ovn-nb(5)                     Open vSwitch Manual                     ovn-nb(5)

NAME
       ovn-nb - OVN_Northbound database schema

       This database is the interface between OVN and the cloud management
       system (CMS), such as OpenStack, running above it. The CMS produces
       almost all of the contents of the database. The ovn-northd program
       monitors the database contents, transforms them, and stores them into
       the OVN_Southbound database.

       We generally speak of "the" CMS, but one can imagine scenarios in which
       multiple CMSes manage different parts of an OVN deployment.

   External IDs
       Each of the tables in this database contains a special column, named
       external_ids. This column has the same form and purpose each place it
       appears.

       external_ids: map of string-string pairs
              Key-value pairs for use by the CMS. The CMS might use certain
              pairs, for example, to identify entities in its own
              configuration that correspond to those in this database.

TABLE SUMMARY
       The following list summarizes the purpose of each of the tables in the
       OVN_Northbound database. Each table is described in more detail on a
       later page.

       Table                        Purpose
       NB_Global                    Northbound configuration
       Logical_Switch               L2 logical switch
       Logical_Switch_Port          L2 logical switch port
       Address_Set                  Address Sets
       Port_Group                   Port Groups
       Load_Balancer                load balancer
       ACL                          Access Control List (ACL) rule
       Logical_Router               L3 logical router
       QoS                          QoS rule
       Meter                        Meter entry
       Meter_Band                   Band for meter entries
       Logical_Router_Port          L3 logical router port
       Logical_Router_Static_Route  Logical router static routes
       NAT                          NAT rules
       DHCP_Options                 DHCP options
       Connection                   OVSDB client connections.
       DNS                          Native DNS resolution
       SSL                          SSL configuration.
       Gateway_Chassis              Gateway_Chassis configuration.

NB_Global TABLE
       Northbound configuration for an OVN system. This table must have
       exactly one row.

   Summary:
       Status:
         nb_cfg                      integer
         sb_cfg                      integer
         hv_cfg                      integer
       Common Columns:
         external_ids                map of string-string pairs
       Connection Options:
         connections                 set of Connections
         ssl                         optional SSL

   Details:
     Status:

       These columns allow a client to track the overall configuration state
       of the system.

       nb_cfg: integer
              Sequence number for the client to increment. When a client
              modifies any part of the northbound database configuration and
              wishes to wait for ovn-northd and possibly all of the
              hypervisors to finish applying the changes, it may increment
              this sequence number.

       sb_cfg: integer
              Sequence number that ovn-northd sets to the value of nb_cfg
              after it finishes applying the corresponding configuration
              changes to the OVN_Southbound database.

       hv_cfg: integer
              Sequence number that ovn-northd sets to the smallest sequence
              number of all the chassis in the system, as reported in the
              Chassis table in the southbound database. Thus, hv_cfg equals
              nb_cfg if all chassis are caught up with the northbound
              configuration (which may never happen, if any chassis is down).
              This value can regress if a chassis was removed from the system
              and rejoins before catching up.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

     Connection Options:

       connections: set of Connections
              Database clients to which the Open vSwitch database server
              should connect or on which it should listen, along with options
              for how these connections should be configured. See the
              Connection table for more information.

       ssl: optional SSL
              Global SSL configuration.

Logical_Switch TABLE
       Each row represents one L2 logical switch.

       There are two kinds of logical switches: ones that fully virtualize the
       network (overlay logical switches) and ones that provide simple
       connectivity to a physical network (bridged logical switches). They
       work in the same way when providing connectivity between logical ports
       on the same chassis, but differently when connecting remote logical
       ports. Overlay logical switches connect remote logical ports by
       tunnels, while bridged logical switches provide connectivity to remote
       ports by bridging the packets to a directly connected physical L2
       segment with the help of localnet ports. Each bridged logical switch
       has one and only one localnet port, which has only one special address,
       unknown.

   Summary:
       ports                         set of Logical_Switch_Ports
       load_balancer                 set of Load_Balancers
       acls                          set of ACLs
       qos_rules                     set of QoSs
       dns_records                   set of weak reference to DNSs
       Naming:
         name                        string
         external_ids : neutron:network_name
                                     optional string
       IP Address Assignment:
         other_config : subnet       optional string
         other_config : exclude_ips  optional string
         other_config : ipv6_prefix  optional string
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       ports: set of Logical_Switch_Ports
              The logical ports connected to the logical switch.

              It is an error for multiple logical switches to include the same
              logical port.

       load_balancer: set of Load_Balancers
              Load balance a virtual IP address to a set of logical port
              endpoint IP addresses.

       acls: set of ACLs
              Access control rules that apply to packets within the logical
              switch.

       qos_rules: set of QoSs
              QoS marking and metering rules that apply to packets within the
              logical switch.

       dns_records: set of weak reference to DNSs
              This column defines the DNS records to be used for resolving
              internal DNS queries within the logical switch by the native DNS
              resolver. Please see the DNS table.

     Naming:

       These columns provide names for the logical switch. From OVN's
       perspective, these names have no special meaning or purpose other than
       to provide convenience for human interaction with the database. There
       is no requirement for the name to be unique. (For a unique identifier
       for a logical switch, use its row UUID.)

       (Originally, name was intended to serve the purpose of a human-friendly
       name, but the Neutron integration used it to uniquely identify its own
       switch object, in the format neutron-uuid. Later on, Neutron started
       propagating the friendly name of a switch as
       external_ids:neutron:network_name. Perhaps this can be cleaned up
       someday.)

       name: string
              A name for the logical switch.

       external_ids : neutron:network_name: optional string
              Another name for the logical switch.

     IP Address Assignment:

       These options control automatic IP address management (IPAM) for ports
       attached to the logical switch. To enable IPAM for IPv4, set
       other_config:subnet and optionally other_config:exclude_ips. To enable
       IPAM for IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be
       enabled together or separately.

       To request dynamic address assignment for a particular port, use the
       dynamic keyword in the addresses column of the port's
       Logical_Switch_Port row. This requests both an IPv4 and an IPv6
       address, if IPAM for IPv4 and IPv6 are both enabled.

       other_config : subnet: optional string
              Set this to an IPv4 subnet, e.g. 192.168.0.0/24, to enable
              ovn-northd to automatically assign IP addresses within that
              subnet.

       other_config : exclude_ips: optional string
              To exclude some addresses from automatic IP address management,
              set this to a list of the IPv4 addresses or ..-delimited ranges
              to exclude. The addresses or ranges should be a subset of those
              in other_config:subnet.

              Whether listed or not, ovn-northd will never allocate the first
              or last address in a subnet, such as 192.168.0.0 or
              192.168.0.255 in 192.168.0.0/24.

              Examples:

              · 192.168.0.2 192.168.0.10

              · 192.168.0.4 192.168.0.30..192.168.0.60
                192.168.0.110..192.168.0.120

              · 192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30
                192.168.0.144

       other_config : ipv6_prefix: optional string
              Set this to an IPv6 prefix to enable ovn-northd to automatically
              assign IPv6 addresses using this prefix. The assigned IPv6
              address will be generated using the IPv6 prefix and the MAC
              address (converted to an IEEE EUI64 identifier) of the port. The
              IPv6 prefix defined here should be a valid IPv6 address ending
              with ::.

              Examples:

              · aef0::

              · bef0:1234:a890:5678::

              · 8230:5678::

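       The IPAM rules above, worked through in an added Python example that
       is not part of this manual or of ovn-northd: it parses
       other_config:subnet, other_config:exclude_ips and
       other_config:ipv6_prefix and computes what a port with an addresses
       entry of the form "<mac> dynamic" would receive in dynamic_addresses.
       The MAC, exclusion list and in-use addresses are constructed inputs,
       and a 64-bit IPv6 prefix is assumed, as in the examples in this
       section.

```python
# Added example (not ovn-northd's code): a model of the Logical_Switch IPAM
# rules.  It parses other_config:subnet, other_config:exclude_ips and
# other_config:ipv6_prefix and computes what would land in a port's
# dynamic_addresses column for an addresses entry of the form "<mac> dynamic".
import ipaddress
from typing import Dict, Iterable, Optional, Set


def parse_exclude_ips(spec: str) -> Set[ipaddress.IPv4Address]:
    """Parse other_config:exclude_ips: whitespace-separated IPv4 addresses or
    inclusive 'low..high' ranges, e.g. '192.168.0.4 192.168.0.30..192.168.0.60'."""
    excluded: Set[ipaddress.IPv4Address] = set()
    for token in spec.split():
        if ".." in token:
            low, high = (ipaddress.IPv4Address(p) for p in token.split("..", 1))
            if high < low:
                raise ValueError(f"reversed range: {token}")
            excluded.update(ipaddress.IPv4Address(n)
                            for n in range(int(low), int(high) + 1))
        else:
            excluded.add(ipaddress.IPv4Address(token))
    return excluded


def allocate_ipv4(subnet_spec: str, exclude_spec: Optional[str],
                  in_use: Iterable[str]) -> Optional[str]:
    """Return the lowest free address in other_config:subnet, or None when the
    subnet is exhausted.  The first (network) and last (broadcast) addresses
    are never handed out, whether or not exclude_ips lists them."""
    net = ipaddress.IPv4Network(subnet_spec, strict=True)
    excluded = parse_exclude_ips(exclude_spec) if exclude_spec else set()
    outside = sorted(str(a) for a in excluded if a not in net)
    if outside:  # the manual requires exclusions to be a subset of the subnet
        raise ValueError(f"exclude_ips not inside {net}: {outside}")
    taken = excluded | {ipaddress.IPv4Address(a) for a in in_use}
    # Start one past the network address and stop before the broadcast address.
    for n in range(int(net.network_address) + 1, int(net.broadcast_address)):
        candidate = ipaddress.IPv4Address(n)
        if candidate not in taken:
            return str(candidate)
    return None


def eui64_ipv6(prefix_spec: str, mac: str) -> str:
    """Derive the port's IPv6 address from other_config:ipv6_prefix and its MAC
    with the modified EUI-64 construction (insert ff:fe in the middle of the
    MAC, flip the universal/local bit).  Assumes a 64-bit prefix, as in the
    manual's examples."""
    if not prefix_spec.endswith("::"):
        raise ValueError("ipv6_prefix must be a valid IPv6 address ending with ::")
    prefix = int(ipaddress.IPv6Address(prefix_spec))
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError(f"not an Ethernet address: {mac}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return str(ipaddress.IPv6Address(prefix | int.from_bytes(iid, "big")))


def dynamic_addresses(other_config: Dict[str, str], mac: str,
                      in_use: Iterable[str]) -> str:
    """Compute the dynamic_addresses value for a port whose addresses column
    holds "<mac> dynamic": the MAC, then an IPv4 address if subnet IPAM is
    enabled, then an IPv6 address if ipv6_prefix is set."""
    parts = [mac.lower()]
    if "subnet" in other_config:
        ip4 = allocate_ipv4(other_config["subnet"],
                            other_config.get("exclude_ips"), in_use)
        if ip4 is None:
            raise RuntimeError(f"no free address left in {other_config['subnet']}")
        parts.append(ip4)
    if "ipv6_prefix" in other_config:
        parts.append(eui64_ipv6(other_config["ipv6_prefix"], mac))
    return " ".join(parts)
```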
     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Logical_Switch_Port TABLE
       A port within an L2 logical switch.

   Summary:
       Core Features:
         name                        string (must be unique within table)
         type                        string
       Options:
         options                     map of string-string pairs
         Options for router ports:
           options : router-port     optional string
           options : nat-addresses   optional string
         Options for localnet ports:
           options : network_name    optional string
         Options for l2gateway ports:
           options : network_name    optional string
           options : l2gateway-chassis
                                     optional string
         Options for vtep ports:
           options : vtep-physical-switch
                                     optional string
           options : vtep-logical-switch
                                     optional string
         VMI (or VIF) Options:
           options : requested-chassis
                                     optional string
           options : qos_max_rate    optional string
           options : qos_burst       optional string
       Containers:
         parent_name                 optional string
         tag_request                 optional integer, in range 0 to 4,095
         tag                         optional integer, in range 1 to 4,095
       Port State:
         up                          optional boolean
         enabled                     optional boolean
       Addressing:
         addresses                   set of strings
         dynamic_addresses           optional string
         port_security               set of strings
       DHCP:
         dhcpv4_options              optional weak reference to DHCP_Options
         dhcpv6_options              optional weak reference to DHCP_Options
       Naming:
         external_ids : neutron:port_name
                                     optional string
       Common Columns:
         external_ids                map of string-string pairs

   Details:
     Core Features:

       name: string (must be unique within table)
              The logical port name.

              For entities (VMs or containers) that are spawned in the
              hypervisor, the name used here must match those used in the
              external_ids:iface-id in the Open_vSwitch database's Interface
              table, because hypervisors use external_ids:iface-id as a lookup
              key to identify the network interface of that entity.

              For containers that share a VIF within a VM, the name can be any
              unique identifier. See Containers, below, for more information.

       type: string
              Specify a type for this logical port. Logical ports can be used
              to model other types of connectivity into an OVN logical switch.
              The following types are defined:

              (empty string)
                     A VM (or VIF) interface.

              router A connection to a logical router.

              localnet
                     A connection to a locally accessible network from each
                     ovn-controller instance. A logical switch can only have a
                     single localnet port attached. This is used to model
                     direct connectivity to an existing network.

              localport
                     A connection to a local VIF. Traffic that arrives on a
                     localport is never forwarded over a tunnel to another
                     chassis. These ports are present on every chassis and
                     have the same address in all of them. This is used to
                     model connectivity to local services that run on every
                     hypervisor.

              l2gateway
                     A connection to a physical network.

              vtep   A port to a logical switch on a VTEP gateway.

     Options:

       options: map of string-string pairs
              This column provides key/value settings specific to the logical
              port type. The type-specific options are described individually
              below.

     Options for router ports:

       These options apply when type is router.

       options : router-port: optional string
              Required. The name of the Logical_Router_Port to which this
              logical switch port is connected.

       options : nat-addresses: optional string
              This is used to send gratuitous ARPs for SNAT and DNAT IP
              addresses via the localnet port that is attached to the same
              logical switch as this router-type port. This option is
              specified on a logical switch port that is connected to a
              gateway router, or a logical switch port that is connected to a
              distributed gateway port on a logical router.

              This must take one of the following forms:

              router Gratuitous ARPs will be sent for all SNAT and DNAT
                     external IP addresses and for all load balancer IP
                     addresses defined on the options:router-port's logical
                     router, using the options:router-port's MAC address.

                     This form of options:nat-addresses is valid for logical
                     switch ports where options:router-port is the name of a
                     port on a gateway router, or the name of a distributed
                     gateway port.

                     Supported only in OVN 2.8 and later. Earlier versions
                     required NAT addresses to be manually synchronized.

              Ethernet address followed by one or more IPv4 addresses
                     Example: 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24.
                     This would result in generation of gratuitous ARPs for IP
                     addresses 158.36.44.22 and 158.36.44.24 with a MAC
                     address of 80:fa:5b:06:72:b7.

                     This form of options:nat-addresses is only valid for
                     logical switch ports where options:router-port is the
                     name of a port on a gateway router.

     Options for localnet ports:

       These options apply when type is localnet.

       options : network_name: optional string
              Required. The name of the network to which the localnet port is
              connected. Each hypervisor, via ovn-controller, uses its local
              configuration to determine exactly how to connect to this
              locally accessible network.

     Options for l2gateway ports:

       These options apply when type is l2gateway.

       options : network_name: optional string
              Required. The name of the network to which the l2gateway port is
              connected. The L2 gateway, via ovn-controller, uses its local
              configuration to determine exactly how to connect to this
              network.

       options : l2gateway-chassis: optional string
              Required. The chassis to which the l2gateway logical port should
              be bound. ovn-controller running on the defined chassis will
              connect this logical port to the physical network.

     Options for vtep ports:

       These options apply when type is vtep.

       options : vtep-physical-switch: optional string
              Required. The name of the VTEP gateway.

       options : vtep-logical-switch: optional string
              Required. A logical switch name connected by the VTEP gateway.

     VMI (or VIF) Options:

       These options apply to logical ports whose type is (empty string).

       options : requested-chassis: optional string
              If set, identifies a specific chassis (by name or hostname) that
              is allowed to bind this port. Using this option will prevent
              thrashing between two chassis trying to bind the same port
              during a live migration. It can also prevent similar thrashing
              due to a misconfiguration, if a port is accidentally created on
              more than one chassis.

       options : qos_max_rate: optional string
              If set, indicates the maximum rate for data sent from this
              interface, in bit/s. The traffic will be shaped according to
              this limit.

       options : qos_burst: optional string
              If set, indicates the maximum burst size for data sent from this
              interface, in bits.

     Containers:

       When a large number of containers are nested within a VM, it may be too
       expensive to dedicate a VIF to each container. OVN can use VLAN tags to
       support such cases. Each container is assigned a VLAN ID and each
       packet that passes between the hypervisor and the VM is tagged with the
       appropriate ID for the container. Such VLAN IDs never appear on a
       physical wire, even inside a tunnel, so they need not be unique except
       relative to a single VM on a hypervisor.

       These columns are used for VIFs that represent nested containers using
       shared VIFs. For VMs and for containers that have dedicated VIFs, they
       are empty.

       parent_name: optional string
              The VM interface through which the nested container sends its
              network traffic. This must match the name column for some other
              Logical_Switch_Port.

       tag_request: optional integer, in range 0 to 4,095
              The VLAN tag in the network traffic associated with a
              container's network interface. The client can request ovn-northd
              to allocate a tag that is unique within the scope of a specific
              parent (specified in parent_name) by setting a value of 0 in
              this column. The allocated value is written by ovn-northd in the
              tag column. (Note that these tags are allocated and managed
              locally in ovn-northd, so they cannot be reconstructed in the
              event that the database is lost.) The client can also request a
              specific non-zero tag and ovn-northd will honor it and copy that
              value to the tag column.

              When type is set to localnet or l2gateway, this can be set to
              indicate that the port represents a connection to a specific
              VLAN on a locally accessible network. The VLAN ID is used to
              match incoming traffic and is also added to outgoing traffic.

       tag: optional integer, in range 1 to 4,095
              The VLAN tag allocated by ovn-northd based on the contents of
              the tag_request column.

     Port State:

       up: optional boolean
              This column is populated by ovn-northd, rather than by the CMS
              plugin as is most of this database. When a logical port is bound
              to a physical location in the OVN Southbound database Binding
              table, ovn-northd sets this column to true; otherwise, or if the
              port becomes unbound later, it sets it to false. This allows the
              CMS to wait for a VM's (or container's) networking to become
              active before it allows the VM (or container) to start.

              Logical ports of router type are an exception to this rule. They
              are considered to be always up, that is, this column is always
              set to true.

       enabled: optional boolean
              This column is used to administratively set port state. If this
              column is empty or is set to true, the port is enabled. If this
              column is set to false, the port is disabled. A disabled port
              has all ingress and egress traffic dropped.

     Addressing:

       addresses: set of strings
              Addresses owned by the logical port.

              Each element in the set must take one of the following forms:

              Ethernet address followed by zero or more IPv4 or IPv6 addresses
              (or both)
                     The Ethernet address defined is owned by the logical
                     port. Like a physical Ethernet NIC, a logical port
                     ordinarily has a single fixed Ethernet address.

                     When an OVN logical switch processes a unicast Ethernet
                     frame whose destination MAC address is in a logical
                     port's addresses column, it delivers it only to that
                     port, as if a MAC learning process had learned that MAC
                     address on the port.

                     If IPv4 or IPv6 address(es) (or both) are defined, it
                     indicates that the logical port owns the given IP
                     addresses.

                     If IPv4 address(es) are defined, the OVN logical switch
                     uses this information to synthesize responses to ARP
                     requests without traversing the physical network. The OVN
                     logical router connected to the logical switch, if any,
                     uses this information to avoid issuing ARP requests for
                     logical switch ports.

                     Note that the order here is important. The Ethernet
                     address must be listed before the IP address(es) if
                     defined.

                     Examples:

                     80:fa:5b:06:72:b7
                            This indicates that the logical port owns the
                            above MAC address.

                     80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
                            This indicates that the logical port owns the MAC
                            address and two IPv4 addresses.

                     80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
                            This indicates that the logical port owns the MAC
                            address and one IPv6 address.

                     80:fa:5b:06:72:b7 10.0.0.4 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
                            This indicates that the logical port owns the MAC
                            address, one IPv4 address and one IPv6 address.

              unknown
                     This indicates that the logical port has an unknown set
                     of Ethernet addresses. When an OVN logical switch
                     processes a unicast Ethernet frame whose destination MAC
                     address is not in any logical port's addresses column, it
                     delivers it to the port (or ports) whose addresses
                     columns include unknown.

              dynamic
                     Use this keyword to make ovn-northd generate a globally
                     unique MAC address and choose an unused IPv4 address
                     within the logical port's subnet and store them in the
                     port's dynamic_addresses column. ovn-northd will use the
                     subnet specified in other_config:subnet in the port's
                     Logical_Switch.

              Ethernet address followed by keyword "dynamic"
                     The keyword dynamic after the MAC address indicates that
                     ovn-northd should choose an unused IPv4 address from the
                     logical port's subnet and store it with the specified MAC
                     in the port's dynamic_addresses column. ovn-northd will
                     use the subnet specified in other_config:subnet in the
                     port's Logical_Switch table.

                     Examples:

                     80:fa:5b:06:72:b7 dynamic
                            This indicates that the logical port owns the
                            specified MAC address and ovn-northd should
                            allocate an unused IPv4 address for the logical
                            port from the corresponding logical switch subnet.

              router Accepted only when type is router. This indicates that
                     the Ethernet, IPv4, and IPv6 addresses for this logical
                     switch port should be obtained from the connected logical
                     router port, as specified by router-port in options.

                     The resulting addresses are used to populate the logical
                     switch's destination lookup, and also for the logical
                     switch to generate ARP and ND replies.

                     If the connected logical router port has a
                     redirect-chassis specified and the logical router has
                     rules specified in nat with external_mac, then those
                     addresses are also used to populate the switch's
                     destination lookup.

                     Supported only in OVN 2.7 and later. Earlier versions
                     required router addresses to be manually synchronized.

       dynamic_addresses: optional string
              Addresses assigned to the logical port by ovn-northd, if dynamic
              is specified in addresses. Addresses will be of the same format
              as those that populate the addresses column. Note that
              dynamically assigned addresses are constructed and managed
              locally in ovn-northd, so they cannot be reconstructed in the
              event that the database is lost.

623
624 port_security: set of strings
625 This column controls the addresses from which the host attached
626 to the logical port (``the host’’) is allowed to send packets
627 and to which it is allowed to receive packets. If this column is
628 empty, all addresses are permitted.
629
630 Each element in the set must begin with one Ethernet address.
631 This would restrict the host to sending packets from and receiv‐
632 ing packets to the ethernet addresses defined in the logical
633 port’s port_security column. It also restricts the inner source
634 MAC addresses that the host may send in ARP and IPv6 Neighbor
635 Discovery packets. The host is always allowed to receive packets
636 to multicast and broadcast Ethernet addresses.
637
638 Each element in the set may additionally contain one or more
639 IPv4 or IPv6 addresses (or both), with optional masks. If a mask
640 is given, it must be a CIDR mask. In addition to the restric‐
641 tions described for Ethernet addresses above, such an element
642 restricts the IPv4 or IPv6 addresses from which the host may
643 send and to which it may receive packets to the specified
644 addresses. A masked address, if the host part is zero, indicates
645 that the host is allowed to use any address in the subnet; if
646 the host part is nonzero, the mask simply indicates the size of
647 the subnet. In addition:
648
649 · If any IPv4 address is given, the host is also allowed to
650 receive packets to the IPv4 local broadcast address
651 255.255.255.255 and to IPv4 multicast addresses
652 (224.0.0.0/4). If an IPv4 address with a mask is given,
653 the host is also allowed to receive packets to the broad‐
654 cast address in that specified subnet.
655
656 If any IPv4 address is given, the host is additionally
657 restricted to sending ARP packets with the specified
658 source IPv4 address. (RARP is not restricted.)
659
660 · If any IPv6 address is given, the host is also allowed to
661 receive packets to IPv6 multicast addresses (ff00::/8).
662
663 If any IPv6 address is given, the host is additionally
664 restricted to sending IPv6 Neighbor Discovery Solicita‐
665 tion or Advertisement packets with the specified source
666 address or, for solicitations, the unspecified address.
667
668 If an element includes an IPv4 address, but no IPv6 addresses,
669 then IPv6 traffic is not allowed. If an element includes an IPv6
670 address, but no IPv4 address, then IPv4 and ARP traffic is not
671 allowed.
672
673 This column uses the same lexical syntax as the match column in
674 the OVN Southbound database’s Pipeline table. Multiple addresses
675 within an element may be space or comma separated.
676
677 This column is provided as a convenience to cloud management
678 systems, but all of the features that it implements can be
679 implemented as ACLs using the ACL table.
680
681 Examples:
682
683 80:fa:5b:06:72:b7
684 The host may send traffic from and receive traffic to the
685 specified MAC address, and to receive traffic to Ethernet
686 multicast and broadcast addresses, but not otherwise. The
687 host may not send ARP or IPv6 Neighbor Discovery packets
688 with inner source Ethernet addresses other than the one
689 specified.
690
691 80:fa:5b:06:72:b7 192.168.1.10/24
692 This adds further restrictions to the first example. The
693 host may send IPv4 packets from or receive IPv4 packets
694 to only 192.168.1.10, except that it may also receive
695 IPv4 packets to 192.168.1.255 (based on the subnet mask),
696 255.255.255.255, and any address in 224.0.0.0/4. The host
697 may not send ARPs with a source Ethernet address other
698 than 80:fa:5b:06:72:b7 or source IPv4 address other than
699 192.168.1.10. The host may not send or receive any IPv6
700 (including IPv6 Neighbor Discovery) traffic.
701
702 "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
703 The host may send traffic from and receive traffic to the
704 specified MAC addresses, and to receive traffic to Ether‐
705 net multicast and broadcast addresses, but not otherwise.
706 With MAC 80:fa:5b:12:42:ba, the host may send traffic
707 from and receive traffic to any L3 address. With MAC
708 80:fa:5b:06:72:b7, the host may send IPv4 packets from or
709 receive IPv4 packets to only 192.168.1.10, except that it
710 may also receive IPv4 packets to 192.168.1.255 (based on
711 the subnet mask), 255.255.255.255, and any address in
712 224.0.0.0/4. The host may not send or receive any IPv6
713 (including IPv6 Neighbor Discovery) traffic.
714
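       The port_security rules above, modelled in an added Python example
       that is not OVN's implementation: given the column's elements, it
       decides whether the host may send or receive a given frame, which lets
       an operator check what a policy actually permits before applying it.
       The element strings and the frames tested are constructed from the
       examples in this section; the unspecified-address exception for ND
       solicitations is not modelled.

```python
# Added example (not OVN's implementation): a model of the port_security
# semantics.  Given the column's elements, may_send/may_receive answer whether
# a frame with the given source or destination MAC and L3 address would pass.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")
IPV4_BCAST = ipaddress.IPv4Address("255.255.255.255")
IPV4_MCAST = ipaddress.IPv4Network("224.0.0.0/4")
IPV6_MCAST = ipaddress.IPv6Network("ff00::/8")


@dataclass
class PortSecurityElement:
    mac: str
    ip4: List[ipaddress.IPv4Interface]
    ip6: List[ipaddress.IPv6Interface]

    def has_l3(self) -> bool:
        return bool(self.ip4 or self.ip6)


def parse_element(text: str) -> PortSecurityElement:
    """One element: an Ethernet address, then zero or more IPv4/IPv6 addresses
    with optional CIDR masks, space or comma separated."""
    tokens = text.replace(",", " ").split()
    if not tokens or not MAC_RE.match(tokens[0]):
        raise ValueError(f"element must begin with an Ethernet address: {text!r}")
    element = PortSecurityElement(tokens[0].lower(), [], [])
    for tok in tokens[1:]:
        if "/" in tok and not tok.rsplit("/", 1)[1].isdigit():
            raise ValueError(f"mask must be a CIDR prefix length: {tok}")
        iface = ipaddress.ip_interface(tok)
        (element.ip4 if iface.version == 4 else element.ip6).append(iface)
    return element


def _l3_match(ifaces, ip) -> bool:
    # Zero host part: any address in the subnet.  Otherwise only that address.
    for iface in ifaces:
        if ip == iface.ip:
            return True
        if iface.ip == iface.network.network_address and ip in iface.network:
            return True
    return False


def _is_eth_group(mac: str) -> bool:
    # Group bit of the first octet: multicast, which includes broadcast.
    return int(mac.split(":")[0], 16) & 1 == 1


def may_send(elements: List[PortSecurityElement], src_mac: str,
             src_ip: Optional[str] = None, inner_mac: Optional[str] = None) -> bool:
    """src_ip is the IP source, the ARP sender IP or the ND source address;
    inner_mac is the hardware address carried inside ARP/ND, which must also
    match the element's MAC."""
    if not elements:
        return True  # empty column: all addresses permitted
    for e in elements:
        if e.mac != src_mac.lower():
            continue
        if inner_mac is not None and inner_mac.lower() != e.mac:
            continue
        if src_ip is None or not e.has_l3():
            return True  # non-IP frame, or a MAC-only element (any L3 address)
        ip = ipaddress.ip_address(src_ip)
        # An element listing only the other family blocks this family entirely.
        if _l3_match(e.ip4 if ip.version == 4 else e.ip6, ip):
            return True
    return False


def may_receive(elements: List[PortSecurityElement], dst_mac: str,
                dst_ip: Optional[str] = None) -> bool:
    if not elements:
        return True
    for e in elements:
        if e.mac != dst_mac.lower() and not _is_eth_group(dst_mac):
            continue  # unicast to a MAC the element does not own
        if dst_ip is None or not e.has_l3():
            return True
        ip = ipaddress.ip_address(dst_ip)
        if ip.version == 4:
            if _l3_match(e.ip4, ip) or (bool(e.ip4) and (ip == IPV4_BCAST or ip in IPV4_MCAST)):
                return True
            if any(ip == i.network.broadcast_address for i in e.ip4):
                return True  # directed broadcast of a masked IPv4 entry
        elif _l3_match(e.ip6, ip) or (bool(e.ip6) and ip in IPV6_MCAST):
            return True
    return False
```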
     DHCP:

       dhcpv4_options: optional weak reference to DHCP_Options
              This column defines the DHCPv4 options to be included by
              ovn-controller when it replies to DHCPv4 requests. Please see
              the DHCP_Options table.

       dhcpv6_options: optional weak reference to DHCP_Options
              This column defines the DHCPv6 options to be included by
              ovn-controller when it replies to DHCPv6 requests. Please see
              the DHCP_Options table.

     Naming:

       external_ids : neutron:port_name: optional string
              This column gives an optional human-friendly name for the port.
              This name has no special meaning or purpose other than to
              provide convenience for human interaction with the northbound
              database.

              Neutron copies this from its own port object's name. (Neutron
              ports are not assigned human-friendly names by default, so it
              will often be empty.)

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

              The ovn-northd program copies all these pairs into the
              external_ids column of the Port_Binding table in the
              OVN_Southbound database.

Address_Set TABLE
       Each row in this table represents a named set of addresses. An address
       set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
       or CIDR masks. Address sets may ultimately be used in ACLs to compare
       against fields such as ip4.src or ip6.src. A single address set must
       contain addresses of the same type. As an example, the following would
       create an address set with three IP addresses:

              ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'

       Address sets may be used in the match column of the ACL table. For
       syntax information, see the details of the expression language used
       for the match column in the Logical_Flow table of the OVN_Southbound
       database.

   Summary:
       name                          string (must be unique within table)
       addresses                     set of strings
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       name: string (must be unique within table)
              A name for the address set. Names are ASCII and must match
              [a-zA-Z_.][a-zA-Z_.0-9]*.

       addresses: set of strings
              The set of addresses in string form.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Port_Group TABLE
       Each row in this table represents a named group of logical switch
       ports.

       Port groups may be used in the match column of the ACL table. For
       syntax information, see the details of the expression language used
       for the match column in the Logical_Flow table of the OVN_Southbound
       database.

       For each port group, two address sets are generated in the Address_Set
       table of the OVN_Southbound database, containing the IP addresses of
       the group of ports, one for IPv4 and the other for IPv6, with the name
       being the name of the Port_Group followed by a suffix _ip4 for IPv4 and
       _ip6 for IPv6. The generated address sets can be used in the same way
       as regular address sets in the match column of the ACL table. For
       syntax information, see the details of the expression language used
       for the match column in the Logical_Flow table of the OVN_Southbound
       database.

   Summary:
       name                          string (must be unique within table)
       ports                         set of weak reference to Logical_Switch_Ports
       acls                          set of ACLs
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       name: string (must be unique within table)
              A name for the port group. Names are ASCII and must match
              [a-zA-Z_.][a-zA-Z_.0-9]*.

       ports: set of weak reference to Logical_Switch_Ports
              The logical switch ports belonging to the group, as UUIDs.

       acls: set of ACLs
              Access control rules that apply to the port group. Applying an
              ACL to a port group has the same effect as applying the ACL to
              all logical switches that the ports of the port group belong
              to.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Load_Balancer TABLE
       Each row represents one load balancer.

   Summary:
       name                          string
       vips                          map of string-string pairs
       protocol                      optional string, either tcp or udp
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       name: string
              A name for the load balancer. This name has no special meaning
              or purpose other than to provide convenience for human
              interaction with the ovn-nb database.

       vips: map of string-string pairs
              A map of virtual IP addresses (and an optional port number with
              : as a separator) associated with this load balancer and their
              corresponding endpoint IP addresses (and optional port numbers
              with : as separators) separated by commas. If the destination IP
              address (and port number) of a packet leaving a container or a
              VM matches the virtual IP address (and port number) provided
              here as a key, then OVN will statefully replace the destination
              IP address by one of the IP addresses (and port numbers)
              provided in this map's value. IPv4 and IPv6 addresses are
              supported for load balancing; however, a VIP of one address
              family may not be mapped to a destination IP address of a
              different family. If specifying an IPv6 address with a port, the
              address portion must be enclosed in square brackets. Examples
              for keys are "192.168.1.4" and "[fd0f::1]:8800". Examples for
              values are "10.0.0.1, 10.0.0.2" and "20.0.0.10:8800,
              20.0.0.11:8800".

              When the Load_Balancer is added to the logical switch, the VIP
              has to be in a different subnet than the one used for the
              logical switch. Since the VIP is in a different subnet, you
              should connect your logical switch to either an OVN logical
              router or a real router (this is because the client can now send
              a packet with the VIP as the destination IP address and the
              router's MAC address as the destination MAC address).

       protocol: optional string, either tcp or udp
              Valid protocols are tcp or udp. This column is useful when a
              port number is provided as part of the vips column. If this
              column is empty and a port number is provided as part of the
              vips column, OVN assumes the protocol to be tcp.

876 Common Columns:
877
878 external_ids: map of string-string pairs
879 See External IDs at the beginning of this document.
880
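A validator for the vips map format described above, written as an added example (not OVN project code). It applies the column's rules before a row is written: bracketed IPv6 VIPs when a port is present, matching address families, and ports on both sides or neither. The sample maps are constructed.

```python
"""Validate a Load_Balancer 'vips' map before it is written to OVN_Northbound.

Added example, not OVN project code. It applies the rules stated for the
vips column: a key is a VIP with an optional ':port' (an IPv6 VIP with a
port must be bracketed), a value is a comma-separated list of backends
with optional ports, and VIP and backends must share an address family.
"""
import ipaddress


def _port(text, context):
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError("bad port in %r" % context)
    return int(text)


def parse_endpoint(text):
    """Return (ip_address, port_or_None) for '10.0.0.1', '10.0.0.1:80',
    'fd0f::1' or '[fd0f::1]:8800'. Raises ValueError on malformed input."""
    text = text.strip()
    if text.startswith("["):
        # Bracketed form: required whenever an IPv6 address carries a port.
        close = text.find("]")
        if close == -1:
            raise ValueError("unterminated '[' in %r" % text)
        addr = ipaddress.ip_address(text[1:close])
        rest = text[close + 1:]
        if rest == "":
            return addr, None
        if not rest.startswith(":"):
            raise ValueError("junk after ']' in %r" % text)
        return addr, _port(rest[1:], text)
    if text.count(":") == 1:
        # Exactly one colon: IPv4 with a port (an IPv6 literal has several).
        host, port = text.split(":")
        return ipaddress.ip_address(host), _port(port, text)
    # Bare IPv4 or bare IPv6 address. Note the pitfall this guards against:
    # an unbracketed 'fd0f::1:8800' is itself a valid IPv6 address, so the
    # intended port silently becomes part of the address.
    return ipaddress.ip_address(text), None


def validate_vips(vips):
    """Check every VIP -> backends entry; return a list of problems
    (empty when the map is acceptable)."""
    problems = []
    for key, value in vips.items():
        try:
            vip, vip_port = parse_endpoint(key)
        except ValueError as e:
            problems.append("bad VIP key %r: %s" % (key, e))
            continue
        backends = [b for b in value.split(",") if b.strip()]
        if not backends:
            problems.append("VIP %r has no backends" % key)
            continue
        for b in backends:
            try:
                ip, port = parse_endpoint(b)
            except ValueError as e:
                problems.append("VIP %r: bad backend %r: %s" % (key, b, e))
                continue
            if ip.version != vip.version:
                problems.append("VIP %r (IPv%d) maps to IPv%d backend %r"
                                % (key, vip.version, ip.version, b))
            if (port is None) != (vip_port is None):
                problems.append("VIP %r: port given on only one side of %r"
                                % (key, b))
    return problems


def effective_protocol(vips, protocol):
    """OVN assumes tcp when a VIP carries a port and protocol is empty."""
    if protocol:
        return protocol
    has_port = any(parse_endpoint(k)[1] is not None for k in vips)
    return "tcp" if has_port else None


# Constructed sample rows, mirroring the examples in the column description.
GOOD_VIPS = {"192.168.1.4": "10.0.0.1, 10.0.0.2",
             "[fd0f::1]:8800": "[fd0f::10]:8800, [fd0f::11]:8800"}
BAD_VIPS = {"192.168.1.4:80": "10.0.0.1, 10.0.0.2",   # backends lack ports
            "[fd0f::1]:8800": "20.0.0.10:8800"}        # family mismatch

if __name__ == "__main__":
    for label, vips in (("good", GOOD_VIPS), ("bad", BAD_VIPS)):
        print(label, validate_vips(vips) or "ok",
              "protocol:", effective_protocol(vips, ""))
```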
ACL TABLE
Each row in this table represents one ACL rule for a logical switch or a
port group that points to it through its acls column. The action column for
the highest-priority matching row in this table determines a packet's
treatment. If no row matches, packets are allowed by default. (Default-deny
treatment is possible: add a rule with priority 0, 1 as match, and drop as
action.)

Summary:
  priority          integer, in range 0 to 32,767
  direction         string, either from-lport or to-lport
  match             string
  action            string, one of allow-related, allow, drop, or reject
  Logging:
  log               boolean
  name              optional string, at most 63 characters long
  severity          optional string, one of alert, debug, info, notice, or
                    warning
  meter             optional string
  Common Columns:
  external_ids      map of string-string pairs

Details:
  priority: integer, in range 0 to 32,767
    The ACL rule's priority. Rules with numerically higher priority take
    precedence over those with lower. If two ACL rules with the same
    priority both match, then the one actually applied to a packet is
    undefined.

    Return traffic from an allow-related flow is always allowed and cannot
    be changed through an ACL.

  direction: string, either from-lport or to-lport
    Direction of the traffic to which this rule should apply:

    · from-lport: Used to implement filters on traffic arriving from a
      logical port. These rules are applied to the logical switch's
      ingress pipeline.

    · to-lport: Used to implement filters on traffic forwarded to a
      logical port. These rules are applied to the logical switch's egress
      pipeline.

  match: string
    The packets that the ACL should match, in the same expression language
    used for the match column in the OVN Southbound database's
    Logical_Flow table. The outport logical port is only available in the
    to-lport direction (the inport is available in both directions).

    By default all traffic is allowed. When writing a more restrictive
    policy, it is important to remember to allow flows such as ARP and
    IPv6 neighbor discovery packets.

    Note that you cannot create an ACL matching on a port with type=router
    or type=localnet.

  action: string, one of allow-related, allow, drop, or reject
    The action to take when the ACL rule matches:

    · allow: Forward the packet.

    · allow-related: Forward the packet and related traffic (e.g. inbound
      replies to an outbound connection).

    · drop: Silently drop the packet.

    · reject: Drop the packet, replying with a RST for TCP or an
      ICMPv4/ICMPv6 unreachable message for other IPv4/IPv6-based
      protocols.

  Logging:

  These columns control whether and how OVN logs packets that match an ACL.

  log: boolean
    If set to true, packets that match the ACL will trigger a log message
    on the transport node or nodes that perform ACL processing. Logging may
    be combined with any action.

    If set to false, the remaining columns in this group have no
    significance.

  name: optional string, at most 63 characters long
    This name, if it is provided, is included in log records. It provides
    the administrator and the cloud management system a way to associate a
    log record with a particular ACL.

  severity: optional string, one of alert, debug, info, notice, or warning
    The severity of the ACL. The severity levels match those of syslog, in
    decreasing level of severity: alert, warning, notice, info, or debug.
    When the column is empty, the default is info.

  meter: optional string
    The name of a meter to rate-limit log messages for the ACL. The string
    must match the name column of a row in the Meter table. By default, log
    messages are not rate-limited.

  Common Columns:

  external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

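A lint pass over a set of ACL rows, added here as an example (not OVN project code). It checks the column ranges given above, flags same-priority rules whose winner would be undefined, reports a direction with no default-deny rule (unmatched traffic is allowed), and notices a default-deny policy without an ARP/ND allow rule. The sample rows and the switch name are constructed; the remediation strings use the ovn-nbctl acl-add syntax documented in ovn-nbctl(8).

```python
"""Lint ACL rows against the rules the ACL table description gives.

Added example, not OVN project code. Rows are dicts shaped like the ACL
table columns (priority, direction, match, action, log, name, severity,
meter); the sample rows below are constructed.
"""
import re

PRIORITY_MAX = 32767
DIRECTIONS = {"from-lport", "to-lport"}
ACTIONS = {"allow-related", "allow", "drop", "reject"}
SEVERITIES = {"alert", "warning", "notice", "info", "debug"}
NAME_MAX = 63
# Match symbols that carry ARP / IPv6 neighbor discovery in OVN's language.
L2_DISCOVERY = re.compile(r"\b(arp|nd|nd_ns|nd_na)\b")


def is_default_deny(row):
    """A priority-0 match-all rule ('1' is the match-all expression) that
    drops or rejects."""
    return (row["priority"] == 0 and row["match"].strip() == "1"
            and row["action"] in ("drop", "reject"))


def lint_acls(rows):
    """Return a list of (level, message) findings; empty means clean."""
    findings = []
    by_dir_prio = {}
    for i, r in enumerate(rows):
        where = "row %d (%s %r)" % (i, r["direction"], r["match"])
        if not 0 <= r["priority"] <= PRIORITY_MAX:
            findings.append(("error", where + ": priority out of range"))
        if r["direction"] not in DIRECTIONS:
            findings.append(("error", where + ": bad direction"))
        if r["action"] not in ACTIONS:
            findings.append(("error", where + ": bad action %r" % r["action"]))
        if r.get("log"):
            if len(r.get("name") or "") > NAME_MAX:
                findings.append(("error", where + ": log name > 63 chars"))
            sev = r.get("severity")
            if sev and sev not in SEVERITIES:
                findings.append(("error", where + ": bad severity %r" % sev))
        elif r.get("name") or r.get("severity") or r.get("meter"):
            # log=false: the logging columns are documented as ignored.
            findings.append(("warn", where + ": log is false, so "
                             "name/severity/meter have no effect"))
        by_dir_prio.setdefault((r["direction"], r["priority"]), []).append(r)

    # Same direction and priority with different actions: if both match a
    # packet, the applied rule is undefined.
    for (d, p), group in by_dir_prio.items():
        if len(group) > 1 and len({g["action"] for g in group}) > 1:
            findings.append(("warn", "%s priority %d: %d rules with different "
                             "actions; if more than one matches, the applied "
                             "one is undefined" % (d, p, len(group))))

    for d in sorted(DIRECTIONS):
        in_dir = [r for r in rows if r["direction"] == d]
        if not any(is_default_deny(r) for r in in_dir):
            findings.append(("warn", d + ": no default-deny rule; unmatched "
                             "traffic is allowed"))
        elif not any(r["action"].startswith("allow") and r["priority"] > 0
                     and L2_DISCOVERY.search(r["match"]) for r in in_dir):
            findings.append(("warn", d + ": default-deny without an ARP/ND "
                             "allow rule"))
    return findings


def default_deny_commands(switch, rows):
    """ovn-nbctl acl-add lines (syntax per ovn-nbctl(8)) that add the
    missing default-deny rules for SWITCH, a constructed name."""
    cmds = []
    for d in sorted(DIRECTIONS):
        if not any(is_default_deny(r) for r in rows if r["direction"] == d):
            cmds.append('ovn-nbctl acl-add %s %s 0 "1" drop' % (switch, d))
    return cmds


# Constructed sample policy: the to-lport side denies by default but forgot
# ARP; the from-lport side has no default deny at all.
SAMPLE = [
    {"priority": 1000, "direction": "to-lport", "match": "tcp.dst == 443",
     "action": "allow-related", "log": True, "name": "web-in",
     "severity": "info"},
    {"priority": 1000, "direction": "to-lport", "match": "tcp.dst == 22",
     "action": "drop"},
    {"priority": 0, "direction": "to-lport", "match": "1", "action": "drop"},
    {"priority": 900, "direction": "from-lport", "match": "ip4",
     "action": "allow-related", "log": False, "severity": "warning"},
]

if __name__ == "__main__":
    for level, msg in lint_acls(SAMPLE):
        print(level, msg)
    print("\n".join(default_deny_commands("web-tier", SAMPLE)))
```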
Logical_Router TABLE
Each row represents one L3 logical router.

Summary:
  ports             set of Logical_Router_Ports
  static_routes     set of Logical_Router_Static_Routes
  enabled           optional boolean
  nat               set of NATs
  load_balancer     set of Load_Balancers
  Naming:
  name              string
  external_ids : neutron:router_name
                    optional string
  Options:
  options : chassis optional string
  options : dnat_force_snat_ip
                    optional string
  options : lb_force_snat_ip
                    optional string
  Common Columns:
  external_ids      map of string-string pairs

Details:
  ports: set of Logical_Router_Ports
    The router's ports.

  static_routes: set of Logical_Router_Static_Routes
    One or more static routes for the router.

  enabled: optional boolean
    This column is used to administratively set router state. If this
    column is empty or is set to true, the router is enabled. If this
    column is set to false, the router is disabled. A disabled router has
    all ingress and egress traffic dropped.

  nat: set of NATs
    One or more NAT rules for the router. NAT rules only work on Gateway
    routers, and on distributed routers with one logical router port with
    a redirect-chassis specified.

  load_balancer: set of Load_Balancers
    Load balance a virtual IP address to a set of logical port IP
    addresses. Load balancer rules only work on Gateway routers.

  Naming:

  These columns provide names for the logical router. From OVN's
  perspective, these names have no special meaning or purpose other than to
  provide convenience for human interaction with the northbound database.
  There is no requirement for the name to be unique. (For a unique
  identifier for a logical router, use its row UUID.)

  (Originally, name was intended to serve the purpose of a human-friendly
  name, but the Neutron integration used it to uniquely identify its own
  router object, in the format neutron-uuid. Later on, Neutron started
  propagating the friendly name of a router as
  external_ids:neutron:router_name. Perhaps this can be cleaned up
  someday.)

  name: string
    A name for the logical router.

  external_ids : neutron:router_name: optional string
    Another name for the logical router.

  Options:

  Additional options for the logical router.

  options : chassis: optional string
    If set, indicates that the logical router in question is a Gateway
    router (which is centralized) and resides in the given chassis. The
    same value is also used by ovn-controller to uniquely identify the
    chassis in the OVN deployment and comes from external_ids:system-id in
    the Open_vSwitch table of the Open_vSwitch database.

    The Gateway router can only be connected to a distributed router via a
    switch if SNAT and DNAT are to be configured in the Gateway router.

  options : dnat_force_snat_ip: optional string
    If set, indicates the IP address to use to force SNAT a packet that
    has already been DNATed in the gateway router. When multiple gateway
    routers are configured, a packet can potentially enter any of the
    gateway routers, get DNATed and eventually reach the logical switch
    port. For the return traffic to go back to the same gateway router
    (for un-DNATing), the packet needs a SNAT in the first place. This can
    be achieved by setting the above option to a gateway-specific IP
    address.

  options : lb_force_snat_ip: optional string
    If set, indicates the IP address to use to force SNAT a packet that
    has already been load-balanced in the gateway router. When multiple
    gateway routers are configured, a packet can potentially enter any of
    the gateway routers, get DNATed as part of the load balancing and
    eventually reach the logical switch port. For the return traffic to go
    back to the same gateway router (for un-DNATing), the packet needs a
    SNAT in the first place. This can be achieved by setting the above
    option to a gateway-specific IP address.

  Common Columns:

  external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

QoS TABLE
Each row in this table represents one QoS rule for a logical switch that
points to it through its qos_rules column. Two types of QoS are supported:
DSCP marking and metering. The highest-priority matching row has its QoS
applied. If the action column is specified, then matching packets will have
DSCP marking applied. If the bandwidth column is specified, then matching
packets will have metering applied. action and bandwidth are not exclusive,
so both marking and metering can be defined for the same QoS entry. If no
row matches, packets will not have any QoS applied.

Summary:
  priority          integer, in range 0 to 32,767
  direction         string, either from-lport or to-lport
  match             string
  action            map of string-integer pairs, key must be dscp, value
                    in range 0 to 63
  bandwidth         map of string-integer pairs, key either burst or rate,
                    value in range 1 to 4,294,967,295
  external_ids      map of string-string pairs

Details:
  priority: integer, in range 0 to 32,767
    The QoS rule's priority. Rules with numerically higher priority take
    precedence over those with lower. If two QoS rules with the same
    priority both match, then the one actually applied to a packet is
    undefined.

  direction: string, either from-lport or to-lport
    The value of this field has the same meaning as the direction column
    of the ACL table in the OVN Northbound database.

  match: string
    The packets that the QoS rule should match, in the same expression
    language used for the match column in the OVN Southbound database's
    Logical_Flow table. The outport logical port is only available in the
    to-lport direction (the inport is available in both directions).

  action: map of string-integer pairs, key must be dscp, value in range 0
  to 63
    When specified, matching flows will have DSCP marking applied.

    · dscp: The value of this action should be in the range of 0 to 63
      (inclusive).

  bandwidth: map of string-integer pairs, key either burst or rate, value
  in range 1 to 4,294,967,295
    When specified, matching packets will have bandwidth metering applied.
    Traffic over the limit will be dropped.

    · rate: The rate limit in kbps.

    · burst: The burst limit in kilobits. This is optional and requires
      rate to be specified.

  external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

Meter TABLE
Each row in this table represents a meter that can be used for QoS or
rate-limiting.

Summary:
  name              string (must be unique within table)
  unit              string, either kbps or pktps
  bands             set of 1 or more Meter_Bands
  external_ids      map of string-string pairs

Details:
  name: string (must be unique within table)
    A name for this meter.

    Names that begin with "__" (two underscores) are reserved for OVN
    internal use and should not be added manually.

  unit: string, either kbps or pktps
    The unit for the rate and burst_rate parameters in the bands entry.
    kbps specifies kilobits per second, and pktps specifies packets per
    second.

  bands: set of 1 or more Meter_Bands
    The bands associated with this meter. Each band specifies a rate above
    which the band is to take the action action. If multiple bands' rates
    are exceeded, then the band with the highest rate among the exceeded
    bands is selected.

  external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

Meter_Band TABLE
Each row in this table represents a meter band which specifies the rate
above which the configured action should be applied. These bands are
referenced by the bands column in the Meter table.

Summary:
  action            string, must be drop
  rate              integer, in range 1 to 4,294,967,295
  burst_size        integer, in range 0 to 4,294,967,295
  external_ids      map of string-string pairs

Details:
  action: string, must be drop
    The action to execute when this band matches. The only supported
    action is drop.

  rate: integer, in range 1 to 4,294,967,295
    The rate limit for this band, in kilobits per second or packets per
    second, depending on whether the parent Meter entry's unit column
    specifies kbps or pktps.

  burst_size: integer, in range 0 to 4,294,967,295
    The maximum burst allowed for the band in kilobits or packets,
    depending on whether kbps or pktps was selected in the parent Meter
    entry's unit column. If the size is zero, the switch is free to select
    some reasonable value depending on its configuration.

  external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

Logical_Router_Port TABLE
A port within an L3 logical router.

Exactly one Logical_Router row must reference a given logical router port.

Summary:
  name              string (must be unique within table)
  gateway_chassis   set of Gateway_Chassiss
  networks          set of 1 or more strings
  mac               string
  enabled           optional boolean
  ipv6_ra_configs:
  ipv6_ra_configs : address_mode
                    optional string
  ipv6_ra_configs : mtu
                    optional string
  ipv6_ra_configs : send_periodic
                    optional string
  ipv6_ra_configs : max_interval
                    optional string
  ipv6_ra_configs : min_interval
                    optional string
  Options:
  options : redirect-chassis
                    optional string
  Attachment:
  peer              optional string
  Common Columns:
  external_ids      map of string-string pairs

Details:
  name: string (must be unique within table)
    A name for the logical router port.

    In addition to providing convenience for human interaction with the
    northbound database, this column is used as a reference by its patch
    port in Logical_Switch_Port or by another logical router port in
    Logical_Router_Port.

  gateway_chassis: set of Gateway_Chassiss
    If set, this indicates that this logical router port represents a
    distributed gateway port that connects this router to a logical switch
    with a localnet port. There may be at most one such logical router
    port on each logical router.

    Several Gateway_Chassis can be referenced for a given logical router
    port. A single Gateway_Chassis is functionally equivalent to setting
    options:redirect-chassis. Refer to the description of
    options:redirect-chassis for additional details on gateway handling.

    Defining more than one Gateway_Chassis will enable gateway high
    availability. Only one gateway will be active at a time. OVN chassis
    will use BFD to monitor connectivity to a gateway. If connectivity to
    the active gateway is interrupted, another gateway will become active.
    The priority column specifies the order in which gateways will be
    chosen by OVN.

  networks: set of 1 or more strings
    The IP addresses and netmasks of the router. For example,
    192.168.0.1/24 indicates that the router's IP address is 192.168.0.1
    and that packets destined to 192.168.0.x should be routed to this
    port.

    A logical router port always adds a link-local IPv6 address
    (fe80::/64) automatically generated from the interface's MAC address
    using the modified EUI-64 format.

  mac: string
    The Ethernet address that belongs to this router port.

  enabled: optional boolean
    This column is used to administratively set port state. If this column
    is empty or is set to true, the port is enabled. If this column is set
    to false, the port is disabled. A disabled port has all ingress and
    egress traffic dropped.

  ipv6_ra_configs:

  This column defines the IPv6 ND RA address mode and ND MTU Option to be
  included by ovn-controller when it replies to IPv6 Router Solicitation
  requests.

  ipv6_ra_configs : address_mode: optional string
    The address mode to be used for IPv6 address configuration. The
    supported values are:

    · slaac: Address configuration using Router Advertisement (RA)
      packets. The IPv6 prefixes defined in the Logical_Router_Port
      table's networks column will be included in the RA's ICMPv6 Prefix
      Information option.

    · dhcpv6_stateful: Address configuration using DHCPv6.

    · dhcpv6_stateless: Address configuration using Router Advertisement
      (RA) packets. Other IPv6 options are provided by DHCPv6.

  ipv6_ra_configs : mtu: optional string
    The recommended MTU for the link. Default is 0, which means no MTU
    Option will be included in RA packets sent by ovn-controller. RFC 2460
    sets the minimum IPv6 link MTU at 1280, so any mtu value less than
    1280 is treated as no MTU Option.

  ipv6_ra_configs : send_periodic: optional string
    If set to true, then this router interface will send router
    advertisements periodically. The default is false.

  ipv6_ra_configs : max_interval: optional string
    The maximum number of seconds to wait between sending periodic router
    advertisements. This option has no effect if
    ipv6_ra_configs:send_periodic is false. The default is 600.

  ipv6_ra_configs : min_interval: optional string
    The minimum number of seconds to wait between sending periodic router
    advertisements. This option has no effect if
    ipv6_ra_configs:send_periodic is false. The default is one-third of
    ipv6_ra_configs:max_interval, i.e. 200 seconds if that key is unset.

  Options:

  Additional options for the logical router port.

  options : redirect-chassis: optional string
    If set, this indicates that this logical router port represents a
    distributed gateway port that connects this router to a logical switch
    with a localnet port. There may be at most one such logical router
    port on each logical router.

    Even when a redirect-chassis is specified, the logical router port
    still effectively resides on each chassis. However, due to the
    implications of the use of L2 learning in the physical network, as
    well as the need to support advanced features such as one-to-many NAT
    (aka IP masquerading), a subset of the logical router processing is
    handled in a centralized manner on the specified redirect-chassis.

    When this option is specified, the peer logical switch port's
    addresses must be set to router. With this setting, the external_macs
    specified in NAT rules are automatically programmed in the peer
    logical switch's destination lookup on the chassis where the
    logical_port resides. In addition, the logical router's MAC address is
    automatically programmed in the peer logical switch's destination
    lookup flow on the redirect-chassis.

    When this option is specified and it is desired to generate gratuitous
    ARPs for NAT addresses, then the peer logical switch port's
    options:nat-addresses should be set to router.

    While options:redirect-chassis is still supported for backwards
    compatibility, it is now preferred to specify one or more
    gateway_chassis instead. It is functionally equivalent, but allows you
    to specify multiple chassis to enable high availability.

  Attachment:

  A given router port serves one of two purposes:

  · To attach a logical switch to a logical router. A logical router port
    of this type is referenced by exactly one Logical_Switch_Port of type
    router. The value of name is set as router-port in the options column
    of Logical_Switch_Port. In this case the peer column is empty.

  · To connect one logical router to another. This requires a pair of
    logical router ports, each connected to a different router. Each
    router port in the pair specifies the other in its peer column. No
    Logical_Switch refers to the router port.

  peer: optional string
    For a router port used to connect two logical routers, this identifies
    the other router port in the pair by name.

    For a router port attached to a logical switch, this column is empty.

  Common Columns:

  external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

Logical_Router_Static_Route TABLE
Each record represents a static route.

When multiple routes match a packet, the longest-prefix match is chosen.
For a given prefix length, a dst-ip route is preferred over a src-ip route.

Summary:
  ip_prefix         string
  policy            optional string, either dst-ip or src-ip
  nexthop           string
  output_port       optional string
  Common Columns:
  external_ids      map of string-string pairs

Details:
  ip_prefix: string
    IP prefix of this route (e.g. 192.168.100.0/24).

  policy: optional string, either dst-ip or src-ip
    If it is specified, this setting describes the policy used to make
    routing decisions. This setting must be one of the following strings:

    · src-ip: This policy sends the packet to the nexthop when the
      packet's source IP address matches ip_prefix.

    · dst-ip: This policy sends the packet to the nexthop when the
      packet's destination IP address matches ip_prefix.

    If not specified, the default is dst-ip.

  nexthop: string
    Nexthop IP address for this route. The nexthop IP address should be
    the IP address of a connected router port or the IP address of a
    logical port.

  output_port: optional string
    The name of the Logical_Router_Port via which the packet needs to be
    sent out. This is optional and, when not specified, OVN will
    automatically figure this out based on the nexthop. When this is
    specified and there are multiple IP addresses on the router port and
    none of them are in the same subnet as the nexthop, OVN chooses the
    first IP address as the one via which the nexthop is reachable.

  Common Columns:

  external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

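The route-selection rule stated for this table (longest prefix first, dst-ip before src-ip on a tie), carried out over a small constructed table as an added example; it is not OVN project code, and the row shapes simply mirror the table's columns.

```python
"""Pick the Logical_Router_Static_Route that OVN applies to a packet.

Added example, not OVN project code. Routes are dicts with this table's
columns; an empty policy defaults to dst-ip. The sample table is constructed.
"""
import ipaddress


def matching_routes(routes, src, dst):
    """All routes whose ip_prefix contains the address their policy looks
    at, as (prefix_length, policy, route) tuples."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out = []
    for r in routes:
        net = ipaddress.ip_network(r["ip_prefix"], strict=False)
        policy = r.get("policy") or "dst-ip"      # column default
        probe = dst if policy == "dst-ip" else src
        if probe.version == net.version and probe in net:
            out.append((net.prefixlen, policy, r))
    return out


def select_route(routes, src, dst):
    """Return the winning route dict, or None when nothing matches."""
    cands = matching_routes(routes, src, dst)
    if not cands:
        return None
    # Longest prefix wins; on equal length, dst-ip (rank 1) beats src-ip (0).
    cands.sort(key=lambda c: (c[0], 1 if c[1] == "dst-ip" else 0),
               reverse=True)
    return cands[0][2]


# Constructed routing table: a default route, a dst-ip and a src-ip route
# for the same /24, and a more specific src-ip /25 that forces an output port.
ROUTES = [
    {"ip_prefix": "0.0.0.0/0", "nexthop": "10.0.0.1"},
    {"ip_prefix": "192.168.100.0/24", "nexthop": "10.0.0.2"},
    {"ip_prefix": "192.168.100.0/24", "policy": "src-ip",
     "nexthop": "10.0.0.3"},
    {"ip_prefix": "192.168.100.128/25", "policy": "src-ip",
     "nexthop": "10.0.0.4", "output_port": "lrp-dmz"},
]

if __name__ == "__main__":
    for src, dst in (("10.1.1.1", "192.168.100.5"),
                     ("192.168.100.200", "192.168.100.5"),
                     ("192.168.100.5", "192.168.100.9"),
                     ("192.168.100.5", "8.8.8.8")):
        print(src, "->", dst, "via", select_route(ROUTES, src, dst)["nexthop"])
```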
NAT TABLE
Each record represents a NAT rule.

Summary:
  type              string, one of dnat, dnat_and_snat, or snat
  external_ip       string
  external_mac      optional string
  logical_ip        string
  logical_port      optional string
  Common Columns:
  external_ids      map of string-string pairs

Details:
  type: string, one of dnat, dnat_and_snat, or snat
    Type of the NAT rule.

    · When type is dnat, the externally visible IP address external_ip is
      DNATed to the IP address logical_ip in the logical space.

    · When type is snat, IP packets whose source IP address either
      matches the IP address in logical_ip or is in the network provided
      by logical_ip are SNATed to the IP address in external_ip.

    · When type is dnat_and_snat, the externally visible IP address
      external_ip is DNATed to the IP address logical_ip in the logical
      space. In addition, IP packets whose source IP address matches
      logical_ip are SNATed to the IP address in external_ip.

  external_ip: string
    An IPv4 address.

  external_mac: optional string
    A MAC address.

    This is only used on the gateway port on distributed routers. This
    must be specified in order for the NAT rule to be processed in a
    distributed manner on all chassis. If this is not specified for a NAT
    rule on a distributed router, then this NAT rule will be processed in
    a centralized manner on the gateway port instance on the
    redirect-chassis.

    This MAC address must be unique on the logical switch that the gateway
    port is attached to. If the MAC address used on the logical_port is
    globally unique, then that MAC address can be specified as this
    external_mac.

  logical_ip: string
    An IPv4 network (e.g. 192.168.1.0/24) or an IPv4 address.

  logical_port: optional string
    The name of the logical port where the logical_ip resides.

    This is only used on distributed routers. This must be specified in
    order for the NAT rule to be processed in a distributed manner on all
    chassis. If this is not specified for a NAT rule on a distributed
    router, then this NAT rule will be processed in a centralized manner
    on the gateway port instance on the redirect-chassis.

  Common Columns:

  external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

1519 OVN implements native DHCPv4 support which caters to the common use
1520 case of providing an IPv4 address to a booting instance by providing
1521 stateless replies to DHCPv4 requests based on statically configured
1522 address mappings. To do this it allows a short list of DHCPv4 options
1523 to be configured and applied at each compute host running ovn-con‐
1524 troller.
1525
1526 OVN also implements native DHCPv6 support which provides stateless
1527 replies to DHCPv6 requests.
1528
1529 Summary:
1530 cidr string
1531 DHCPv4 options:
1532 Mandatory DHCPv4 options:
1533 options : server_id optional string
1534 options : server_mac optional string
1535 options : lease_time optional string, containing an integer,
1536 in range 0 to 4,294,967,295
1537 IPv4 DHCP Options:
1538 options : router optional string
1539 options : netmask optional string
1540 options : dns_server optional string
1541 options : log_server optional string
1542 options : lpr_server optional string
1543 options : swap_server optional string
1544 options : policy_filter optional string
1545 options : router_solicitation
1546 optional string
1547 options : nis_server optional string
1548 options : ntp_server optional string
1549 options : tftp_server optional string
1550 options : classless_static_route
1551 optional string
1552 options : ms_classless_static_route
1553 optional string
1554 Boolean DHCP Options:
1555 options : ip_forward_enable
1556 optional string, either 0 or 1
1557 options : router_discovery
1558 optional string, either 0 or 1
1559 options : ethernet_encap optional string, either 0 or 1
1560 Integer DHCP Options:
1561 options : default_ttl optional string, containing an integer,
1562 in range 0 to 255
1563 options : tcp_ttl optional string, containing an integer,
1564 in range 0 to 255
1565 options : mtu optional string, containing an integer,
1566 in range 68 to 65,535
1567 options : T1 optional string, containing an integer,
1568 in range 68 to 4,294,967,295
1569 options : T2 optional string, containing an integer,
1570 in range 68 to 4,294,967,295
1571 DHCPv6 options:
1572 Mandatory DHCPv6 options:
1573 options : server_id optional string
1574 IPv6 DHCPv6 options:
1575 options : dns_server optional string
1576 String DHCPv6 options:
1577 options : domain_search optional string
1578 options : dhcpv6_stateless
1579 optional string
1580 Common Columns:
1581 external_ids map of string-string pairs
1582
1583 Details:
1584 cidr: string
1585 The DHCPv4/DHCPv6 options will be included if the logical port
1586 has its IP address in this cidr.
1587
1588 DHCPv4 options:
1589
1590 The CMS should define the set of DHCPv4 options as key/value pairs in
1591 the options column of this table. For ovn-controller to include these
1592 DHCPv4 options, the dhcpv4_options of Logical_Switch_Port should refer
1593 to an entry in this table.
1594
1595 Mandatory DHCPv4 options:
1596
1597 The following options must be defined.
1598
1599 options : server_id: optional string
1600 The IP address for the DHCP server to use. This should be in the
1601 subnet of the offered IP. This is also included in the DHCP
1602 offer as option 54, ``server identifier.’’
1603
1604 options : server_mac: optional string
1605 The Ethernet address for the DHCP server to use.
1606
1607 options : lease_time: optional string, containing an integer, in range
1608 0 to 4,294,967,295
1609 The offered lease time in seconds,
1610
1611 The DHCPv4 option code for this option is 51.
1612
1613 IPv4 DHCP Options:
1614
1615 Below are the supported DHCPv4 options whose values are an IPv4
1616 address, e.g. 192.168.1.1. Some options accept multiple IPv4 addresses
1617 enclosed within curly braces, e.g. {192.168.1.2, 192.168.1.3}. Please
1618 refer to RFC 2132 for more details on DHCPv4 options and their codes.
1619
1620 options : router: optional string
1621 The IP address of a gateway for the client to use. This should
1622 be in the subnet of the offered IP. The DHCPv4 option code for
1623 this option is 3.
1624
1625 options : netmask: optional string
1626 The DHCPv4 option code for this option is 1.
1627
1628 options : dns_server: optional string
1629 The DHCPv4 option code for this option is 6.
1630
1631 options : log_server: optional string
1632 The DHCPv4 option code for this option is 7.
1633
1634 options : lpr_server: optional string
1635 The DHCPv4 option code for this option is 9.
1636
1637 options : swap_server: optional string
1638 The DHCPv4 option code for this option is 16.
1639
1640 options : policy_filter: optional string
1641 The DHCPv4 option code for this option is 21.
1642
1643 options : router_solicitation: optional string
1644 The DHCPv4 option code for this option is 32.
1645
1646 options : nis_server: optional string
1647 The DHCPv4 option code for this option is 41.
1648
1649 options : ntp_server: optional string
1650 The DHCPv4 option code for this option is 42.
1651
1652 options : tftp_server: optional string
1653 The DHCPv4 option code for this option is 66.
1654
1655 options : classless_static_route: optional string
1656 The DHCPv4 option code for this option is 121.
1657
1658 This option can contain one or more static routes, each of which
1659 consists of a destination descriptor and the IP address of the
1660 router that should be used to reach that destination. Please see
1661 RFC 3442 for more details.
1662
1663 Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
1664
 1665 options : ms_classless_static_route: optional string
 1666 The DHCPv4 option code for this option is 249. This option
 1667 carries the same value format as classless_static_route under
 1668 the option code that Microsoft Windows DHCPv4 clients use.
1669
1670 Boolean DHCP Options:
1671
1672 These options accept a Boolean value, expressed as 0 for false or 1 for
1673 true.
1674
1675 options : ip_forward_enable: optional string, either 0 or 1
1676 The DHCPv4 option code for this option is 19.
1677
1678 options : router_discovery: optional string, either 0 or 1
1679 The DHCPv4 option code for this option is 31.
1680
1681 options : ethernet_encap: optional string, either 0 or 1
1682 The DHCPv4 option code for this option is 36.
1683
1684 Integer DHCP Options:
1685
1686 These options accept a nonnegative integer value.
1687
1688 options : default_ttl: optional string, containing an integer, in range
1689 0 to 255
1690 The DHCPv4 option code for this option is 23.
1691
1692 options : tcp_ttl: optional string, containing an integer, in range 0
1693 to 255
1694 The DHCPv4 option code for this option is 37.
1695
1696 options : mtu: optional string, containing an integer, in range 68 to
1697 65,535
1698 The DHCPv4 option code for this option is 26.
1699
1700 options : T1: optional string, containing an integer, in range 68 to
1701 4,294,967,295
1702 This specifies the time interval from address assignment until
1703 the client begins trying to renew its address. The DHCPv4 option
1704 code for this option is 58.
1705
1706 options : T2: optional string, containing an integer, in range 68 to
1707 4,294,967,295
1708 This specifies the time interval from address assignment until
1709 the client begins trying to rebind its address. The DHCPv4
1710 option code for this option is 59.
1711
1712 DHCPv6 options:
1713
 1714 OVN also implements native DHCPv6 support. The CMS should define the
 1715 set of DHCPv6 options as key/value pairs. The defined DHCPv6 options
 1716 will be included in the DHCPv6 reply to DHCPv6
 1717 Solicit/Request/Confirm packets from the logical ports that have IPv6
 1718 addresses in the cidr.
1719
1720 Mandatory DHCPv6 options:
1721
1722 The following options must be defined.
1723
 1724 options : server_id: optional string
 1725 The Ethernet address for the DHCPv6 server to use. It is also
 1726 carried in the DHCPv6 reply as option 2, ``Server Identifier,’’
 1727 a DUID that identifies the server to the client. ovn-controller
 1728 derives this DUID from the link-layer address, i.e. it uses the
 1729 DUID-LL form [DUID-LL].
1730
1731 IPv6 DHCPv6 options:
1732
1733 Below are the supported DHCPv6 options whose values are an IPv6
1734 address, e.g. aef0::4. Some options accept multiple IPv6 addresses
1735 enclosed within curly braces, e.g. {aef0::4, aef0::5}. Please refer to
1736 RFC 3315 for more details on DHCPv6 options and their codes.
1737
1738 options : dns_server: optional string
1739 The DHCPv6 option code for this option is 23. This option speci‐
1740 fies the DNS servers that the VM should use.
1741
1742 String DHCPv6 options:
1743
1744 These options accept string values.
1745
1746 options : domain_search: optional string
1747 The DHCPv6 option code for this option is 24. This option speci‐
1748 fies the domain search list the client should use to resolve
1749 hostnames with DNS.
1750
1751 Example: "ovn.org".
1752
 1753 options : dhcpv6_stateless: optional string
 1754 When set to the string "true", OVN native DHCPv6 works in
 1755 stateless mode: it does not offer IPv6 addresses to VM/VIF
 1756 ports but only replies with other configuration, such as DNS
 1757 servers and the domain search list, and the VM/VIF configures
 1758 its IPv6 addresses by stateless address autoconfiguration
 1759 instead. The default is false.
1760
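As an added example (not OVN code), the following Python encodes the DHCPv6 options that a DHCP_Options row produces, using the option codes given above (2 for the DUID-LL Server Identifier, 23 for DNS servers, 24 for the domain search list) and the wire layout of RFC 3315 (a 2-byte code and 2-byte length per option; DUID-LL is DUID type 3 with hardware type 1 for Ethernet). The row is constructed for the example. It records whether dhcpv6_stateless is in effect but does not encode an IA_NA, since the page gives no address-assignment parameters.

```python
import ipaddress
import struct


def split_list(value):
    """'{a, b}' -> ['a', 'b']; a bare value -> [value]."""
    v = value.strip()
    if v.startswith("{") and v.endswith("}"):
        v = v[1:-1]
    return [x.strip() for x in v.split(",") if x.strip()]


def encode_duid_ll(mac):
    """DUID-LL (RFC 3315 section 9.4): DUID type 3, hardware type 1
    (Ethernet), then the 6-byte link-layer address from server_id."""
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("server_id must be a 48-bit Ethernet address")
    return struct.pack("!HH", 3, 1) + raw


def encode_domain_search(value):
    """Option 24 payload: each domain as DNS labels (length byte + label),
    terminated by a zero-length root label."""
    out = b""
    for name in split_list(value):
        for label in name.strip(".").split("."):
            lab = label.encode("ascii")
            if not 0 < len(lab) < 64:
                raise ValueError(f"bad DNS label {label!r} in domain_search")
            out += bytes([len(lab)]) + lab
        out += b"\x00"
    return out


def encode_dhcpv6_options(options):
    """Return (stateless, [(code, payload), ...]) for the row.  Option 2 is
    always first.  When stateless is True the reply carries no address for
    the client; this flag records that rather than encoding an IA_NA."""
    if "server_id" not in options:
        raise ValueError("mandatory DHCPv6 option server_id missing")
    opts = [(2, encode_duid_ll(options["server_id"]))]
    stateless = False
    for key, value in options.items():
        if key == "server_id":
            continue
        if key == "dns_server":
            opts.append((23, b"".join(ipaddress.IPv6Address(a).packed
                                      for a in split_list(value))))
        elif key == "domain_search":
            opts.append((24, encode_domain_search(value)))
        elif key == "dhcpv6_stateless":
            stateless = value.strip() == "true"   # exact string, as documented
        else:
            raise ValueError(f"unknown DHCPv6 option key {key!r}")
    return stateless, opts


def dhcpv6_options_bytes(options):
    """Wire form: 2-byte option code, 2-byte length, payload, per option."""
    _, opts = encode_dhcpv6_options(options)
    return b"".join(struct.pack("!HH", code, len(p)) + p for code, p in opts)


# Constructed example row (not from a real deployment).
SAMPLE_ROW6 = {
    "server_id": "aa:bb:cc:dd:ee:ff",
    "dns_server": "{aef0::4, aef0::5}",
    "domain_search": "ovn.org",
    "dhcpv6_stateless": "true",
}

if __name__ == "__main__":
    stateless, _ = encode_dhcpv6_options(SAMPLE_ROW6)
    print("stateless:", stateless, dhcpv6_options_bytes(SAMPLE_ROW6).hex())
```

The Server Identifier in a captured Reply should match encode_duid_ll of the row's server_id byte for byte; a different DUID on the port means a DHCPv6 server other than OVN answered the client.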
1761 Common Columns:
1762
1763 external_ids: map of string-string pairs
1764 See External IDs at the beginning of this document.
1765
 1766 Connection TABLE
 1767 Configuration for a database connection to an Open vSwitch database
 1768 (OVSDB) client.
1769
1770 This table primarily configures the Open vSwitch database server
1771 (ovsdb-server).
1772
1773 The Open vSwitch database server can initiate and maintain active con‐
1774 nections to remote clients. It can also listen for database connec‐
1775 tions.
1776
1777 Summary:
1778 Core Features:
1779 target string (must be unique within table)
1780 Client Failure Detection and Handling:
1781 max_backoff optional integer, at least 1,000
1782 inactivity_probe optional integer
1783 Status:
1784 is_connected boolean
1785 status : last_error optional string
1786 status : state optional string, one of ACTIVE, BACKOFF,
1787 CONNECTING, IDLE, or VOID
1788 status : sec_since_connect optional string, containing an integer,
1789 at least 0
1790 status : sec_since_disconnect
1791 optional string, containing an integer,
1792 at least 0
1793 status : locks_held optional string
1794 status : locks_waiting optional string
1795 status : locks_lost optional string
1796 status : n_connections optional string, containing an integer,
1797 at least 2
1798 status : bound_port optional string, containing an integer
1799 Common Columns:
1800 external_ids map of string-string pairs
1801 other_config map of string-string pairs
1802
1803 Details:
1804 Core Features:
1805
1806 target: string (must be unique within table)
1807 Connection methods for clients.
1808
1809 The following connection methods are currently supported:
1810
 1811 ssl:host[:port]
 1812 The specified SSL port on the given host, which can be either
 1813 a DNS name (if built with the unbound library) or an IP
 1814 address, written as for tcp: (an IPv6 address in square
 1815 brackets). A valid SSL configuration must be provided when
 1816 this form is used, either via command-line options or the
 1817 SSL table.
1818
1819 If port is not specified, it defaults to 6640.
1820
1821 SSL support is an optional feature that is not always
1822 built as part of Open vSwitch.
1823
 1824 tcp:host[:port]
 1825 The specified TCP port on the given host, which can be either
 1826 a DNS name (if built with the unbound library) or an IP
 1827 address. If host is an IPv6 address, wrap it in square
 1828 brackets, e.g. tcp:[::1]:6640. This form provides neither
      encryption nor peer authentication; prefer ssl: outside a
      trusted management network.
1829
1830 If port is not specified, it defaults to 6640.
1831
 1832 pssl:[port][:host]
 1833 Listens for SSL connections on the specified TCP port.
 1834 Specify 0 for port to have the kernel automatically
 1835 choose an available port. If host, which can be either a
 1836 DNS name (if built with the unbound library) or an IP
 1837 address, is specified, then connections are restricted to
 1838 the resolved or specified local IP address (either IPv4 or
 1839 IPv6). If host is an IPv6 address, wrap it in square
 1840 brackets, e.g. pssl:6640:[::1]. If host is not specified
 1841 then it listens on all local IPv4 (but not IPv6) addresses.
 1842 A valid SSL configuration must be provided when this form
 1843 is used, either via command-line options or the SSL
 1844 table.
1845
1846 If port is not specified, it defaults to 6640.
1847
1848 SSL support is an optional feature that is not always
1849 built as part of Open vSwitch.
1850
 1851 ptcp:[port][:host]
 1852 Listens for plaintext connections on the specified TCP port.
 1853 Specify 0 for port to have the kernel automatically choose an
 1854 available port. If host, which can be either a DNS name (if
 1855 built with the unbound library) or an IP address, is
 1856 specified, then connections are restricted to the resolved
 1857 or specified local IP address (either IPv4 or IPv6). If host
 1858 is an IPv6 address, wrap it in square brackets, e.g.
 1859 ptcp:6640:[::1]. If host is not specified then it listens on
 1860 all local IPv4 addresses, so any host that can reach the port
      gets unauthenticated read and write access to the database;
      use pssl: or restrict host to a management address.
1861
1862 If port is not specified, it defaults to 6640.
1863
1864 When multiple clients are configured, the target values must be
1865 unique. Duplicate target values yield unspecified results.
1866
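As an added example (not OVS or OVN code), the following Python parses the four target forms documented above exactly as described (default port 6640, bracketed IPv6 literals, a missing host on a passive form meaning all local IPv4 addresses) and reports the findings a security review of a Connection row would raise. The review policy and the sample targets are this example's own; unix: and punix: targets are outside its scope because the text above does not describe them.

```python
import ipaddress
import re

DEFAULT_PORT = 6640
# A host is either [IPv6-literal] or a bare IPv4 literal / DNS name.
_HOST_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<plain>[^:\[\]]+))$")


def _parse_host(text):
    """Return (host, family): family is 4 or 6 for literals, None for a DNS
    name (which the server can only resolve if built with unbound)."""
    m = _HOST_RE.match(text)
    if not m:
        raise ValueError(f"malformed host {text!r}")
    if m.group("v6"):
        return str(ipaddress.IPv6Address(m.group("v6"))), 6
    try:
        return str(ipaddress.IPv4Address(m.group("plain"))), 4
    except ValueError:
        return m.group("plain"), None


def parse_target(target):
    """Parse the four target forms documented above.  Active forms are
    method:host[:port]; passive forms are method:[port][:host]."""
    method, _, rest = target.partition(":")
    if method in ("ssl", "tcp"):
        if rest.startswith("["):                      # bracketed IPv6
            hostpart, _, portpart = rest.partition("]")
            hostpart, portpart = hostpart + "]", portpart.lstrip(":")
        else:
            hostpart, _, portpart = rest.partition(":")
        host, family = _parse_host(hostpart)
        mode = "active"
    elif method in ("pssl", "ptcp"):
        portpart, _, hostpart = rest.partition(":")
        host, family = _parse_host(hostpart) if hostpart else ("0.0.0.0", 4)
        mode = "passive"
    else:
        raise ValueError(f"unsupported connection method {method!r}")
    port = int(portpart) if portpart else DEFAULT_PORT
    # Port 0 is only meaningful for listeners (kernel picks a port).
    if not 0 <= port <= 65535 or (port == 0 and mode == "active"):
        raise ValueError(f"bad port {port} for {target!r}")
    return {"method": method, "mode": mode, "host": host,
            "family": family, "port": port, "tls": method.endswith("ssl")}


def audit_target(target):
    """Findings a security review would raise for one target string.  The
    policy is this example's own, not OVS's."""
    t = parse_target(target)
    findings = []
    if not t["tls"]:
        findings.append("plaintext: no peer authentication or confidentiality; "
                        "any client that reaches it can read and write the database")
    if t["mode"] == "passive" and t["host"] in ("0.0.0.0", "::"):
        findings.append("listens on every local address; bind to a management address")
    if t["mode"] == "passive" and t["port"] == 0:
        findings.append("kernel-chosen port: read status:bound_port to discover it")
    if t["family"] is None:
        findings.append("DNS name: resolution needs a build with the unbound library")
    return findings


# Constructed Connection targets to review (not from a real deployment).
SAMPLE_TARGETS = ["ptcp:", "pssl:6641:10.0.0.5", "tcp:[::1]:6640", "ssl:nb.example.org"]

if __name__ == "__main__":
    for tgt in SAMPLE_TARGETS:
        print(tgt, parse_target(tgt), audit_target(tgt))
```

Feeding it the target column of every Connection row (for example from the output of ovsdb-client dump) gives a quick inventory of which listeners are plaintext and which bind every local address, the two settings most often left over from a lab setup.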
1867 Client Failure Detection and Handling:
1868
1869 max_backoff: optional integer, at least 1,000
1870 Maximum number of milliseconds to wait between connection
1871 attempts. Default is implementation-specific.
1872
 1873 inactivity_probe: optional integer
 1874 Maximum number of milliseconds of idle time on connection to the
 1875 client before sending an inactivity probe message. If Open
 1876 vSwitch does not communicate with the client for the specified
 1877 number of milliseconds, it will send a probe. If a response is
 1878 not received within the same additional amount of time, Open
 1879 vSwitch assumes the connection has been broken and attempts to
 1880 reconnect, so a dead peer is noticed after at most twice this
 1881 interval. Default is implementation-specific. A value of 0
      disables inactivity probes, and with them this detection.
1882
1883 Status:
1884
 1885 The is_connected key-value pair is always updated. Whether the other
 1886 key-value pairs in the status column are updated depends on the target
 1887 type.
 1888 
 1889 When target specifies a connection method that listens for inbound
 1890 connections (e.g. ptcp: or pssl:), only n_connections and bound_port
 1891 may be updated in addition to is_connected; the remaining key-value
 1892 pairs are omitted.
 1893 
 1894 When target specifies an outbound connection, all key-value pairs may
 1895 be updated except n_connections and bound_port, which apply only to
      inbound connection targets and are omitted.
1896
1897 is_connected: boolean
1898 true if currently connected to this client, false otherwise.
1899
 1900 status : last_error: optional string
 1901 A human-readable description of the last error on the connection
 1902 to this client, i.e. strerror(errno). This key exists only if an
 1903 error has occurred.
1904
1905 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
1906 IDLE, or VOID
 1907 The state of the connection to this client:
1908
1909 VOID Connection is disabled.
1910
1911 BACKOFF
1912 Attempting to reconnect at an increasing period.
1913
1914 CONNECTING
1915 Attempting to connect.
1916
1917 ACTIVE Connected, remote host responsive.
1918
1919 IDLE Connection is idle. Waiting for response to keep-alive.
1920
1921 These values may change in the future. They are provided only
1922 for human consumption.
1923
1924 status : sec_since_connect: optional string, containing an integer, at
1925 least 0
1926 The amount of time since this client last successfully connected
1927 to the database (in seconds). Value is empty if client has never
1928 successfully been connected.
1929
1930 status : sec_since_disconnect: optional string, containing an integer,
1931 at least 0
1932 The amount of time since this client last disconnected from the
1933 database (in seconds). Value is empty if client has never dis‐
1934 connected.
1935
1936 status : locks_held: optional string
1937 Space-separated list of the names of OVSDB locks that the con‐
1938 nection holds. Omitted if the connection does not hold any
1939 locks.
1940
1941 status : locks_waiting: optional string
1942 Space-separated list of the names of OVSDB locks that the con‐
1943 nection is currently waiting to acquire. Omitted if the connec‐
1944 tion is not waiting for any locks.
1945
1946 status : locks_lost: optional string
1947 Space-separated list of the names of OVSDB locks that the con‐
1948 nection has had stolen by another OVSDB client. Omitted if no
1949 locks have been stolen from this connection.
1950
1951 status : n_connections: optional string, containing an integer, at
1952 least 2
1953 When target specifies a connection method that listens for
1954 inbound connections (e.g. ptcp: or pssl:) and more than one con‐
1955 nection is actually active, the value is the number of active
1956 connections. Otherwise, this key-value pair is omitted.
1957
1958 status : bound_port: optional string, containing an integer
1959 When target is ptcp: or pssl:, this is the TCP port on which the
1960 OVSDB server is listening. (This is particularly useful when
1961 target specifies a port of 0, allowing the kernel to choose any
1962 available port.)
1963
1964 Common Columns:
1965
1966 The overall purpose of these columns is described under Common Columns
1967 at the beginning of this document.
1968
1969 external_ids: map of string-string pairs
1970
1971 other_config: map of string-string pairs
1972
 1973 DNS TABLE
 1974 Each row in this table stores DNS records. The Logical_Switch table’s
 1975 dns_records column references these records.
1976
1977 Summary:
1978 records map of string-string pairs
1979 external_ids map of string-string pairs
1980
1981 Details:
1982 records: map of string-string pairs
1983 Key-value pair of DNS records with DNS query name as the key and
1984 value as a string of IP address(es) separated by comma or space.
1985
1986 Example: "vm1.ovn.org" = "10.0.0.4 aef0::4"
1987
1988 external_ids: map of string-string pairs
1989 See External IDs at the beginning of this document.
1990
 1991 SSL TABLE
 1992 SSL configuration for ovn-nb database access.
1993
1994 Summary:
1995 private_key string
1996 certificate string
1997 ca_cert string
1998 bootstrap_ca_cert boolean
1999 ssl_protocols string
2000 ssl_ciphers string
2001 Common Columns:
2002 external_ids map of string-string pairs
2003
2004 Details:
 2005 private_key: string
 2006 Name of a PEM file containing the private key that the ovn-nb
 2007 database server uses as its identity for SSL connections.
 2008 
 2009 certificate: string
 2010 Name of a PEM file containing a certificate, signed by the
 2011 certificate authority (CA) that the database’s clients trust,
 2012 that certifies the private key above and so identifies a
 2013 trustworthy server to those clients.
 2014 
 2015 ca_cert: string
 2016 Name of a PEM file containing the CA certificate used to verify
 2017 that the peer (a connecting client, or the remote end of an
      ssl: target) presents a trustworthy certificate.
2018
 2019 bootstrap_ca_cert: boolean
 2020 If set to true, then Open vSwitch will attempt to obtain the CA
 2021 certificate from the remote peer on its first SSL connection and
 2022 save it to the named PEM file. If it is successful, it will
 2023 immediately drop the connection and reconnect, and from then on
 2024 all SSL connections must be authenticated by a certificate
 2025 signed by the CA certificate thus obtained. This exposes the
 2026 first connection to a man-in-the-middle attack: whoever can
 2027 intercept it can supply their own CA certificate, which every
 2028 later connection will then trust. It may still be useful for
      bootstrapping, provided the saved CA certificate is verified
      out of band (for example by comparing its fingerprint) before
      the deployment is relied upon.
2029
 2030 ssl_protocols: string
 2031 List of SSL protocols to be enabled for SSL connections. The
 2032 default when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.
      TLSv1 and TLSv1.1 are deprecated (RFC 8996); restrict the list
      to TLSv1.2 unless a legacy client requires otherwise.
2033
2034 ssl_ciphers: string
2035 List of ciphers (in OpenSSL cipher string format) to be sup‐
2036 ported for SSL connections. The default when this option is
2037 omitted is HIGH:!aNULL:!MD5.
2038
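As an added example (not OVS or OVN code), the following Python audits an SSL row given as a dict of column names to values, applying the defaults stated above for omitted columns, and shows a row that relies on those defaults plus bootstrapping beside a hardened equivalent. The review policy, the cipher classes it expects to see excluded and the file paths are this example's own; the PEM check uses Python's ssl module to load the three files the way a TLS server would, and the requirement for a peer certificate mirrors OVS, which always demands one on SSL connections.

```python
import ssl

# Defaults stated in the text above for an omitted column.
DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}   # RFC 7568, RFC 8996
# Cipher-string classes this example's policy wants excluded explicitly.
MUST_EXCLUDE = ("aNULL", "eNULL", "MD5", "RC4", "3DES")


def audit_ssl_row(row):
    """Findings for one SSL row.  Missing columns are treated as the
    documented defaults.  The cipher check is a token-level check on the
    OpenSSL cipher string, not an expansion of it."""
    findings = []
    for col in ("private_key", "certificate", "ca_cert"):
        if not row.get(col):
            findings.append(f"{col} is empty; SSL targets cannot be used")
    if str(row.get("bootstrap_ca_cert", "false")).lower() == "true":
        findings.append("bootstrap_ca_cert=true: first connection trusts whatever "
                        "CA the peer sends (man-in-the-middle window)")
    protocols = [p.strip() for p in
                 (row.get("ssl_protocols") or DEFAULT_PROTOCOLS).split(",")
                 if p.strip()]
    weak = [p for p in protocols if p in DEPRECATED_PROTOCOLS]
    if weak:
        findings.append("deprecated protocols enabled: " + ",".join(weak))
    tokens = [t.strip() for t in (row.get("ssl_ciphers") or DEFAULT_CIPHERS).split(":")]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    missing = [c for c in MUST_EXCLUDE if c not in excluded]
    if missing:
        findings.append("cipher string does not explicitly exclude: " + ",".join(missing))
    return findings


def expand_ciphers(spec):
    """TLS 1.2 suite names the local OpenSSL would actually negotiate for
    spec (TLS 1.3 suites are configured separately by OpenSSL).  Shows what
    HIGH:!aNULL:!MD5 really means on this build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_pem_files(row):
    """Load the three PEM files as a TLS server would.  Returns None on
    success or the error text (missing file, key/cert mismatch, bad CA)."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile=row["certificate"], keyfile=row["private_key"])
        ctx.load_verify_locations(cafile=row["ca_cert"])
        ctx.verify_mode = ssl.CERT_REQUIRED   # OVS requires a peer certificate
    except (OSError, ssl.SSLError, KeyError) as e:
        return str(e)
    return None


# Constructed rows (paths are examples): the first relies on the documented
# defaults plus bootstrapping, the second is a hardened equivalent.
WEAK_ROW = {"private_key": "/etc/ovn/ovnnb-privkey.pem",
            "certificate": "/etc/ovn/ovnnb-cert.pem",
            "ca_cert": "/etc/ovn/cacert.pem", "bootstrap_ca_cert": "true"}
HARDENED_ROW = {**WEAK_ROW, "bootstrap_ca_cert": "false",
                "ssl_protocols": "TLSv1.2",
                "ssl_ciphers": "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"}

if __name__ == "__main__":
    for name, row in (("weak", WEAK_ROW), ("hardened", HARDENED_ROW)):
        print(name, audit_ssl_row(row) or "no findings", check_pem_files(row))
```

The hardened row keeps to TLSv1.2 because the text above lists only TLSv1, TLSv1.1 and TLSv1.2 as protocol names; a newer build may accept more, which expand_ciphers and a test connection will confirm. check_pem_files catches the case that survives a visual review most often, a certificate that does not match the private key next to it.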
2039 Common Columns:
2040
2041 The overall purpose of these columns is described under Common Columns
2042 at the beginning of this document.
2043
2044 external_ids: map of string-string pairs
2045
 2046 Gateway_Chassis TABLE
 2047 Association of one or more chassis to a logical router port. The
 2048 traffic going out through a specific router port will be redirected
 2049 to a chassis, or to a set of them in high availability configurations.
 2050 A single Gateway_Chassis is equivalent to setting options:redirect-chassis.
 2051 Using Gateway_Chassis allows associating multiple prioritized chassis
 2052 with a single logical router port.
2053
2054 Summary:
2055 name string (must be unique within table)
2056 chassis_name string
2057 priority integer, in range 0 to 32,767
2058 options map of string-string pairs
2059 Common Columns:
2060 external_ids map of string-string pairs
2061
2062 Details:
2063 name: string (must be unique within table)
2064 Name of the Gateway_Chassis.
2065
2066 A suggested, but not required naming convention is
2067 ${port_name}_${chassis_name}.
2068
2069 chassis_name: string
2070 Name of the chassis that we want to redirect traffic through for
2071 the associated logical router port. The value must match the
2072 name column of the Chassis table in the OVN_Southbound database.
2073
 2074 priority: integer, in range 0 to 32,767
 2075 This is the priority of a chassis among all Gateway_Chassis
 2076 belonging to the same logical router port; the chassis with the
      highest priority is preferred and the others are fallbacks.
2077
2078 options: map of string-string pairs
2079 Reserved for future use.
2080
2081 Common Columns:
2082
2083 external_ids: map of string-string pairs
2084 See External IDs at the beginning of this document.
2085
2086
2087
2088Open vSwitch 2.10.0 DB Schema 5.13.0 ovn-nb(5)