OVN native DHCPv6 works in stateless
2170              mode, which means that OVN native DHCPv6 will not offer IPv6
2171              addresses for VM/VIF ports, but will only reply with other
2172              configuration, such as DNS and domain search list. When this
2173              option is set to the string value "true", the VM/VIF configures
2174              its IPv6 addresses statelessly. The default value is false.
2175
2176     Common Columns:
2177
2178       external_ids: map of string-string pairs
2179              See External IDs at the beginning of this document.
2180
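       A CMS-side check of one DHCP_Options row against the DHCPv4 rules
       listed above, as an added example (not part of the original manual or
       of OVN's code). The function name, message strings and sample rows are
       constructed; comparing server_id and router against cidr, and accepting
       the curly-brace list form for every IPv4-valued option, are assumptions.

```python
import ipaddress
import re

# Rules transcribed from the DHCPv4 part of the DHCP_Options table.
MANDATORY_V4 = ("server_id", "server_mac", "lease_time")
IPV4_OPTS = {"server_id", "router", "netmask", "dns_server", "log_server",
             "lpr_server", "swap_server", "policy_filter",
             "router_solicitation", "nis_server", "ntp_server", "tftp_server"}
IN_SUBNET = {"server_id", "router"}  # "should be in the subnet of the offered IP"
ROUTE_OPTS = {"classless_static_route", "ms_classless_static_route"}
BOOL_OPTS = {"ip_forward_enable", "router_discovery", "ethernet_encap"}
INT_RANGES = {"lease_time": (0, 4294967295), "default_ttl": (0, 255),
              "tcp_ttl": (0, 255), "mtu": (68, 65535),
              "T1": (68, 4294967295), "T2": (68, 4294967295)}
STRING_OPTS = {"wpad", "bootfile_name", "path_prefix",
               "tftp_server_address", "domain_name"}
MAC_RE = re.compile(r"[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}")


def _items(value):
    """Split 'a' or '{a, b}' into a list of stripped items."""
    text = value.strip()
    if text.startswith("{") and text.endswith("}"):
        text = text[1:-1]
    return [part.strip() for part in text.split(",") if part.strip()]


def _parses(factory, text):
    """True if the ipaddress factory accepts the text."""
    try:
        factory(text)
        return True
    except ValueError:
        return False


def _is_ipv4(text):
    return _parses(ipaddress.IPv4Address, text)


def _is_ipv4_net(text):
    return _parses(lambda t: ipaddress.IPv4Network(t, strict=False), text)


def validate_dhcpv4(cidr, options):
    """Return a sorted list of 'key: problem' strings for one row."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    problems = [f"{key}: mandatory option missing"
                for key in MANDATORY_V4 if key not in options]
    for key, value in options.items():
        if key == "server_mac":
            if not MAC_RE.fullmatch(value):
                problems.append(f"{key}: not an Ethernet address")
        elif key in IPV4_OPTS:
            addrs = _items(value)
            if not addrs or not all(_is_ipv4(a) for a in addrs):
                problems.append(f"{key}: not an IPv4 address or list")
            elif key in IN_SUBNET and ipaddress.IPv4Address(addrs[0]) not in net:
                problems.append(f"{key}: outside cidr {cidr}")
        elif key in ROUTE_OPTS:
            parts = _items(value)
            pairs = zip(parts[0::2], parts[1::2])
            if (not parts or len(parts) % 2
                    or not all(_is_ipv4_net(d) and _is_ipv4(r) for d, r in pairs)):
                problems.append(f"{key}: expected destination,router pairs")
        elif key in BOOL_OPTS:
            if value not in ("0", "1"):
                problems.append(f"{key}: must be 0 or 1")
        elif key in INT_RANGES:
            low, high = INT_RANGES[key]
            if not re.fullmatch(r"[0-9]+", value) or not low <= int(value) <= high:
                problems.append(f"{key}: not an integer in range {low} to {high}")
        elif key not in STRING_OPTS:
            problems.append(f"{key}: not a DHCPv4 option listed in this table")
    return sorted(problems)


# Constructed sample rows (not taken from any real deployment).
GOOD_ROW = {"server_id": "10.0.0.1", "server_mac": "c0:ff:ee:00:00:01",
            "lease_time": "3600", "router": "10.0.0.1",
            "dns_server": "{10.0.0.2, 10.0.0.3}", "mtu": "1442",
            "classless_static_route":
                "{30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}"}
BAD_ROW = {"server_id": "192.168.5.1", "lease_time": "-1", "mtu": "40",
           "ip_forward_enable": "true", "dns_servers": "10.0.0.2",
           "classless_static_route": "{30.0.0.0/24}"}

if __name__ == "__main__":
    for line in validate_dhcpv4("10.0.0.0/24", BAD_ROW):
        print(line)
```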

Connection TABLE

2182       Configuration  for  a  database  connection to an Open vSwitch database
2183       (OVSDB) client.
2184
2185       This table  primarily  configures  the  Open  vSwitch  database  server
2186       (ovsdb-server).
2187
2188       The  Open vSwitch database server can initiate and maintain active con‐
2189       nections to remote clients. It can also  listen  for  database  connec‐
2190       tions.
2191
2192   Summary:
2193       Core Features:
2194         target                      string (must be unique within table)
2195       Client Failure Detection and Handling:
2196         max_backoff                 optional integer, at least 1,000
2197         inactivity_probe            optional integer
2198       Status:
2199         is_connected                boolean
2200         status : last_error         optional string
2201         status : state              optional  string, one of ACTIVE, BACKOFF,
2202                                     CONNECTING, IDLE, or VOID
2203         status : sec_since_connect  optional string, containing  an  integer,
2204                                     at least 0
2205         status : sec_since_disconnect
2206                                     optional  string,  containing an integer,
2207                                     at least 0
2208         status : locks_held         optional string
2209         status : locks_waiting      optional string
2210         status : locks_lost         optional string
2211         status : n_connections      optional string, containing  an  integer,
2212                                     at least 2
2213         status : bound_port         optional string, containing an integer
2214       Common Columns:
2215         external_ids                map of string-string pairs
2216         other_config                map of string-string pairs
2217
2218   Details:
2219     Core Features:
2220
2221       target: string (must be unique within table)
2222              Connection methods for clients.
2223
2224              The following connection methods are currently supported:
2225
2226              ssl:host[:port]
2227                     The  specified  SSL  port  on the given host,
2228                     which can either be a DNS name  (if  built  with  unbound
2229                     library) or an IP address. A valid SSL configuration must
2230                     be provided when this form is used; this  configuration
2231                     can  be specified via command-line options or the SSL
2232                     table.
2233
2234                     If port is not specified, it defaults to 6640.
2235
2236                     SSL support is an optional feature  that  is  not  always
2237                     built as part of Open vSwitch.
2238
2239              tcp:host[:port]
2240                     The  specified  TCP  port  on the given host,
2241                     which can either be a DNS name  (if  built  with  unbound
2242                     library)  or  an  IP address. If host is an IPv6 address,
2243                     wrap it in square brackets, e.g. tcp:[::1]:6640.
2244
2245                     If port is not specified, it defaults to 6640.
2246
2247              pssl:[port][:host]
2248                     Listens for SSL connections on the  specified  TCP  port.
2249                     Specify  0  for  port  to  have  the kernel automatically
2250                     choose an available port. If host, which can either be  a
2251                     DNS  name  (if  built  with  unbound  library)  or  an IP
2252                     address, is specified, then connections are restricted to
2253                     the resolved or specified local IP address (either IPv4 or
2254                     IPv6 address). If host is an IPv6 address, wrap it in square
2255                     brackets,  e.g. pssl:6640:[::1]. If host is not specified
2256                     then it listens only on IPv4 (but not IPv6) addresses.  A
2257                     valid  SSL  configuration must be provided when this form
2258                     is used; this can be specified  either  via  command-line
2259                     options or the SSL table.
2260
2261                     If port is not specified, it defaults to 6640.
2262
2263                     SSL  support  is  an  optional feature that is not always
2264                     built as part of Open vSwitch.
2265
2266              ptcp:[port][:host]
2267                     Listens for connections on the specified TCP port.  Spec‐
2268                     ify 0 for port to have the kernel automatically choose an
2269                     available port. If host, which can either be a  DNS  name
2270                     (if  built  with  unbound  library)  or an IP address, is
2271                     specified,  then  connections  are  restricted   to   the
2272                     resolved  or  specified  local IP address (either IPv4 or
2273                     IPv6 address). If host is an IPv6  address,  wrap  it  in
2274                     square  brackets,  e.g.  ptcp:6640:[::1].  If host is not
2275                     specified then it listens only on IPv4 addresses.
2276
2277                     If port is not specified, it defaults to 6640.
2278
2279              When multiple clients are configured, the target values must  be
2280              unique. Duplicate target values yield unspecified results.
2281
2282     Client Failure Detection and Handling:
2283
2284       max_backoff: optional integer, at least 1,000
2285              Maximum  number  of  milliseconds  to  wait  between  connection
2286              attempts. Default is implementation-specific.
2287
2288       inactivity_probe: optional integer
2289              Maximum number of milliseconds of idle time on connection to the
2290              client  before  sending  an  inactivity  probe  message. If Open
2291              vSwitch does not communicate with the client for  the  specified
2292              number  of  seconds,  it will send a probe. If a response is not
2293              received for the same additional amount of  time,  Open  vSwitch
2294              assumes  the  connection  has been broken and attempts to recon‐
2295              nect. Default is implementation-specific. A value of 0  disables
2296              inactivity probes.
2297
2298     Status:
2299
2300       The is_connected key-value pair is always updated. Other key-value pairs
2301       in the status columns may be updated depending on the target type.
2302
2303       When target specifies a connection method that listens for inbound con‐
2304       nections  (e.g.  ptcp:  or punix:), both n_connections and is_connected
2305       may also be updated while the remaining key-value pairs are omitted.
2306
2307       On the other hand, when target specifies an  outbound  connection,  all
2308       key-value  pairs  may  be  updated, except the above-mentioned two key-
2309       value pairs associated with inbound connection targets. They are  omit‐
2310       ted.
2311
2312       is_connected: boolean
2313              true if currently connected to this client, false otherwise.
2314
2315       status : last_error: optional string
2316              A human-readable description of the last error on the connection
2317              to the manager; i.e. strerror(errno). This key will  exist  only
2318              if an error has occurred.
2319
2320       status  :  state:  optional string, one of ACTIVE, BACKOFF, CONNECTING,
2321       IDLE, or VOID
2322              The state of the connection to the manager:
2323
2324              VOID   Connection is disabled.
2325
2326              BACKOFF
2327                     Attempting to reconnect at an increasing period.
2328
2329              CONNECTING
2330                     Attempting to connect.
2331
2332              ACTIVE Connected, remote host responsive.
2333
2334              IDLE   Connection is idle. Waiting for response to keep-alive.
2335
2336              These values may change in the future. They  are  provided  only
2337              for human consumption.
2338
2339       status  : sec_since_connect: optional string, containing an integer, at
2340       least 0
2341              The amount of time since this client last successfully connected
2342              to the database (in seconds). Value is empty if client has never
2343              successfully been connected.
2344
2345       status : sec_since_disconnect: optional string, containing an  integer,
2346       at least 0
2347              The  amount of time since this client last disconnected from the
2348              database (in seconds). Value is empty if client has  never  dis‐
2349              connected.
2350
2351       status : locks_held: optional string
2352              Space-separated  list  of the names of OVSDB locks that the con‐
2353              nection holds. Omitted if  the  connection  does  not  hold  any
2354              locks.
2355
2356       status : locks_waiting: optional string
2357              Space-separated  list  of the names of OVSDB locks that the con‐
2358              nection is currently waiting to acquire. Omitted if the  connec‐
2359              tion is not waiting for any locks.
2360
2361       status : locks_lost: optional string
2362              Space-separated  list  of the names of OVSDB locks that the con‐
2363              nection has had stolen by another OVSDB client.  Omitted  if  no
2364              locks have been stolen from this connection.
2365
2366       status  :  n_connections:  optional  string,  containing an integer, at
2367       least 2
2368              When target specifies  a  connection  method  that  listens  for
2369              inbound connections (e.g. ptcp: or pssl:) and more than one con‐
2370              nection is actually active, the value is the  number  of  active
2371              connections. Otherwise, this key-value pair is omitted.
2372
2373       status : bound_port: optional string, containing an integer
2374              When target is ptcp: or pssl:, this is the TCP port on which the
2375              OVSDB server is listening. (This  is  particularly  useful  when
2376              target  specifies a port of 0, allowing the kernel to choose any
2377              available port.)
2378
2379     Common Columns:
2380
2381       The overall purpose of these columns is described under Common  Columns
2382       at the beginning of this document.
2383
2384       external_ids: map of string-string pairs
2385
2386       other_config: map of string-string pairs
2387

DNS TABLE

2389       Each  row  in this table stores the DNS records. The Logical_Switch ta‐
2390       ble’s dns_records references these records.
2391
2392   Summary:
2393       records                       map of string-string pairs
2394       external_ids                  map of string-string pairs
2395
2396   Details:
2397       records: map of string-string pairs
2398              Key-value pair of DNS records with DNS query name as the key and
2399              value as a string of IP address(es) separated by comma or space.
2400
2401              Example:  "vm1.ovn.org" = "10.0.0.4 aef0::4"
2402
2403       external_ids: map of string-string pairs
2404              See External IDs at the beginning of this document.
2405

SSL TABLE

2407       SSL configuration for ovn-nb database access.
2408
2409   Summary:
2410       private_key                   string
2411       certificate                   string
2412       ca_cert                       string
2413       bootstrap_ca_cert             boolean
2414       ssl_protocols                 string
2415       ssl_ciphers                   string
2416       Common Columns:
2417         external_ids                map of string-string pairs
2418
2419   Details:
2420       private_key: string
2421              Name  of  a  PEM  file  containing  the  private key used as the
2422              switch’s identity for SSL connections to the controller.
2423
2424       certificate: string
2425              Name of a PEM file containing a certificate, signed by the  cer‐
2426              tificate authority (CA) used by the controller and manager, that
2427              certifies the switch’s private key,  identifying  a  trustworthy
2428              switch.
2429
2430       ca_cert: string
2431              Name  of a PEM file containing the CA certificate used to verify
2432              that the switch is connected to a trustworthy controller.
2433
2434       bootstrap_ca_cert: boolean
2435              If set to true, then Open vSwitch will attempt to obtain the  CA
2436              certificate  from the controller on its first SSL connection and
2437              save it to the named PEM file. If  it  is  successful,  it  will
2438              immediately  drop the connection and reconnect, and from then on
2439              all SSL connections  must  be  authenticated  by  a  certificate
2440              signed  by the CA certificate thus obtained. This option exposes
2441              the SSL connection to a man-in-the-middle attack  obtaining  the
2442              initial  CA  certificate.  It may still be useful for bootstrap‐
2443              ping.
2444
2445       ssl_protocols: string
2446              List of SSL protocols to be enabled  for  SSL  connections.  The
2447              default when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.
2448
2449       ssl_ciphers: string
2450              List  of  ciphers  (in  OpenSSL cipher string format) to be sup‐
2451              ported for SSL connections. The  default  when  this  option  is
2452              omitted is HIGH:!aNULL:!MD5.
2453
2454     Common Columns:
2455
2456       The  overall purpose of these columns is described under Common Columns
2457       at the beginning of this document.
2458
2459       external_ids: map of string-string pairs
2460
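       A configuration review over the Connection table's target column and
       the SSL table row described above, as an added example (not part of the
       original manual or of Open vSwitch). It parses only the four target
       forms listed under Core Features; parse_target, audit, the finding
       codes and the sample values are constructed, and treating an empty
       ssl_protocols string as "omitted" is an assumption.

```python
DEFAULT_PORT = 6640                         # default when port is not specified
DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"  # default when ssl_protocols is omitted
DEPRECATED = {"TLSv1", "TLSv1.1"}           # TLS 1.0 and 1.1, deprecated by RFC 8996

FINDINGS = {
    "plaintext": "tcp:/ptcp: target carries OVSDB traffic without SSL",
    "no-ssl-row": "ssl:/pssl: target but no SSL row; the SSL configuration "
                  "must then come from command-line options",
    "no-host-restriction": "listener without host is not restricted to one "
                           "local address",
    "bootstrap-ca-cert": "CA certificate is fetched on the first connection, "
                         "which is exposed to a man-in-the-middle",
    "deprecated-protocol": "protocol version is enabled for SSL connections",
}


def parse_target(target):
    """Parse ssl:host[:port], tcp:host[:port], pssl:[port][:host], ptcp:[port][:host]."""
    method, sep, rest = target.partition(":")
    if method not in ("ssl", "tcp", "pssl", "ptcp") or not sep:
        raise ValueError(f"not one of the four documented forms: {target!r}")
    passive = method in ("pssl", "ptcp")
    if passive:                              # port comes first, host is optional
        port, _, host = rest.partition(":")
    elif rest.startswith("["):               # active form with bracketed IPv6 host
        host, _, port = rest[1:].partition("]")
        port = port[1:] if port.startswith(":") else port
    else:                                    # active form: host[:port]
        host, _, port = rest.partition(":")
    host = host.strip("[]") or None
    if not passive and host is None:
        raise ValueError(f"active target needs a host: {target!r}")
    if port and not (port.isascii() and port.isdigit()):
        raise ValueError(f"bad port in {target!r}")
    port_no = int(port) if port else DEFAULT_PORT
    if port_no > 65535:
        raise ValueError(f"bad port in {target!r}")
    return {"method": method, "host": host, "port": port_no,
            "passive": passive, "tls": method in ("ssl", "pssl")}


def audit(targets, ssl_row=None):
    """Return (subject, finding-code) tuples for Connection targets and one SSL row."""
    findings = []
    for target in targets:
        parsed = parse_target(target)
        if not parsed["tls"]:
            findings.append((target, "plaintext"))
        elif ssl_row is None:
            findings.append((target, "no-ssl-row"))
        if parsed["passive"] and parsed["host"] is None:
            findings.append((target, "no-host-restriction"))
    if ssl_row is not None:
        if ssl_row.get("bootstrap_ca_cert"):
            findings.append(("SSL", "bootstrap-ca-cert"))
        protocols = ssl_row.get("ssl_protocols") or DEFAULT_PROTOCOLS
        enabled = {p.strip() for p in protocols.split(",")}
        for name in sorted(enabled & DEPRECATED):
            findings.append(("SSL", f"deprecated-protocol:{name}"))
    return findings


# Constructed sample configuration (placeholder paths, documentation addresses).
SAMPLE_TARGETS = ["ptcp:6641", "pssl:6641:192.0.2.10",
                  "tcp:[::1]:6640", "ssl:nb.example.net"]
SAMPLE_SSL_ROW = {"private_key": "/path/to/privkey.pem",
                  "certificate": "/path/to/cert.pem",
                  "ca_cert": "/path/to/cacert.pem",
                  "bootstrap_ca_cert": True,
                  "ssl_protocols": ""}

if __name__ == "__main__":
    for subject, code in audit(SAMPLE_TARGETS, SAMPLE_SSL_ROW):
        print(f"{subject}: {code}: {FINDINGS[code.split(':')[0]]}")
```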

Gateway_Chassis TABLE

2462       Association of one or more chassis to a logical router port. The
2463       traffic going out through a specific router port will be redirected to a
2464       chassis, or a set of them in high availability configurations. A single
2465       Gateway_Chassis  is  equivalent  to  setting  options:redirect-chassis.
2466       Using Gateway_Chassis allows associating multiple  prioritized  chassis
2467       with a single logical router port.
2468
2469   Summary:
2470       name                          string (must be unique within table)
2471       chassis_name                  string
2472       priority                      integer, in range 0 to 32,767
2473       options                       map of string-string pairs
2474       Common Columns:
2475         external_ids                map of string-string pairs
2476
2477   Details:
2478       name: string (must be unique within table)
2479              Name of the Gateway_Chassis.
2480
2481              A   suggested,   but   not   required   naming   convention   is
2482              ${port_name}_${chassis_name}.
2483
2484       chassis_name: string
2485              Name of the chassis that we want to redirect traffic through for
2486              the  associated  logical  router  port. The value must match the
2487              name column of the Chassis table in the OVN_Southbound database.
2488
2489       priority: integer, in range 0 to 32,767
2490              This is the priority of  a  chassis  among  all  Gateway_Chassis
2491              belonging to the same logical router port.
2492
2493       options: map of string-string pairs
2494              Reserved for future use.
2495
2496     Common Columns:
2497
2498       external_ids: map of string-string pairs
2499              See External IDs at the beginning of this document.
2500

HA_Chassis_Group TABLE

2502       Table representing a group of chassis which can provide High availabil‐
2503       ity services. Each chassis in the group is  represented  by  the  table
2504       HA_Chassis.  The HA chassis with highest priority will be the master of
2505       this group. If the master chassis failover is detected, the HA  chassis
2506       with  the next higher priority takes over the responsibility of provid‐
2507       ing the HA. If a distributed gateway router port references  a  row  in
2508       this table, then the master HA chassis in this group provides the gate‐
2509       way functionality.
2510
2511   Summary:
2512       name                          string (must be unique within table)
2513       ha_chassis                    set of HA_Chassiss
2514       Common Columns:
2515         external_ids                map of string-string pairs
2516
2517   Details:
2518       name: string (must be unique within table)
2519              Name of the HA_Chassis_Group. Name should be unique.
2520
2521       ha_chassis: set of HA_Chassiss
2522              A list of HA chassis which belong to this group.
2523
2524     Common Columns:
2525
2526       external_ids: map of string-string pairs
2527              See External IDs at the beginning of this document.
2528

HA_Chassis TABLE

2530   Summary:
2531       chassis_name                  string
2532       priority                      integer, in range 0 to 32,767
2533       Common Columns:
2534         external_ids                map of string-string pairs
2535
2536   Details:
2537       chassis_name: string
2538              Name of the chassis which is part of the HA chassis  group.  The
2539              value  must  match  the  name column of the Chassis table in the
2540              OVN_Southbound database.
2541
2542       priority: integer, in range 0 to 32,767
2543              Priority of the chassis. Chassis with highest priority  will  be
2544              the master.
2545
2546     Common Columns:
2547
2548       external_ids: map of string-string pairs
2549              See External IDs at the beginning of this document.
2550
2551
2552
2553Open vSwitch 2.12.0             DB Schema 5.16.0                     ovn-nb(5)