1ovn-nb(5) Open vSwitch Manual ovn-nb(5)
2
3
4
6 ovn-nb - OVN_Northbound database schema
7
8 This database is the interface between OVN and the cloud management
9 system (CMS), such as OpenStack, running above it. The CMS produces
10 almost all of the contents of the database. The ovn-northd program mon‐
11 itors the database contents, transforms it, and stores it into the
12 OVN_Southbound database.
13
14 We generally speak of ``the’’ CMS, but one can imagine scenarios in
15 which multiple CMSes manage different parts of an OVN deployment.
16
17 External IDs
18 Each of the tables in this database contains a special column, named
19 external_ids. This column has the same form and purpose each place it
20 appears.
21
22 external_ids: map of string-string pairs
23 Key-value pairs for use by the CMS. The CMS might use
24 certain pairs, for example, to identify entities in its
25 own configuration that correspond to those in this data‐
26 base.
27
29 The following list summarizes the purpose of each of the tables in the
30 OVN_Northbound database. Each table is described in more detail on a
31 later page.
32
33 Table Purpose
34 NB_Global Northbound configuration
35 Logical_Switch
36 L2 logical switch
37 Logical_Switch_Port
38 L2 logical switch port
39 Address_Set
40 Address Sets
41 Port_Group
42 Port Groups
43 Load_Balancer
44 load balancer
45 ACL Access Control List (ACL) rule
46 Logical_Router
47 L3 logical router
48 QoS QoS rule
49 Meter Meter entry
50 Meter_Band
51 Band for meter entries
52 Logical_Router_Port
53 L3 logical router port
54 Logical_Router_Static_Route
55 Logical router static routes
56 Logical_Router_Policy
57 Logical router policies
58 NAT NAT rules
59 DHCP_Options
60 DHCP options
61 Connection
62 OVSDB client connections.
63 DNS Native DNS resolution
64 SSL SSL configuration.
65 Gateway_Chassis
66 Gateway_Chassis configuration.
67 HA_Chassis_Group
68 HA_Chassis_Group configuration.
69 HA_Chassis
70 HA_Chassis configuration.
71
73 Northbound configuration for an OVN system. This table must have
74 exactly one row.
75
76 Summary:
77 Status:
78 nb_cfg integer
79 sb_cfg integer
80 hv_cfg integer
81 Common Columns:
82 external_ids map of string-string pairs
83 Common options:
84 options map of string-string pairs
85 Options for configuring BFD:
86 options : bfd-min-rx optional string
87 options : bfd-decay-min-rx
88 optional string
89 options : bfd-min-tx optional string
90 options : bfd-mult optional string
91 options : mac_prefix optional string
92 options : controller_event optional string, either true or false
93 Connection Options:
94 connections set of Connections
95 ssl optional SSL
96 Security Configurations:
97 ipsec boolean
98
99 Details:
100 Status:
101
102 These columns allow a client to track the overall configuration state
103 of the system.
104
105 nb_cfg: integer
106 Sequence number for client to increment. When a client modifies
107 any part of the northbound database configuration and wishes to
108 wait for ovn-northd and possibly all of the hypervisors to fin‐
109 ish applying the changes, it may increment this sequence number.
110
111 sb_cfg: integer
112 Sequence number that ovn-northd sets to the value of nb_cfg
113 after it finishes applying the corresponding configuration
114 changes to the OVN_Southbound database.
115
116 hv_cfg: integer
117 Sequence number that ovn-northd sets to the smallest sequence
118 number of all the chassis in the system, as reported in the
119 Chassis table in the southbound database. Thus, hv_cfg equals
120 nb_cfg if all chassis are caught up with the northbound configu‐
121 ration (which may never happen, if any chassis is down). This
122 value can regress, if a chassis was removed from the system and
123 rejoins before catching up.
124
125 Common Columns:
126
127 external_ids: map of string-string pairs
128 See External IDs at the beginning of this document.
129
130 Common options:
131
132 options: map of string-string pairs
133 This column provides general key/value settings. The supported
134 options are described individually below.
135
136 Options for configuring BFD:
137
138 These options apply when ovn-controller configures BFD on tunnel
139 interfaces.
140
141 options : bfd-min-rx: optional string
142 BFD option min-rx value to use when configuring BFD on tunnel
143 interfaces.
144
145 options : bfd-decay-min-rx: optional string
146 BFD option decay-min-rx value to use when configuring BFD on
147 tunnel interfaces.
148
149 options : bfd-min-tx: optional string
150 BFD option min-tx value to use when configuring BFD on tunnel
151 interfaces.
152
153 options : bfd-mult: optional string
154 BFD option mult value to use when configuring BFD on tunnel
155 interfaces.
156
157 options : mac_prefix: optional string
158 Configure a given OUI to be used as prefix when L2 address is
159 dynamically assigned, e.g. 00:11:22
160
161 options : controller_event: optional string, either true or false
162 Value set by the CMS to enable/disable ovn-controller event
163 reporting. Traffic into OVS can raise a ’controller’ event that
164 results in a Controller_Event being written to the Con‐
165 troller_Event table in SBDB. When the CMS has seen the event and
166 taken appropriate action, it can remove the corresponding row in
167 Controller_Event table. The intention is for a CMS to see the
168 events and take some sort of action. Please see the Con‐
169 troller_Event table in SBDB. It is possible to associate a meter
170 to each controller event type in order to not overload the pinc‐
171 trl thread under heavy load. Each event type relies on a meter
172 with a defined name:
173
174 · empty_lb_backends: event-elb
175
176 Connection Options:
177
178 connections: set of Connections
179 Database clients to which the Open vSwitch database server
180 should connect or on which it should listen, along with options
181 for how these connections should be configured. See the Connec‐
182 tion table for more information.
183
184 ssl: optional SSL
185 Global SSL configuration.
186
187 Security Configurations:
188
189 ipsec: boolean
190 Tunnel encryption configuration. If this column is set to be
191 true, all OVN tunnels will be encrypted with IPsec.
192
194 Each row represents one L2 logical switch.
195
196 There are two kinds of logical switches, that is, ones that fully vir‐
197 tualize the network (overlay logical switches) and ones that provide
198 simple connectivity to a physical network (bridged logical switches).
199 They work in the same way when providing connectivity between logical
200 ports on the same chassis, but differently when connecting remote logical
201 ports. Overlay logical switches connect remote logical ports by tun‐
202 nels, while bridged logical switches provide connectivity to remote
203 ports by bridging the packets to a directly connected physical L2 segment
204 with the help of localnet ports. Each bridged logical switch has one
205 and only one localnet port, which has only one special address unknown.
206
207 Summary:
208 ports set of Logical_Switch_Ports
209 load_balancer set of weak reference to Load_Balancers
210 acls set of ACLs
211 qos_rules set of QoSs
212 dns_records set of weak reference to DNSs
213 Naming:
214 name string
215 external_ids : neutron:network_name
216 optional string
217 IP Address Assignment:
218 other_config : subnet optional string
219 other_config : exclude_ips optional string
220 other_config : ipv6_prefix optional string
221 other_config : mac_only optional string, either true or false
222 IP Multicast Snooping Options:
223 other_config : mcast_snoop optional string, either true or false
224 other_config : mcast_querier
225 optional string, either true or false
226 other_config : mcast_flood_unregistered
227 optional string, either true or false
228 other_config : mcast_table_size
229 optional string, containing an integer,
230 in range 1 to 32,766
231 other_config : mcast_idle_timeout
232 optional string, containing an integer,
233 in range 15 to 3,600
234 other_config : mcast_query_interval
235 optional string, containing an integer,
236 in range 1 to 3,600
237 other_config : mcast_query_max_response
238 optional string, containing an integer,
239 in range 1 to 10
240 other_config : mcast_eth_src
241 optional string
242 other_config : mcast_ip4_src
243 optional string
244 Common Columns:
245 external_ids map of string-string pairs
246
247 Details:
248 ports: set of Logical_Switch_Ports
249 The logical ports connected to the logical switch.
250
251 It is an error for multiple logical switches to include the same
252 logical port.
253
254 load_balancer: set of weak reference to Load_Balancers
255 Load balance a virtual ip address to a set of logical port end‐
256 point ip addresses.
257
258 acls: set of ACLs
259 Access control rules that apply to packets within the logical
260 switch.
261
262 qos_rules: set of QoSs
263 QoS marking and metering rules that apply to packets within the
264 logical switch.
265
266 dns_records: set of weak reference to DNSs
267 This column defines the DNS records to be used for resolving
268 internal DNS queries within the logical switch by the native DNS
269 resolver. Please see the DNS table.
270
271 Naming:
272
273 These columns provide names for the logical switch. From OVN’s perspec‐
274 tive, these names have no special meaning or purpose other than to pro‐
275 vide convenience for human interaction with the database. There is no
276 requirement for the name to be unique. (For a unique identifier for a
277 logical switch, use its row UUID.)
278
279 (Originally, name was intended to serve the purpose of a human-friendly
280 name, but the Neutron integration used it to uniquely identify its own
281 switch object, in the format neutron-uuid. Later on, Neutron started
282 propagating the friendly name of a switch as external_ids:neutron:net‐
283 work_name. Perhaps this can be cleaned up someday.)
284
285 name: string
286 A name for the logical switch.
287
288 external_ids : neutron:network_name: optional string
289 Another name for the logical switch.
290
291 IP Address Assignment:
292
293 These options control automatic IP address management (IPAM) for ports
294 attached to the logical switch. To enable IPAM for IPv4, set other_con‐
295 fig:subnet and optionally other_config:exclude_ips. To enable IPAM for
296 IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be enabled
297 together or separately.
298
299 To request dynamic address assignment for a particular port, use the
300 dynamic keyword in the addresses column of the port’s Logi‐
301 cal_Switch_Port row. This requests both an IPv4 and an IPv6 address, if
302 IPAM for IPv4 and IPv6 are both enabled.
303
304 other_config : subnet: optional string
305 Set this to an IPv4 subnet, e.g. 192.168.0.0/24, to enable
306 ovn-northd to automatically assign IP addresses within that sub‐
307 net.
308
309 other_config : exclude_ips: optional string
310 To exclude some addresses from automatic IP address management,
311 set this to a list of the IPv4 addresses or ..-delimited ranges
312 to exclude. The addresses or ranges should be a subset of those
313 in other_config:subnet.
314
315 Whether listed or not, ovn-northd will never allocate the first
316 or last address in a subnet, such as 192.168.0.0 or
317 192.168.0.255 in 192.168.0.0/24.
318
319 Examples:
320
321 · 192.168.0.2 192.168.0.10
322
323 · 192.168.0.4 192.168.0.30..192.168.0.60
324 192.168.0.110..192.168.0.120
325
326 · 192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30
327 192.168.0.144
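
The subnet and exclude_ips rules above, worked through as an added example (not part of the original manual and not ovn-northd's code). The function names are hypothetical, and rejecting an exclusion outside the subnet is a lint choice made here for the page's "should be a subset" wording.

```python
import ipaddress

# The three exclude_ips examples listed in the manual text above.
PAGE_EXAMPLES = [
    "192.168.0.2 192.168.0.10",
    "192.168.0.4 192.168.0.30..192.168.0.60 192.168.0.110..192.168.0.120",
    "192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30 192.168.0.144",
]


def parse_exclude_ips(spec):
    """Parse an other_config:exclude_ips string.

    The value is a whitespace-separated list of IPv4 addresses or
    ".."-delimited ranges. Returns sorted (low, high) inclusive integer pairs.
    """
    ranges = []
    for token in spec.split():
        first, sep, last = token.partition("..")
        low = ipaddress.IPv4Address(first)
        high = ipaddress.IPv4Address(last) if sep else low
        if high < low:
            raise ValueError(f"range ends before it starts: {token}")
        ranges.append((int(low), int(high)))
    return sorted(ranges)


def allocatable_ipv4(subnet, exclude_ips=""):
    """List the addresses left for dynamic assignment in other_config:subnet.

    The first and last address of the subnet are never offered, whether or
    not they are listed in exclude_ips.
    """
    net = ipaddress.IPv4Network(subnet)  # raises if host bits are set
    first = int(net.network_address)
    last = int(net.broadcast_address)
    excluded = parse_exclude_ips(exclude_ips)
    for low, high in excluded:
        if low < first or high > last:
            # Lint choice of this example: flag exclusions outside the subnet.
            raise ValueError(
                f"{ipaddress.IPv4Address(low)}..{ipaddress.IPv4Address(high)} "
                f"is not inside {net}"
            )
    return [
        str(ipaddress.IPv4Address(addr))
        for addr in range(first + 1, last)
        if not any(low <= addr <= high for low, high in excluded)
    ]


if __name__ == "__main__":
    for spec in PAGE_EXAMPLES:
        pool = allocatable_ipv4("192.168.0.0/24", spec)
        print(f"{len(pool):3d} addresses left after excluding: {spec}")
```
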
328
329 other_config : ipv6_prefix: optional string
330 Set this to an IPv6 prefix to enable ovn-northd to automatically
331 assign IPv6 addresses using this prefix. The assigned IPv6
332 address will be generated using the IPv6 prefix and the MAC
333 address (converted to an IEEE EUI64 identifier) of the port. The
334 IPv6 prefix defined here should be a valid IPv6 address ending
335 with ::.
336
337 Examples:
338
339 · aef0::
340
341 · bef0:1234:a890:5678::
342
343 · 8230:5678::
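
The address derivation described for ipv6_prefix, as an added example (not part of the original manual and not ovn-northd's code). The function name is hypothetical, the MAC addresses are constructed sample values, and the check that the prefix leaves the low 64 bits free is an assumption that follows from the EUI-64 identifier being 64 bits long.

```python
import ipaddress


def eui64_address(prefix, mac):
    """Combine an other_config:ipv6_prefix value with a port MAC address.

    The MAC is converted to a modified EUI-64 interface identifier: the
    universal/local bit of the first octet is inverted and ff:fe is inserted
    between the third and fourth octets.
    """
    if not prefix.endswith("::"):
        raise ValueError("prefix must end with '::'")
    base = ipaddress.IPv6Address(prefix)  # raises on a malformed address
    if int(base) & ((1 << 64) - 1):
        # Assumption of this example: the identifier needs the low 64 bits.
        raise ValueError("prefix must not use the low 64 bits")

    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("MAC address must have six octets")
    octets = bytes(int(part, 16) for part in parts)

    interface_id = (
        bytes([octets[0] ^ 0x02])  # invert the universal/local bit
        + octets[1:3]
        + b"\xff\xfe"
        + octets[3:]
    )
    return ipaddress.IPv6Address(int(base) | int.from_bytes(interface_id, "big"))


if __name__ == "__main__":
    # Constructed inputs: prefixes in the form shown above, sample MACs.
    print(eui64_address("aef0::", "80:fa:5b:06:72:b7"))
    print(eui64_address("bef0:1234:a890:5678::", "fa:16:3e:20:3f:41"))
```
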
344
345 other_config : mac_only: optional string, either true or false
346 Value used to request to assign L2 address only if neither
347 subnet nor ipv6_prefix are specified.
348
349 IP Multicast Snooping Options:
350
351 These options control IP Multicast Snooping configuration of the logi‐
352 cal switch. To enable IP Multicast Snooping set other_con‐
353 fig:mcast_snoop to true. To enable IP Multicast Querier set other_con‐
354 fig:mcast_snoop to true. If IP Multicast Querier is enabled other_con‐
355 fig:mcast_eth_src and other_config:mcast_ip4_src must be set.
356
357 other_config : mcast_snoop: optional string, either true or false
358 Enables/disables IP Multicast Snooping on the logical switch.
359
360 other_config : mcast_querier: optional string, either true or false
361 Enables/disables IP Multicast Querier on the logical switch.
362
363 other_config : mcast_flood_unregistered: optional string, either true
364 or false
365 Determines whether unregistered multicast traffic should be
366 flooded or not. Only applicable if other_config:mcast_snoop is
367 enabled.
368
369 other_config : mcast_table_size: optional string, containing an inte‐
370 ger, in range 1 to 32,766
371 Number of multicast groups to be stored. Default: 2048.
372
373 other_config : mcast_idle_timeout: optional string, containing an inte‐
374 ger, in range 15 to 3,600
375 Configures the IP Multicast Snooping group idle timeout (in sec‐
376 onds). Default: 300 seconds.
377
378 other_config : mcast_query_interval: optional string, containing an
379 integer, in range 1 to 3,600
380 Configures the IP Multicast Querier interval between queries (in
381 seconds). Default: other_config:mcast_idle_timeout / 2.
382
383 other_config : mcast_query_max_response: optional string, containing an
384 integer, in range 1 to 10
385 Configures the value of the "max-response" field in the multi‐
386 cast queries originated by the logical switch. Default: 1 sec‐
387 ond.
388
389 other_config : mcast_eth_src: optional string
390 Configures the source Ethernet address for queries originated by
391 the logical switch.
392
393 other_config : mcast_ip4_src: optional string
394 Configures the source IPv4 address for queries originated by the
395 logical switch.
396
397 Common Columns:
398
399 external_ids: map of string-string pairs
400 See External IDs at the beginning of this document.
401
403 A port within an L2 logical switch.
404
405 Summary:
406 Core Features:
407 name string (must be unique within table)
408 type string
409 Options:
410 options map of string-string pairs
411 Options for router ports:
412 options : router-port optional string
413 options : nat-addresses optional string
414 Options for localnet ports:
415 options : network_name optional string
416 Options for l2gateway ports:
417 options : network_name optional string
418 options : l2gateway-chassis
419 optional string
420 Options for vtep ports:
421 options : vtep-physical-switch
422 optional string
423 options : vtep-logical-switch
424 optional string
425 VMI (or VIF) Options:
426 options : requested-chassis
427 optional string
428 options : qos_max_rate optional string
429 options : qos_burst optional string
430 Virtual port Options:
431 options : virtual-ip optional string
432 options : virtual-parents
433 optional string
434 IP Multicast Snooping Options:
435 options : mcast_flood optional string, either true or false
436 options : mcast_flood_reports
437 optional string, either true or false
438 Containers:
439 parent_name optional string
440 tag_request optional integer, in range 0 to 4,095
441 tag optional integer, in range 1 to 4,095
442 Port State:
443 up optional boolean
444 enabled optional boolean
445 Addressing:
446 addresses set of strings
447 dynamic_addresses optional string
448 port_security set of strings
449 DHCP:
450 dhcpv4_options optional weak reference to DHCP_Options
451 dhcpv6_options optional weak reference to DHCP_Options
452 ha_chassis_group optional HA_Chassis_Group
453 Naming:
454 external_ids : neutron:port_name
455 optional string
456 Common Columns:
457 external_ids map of string-string pairs
458
459 Details:
460 Core Features:
461
462 name: string (must be unique within table)
463 The logical port name.
464
465 For entities (VMs or containers) that are spawned in the hyper‐
466 visor, the name used here must match those used in the exter‐
467 nal_ids:iface-id in the Open_vSwitch database’s Interface table,
468 because hypervisors use external_ids:iface-id as a lookup key to
469 identify the network interface of that entity.
470
471 For containers that share a VIF within a VM, the name can be any
472 unique identifier. See Containers, below, for more information.
473
474 type: string
475 Specify a type for this logical port. Logical ports can be used
476 to model other types of connectivity into an OVN logical switch.
477 The following types are defined:
478
479 (empty string)
480 A VM (or VIF) interface.
481
482 router A connection to a logical router.
483
484 localnet
485 A connection to a locally accessible network from each
486 ovn-controller instance. A logical switch can only have a
487 single localnet port attached. This is used to model
488 direct connectivity to an existing network.
489
490 localport
491 A connection to a local VIF. Traffic that arrives on a
492 localport is never forwarded over a tunnel to another
493 chassis. These ports are present on every chassis and
494 have the same address in all of them. This is used to
495 model connectivity to local services that run on every
496 hypervisor.
497
498 l2gateway
499 A connection to a physical network.
500
501 vtep A port to a logical switch on a VTEP gateway.
502
503 external
504 Represents a logical port which is external and not hav‐
505 ing an OVS port in the integration bridge. OVN will never
506 receive any traffic from this port or send any traffic to
507 this port. OVN can support native services like
508 DHCPv4/DHCPv6/DNS for this port. If ha_chassis_group is
509 defined, ovn-controller running in the master chassis of
510 the HA chassis group will bind this port to provide these
511 native services. It is expected that this port belongs to
512 a bridged logical switch (with a localnet port).
513
514 It is recommended to use the same HA chassis group for
515 all the external ports of a logical switch. Otherwise,
516 the physical switch might see MAC flap issue when differ‐
517 ent chassis provide the native services. For example when
518 supporting native DHCPv4 service, DHCPv4 server mac (con‐
519 figured in options:server_mac column in table
520 DHCP_Options) originating from different ports can cause
521 MAC flap issue. The MAC of the logical router IP(s) can
522 also flap if the same HA chassis group is not set for all
523 the external ports of a logical switch.
524
525 Below are some of the use cases where external ports can
526 be used.
527
528 · VMs connected to SR-IOV NICs - Traffic from these
529 VMs bypasses the kernel stack, and the local
530 ovn-controller does not bind these ports and cannot
531 serve the native services.
532
533 · When CMS supports provisioning baremetal servers.
534
535 virtual
536 Represents a logical port which does not have an OVS port
537 in the integration bridge and has a virtual ip configured
538 in the options:virtual-ip column. This virtual ip can
539 move around between the logical ports configured in the
540 options:virtual-parents column.
541
542 One of the use cases where virtual ports can be used is:
543
544 · The virtual ip represents a load balancer vip and
545 the virtual parents provide load balancer service
546 in an active-standby setup with the active virtual
547 parent owning the virtual ip.
548
549 Options:
550
551 options: map of string-string pairs
552 This column provides key/value settings specific to the logical
553 port type. The type-specific options are described individually
554 below.
555
556 Options for router ports:
557
558 These options apply when type is router.
559
560 options : router-port: optional string
561 Required. The name of the Logical_Router_Port to which this log‐
562 ical switch port is connected.
563
564 options : nat-addresses: optional string
565 This is used to send gratuitous ARPs for SNAT and DNAT IP
566 addresses via the localnet port that is attached to the same
567 logical switch as this type router port. This option is speci‐
568 fied on a logical switch port that is connected to a gateway
569 router, or a logical switch port that is connected to a distrib‐
570 uted gateway port on a logical router.
571
572 This must take one of the following forms:
573
574 router Gratuitous ARPs will be sent for all SNAT and DNAT exter‐
575 nal IP addresses and for all load balancer IP addresses
576 defined on the options:router-port’s logical router,
577 using the options:router-port’s MAC address.
578
579 This form of options:nat-addresses is valid for logical
580 switch ports where options:router-port is the name of a
581 port on a gateway router, or the name of a distributed
582 gateway port.
583
584 Supported only in OVN 2.8 and later. Earlier versions
585 required NAT addresses to be manually synchronized.
586
587 Ethernet address followed by one or more IPv4 addresses
588 Example: 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24.
589 This would result in generation of gratuitous ARPs for IP
590 addresses 158.36.44.22 and 158.36.44.24 with a MAC
591 address of 80:fa:5b:06:72:b7.
592
593 This form of options:nat-addresses is only valid for log‐
594 ical switch ports where options:router-port is the name
595 of a port on a gateway router.
596
597 Options for localnet ports:
598
599 These options apply when type is localnet.
600
601 options : network_name: optional string
602 Required. The name of the network to which the localnet port is
603 connected. Each hypervisor, via ovn-controller, uses its local
604 configuration to determine exactly how to connect to this
605 locally accessible network.
606
607 Options for l2gateway ports:
608
609 These options apply when type is l2gateway.
610
611 options : network_name: optional string
612 Required. The name of the network to which the l2gateway port is
613 connected. The L2 gateway, via ovn-controller, uses its local
614 configuration to determine exactly how to connect to this net‐
615 work.
616
617 options : l2gateway-chassis: optional string
618 Required. The chassis on which the l2gateway logical port should
619 be bound to. ovn-controller running on the defined chassis will
620 connect this logical port to the physical network.
621
622 Options for vtep ports:
623
624 These options apply when type is vtep.
625
626 options : vtep-physical-switch: optional string
627 Required. The name of the VTEP gateway.
628
629 options : vtep-logical-switch: optional string
630 Required. A logical switch name connected by the VTEP gateway.
631
632 VMI (or VIF) Options:
633
634 These options apply to logical ports whose type is (empty string).
635
636 options : requested-chassis: optional string
637 If set, identifies a specific chassis (by name or hostname) that
638 is allowed to bind this port. Using this option will prevent
639 thrashing between two chassis trying to bind the same port dur‐
640 ing a live migration. It can also prevent similar thrashing due
641 to a mis-configuration, if a port is accidentally created on
642 more than one chassis.
643
644 options : qos_max_rate: optional string
645 If set, indicates the maximum rate for data sent from this
646 interface, in bit/s. The traffic will be shaped according to
647 this limit.
648
649 options : qos_burst: optional string
650 If set, indicates the maximum burst size for data sent from this
651 interface, in bits.
652
653 Virtual port Options:
654
655 These options apply when type is virtual.
656
657 options : virtual-ip: optional string
658 This option represents the virtual IPv4 address.
659
660 options : virtual-parents: optional string
661 This option represents a set of logical port names (within the
662 same logical switch) which can own the virtual ip configured in
663 the options:virtual-ip. All these virtual parents should add the
664 virtual ip in the port_security if port security addresses are
665 enabled.
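
A configuration check for the virtual-parents requirement above, as an added example (not part of the original manual or of OVN). The row layout, port names and function names are hypothetical. It assumes virtual-parents is a comma-separated list, applies the mask rule from the port_security description, and treats a port_security element with only an Ethernet address as placing no restriction on IP addresses.

```python
import ipaddress


def element_permits(element, ip):
    """Return True if one port_security element allows the host to use ip."""
    tokens = element.split()
    if len(tokens) == 1:
        # Assumption: an element with only a MAC does not restrict IPs.
        return True
    for token in tokens[1:]:
        iface = ipaddress.ip_interface(token)
        if iface.version != ip.version:
            continue
        if iface.ip == iface.network.network_address:
            # Host part is zero: any address in the subnet is allowed.
            if ip in iface.network:
                return True
        elif iface.ip == ip:
            # Host part is nonzero: the mask only gives the subnet size.
            return True
    return False


def check_virtual_ports(ports):
    """Find virtual parents whose port_security would block the virtual ip.

    ports maps Logical_Switch_Port name to a dict with the keys "type",
    "options" and "port_security", all taken from one logical switch.
    Returns (virtual_port, parent, problem) tuples.
    """
    findings = []
    for name, row in ports.items():
        if row.get("type") != "virtual":
            continue
        options = row.get("options", {})
        vip_text = options.get("virtual-ip")
        parents = [p.strip() for p in options.get("virtual-parents", "").split(",")
                   if p.strip()]
        if not vip_text or not parents:
            findings.append((name, None, "virtual-ip or virtual-parents not set"))
            continue
        vip = ipaddress.IPv4Address(vip_text)
        for parent in parents:
            parent_row = ports.get(parent)
            if parent_row is None:
                findings.append((name, parent, "parent is not on this logical switch"))
                continue
            port_security = parent_row.get("port_security", [])
            if not port_security:
                continue  # empty column: all addresses are permitted
            if not any(element_permits(e, vip) for e in port_security):
                findings.append((name, parent, "port_security lacks the virtual ip"))
    return findings


# Constructed sample rows for one logical switch.
SAMPLE_PORTS = {
    "vip-port": {"type": "virtual", "port_security": [],
                 "options": {"virtual-ip": "10.0.0.10",
                             "virtual-parents": "p1,p2,p3,p4,p9"}},
    "p1": {"type": "", "options": {},
           "port_security": ["50:54:00:00:00:03 10.0.0.3 10.0.0.10"]},
    "p2": {"type": "", "options": {},
           "port_security": ["50:54:00:00:00:04 10.0.0.4"]},
    "p3": {"type": "", "options": {}, "port_security": []},
    "p4": {"type": "", "options": {},
           "port_security": ["50:54:00:00:00:05 10.0.0.0/24"]},
}

if __name__ == "__main__":
    for finding in check_virtual_ports(SAMPLE_PORTS):
        print(finding)
```
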
666
667 IP Multicast Snooping Options:
668
669 These options apply when the port is part of a logical switch which has
670 other_config :mcast_snoop set to true.
671
672 options : mcast_flood: optional string, either true or false
673 If set to true, multicast packets (except reports) are uncondi‐
674 tionally forwarded to the specific port.
675
676 options : mcast_flood_reports: optional string, either true or false
677 If set to true, multicast reports are unconditionally forwarded
678 to the specific port.
679
680 Containers:
681
682 When a large number of containers are nested within a VM, it may be too
683 expensive to dedicate a VIF to each container. OVN can use VLAN tags to
684 support such cases. Each container is assigned a VLAN ID and each
685 packet that passes between the hypervisor and the VM is tagged with the
686 appropriate ID for the container. Such VLAN IDs never appear on a phys‐
687 ical wire, even inside a tunnel, so they need not be unique except rel‐
688 ative to a single VM on a hypervisor.
689
690 These columns are used for VIFs that represent nested containers using
691 shared VIFs. For VMs and for containers that have dedicated VIFs, they
692 are empty.
693
694 parent_name: optional string
695 The VM interface through which the nested container sends its
696 network traffic. This must match the name column for some other
697 Logical_Switch_Port.
698
699 tag_request: optional integer, in range 0 to 4,095
700 The VLAN tag in the network traffic associated with a con‐
701 tainer’s network interface. The client can request ovn-northd to
702 allocate a tag that is unique within the scope of a specific
703 parent (specified in parent_name) by setting a value of 0 in
704 this column. The allocated value is written by ovn-northd in the
705 tag column. (Note that these tags are allocated and managed
706 locally in ovn-northd, so they cannot be reconstructed in the
707 event that the database is lost.) The client can also request a
708 specific non-zero tag and ovn-northd will honor it and copy that
709 value to the tag column.
710
711 When type is set to localnet or l2gateway, this can be set to
712 indicate that the port represents a connection to a specific
713 VLAN on a locally accessible network. The VLAN ID is used to
714 match incoming traffic and is also added to outgoing traffic.
715
716 tag: optional integer, in range 1 to 4,095
717 The VLAN tag allocated by ovn-northd based on the contents of
718 the tag_request column.
719
720 Port State:
721
722 up: optional boolean
723 This column is populated by ovn-northd, rather than by the CMS
724 plugin as is most of this database. When a logical port is bound
725 to a physical location in the OVN Southbound database Binding
726 table, ovn-northd sets this column to true; otherwise, or if the
727 port becomes unbound later, it sets it to false. If this column
728 is empty, the port is not considered up. This allows the CMS to
729 wait for a VM’s (or container’s) networking to become active
730 before it allows the VM (or container) to start.
731
732 Logical ports of router type are an exception to this rule. They
733 are considered to be always up, that is this column is always
734 set to true.
735
736 enabled: optional boolean
737 This column is used to administratively set port state. If this
738 column is empty or is set to true, the port is enabled. If this
739 column is set to false, the port is disabled. A disabled port
740 has all ingress and egress traffic dropped.
741
742 Addressing:
743
744 addresses: set of strings
745 Addresses owned by the logical port.
746
747 Each element in the set must take one of the following forms:
748
749 Ethernet address followed by zero or more IPv4 or IPv6 addresses
750 (or both)
751 An Ethernet address defined is owned by the logical port.
752 Like a physical Ethernet NIC, a logical port ordinarily
753 has a single fixed Ethernet address.
754
755 When an OVN logical switch processes a unicast Ethernet
756 frame whose destination MAC address is in a logical
757 port’s addresses column, it delivers it only to that
758 port, as if a MAC learning process had learned that MAC
759 address on the port.
760
761 If IPv4 or IPv6 address(es) (or both) are defined, it
762 indicates that the logical port owns the given IP
763 addresses.
764
765 If IPv4 address(es) are defined, the OVN logical switch
766 uses this information to synthesize responses to ARP
767 requests without traversing the physical network. The OVN
768 logical router connected to the logical switch, if any,
769 uses this information to avoid issuing ARP requests for
770 logical switch ports.
771
772 Note that the order here is important. The Ethernet
773 address must be listed before the IP address(es) if
774 defined.
775
776 Examples:
777
778 80:fa:5b:06:72:b7
779 This indicates that the logical port owns the
780 above mac address.
781
782 80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
783 This indicates that the logical port owns the mac
784 address and two IPv4 addresses.
785
786 80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
787 This indicates that the logical port owns the mac
788 address and 1 IPv6 address.
789
790 80:fa:5b:06:72:b7 10.0.0.4
791 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
792 This indicates that the logical port owns the mac
793 address and 1 IPv4 address and 1 IPv6 address.
794
795 unknown
796 This indicates that the logical port has an unknown set
797 of Ethernet addresses. When an OVN logical switch pro‐
798 cesses a unicast Ethernet frame whose destination MAC
799 address is not in any logical port’s addresses column, it
800 delivers it to the port (or ports) whose addresses col‐
801 umns include unknown.
802
803 dynamic
804 Use this keyword to make ovn-northd generate a globally
805 unique MAC address and choose an unused IPv4 address with
806 the logical port’s subnet and store them in the port’s
807 dynamic_addresses column. ovn-northd will use the subnet
808 specified in other_config:subnet in the port’s Logi‐
809 cal_Switch.
810
811 Ethernet address followed by keyword "dynamic"
812 The keyword dynamic after the MAC address indicates that
813 ovn-northd should choose an unused IPv4 address from the
814 logical port’s subnet and store it with the specified MAC
815 in the port’s dynamic_addresses column. ovn-northd will
816 use the subnet specified in other_config:subnet in the
817 port’s Logical_Switch table.
818
819 Examples:
820
821 80:fa:5b:06:72:b7 dynamic
822 This indicates that the logical port owns the
823 specified MAC address and ovn-northd should allo‐
824 cate an unused IPv4 address for the logical port
825 from the corresponding logical switch subnet.
826
827 Keyword "dynamic" followed by an IPv4/IPv6 address
828 The keyword dynamic followed by an IPv4/IPv6 address
829 indicates that ovn-northd should choose a dynamic ether‐
830 net address and use the provided IPv4/IPv6 address as
831 network address.
832
833 Examples:
834
835 dynamic 192.168.0.1 2001::1
836 This indicates that ovn-northd should allocate a
837 unique MAC address and use the provided IPv4/IPv6
838 address for the related port.
839
840 router Accepted only when type is router. This indicates that
841 the Ethernet, IPv4, and IPv6 addresses for this logical
842 switch port should be obtained from the connected logical
843 router port, as specified by router-port in options.
844
845 The resulting addresses are used to populate the logical
846 switch’s destination lookup, and also for the logical
847 switch to generate ARP and ND replies.
848
If the connected logical router port has a redirect-chassis
specified and the logical router has rules specified
in nat with external_mac, then those addresses are also
used to populate the switch’s destination lookup.
853
854 Supported only in OVN 2.7 and later. Earlier versions
855 required router addresses to be manually synchronized.
856
857 dynamic_addresses: optional string
Addresses assigned to the logical port by ovn-northd, if dynamic
is specified in addresses. Addresses will be of the same format
as those that populate the addresses column. Note that dynamically
assigned addresses are constructed and managed locally in
ovn-northd, so they cannot be reconstructed in the event that
the database is lost.
864
865 port_security: set of strings
This column controls the addresses from which the host attached
to the logical port ("the host") is allowed to send packets
and to which it is allowed to receive packets. If this column is
empty, all addresses are permitted.

Each element in the set must begin with one Ethernet address.
This restricts the host to sending packets from and receiving
packets to the Ethernet addresses defined in the logical
port’s port_security column. It also restricts the inner source
MAC addresses that the host may send in ARP and IPv6 Neighbor
Discovery packets. The host is always allowed to receive packets
to multicast and broadcast Ethernet addresses.
878
Each element in the set may additionally contain one or more
IPv4 or IPv6 addresses (or both), with optional masks. If a mask
is given, it must be a CIDR mask. In addition to the restrictions
described for Ethernet addresses above, such an element
restricts the IPv4 or IPv6 addresses from which the host may
send and to which it may receive packets to the specified
addresses. A masked address, if the host part is zero, indicates
that the host is allowed to use any address in the subnet; if
the host part is nonzero, the mask simply indicates the size of
the subnet. In addition:
889
· If any IPv4 address is given, the host is also allowed to
  receive packets to the IPv4 local broadcast address
  255.255.255.255 and to IPv4 multicast addresses
  (224.0.0.0/4). If an IPv4 address with a mask is given,
  the host is also allowed to receive packets to the broadcast
  address in that specified subnet.

  If any IPv4 address is given, the host is additionally
  restricted to sending ARP packets with the specified
  source IPv4 address. (RARP is not restricted.)

· If any IPv6 address is given, the host is also allowed to
  receive packets to IPv6 multicast addresses (ff00::/8).

  If any IPv6 address is given, the host is additionally
  restricted to sending IPv6 Neighbor Discovery Solicitation
  or Advertisement packets with the specified source
  address or, for solicitations, the unspecified address.
908
909 If an element includes an IPv4 address, but no IPv6 addresses,
910 then IPv6 traffic is not allowed. If an element includes an IPv6
911 address, but no IPv4 address, then IPv4 and ARP traffic is not
912 allowed.
913
914 This column uses the same lexical syntax as the match column in
915 the OVN Southbound database’s Pipeline table. Multiple addresses
916 within an element may be space or comma separated.
917
918 This column is provided as a convenience to cloud management
919 systems, but all of the features that it implements can be
920 implemented as ACLs using the ACL table.
921
922 Examples:
923
924 80:fa:5b:06:72:b7
The host may send traffic from and receive traffic to the
specified MAC address, and may receive traffic to Ethernet
multicast and broadcast addresses, but not otherwise. The
host may not send ARP or IPv6 Neighbor Discovery packets
with inner source Ethernet addresses other than the one
specified.
931
932 80:fa:5b:06:72:b7 192.168.1.10/24
933 This adds further restrictions to the first example. The
934 host may send IPv4 packets from or receive IPv4 packets
935 to only 192.168.1.10, except that it may also receive
936 IPv4 packets to 192.168.1.255 (based on the subnet mask),
937 255.255.255.255, and any address in 224.0.0.0/4. The host
938 may not send ARPs with a source Ethernet address other
939 than 80:fa:5b:06:72:b7 or source IPv4 address other than
940 192.168.1.10. The host may not send or receive any IPv6
941 (including IPv6 Neighbor Discovery) traffic.
942
943 "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
The host may send traffic from and receive traffic to the
specified MAC addresses, and may receive traffic to Ethernet
multicast and broadcast addresses, but not otherwise.
With MAC 80:fa:5b:12:42:ba, the host may send traffic
from and receive traffic to any L3 address. With MAC
80:fa:5b:06:72:b7, the host may send IPv4 packets from or
receive IPv4 packets to only 192.168.1.10, except that it
may also receive IPv4 packets to 192.168.1.255 (based on
the subnet mask), 255.255.255.255, and any address in
224.0.0.0/4. The host may not send or receive any IPv6
(including IPv6 Neighbor Discovery) traffic.
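
The port_security rules above can be checked mechanically. The following Python model is an added example, not OVN code: it covers only the Ethernet and IP address rules stated in this section (not the ARP/ND inner-field checks), and the function names and the "send"/"receive" direction labels are assumptions made for the illustration.

```python
import ipaddress

V4_BCAST = ipaddress.ip_address("255.255.255.255")
V4_MCAST = ipaddress.ip_network("224.0.0.0/4")
V6_MCAST = ipaddress.ip_network("ff00::/8")


def parse_element(element):
    """Split one port_security element into (mac, [ip interfaces])."""
    tokens = element.replace(",", " ").split()  # space or comma separated
    return tokens[0].lower(), [ipaddress.ip_interface(t) for t in tokens[1:]]


def is_group_mac(mac):
    """True for Ethernet multicast and broadcast (group bit set)."""
    return int(mac.split(":")[0], 16) & 1 == 1


def ip_permitted(ifaces, addr, receiving):
    """Apply one element's L3 rules to a source (send) or destination (receive) IP."""
    if not ifaces:
        return True  # MAC-only element: any L3 address
    same_family = [i for i in ifaces if i.version == addr.version]
    if not same_family:
        return False  # IPv4-only element blocks IPv6, and vice versa
    for iface in same_family:
        net = iface.network
        masked = net.prefixlen < net.max_prefixlen
        if masked and iface.ip == net.network_address:
            if addr in net:  # host part zero: whole subnet usable
                return True
        elif addr == iface.ip:  # host part nonzero: mask only sizes the subnet
            return True
        if receiving and masked and addr.version == 4 and addr == net.broadcast_address:
            return True  # subnet broadcast may be received
    if receiving and addr.version == 4:
        return addr == V4_BCAST or addr in V4_MCAST
    if receiving:
        return addr in V6_MCAST
    return False


def permitted(port_security, direction, eth, ip=None):
    """direction 'send' checks source addresses, 'receive' checks destinations."""
    if not port_security:
        return True  # empty column: all addresses permitted
    receiving = direction == "receive"
    eth = eth.lower()
    if receiving and is_group_mac(eth):
        return True  # multicast/broadcast Ethernet is always receivable
    addr = ipaddress.ip_address(ip) if ip else None
    for element in port_security:
        mac, ifaces = parse_element(element)
        if eth == mac and (addr is None or ip_permitted(ifaces, addr, receiving)):
            return True
    return False


# The third example from this section: one MAC-only element, one MAC + IPv4 element.
EXAMPLE = ["80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"]

if __name__ == "__main__":
    cases = [  # constructed packets
        ("send", "80:fa:5b:06:72:b7", "192.168.1.10"),
        ("send", "80:fa:5b:06:72:b7", "192.168.1.11"),
        ("receive", "80:fa:5b:06:72:b7", "192.168.1.255"),
        ("send", "80:fa:5b:06:72:b7", "2001:db8::1"),
        ("send", "80:fa:5b:12:42:ba", "10.9.9.9"),
    ]
    for direction, eth, ip in cases:
        print(direction, eth, ip, permitted(EXAMPLE, direction, eth, ip))
```
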
955
956 DHCP:
957
958 dhcpv4_options: optional weak reference to DHCP_Options
959 This column defines the DHCPv4 Options to be included by the
960 ovn-controller when it replies to the DHCPv4 requests. Please
961 see the DHCP_Options table.
962
963 dhcpv6_options: optional weak reference to DHCP_Options
964 This column defines the DHCPv6 Options to be included by the
965 ovn-controller when it replies to the DHCPv6 requests. Please
966 see the DHCP_Options table.
967
968 ha_chassis_group: optional HA_Chassis_Group
References a row in the OVN Northbound database’s
HA_Chassis_Group table. It indicates the HA chassis group to use if the
type is set to external. If type is not external, this column is
ignored.
973
974 Naming:
975
976 external_ids : neutron:port_name: optional string
This column gives an optional human-friendly name for the port.
This name has no special meaning or purpose other than to provide
convenience for human interaction with the northbound
database.

Neutron copies this from its own port object’s name. (Neutron
ports are not assigned human-friendly names by default, so it
will often be empty.)
985
986 Common Columns:
987
988 external_ids: map of string-string pairs
989 See External IDs at the beginning of this document.
990
The ovn-northd program copies all these pairs into the
external_ids column of the Port_Binding table in OVN_Southbound
database.
994
Each row in this table represents a named set of addresses. An address
set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
or CIDR masks. Address sets may ultimately be used in ACLs to compare
against fields such as ip4.src or ip6.src. A single address set must
contain addresses of the same type. As an example, the following would
create an address set with three IP addresses:

    ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'
1004
1005
Address sets may be used in the match column of the ACL table. For
syntax information, see the details of the expression language used for
the match column in the Logical_Flow table of the OVN_Southbound
database.
1010
1011 Summary:
1012 name string (must be unique within table)
1013 addresses set of strings
1014 Common Columns:
1015 external_ids map of string-string pairs
1016
1017 Details:
1018 name: string (must be unique within table)
1019 A name for the address set. Names are ASCII and must match
1020 [a-zA-Z_.][a-zA-Z_.0-9]*.
1021
1022 addresses: set of strings
1023 The set of addresses in string form.
1024
1025 Common Columns:
1026
1027 external_ids: map of string-string pairs
1028 See External IDs at the beginning of this document.
1029
1031 Each row in this table represents a named group of logical switch
1032 ports.
1033
Port groups may be used in the match column of the ACL table. For
syntax information, see the details of the expression language used for
the match column in the Logical_Flow table of the OVN_Southbound
database.

For each port group, there are two address sets generated to the
Address_Set table of the OVN_Southbound database, containing the IP
addresses of the group of ports, one for IPv4, and the other for IPv6,
with name being the name of the Port_Group followed by a suffix _ip4
for IPv4 and _ip6 for IPv6. The generated address sets can be used in
the same way as regular address sets in the match column of the ACL
table. For syntax information, see the details of the expression language
used for the match column in the Logical_Flow table of the
OVN_Southbound database.
1048
1049 Summary:
1050 name string (must be unique within table)
ports set of weak reference to Logical_Switch_Ports
1053 acls set of ACLs
1054 Common Columns:
1055 external_ids map of string-string pairs
1056
1057 Details:
1058 name: string (must be unique within table)
1059 A name for the port group. Names are ASCII and must match
1060 [a-zA-Z_.][a-zA-Z_.0-9]*.
1061
1062 ports: set of weak reference to Logical_Switch_Ports
The logical switch ports belonging to the group, referenced by UUID.
1064
1065 acls: set of ACLs
Access control rules that apply to the port group. Applying an
ACL to a port group has the same effect as applying the ACL to
all logical switches that the ports of the port group belong
to.
1070
1071 Common Columns:
1072
1073 external_ids: map of string-string pairs
1074 See External IDs at the beginning of this document.
1075
1077 Each row represents one load balancer.
1078
1079 Summary:
1080 name string
1081 vips map of string-string pairs
1082 protocol optional string, either tcp or udp
1083 Common Columns:
1084 external_ids map of string-string pairs
1085
1086 Details:
1087 name: string
A name for the load balancer. This name has no special meaning
or purpose other than to provide convenience for human
interaction with the ovn-nb database.
1091
1092 vips: map of string-string pairs
A map of virtual IP addresses (and an optional port number with
: as a separator) associated with this load balancer and their
corresponding endpoint IP addresses (and optional port numbers
with : as separators) separated by commas. If the destination IP
address (and port number) of a packet leaving a container or a
VM matches the virtual IP address (and port number) provided
here as a key, then OVN will statefully replace the destination
IP address by one of the provided IP addresses (and port numbers)
in this map as a value. IPv4 and IPv6 addresses are supported
for load balancing; however a VIP of one address family may not
be mapped to a destination IP address of a different family. If
specifying an IPv6 address with a port, the address portion must
be enclosed in square brackets. Examples for keys are
"192.168.1.4" and "[fd0f::1]:8800". Examples for value are
"10.0.0.1, 10.0.0.2" and "20.0.0.10:8800, 20.0.0.11:8800".

When the Load_Balancer is added to the logical_switch, the VIP
has to be in a different subnet than the one used for the
logical_switch. Since the VIP is in a different subnet, you should
connect your logical switch to either an OVN logical router or a
real router (this is because the client can now send a packet
with the VIP as the destination IP address and the router’s MAC address
as the destination MAC address).
1116
1117 protocol: optional string, either tcp or udp
Valid protocols are tcp or udp. This column is useful when a
port number is provided as part of the vips column. If this column
is empty and a port number is provided as part of the vips
column, OVN assumes the protocol to be tcp.
1122
1123 Common Columns:
1124
1125 external_ids: map of string-string pairs
1126 See External IDs at the beginning of this document.
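
The constraints on vips and protocol described above lend themselves to a pre-commit check. The Python below is an added example, not part of OVN: the function names and the switch_subnet parameter are assumptions, and the sample rows reuse the key and value examples from this section.

```python
import ipaddress


def parse_endpoint(text):
    """Parse 'ip', 'ipv4:port' or '[ipv6]:port' into (address, port or None)."""
    text = text.strip()
    port = None
    if text.startswith("["):
        host, _, rest = text[1:].partition("]")
        if rest:
            if not rest.startswith(":"):
                raise ValueError(f"unexpected text after ']' in {text!r}")
            port = rest[1:]
    elif text.count(":") == 1:
        host, port = text.split(":")
    else:
        # Bare IPv4 or bare IPv6. Without brackets an IPv6 string can never
        # carry a port: 'fd0f::1:8800' is simply a different address.
        host = text
    addr = ipaddress.ip_address(host)
    if port is not None:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {text!r}")
    return addr, port


def check_load_balancer(vips, protocol=None, switch_subnet=None):
    """Return (effective_protocol, problems) for one Load_Balancer row."""
    problems = []
    if protocol not in (None, "", "tcp", "udp"):
        problems.append(f"protocol {protocol!r} is not tcp or udp")
    subnet = ipaddress.ip_network(switch_subnet) if switch_subnet else None
    any_port = False
    for key, value in vips.items():
        try:
            vip, vport = parse_endpoint(key)
            backends = [parse_endpoint(b) for b in value.split(",")]
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        any_port = any_port or vport is not None
        for addr, _ in backends:
            if addr.version != vip.version:
                problems.append(
                    f"{key}: backend {addr} is IPv{addr.version}, VIP is IPv{vip.version}")
        if subnet is not None and vip.version == subnet.version and vip in subnet:
            problems.append(f"{key}: VIP lies inside the logical switch subnet {subnet}")
    # An empty protocol with a port number present is treated as tcp.
    effective = protocol or ("tcp" if any_port else None)
    return effective, problems


# Constructed row: the key and value examples from the text, deliberately
# paired so that the second entry mixes address families.
SAMPLE_VIPS = {
    "192.168.1.4": "10.0.0.1, 10.0.0.2",
    "[fd0f::1]:8800": "20.0.0.10:8800, 20.0.0.11:8800",
}

if __name__ == "__main__":
    proto, problems = check_load_balancer(SAMPLE_VIPS, switch_subnet="192.168.1.0/24")
    print("effective protocol:", proto)
    for p in problems:
        print("problem:", p)
```
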
1127
Each row in this table represents one ACL rule for a logical switch or
a port group that points to it through its acls column. The action
column for the highest-priority matching row in this table determines a
packet’s treatment. If no row matches, packets are allowed by default.
(Default-deny treatment is possible: add a rule with priority 0, 1 as
match, and drop as action.)
1135
1136 Summary:
1137 priority integer, in range 0 to 32,767
1138 direction string, either from-lport or to-lport
1139 match string
1140 action string, one of allow-related, allow,
1141 drop, or reject
1142 Logging:
1143 log boolean
1144 name optional string, at most 63 characters
1145 long
1146 severity optional string, one of alert, debug,
1147 info, notice, or warning
1148 meter optional string
1149 Common Columns:
1150 external_ids map of string-string pairs
1151
1152 Details:
1153 priority: integer, in range 0 to 32,767
1154 The ACL rule’s priority. Rules with numerically higher priority
1155 take precedence over those with lower. If two ACL rules with the
1156 same priority both match, then the one actually applied to a
1157 packet is undefined.
1158
1159 Return traffic from an allow-related flow is always allowed and
1160 cannot be changed through an ACL.
1161
1162 direction: string, either from-lport or to-lport
1163 Direction of the traffic to which this rule should apply:
1164
· from-lport: Used to implement filters on traffic arriving
  from a logical port. These rules are applied to the logical
  switch’s ingress pipeline.

· to-lport: Used to implement filters on traffic forwarded
  to a logical port. These rules are applied to the logical
  switch’s egress pipeline.
1172
1173 match: string
The packets that the ACL should match, in the same expression
language used for the match column in the OVN Southbound
database’s Logical_Flow table. The outport logical port is only
available in the to-lport direction (the inport is available in
both directions).

By default all traffic is allowed. When writing a more restrictive
policy, it is important to remember to allow flows such as
ARP and IPv6 neighbor discovery packets.

Note that you cannot create an ACL matching on a port with
type=router or type=localnet.
1186
1187 action: string, one of allow-related, allow, drop, or reject
1188 The action to take when the ACL rule matches:
1189
1190 · allow: Forward the packet.
1191
1192 · allow-related: Forward the packet and related traffic
1193 (e.g. inbound replies to an outbound connection).
1194
1195 · drop: Silently drop the packet.
1196
1197 · reject: Drop the packet, replying with a RST for TCP or
1198 ICMPv4/ICMPv6 unreachable message for other
1199 IPv4/IPv6-based protocols.
1200
1201 Logging:
1202
1203 These columns control whether and how OVN logs packets that match an
1204 ACL.
1205
1206 log: boolean
If set to true, packets that match the ACL will trigger a log
message on the transport node or nodes that perform ACL
processing. Logging may be combined with any action.
1210
1211 If set to false, the remaining columns in this group have no
1212 significance.
1213
1214 name: optional string, at most 63 characters long
1215 This name, if it is provided, is included in log records. It
1216 provides the administrator and the cloud management system a way
1217 to associate a log record with a particular ACL.
1218
severity: optional string, one of alert, debug, info, notice, or warning
The severity of the ACL. The severity levels match those of
syslog, in decreasing level of severity: alert, warning, notice,
info, or debug. When the column is empty, the default is info.
1224
1225 meter: optional string
1226 The name of a meter to rate-limit log messages for the ACL. The
1227 string must match the name column of a row in the Meter table.
1228 By default, log messages are not rate-limited.
1229
1230 Common Columns:
1231
1232 external_ids: map of string-string pairs
1233 See External IDs at the beginning of this document.
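
The ACL semantics above (allow when nothing matches, undefined result for equal priorities, the need to allow ARP and ND under a restrictive policy, unmetered logging by default) can be audited before rows are committed. This Python sketch is an added example, not OVN code: the row dictionaries, finding codes, and the text search for arp/nd in match strings are assumptions and heuristics, and treating an unmetered logging ACL as a finding is this example's own policy choice.

```python
import re
from collections import defaultdict

ACTIONS = {"allow-related", "allow", "drop", "reject"}
DIRECTIONS = ("from-lport", "to-lport")
SEVERITIES = {"alert", "debug", "info", "notice", "warning"}
ARP_ND = re.compile(r"\b(arp|nd|nd_ns|nd_na)\b")  # heuristic text search only


def audit_acls(acls):
    """Return a sorted list of (code, subject) findings for a set of ACL rows."""
    findings = set()
    slots = defaultdict(set)  # (direction, priority) -> set of actions
    for i, acl in enumerate(acls):
        subject = acl.get("name") or f"row{i}"
        if not 0 <= acl["priority"] <= 32767:
            findings.add(("BAD_PRIORITY", subject))
        if acl["action"] not in ACTIONS:
            findings.add(("BAD_ACTION", subject))
        if acl["direction"] not in DIRECTIONS:
            findings.add(("BAD_DIRECTION", subject))
        if len(acl.get("name") or "") > 63:
            findings.add(("NAME_TOO_LONG", subject))
        if acl.get("log"):
            if acl.get("severity") and acl["severity"] not in SEVERITIES:
                findings.add(("BAD_SEVERITY", subject))
            if not acl.get("meter"):
                findings.add(("UNMETERED_LOG", subject))  # no rate limit on log messages
        slots[(acl["direction"], acl["priority"])].add(acl["action"])
    # Equal priority with different actions: the applied rule is undefined
    # whenever both rows match the same packet.
    for (direction, priority), actions in slots.items():
        if len(actions) > 1:
            findings.add(("SAME_PRIORITY_CONFLICT", f"{direction}/{priority}"))
    for direction in DIRECTIONS:
        rows = [a for a in acls if a["direction"] == direction]
        if not rows:
            continue
        default_deny = any(
            a["priority"] == 0 and a["match"].strip() == "1"
            and a["action"] in ("drop", "reject") for a in rows)
        arp_nd_allowed = any(
            a["action"].startswith("allow") and ARP_ND.search(a["match"]) for a in rows)
        if not default_deny:
            findings.add(("NO_DEFAULT_DENY", direction))  # unmatched packets are allowed
        elif not arp_nd_allowed:
            findings.add(("NO_ARP_ND_ALLOW", direction))
    return sorted(findings)


# Constructed rows, using the column names of this table.
BEFORE = [
    {"name": "ssh-in", "priority": 1000, "direction": "to-lport",
     "match": 'outport == "vm1" && tcp.dst == 22', "action": "allow-related", "log": False},
    {"name": "vm1-block", "priority": 1000, "direction": "to-lport",
     "match": 'outport == "vm1" && ip4', "action": "drop", "log": True, "severity": "warning"},
    {"name": "deny-all", "priority": 0, "direction": "to-lport",
     "match": "1", "action": "drop", "log": False},
]
AFTER = [
    dict(BEFORE[0], priority=1001),
    dict(BEFORE[1], meter="acl-log"),
    {"name": "arp-nd", "priority": 900, "direction": "to-lport",
     "match": "arp || nd", "action": "allow", "log": False},
    BEFORE[2],
]

if __name__ == "__main__":
    print("before:", audit_acls(BEFORE))
    print("after: ", audit_acls(AFTER))
```
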
1234
1236 Each row represents one L3 logical router.
1237
1238 Summary:
1239 ports set of Logical_Router_Ports
1240 static_routes set of Logical_Router_Static_Routes
1241 policies set of Logical_Router_Policys
1242 enabled optional boolean
1243 nat set of NATs
1244 load_balancer set of weak reference to Load_Balancers
1245 Naming:
1246 name string
1247 external_ids : neutron:router_name
1248 optional string
1249 Options:
1250 options : chassis optional string
1251 options : dnat_force_snat_ip
1252 optional string
1253 options : lb_force_snat_ip optional string
1254 options : mcast_relay optional string, either true or false
1255 Common Columns:
1256 external_ids map of string-string pairs
1257
1258 Details:
1259 ports: set of Logical_Router_Ports
1260 The router’s ports.
1261
1262 static_routes: set of Logical_Router_Static_Routes
1263 Zero or more static routes for the router.
1264
1265 policies: set of Logical_Router_Policys
1266 Zero or more routing policies for the router.
1267
1268 enabled: optional boolean
This column is used to administratively set router state. If
this column is empty or is set to true, the router is enabled.
If this column is set to false, the router is disabled. A
disabled router has all ingress and egress traffic dropped.
1273
1274 nat: set of NATs
1275 One or more NAT rules for the router. NAT rules only work on
1276 Gateway routers, and on distributed routers with one logical
1277 router port with a redirect-chassis specified.
1278
1279 load_balancer: set of weak reference to Load_Balancers
Load balance a virtual IP address to a set of logical port IP
addresses. Load balancer rules only work on the Gateway routers.
1282
1283 Naming:
1284
These columns provide names for the logical router. From OVN’s
perspective, these names have no special meaning or purpose other than to
provide convenience for human interaction with the northbound database.
There is no requirement for the name to be unique. (For a unique
identifier for a logical router, use its row UUID.)

(Originally, name was intended to serve the purpose of a human-friendly
name, but the Neutron integration used it to uniquely identify its own
router object, in the format neutron-uuid. Later on, Neutron started
propagating the friendly name of a router as
external_ids:neutron:router_name. Perhaps this can be cleaned up someday.)
1296
1297 name: string
1298 A name for the logical router.
1299
1300 external_ids : neutron:router_name: optional string
1301 Another name for the logical router.
1302
1303 Options:
1304
1305 Additional options for the logical router.
1306
1307 options : chassis: optional string
If set, indicates that the logical router in question is a
Gateway router (which is centralized) and resides in the set
chassis. The same value is also used by ovn-controller to uniquely
identify the chassis in the OVN deployment and comes from
external_ids:system-id in the Open_vSwitch table of Open_vSwitch
database.

The Gateway router can only be connected to a distributed router
via a switch if SNAT and DNAT are to be configured in the
Gateway router.
1318
1319 options : dnat_force_snat_ip: optional string
If set, indicates the IP address to use to force SNAT a packet
that has already been DNATed in the gateway router. When
multiple gateway routers are configured, a packet can potentially
enter any of the gateway routers, get DNATted and eventually
reach the logical switch port. For the return traffic to go back
to the same gateway router (for unDNATing), the packet needs a
SNAT in the first place. This can be achieved by setting the
above option with a gateway specific IP address.
1328
1329 options : lb_force_snat_ip: optional string
If set, indicates the IP address to use to force SNAT a packet
that has already been load-balanced in the gateway router. When
multiple gateway routers are configured, a packet can potentially
enter any of the gateway routers, get DNATted as part of
the load-balancing and eventually reach the logical switch
port. For the return traffic to go back to the same gateway
router (for unDNATing), the packet needs a SNAT in the first
place. This can be achieved by setting the above option with a
gateway specific IP address.
1339
1340 options : mcast_relay: optional string, either true or false
1341 Enables/disables IP multicast relay between logical switches
1342 connected to the logical router. Default: False.
1343
1344 Common Columns:
1345
1346 external_ids: map of string-string pairs
1347 See External IDs at the beginning of this document.
1348
Each row in this table represents one QoS rule for a logical switch
that points to it through its qos_rules column. Two types of QoS are
supported: DSCP marking and metering. The highest-priority matching row
has its QoS applied. If the action column is specified, then
matching packets will have DSCP marking applied. If the bandwidth
column is specified, then matching packets will have metering applied.
action and bandwidth are not exclusive, so both marking and metering can
be defined for the same QoS entry. If no row matches, packets will not
have any QoS applied.
1359
1360 Summary:
1361 priority integer, in range 0 to 32,767
1362 direction string, either from-lport or to-lport
1363 match string
1364 action map of string-integer pairs, key must be
1365 dscp, value in range 0 to 63
1366 bandwidth map of string-integer pairs, key either
1367 burst or rate, value in range 1 to
1368 4,294,967,295
1369 external_ids map of string-string pairs
1370
1371 Details:
1372 priority: integer, in range 0 to 32,767
1373 The QoS rule’s priority. Rules with numerically higher priority
1374 take precedence over those with lower. If two QoS rules with the
1375 same priority both match, then the one actually applied to a
1376 packet is undefined.
1377
1378 direction: string, either from-lport or to-lport
This field takes the same values as the direction column in the OVN
Northbound database’s ACL table.
1381
1382 match: string
The packets that the QoS rules should match, in the same expression
language used for the match column in the OVN Southbound
database’s Logical_Flow table. The outport logical port is only
available in the to-lport direction (the inport is available in
both directions).
1388
1389 action: map of string-integer pairs, key must be dscp, value in range 0
1390 to 63
1391 When specified, matching flows will have DSCP marking applied.
1392
1393 · dscp: The value of this action should be in the range of
1394 0 to 63 (inclusive).
1395
1396 bandwidth: map of string-integer pairs, key either burst or rate, value
1397 in range 1 to 4,294,967,295
1398 When specified, matching packets will have bandwidth metering
1399 applied. Traffic over the limit will be dropped.
1400
1401 · rate: The value of rate limit in kbps.
1402
· burst: The value of burst rate limit in kilobits. This is
  optional and requires rate to be specified.
1405
1406 external_ids: map of string-string pairs
1407 See External IDs at the beginning of this document.
1408
1410 Each row in this table represents a meter that can be used for QoS or
1411 rate-limiting.
1412
1413 Summary:
1414 name string (must be unique within table)
1415 unit string, either kbps or pktps
1416 bands set of 1 or more Meter_Bands
1417 external_ids map of string-string pairs
1418
1419 Details:
1420 name: string (must be unique within table)
1421 A name for this meter.
1422
1423 Names that begin with "__" (two underscores) are reserved for
1424 OVN internal use and should not be added manually.
1425
1426 unit: string, either kbps or pktps
1427 The unit for rate and burst_rate parameters in the bands entry.
1428 kbps specifies kilobits per second, and pktps specifies packets
1429 per second.
1430
1431 bands: set of 1 or more Meter_Bands
1432 The bands associated with this meter. Each band specifies a rate
1433 above which the band is to take the action action. If multiple
1434 bands’ rates are exceeded, then the band with the highest rate
1435 among the exceeded bands is selected.
1436
1437 external_ids: map of string-string pairs
1438 See External IDs at the beginning of this document.
1439
1441 Each row in this table represents a meter band which specifies the rate
1442 above which the configured action should be applied. These bands are
1443 referenced by the bands column in the Meter table.
1444
1445 Summary:
1446 action string, must be drop
1447 rate integer, in range 1 to 4,294,967,295
1448 burst_size integer, in range 0 to 4,294,967,295
1449 external_ids map of string-string pairs
1450
1451 Details:
1452 action: string, must be drop
1453 The action to execute when this band matches. The only supported
1454 action is drop.
1455
1456 rate: integer, in range 1 to 4,294,967,295
The rate limit for this band, in kilobits per second or bits per
second, depending on whether the parent Meter entry’s unit
column specified kbps or pktps.
1460
1461 burst_size: integer, in range 0 to 4,294,967,295
The maximum burst allowed for the band in kilobits or packets,
depending on whether kbps or pktps was selected in the parent
Meter entry’s unit column. If the size is zero, the switch is
free to select some reasonable value depending on its
configuration.
1467
1468 external_ids: map of string-string pairs
1469 See External IDs at the beginning of this document.
1470
1472 A port within an L3 logical router.
1473
1474 Exactly one Logical_Router row must reference a given logical router
1475 port.
1476
1477 Summary:
1478 name string (must be unique within table)
1479 gateway_chassis set of Gateway_Chassiss
1480 ha_chassis_group optional HA_Chassis_Group
1481 networks set of 1 or more strings
1482 mac string
1483 enabled optional boolean
1484 ipv6_ra_configs:
1485 ipv6_ra_configs : address_mode
1486 optional string
1487 ipv6_ra_configs : mtu optional string
1488 ipv6_ra_configs : send_periodic
1489 optional string
1490 ipv6_ra_configs : max_interval
1491 optional string
1492 ipv6_ra_configs : min_interval
1493 optional string
1494 ipv6_ra_configs : rdnss optional string
1495 Options:
1496 options : redirect-chassis optional string
1497 options : reside-on-redirect-chassis
1498 optional string
1499 options : redirect-type optional string
1500 options : mcast_flood optional string, either true or false
1501 Attachment:
1502 peer optional string
1503 Common Columns:
1504 external_ids map of string-string pairs
1505
1506 Details:
1507 name: string (must be unique within table)
1508 A name for the logical router port.
1509
In addition to providing convenience for human interaction with
the northbound database, this column is used as a reference by its
patch port in Logical_Switch_Port or another logical router port
in Logical_Router_Port.
1514
1515 gateway_chassis: set of Gateway_Chassiss
This column is ignored if the column ha_chassis_group is set.

If set, this indicates that this logical router port represents
a distributed gateway port that connects this router to a
logical switch with a localnet port. There may be at most one such
logical router port on each logical router.

Several Gateway_Chassis can be referenced for a given logical
router port. A single Gateway_Chassis is functionally equivalent
to setting options:redirect-chassis. Refer to the description of
options:redirect-chassis for additional details on gateway
handling.

Defining more than one Gateway_Chassis will enable gateway high
availability. Only one gateway will be active at a time. OVN
chassis will use BFD to monitor connectivity to a gateway. If
connectivity to the active gateway is interrupted, another
gateway will become active. The priority column specifies the order
in which gateways will be chosen by OVN.
1535
1536 ha_chassis_group: optional HA_Chassis_Group
If set, this indicates that this logical router port represents
a distributed gateway port that connects this router to a
logical switch with a localnet port. There may be at most one such
logical router port on each logical router. The HA chassis which
are part of the HA chassis group will provide the gateway high
availability. Please see the HA_Chassis_Group for more details.
1543
1544 When this column is set, the column gateway_chassis will be
1545 ignored.
1546
1547 networks: set of 1 or more strings
1548 The IP addresses and netmasks of the router. For example,
1549 192.168.0.1/24 indicates that the router’s IP address is
1550 192.168.0.1 and that packets destined to 192.168.0.x should be
1551 routed to this port.
1552
1553 A logical router port always adds a link-local IPv6 address
1554 (fe80::/64) automatically generated from the interface’s MAC
1555 address using the modified EUI-64 format.
1556
1557 mac: string
1558 The Ethernet address that belongs to this router port.
1559
1560 enabled: optional boolean
1561 This column is used to administratively set port state. If this
1562 column is empty or is set to true, the port is enabled. If this
1563 column is set to false, the port is disabled. A disabled port
1564 has all ingress and egress traffic dropped.
1565
1566 ipv6_ra_configs:
1567
This column defines the IPv6 ND RA address mode and ND MTU Option to be
included by ovn-controller when it replies to the IPv6 Router
solicitation requests.
1571
1572 ipv6_ra_configs : address_mode: optional string
1573 The address mode to be used for IPv6 address configuration. The
1574 supported values are:
1575
· slaac: Address configuration using Router Advertisement
  (RA) packet. The IPv6 prefixes defined in the
  Logical_Router_Port table’s networks column will be included
  in the RA’s ICMPv6 option - Prefix information.

· dhcpv6_stateful: Address configuration using DHCPv6.

· dhcpv6_stateless: Address configuration using Router
  Advertisement (RA) packet. Other IPv6 options are
  provided by DHCPv6.
1586
1587 ipv6_ra_configs : mtu: optional string
The recommended MTU for the link. Default is 0, which means no
MTU Option will be included in the RA packets sent by
ovn-controller. Per RFC 2460, the recommended mtu value is no less than
1280, so any mtu value less than 1280 will be treated as no
MTU Option.
1593
1594 ipv6_ra_configs : send_periodic: optional string
1595 If set to true, then this router interface will send router
1596 advertisements periodically. The default is false.
1597
1598 ipv6_ra_configs : max_interval: optional string
The maximum number of seconds to wait between sending periodic
router advertisements. This option has no effect if
ipv6_ra_configs:send_periodic is false. The default is 600.
1602
1603 ipv6_ra_configs : min_interval: optional string
The minimum number of seconds to wait between sending periodic
router advertisements. This option has no effect if
ipv6_ra_configs:send_periodic is false. The default is one-third of
ipv6_ra_configs:max_interval, i.e. 200 seconds if that key is
unset.
1609
1610 ipv6_ra_configs : rdnss: optional string
1611 IPv6 address of RDNSS server announced in RA packets. At the
1612 moment OVN supports just one RDNSS server.
1613
1614 Options:
1615
1616 Additional options for the logical router port.
1617
1618 options : redirect-chassis: optional string
1619 If set, this indicates that this logical router port represents
1620 a distributed gateway port that connects this router to a logi‐
1621 cal switch with a localnet port. There may be at most one such
1622 logical router port on each logical router.
1623
1624 Even when a redirect-chassis is specified, the logical router
1625 port still effectively resides on each chassis. However, due to
1626 the implications of the use of L2 learning in the physical net‐
1627 work, as well as the need to support advanced features such as
1628 one-to-many NAT (aka IP masquerading), a subset of the logical
1629 router processing is handled in a centralized manner on the
1630 specified redirect-chassis.
1631
1632 When this option is specified, the peer logical switch port’s
1633 addresses must be set to router. With this setting, the
1634 external_macs specified in NAT rules are automatically programmed in
1635 the peer logical switch’s destination lookup on the chassis
1636 where the logical_port resides. In addition, the logical
1637 router’s MAC address is automatically programmed in the peer
1638 logical switch’s destination lookup flow on the
1639 redirect-chassis.
1640
1641 When this option is specified and it is desired to generate gra‐
1642 tuitous ARPs for NAT addresses, then the peer logical switch
1643 port’s options:nat-addresses should be set to router.
1644
1645 While options:redirect-chassis is still supported for backwards
1646 compatibility, it is now preferred to specify one or more
1647 gateway_chassis instead. It is functionally equivalent, but allows
1648 you to specify multiple chassis to enable high availability.
1649
1650 options : reside-on-redirect-chassis: optional string
1651 Generally routing is distributed in OVN. The packet from a logi‐
1652 cal port which needs to be routed hits the router pipeline in
1653 the source chassis. For the East-West traffic, the packet is
1654 sent directly to the destination chassis. For the outside traf‐
1655 fic the packet is sent to the gateway chassis.
1656
1657 When this option is set, OVN considers it only if:
1658
1659 · The logical router to which this logical router port
1660 belongs has a distributed gateway port.
1661
1662 · The peer’s logical switch has a localnet port (representing
1663 a VLAN tagged network).
1664
1665 When this option is set to true, then the packet which needs to
1666 be routed hits the router pipeline in the chassis hosting the
1667 distributed gateway router port. The source chassis pushes out
1668 this traffic via the localnet port. With this, East-West
1669 traffic is no longer distributed and will always go through the
1670 gateway chassis.
1671
1672 Without this option set, for any traffic destined to outside
1673 from a logical port which belongs to a logical switch with
1674 localnet port, the source chassis will send the traffic to the
1675 gateway chassis via the tunnel port instead of the localnet port
1676 and this could cause MTU issues.
1677
1678 options : redirect-type: optional string
1679 This option dictates whether a packet redirected to the gateway chassis
1680 will be overlay encapsulated or go as a regular packet via the
1681 localnet port.
1682
1683 The option takes the following values:
1684
1685 · OVERLAY
1686
1687 · BRIDGED
1688
1689 The OVERLAY option ensures that the redirected packet goes out
1690 encapsulated via the tunnel port.
1691
1692 The BRIDGED option ensures that the redirected packet goes out via
1693 the localnet port, tagged with the VLAN (if configured).
1694
1695 OVERLAY is the default redirection type.
1696
1697 This option is applicable only to logical router ports that have
1698 gateway chassis attached.
1699
1700 options : mcast_flood: optional string, either true or false
1701 If set to true, multicast traffic (including reports) is
1702 unconditionally forwarded to the specific port.
1703
1704 This option applies when the port is part of a logical router
1705 which has options:mcast_relay set to true.
1706
1707 Attachment:
1708
1709 A given router port serves one of two purposes:
1710
1711 · To attach a logical switch to a logical router. A logical
1712 router port of this type is referenced by exactly one
1713 Logical_Switch_Port of type router. The value of name is
1714 set as router-port in column options of
1715 Logical_Switch_Port. In this case the peer column is empty.
1716
1717 · To connect one logical router to another. This requires a
1718 pair of logical router ports, each connected to a differ‐
1719 ent router. Each router port in the pair specifies the
1720 other in its peer column. No Logical_Switch refers to the
1721 router port.
1722
1723 peer: optional string
1724 For a router port used to connect two logical routers, this
1725 identifies the other router port in the pair by name.
1726
1727 For a router port attached to a logical switch, this column is
1728 empty.
1729
1730 Common Columns:
1731
1732 external_ids: map of string-string pairs
1733 See External IDs at the beginning of this document.
1734
1736 Each record represents a static route.
1737
1738 When multiple routes match a packet, the longest-prefix match is cho‐
1739 sen. For a given prefix length, a dst-ip route is preferred over a
1740 src-ip route.
1741
1742 Summary:
1743 ip_prefix string
1744 policy optional string, either dst-ip or src-ip
1745 nexthop string
1746 output_port optional string
1747 Common Columns:
1748 external_ids map of string-string pairs
1749
1750 Details:
1751 ip_prefix: string
1752 IP prefix of this route (e.g. 192.168.100.0/24).
1753
1754 policy: optional string, either dst-ip or src-ip
1755 If it is specified, this setting describes the policy used to
1756 make routing decisions. This setting must be one of the follow‐
1757 ing strings:
1758
1759 · src-ip: This policy sends the packet to the nexthop when
1760 the packet’s source IP address matches ip_prefix.
1761
1762 · dst-ip: This policy sends the packet to the nexthop when
1763 the packet’s destination IP address matches ip_prefix.
1764
1765 If not specified, the default is dst-ip.
1766
1767 nexthop: string
1768 Nexthop IP address for this route. Nexthop IP address should be
1769 the IP address of a connected router port or the IP address of a
1770 logical port.
1771
1772 output_port: optional string
1773 The name of the Logical_Router_Port via which the packet needs
1774 to be sent out. This is optional and when not specified, OVN
1775 will automatically figure this out based on the nexthop. When
1776 this is specified and there are multiple IP addresses on the
1777 router port and none of them are in the same subnet of nexthop,
1778 OVN chooses the first IP address as the one via which the
1779 nexthop is reachable.
1780
1781 Common Columns:
1782
1783 external_ids: map of string-string pairs
1784 See External IDs at the beginning of this document.
1785
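The selection rule described above (longest prefix wins, and for equal prefix lengths a dst-ip route beats a src-ip route), as an added example that is not part of the original manual or OVN's own code. The route rows and the helper name select_route are constructed for illustration.

```python
import ipaddress

# Constructed sample rows shaped like Logical_Router_Static_Route records.
ROUTES = [
    {"ip_prefix": "0.0.0.0/0", "nexthop": "172.16.0.1"},  # policy unset -> dst-ip
    {"ip_prefix": "192.168.100.0/24", "policy": "dst-ip", "nexthop": "10.0.0.2"},
    {"ip_prefix": "10.1.0.0/24", "policy": "src-ip", "nexthop": "10.0.0.3"},
    {"ip_prefix": "192.168.100.0/25", "policy": "src-ip", "nexthop": "10.0.0.4"},
]


def select_route(routes, src_ip, dst_ip):
    """Return the route row that wins for a packet, or None if nothing matches."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    best, best_key = None, None
    for route in routes:
        policy = route.get("policy") or "dst-ip"  # documented default
        if policy not in ("dst-ip", "src-ip"):
            raise ValueError("invalid policy: %r" % policy)
        net = ipaddress.ip_network(route["ip_prefix"], strict=False)
        addr = dst if policy == "dst-ip" else src
        if addr.version != net.version or addr not in net:
            continue
        # Sort key: prefix length first, then dst-ip (1) ahead of src-ip (0).
        key = (net.prefixlen, 1 if policy == "dst-ip" else 0)
        if best_key is None or key > best_key:
            best, best_key = route, key
    return best


if __name__ == "__main__":
    for src, dst in [("10.1.0.5", "192.168.100.9"),
                     ("192.168.100.7", "8.8.8.8"),
                     ("10.9.9.9", "8.8.8.8")]:
        print(src, "->", dst, "via", select_route(ROUTES, src, dst)["nexthop"])
```

The second sample packet shows why src-ip routes deserve review: a longer src-ip prefix overrides the default route for every destination, so one such row can steer all traffic from a subnet.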
1787 Each row in this table represents one routing policy for a logical
1788 router that points to it through its policies column. The action column
1789 for the highest-priority matching row in this table determines a
1790 packet’s treatment. If no row matches, packets are allowed by default.
1791 (Default-deny treatment is possible: add a rule with priority 0, 1 as
1792 match, and drop as action.)
1793
1794 Summary:
1795 priority integer, in range 0 to 32,767
1796 match string
1797 action string, one of allow, drop, or reroute
1798 nexthop optional string
1799
1800 Details:
1801 priority: integer, in range 0 to 32,767
1802 The routing policy’s priority. Rules with numerically higher
1803 priority take precedence over those with lower. A rule is
1804 uniquely identified by the priority and match string.
1805
1806 match: string
1807 The packets that the routing policy should match, in the same
1808 expression language used for the match column in the OVN South‐
1809 bound database’s Logical_Flow table.
1810
1811 By default all traffic is allowed. When writing a more restric‐
1812 tive policy, it is important to remember to allow flows such as
1813 ARP and IPv6 neighbor discovery packets.
1814
1815 action: string, one of allow, drop, or reroute
1816 The action to take when the routing policy matches:
1817
1818 · allow: Forward the packet.
1819
1820 · drop: Silently drop the packet.
1821
1822 · reroute: Reroute packet to nexthop.
1823
1824 nexthop: optional string
1825 Next-hop IP address for this route, which should be the IP
1826 address of a connected router port or the IP address of a logi‐
1827 cal port.
1828
1830 Each record represents a NAT rule.
1831
1832 Summary:
1833 type string, one of dnat, dnat_and_snat, or
1834 snat
1835 external_ip string
1836 external_mac optional string
1837 logical_ip string
1838 logical_port optional string
1839 Common Columns:
1840 external_ids map of string-string pairs
1841
1842 Details:
1843 type: string, one of dnat, dnat_and_snat, or snat
1844 Type of the NAT rule.
1845
1846 · When type is dnat, the externally visible IP address
1847 external_ip is DNATted to the IP address logical_ip in
1848 the logical space.
1849
1850 · When type is snat, IP packets whose source IP
1851 address either matches the IP address in logical_ip
1852 or is in the network provided by logical_ip are SNATed
1853 into the IP address in external_ip.
1854
1855 · When type is dnat_and_snat, the externally visible IP
1856 address external_ip is DNATted to the IP address
1857 logical_ip in the logical space. In addition, IP packets with
1858 a source IP address that matches logical_ip are SNATed
1859 into the IP address in external_ip.
1860
1861 external_ip: string
1862 An IPv4 address.
1863
1864 external_mac: optional string
1865 A MAC address.
1866
1867 This is only used on the gateway port on distributed routers.
1868 This must be specified in order for the NAT rule to be processed
1869 in a distributed manner on all chassis. If this is not specified
1870 for a NAT rule on a distributed router, then this NAT rule will
1871 be processed in a centralized manner on the gateway port
1872 instance on the redirect-chassis.
1873
1874 This MAC address must be unique on the logical switch that the
1875 gateway port is attached to. If the MAC address used on the
1876 logical_port is globally unique, then that MAC address can be
1877 specified as this external_mac.
1878
1879 logical_ip: string
1880 An IPv4 network (e.g. 192.168.1.0/24) or an IPv4 address.
1881
1882 logical_port: optional string
1883 The name of the logical port where the logical_ip resides.
1884
1885 This is only used on distributed routers. This must be specified
1886 in order for the NAT rule to be processed in a distributed
1887 manner on all chassis. If this is not specified for a NAT rule on a
1888 distributed router, then this NAT rule will be processed in a
1889 centralized manner on the gateway port instance on the
1890 redirect-chassis.
1891
1892 Common Columns:
1893
1894 external_ids: map of string-string pairs
1895 See External IDs at the beginning of this document.
1896
1898 OVN implements native DHCPv4 support which caters to the common use
1899 case of providing an IPv4 address to a booting instance by providing
1900 stateless replies to DHCPv4 requests based on statically configured
1901 address mappings. To do this it allows a short list of DHCPv4 options
1902 to be configured and applied at each compute host running
1903 ovn-controller.
1904
1905 OVN also implements native DHCPv6 support which provides stateless
1906 replies to DHCPv6 requests.
1907
1908 Summary:
1909 cidr string
1910 DHCPv4 options:
1911 Mandatory DHCPv4 options:
1912 options : server_id optional string
1913 options : server_mac optional string
1914 options : lease_time optional string, containing an integer,
1915 in range 0 to 4,294,967,295
1916 IPv4 DHCP Options:
1917 options : router optional string
1918 options : netmask optional string
1919 options : dns_server optional string
1920 options : log_server optional string
1921 options : lpr_server optional string
1922 options : swap_server optional string
1923 options : policy_filter optional string
1924 options : router_solicitation
1925 optional string
1926 options : nis_server optional string
1927 options : ntp_server optional string
1928 options : tftp_server optional string
1929 options : classless_static_route
1930 optional string
1931 options : ms_classless_static_route
1932 optional string
1933 Boolean DHCP Options:
1934 options : ip_forward_enable
1935 optional string, either 0 or 1
1936 options : router_discovery
1937 optional string, either 0 or 1
1938 options : ethernet_encap optional string, either 0 or 1
1939 Integer DHCP Options:
1940 options : default_ttl optional string, containing an integer,
1941 in range 0 to 255
1942 options : tcp_ttl optional string, containing an integer,
1943 in range 0 to 255
1944 options : mtu optional string, containing an integer,
1945 in range 68 to 65,535
1946 options : T1 optional string, containing an integer,
1947 in range 68 to 4,294,967,295
1948 options : T2 optional string, containing an integer,
1949 in range 68 to 4,294,967,295
1950 String DHCP Options:
1951 options : wpad optional string
1952 options : bootfile_name optional string
1953 options : path_prefix optional string
1954 options : tftp_server_address
1955 optional string
1956 options : domain_name optional string
1957 DHCPv6 options:
1958 Mandatory DHCPv6 options:
1959 options : server_id optional string
1960 IPv6 DHCPv6 options:
1961 options : dns_server optional string
1962 String DHCPv6 options:
1963 options : domain_search optional string
1964 options : dhcpv6_stateless
1965 optional string
1966 Common Columns:
1967 external_ids map of string-string pairs
1968
1969 Details:
1970 cidr: string
1971 The DHCPv4/DHCPv6 options will be included if the logical port
1972 has its IP address in this cidr.
1973
1974 DHCPv4 options:
1975
1976 The CMS should define the set of DHCPv4 options as key/value pairs in
1977 the options column of this table. For ovn-controller to include these
1978 DHCPv4 options, the dhcpv4_options of Logical_Switch_Port should refer
1979 to an entry in this table.
1980
1981 Mandatory DHCPv4 options:
1982
1983 The following options must be defined.
1984
1985 options : server_id: optional string
1986 The IP address for the DHCP server to use. This should be in the
1987 subnet of the offered IP. This is also included in the DHCP
1988 offer as option 54, ``server identifier.’’
1989
1990 options : server_mac: optional string
1991 The Ethernet address for the DHCP server to use.
1992
1993 options : lease_time: optional string, containing an integer, in range
1994 0 to 4,294,967,295
1995 The offered lease time in seconds.
1996
1997 The DHCPv4 option code for this option is 51.
1998
1999 IPv4 DHCP Options:
2000
2001 Below are the supported DHCPv4 options whose values are an IPv4
2002 address, e.g. 192.168.1.1. Some options accept multiple IPv4 addresses
2003 enclosed within curly braces, e.g. {192.168.1.2, 192.168.1.3}. Please
2004 refer to RFC 2132 for more details on DHCPv4 options and their codes.
2005
2006 options : router: optional string
2007 The IP address of a gateway for the client to use. This should
2008 be in the subnet of the offered IP. The DHCPv4 option code for
2009 this option is 3.
2010
2011 options : netmask: optional string
2012 The DHCPv4 option code for this option is 1.
2013
2014 options : dns_server: optional string
2015 The DHCPv4 option code for this option is 6.
2016
2017 options : log_server: optional string
2018 The DHCPv4 option code for this option is 7.
2019
2020 options : lpr_server: optional string
2021 The DHCPv4 option code for this option is 9.
2022
2023 options : swap_server: optional string
2024 The DHCPv4 option code for this option is 16.
2025
2026 options : policy_filter: optional string
2027 The DHCPv4 option code for this option is 21.
2028
2029 options : router_solicitation: optional string
2030 The DHCPv4 option code for this option is 32.
2031
2032 options : nis_server: optional string
2033 The DHCPv4 option code for this option is 41.
2034
2035 options : ntp_server: optional string
2036 The DHCPv4 option code for this option is 42.
2037
2038 options : tftp_server: optional string
2039 The DHCPv4 option code for this option is 66.
2040
2041 options : classless_static_route: optional string
2042 The DHCPv4 option code for this option is 121.
2043
2044 This option can contain one or more static routes, each of which
2045 consists of a destination descriptor and the IP address of the
2046 router that should be used to reach that destination. Please see
2047 RFC 3442 for more details.
2048
2049 Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
2050
2051 options : ms_classless_static_route: optional string
2052 The DHCPv4 option code for this option is 249. This option is
2053 similar to classless_static_route supported by Microsoft Windows
2054 DHCPv4 clients.
2055
2056 Boolean DHCP Options:
2057
2058 These options accept a Boolean value, expressed as 0 for false or 1 for
2059 true.
2060
2061 options : ip_forward_enable: optional string, either 0 or 1
2062 The DHCPv4 option code for this option is 19.
2063
2064 options : router_discovery: optional string, either 0 or 1
2065 The DHCPv4 option code for this option is 31.
2066
2067 options : ethernet_encap: optional string, either 0 or 1
2068 The DHCPv4 option code for this option is 36.
2069
2070 Integer DHCP Options:
2071
2072 These options accept a nonnegative integer value.
2073
2074 options : default_ttl: optional string, containing an integer, in range
2075 0 to 255
2076 The DHCPv4 option code for this option is 23.
2077
2078 options : tcp_ttl: optional string, containing an integer, in range 0
2079 to 255
2080 The DHCPv4 option code for this option is 37.
2081
2082 options : mtu: optional string, containing an integer, in range 68 to
2083 65,535
2084 The DHCPv4 option code for this option is 26.
2085
2086 options : T1: optional string, containing an integer, in range 68 to
2087 4,294,967,295
2088 This specifies the time interval from address assignment until
2089 the client begins trying to renew its address. The DHCPv4 option
2090 code for this option is 58.
2091
2092 options : T2: optional string, containing an integer, in range 68 to
2093 4,294,967,295
2094 This specifies the time interval from address assignment until
2095 the client begins trying to rebind its address. The DHCPv4
2096 option code for this option is 59.
2097
2098 String DHCP Options:
2099
2100 These options accept a string value.
2101
2102 options : wpad: optional string
2103 The DHCPv4 option code for this option is 252. This option is
2104 used as part of web proxy auto discovery to provide a URL for a
2105 web proxy.
2106
2107 options : bootfile_name: optional string
2108 The DHCPv4 option code for this option is 67. This option is
2109 used to identify a bootfile.
2110
2111 options : path_prefix: optional string
2112 The DHCPv4 option code for this option is 210. In PXELINUX’ case
2113 this option is used to set a common path prefix, instead of
2114 deriving it from the bootfile name.
2115
2116 options : tftp_server_address: optional string
2117 The DHCPv4 option code for this option is 150. The option con‐
2118 tains one or more IPv4 addresses that the client MAY use. This
2119 option is Cisco proprietary; the IEEE standard that matches
2120 this requirement is option 66 (tftp_server).
2121
2122 options : domain_name: optional string
2123 The DHCPv4 option code for this option is 15. This option speci‐
2124 fies the domain name that client should use when resolving host‐
2125 names via the Domain Name System.
2126
2127 DHCPv6 options:
2128
2129 OVN also implements native DHCPv6 support. The CMS should define the
2130 set of DHCPv6 options as key/value pairs. The defined DHCPv6 options
2131 will be included in the DHCPv6 response to the DHCPv6
2132 Solicit/Request/Confirm packet from the logical ports having the IPv6
2133 addresses in the cidr.
2134
2135 Mandatory DHCPv6 options:
2136
2137 The following options must be defined.
2138
2139 options : server_id: optional string
2140 The Ethernet address for the DHCP server to use. This is also
2141 included in the DHCPv6 reply as option 2, ``Server Identifier’’
2142 to carry a DUID identifying a server between a client and a
2143 server. ovn-controller defines DUID based on Link-layer Address
2144 [DUID-LL].
2145
2146 IPv6 DHCPv6 options:
2147
2148 Below are the supported DHCPv6 options whose values are an IPv6
2149 address, e.g. aef0::4. Some options accept multiple IPv6 addresses
2150 enclosed within curly braces, e.g. {aef0::4, aef0::5}. Please refer to
2151 RFC 3315 for more details on DHCPv6 options and their codes.
2152
2153 options : dns_server: optional string
2154 The DHCPv6 option code for this option is 23. This option speci‐
2155 fies the DNS servers that the VM should use.
2156
2157 String DHCPv6 options:
2158
2159 These options accept string values.
2160
2161 options : domain_search: optional string
2162 The DHCPv6 option code for this option is 24. This option speci‐
2163 fies the domain search list the client should use to resolve
2164 hostnames with DNS.
2165
2166 Example: "ovn.org".
2167
2168 options : dhcpv6_stateless: optional string
2169 This option specifies that OVN native DHCPv6 will work in
2170 stateless mode, which means OVN native DHCPv6 will not offer IPv6
2171 addresses for VM/VIF ports, but will only reply with other configuration,
2172 such as DNS and the domain search list. When this option is set
2173 to the string value "true", the VM/VIF will configure IPv6 addresses
2174 statelessly. The default value for this option is false.
2175
2176 Common Columns:
2177
2178 external_ids: map of string-string pairs
2179 See External IDs at the beginning of this document.
2180
2182 Configuration for a database connection to an Open vSwitch database
2183 (OVSDB) client.
2184
2185 This table primarily configures the Open vSwitch database server
2186 (ovsdb-server).
2187
2188 The Open vSwitch database server can initiate and maintain active con‐
2189 nections to remote clients. It can also listen for database connec‐
2190 tions.
2191
2192 Summary:
2193 Core Features:
2194 target string (must be unique within table)
2195 Client Failure Detection and Handling:
2196 max_backoff optional integer, at least 1,000
2197 inactivity_probe optional integer
2198 Status:
2199 is_connected boolean
2200 status : last_error optional string
2201 status : state optional string, one of ACTIVE, BACKOFF,
2202 CONNECTING, IDLE, or VOID
2203 status : sec_since_connect optional string, containing an integer,
2204 at least 0
2205 status : sec_since_disconnect
2206 optional string, containing an integer,
2207 at least 0
2208 status : locks_held optional string
2209 status : locks_waiting optional string
2210 status : locks_lost optional string
2211 status : n_connections optional string, containing an integer,
2212 at least 2
2213 status : bound_port optional string, containing an integer
2214 Common Columns:
2215 external_ids map of string-string pairs
2216 other_config map of string-string pairs
2217
2218 Details:
2219 Core Features:
2220
2221 target: string (must be unique within table)
2222 Connection methods for clients.
2223
2224 The following connection methods are currently supported:
2225
2226 ssl:host[:port]
2227 The specified SSL port on the host at the given host,
2228 which can either be a DNS name (if built with unbound
2229 library) or an IP address. A valid SSL configuration must
2230 be provided when this form is used, this configuration
2231 can be specified via command-line options or the SSL ta‐
2232 ble.
2233
2234 If port is not specified, it defaults to 6640.
2235
2236 SSL support is an optional feature that is not always
2237 built as part of Open vSwitch.
2238
2239 tcp:host[:port]
2240 The specified TCP port on the host at the given host,
2241 which can either be a DNS name (if built with unbound
2242 library) or an IP address. If host is an IPv6 address,
2243 wrap it in square brackets, e.g. tcp:[::1]:6640.
2244
2245 If port is not specified, it defaults to 6640.
2246
2247 pssl:[port][:host]
2248 Listens for SSL connections on the specified TCP port.
2249 Specify 0 for port to have the kernel automatically
2250 choose an available port. If host, which can either be a
2251 DNS name (if built with unbound library) or an IP
2252 address, is specified, then connections are restricted to
2253 the resolved or specified local IP address (either IPv4 or
2254 IPv6 address). If host is an IPv6 address, wrap it in square
2255 brackets, e.g. pssl:6640:[::1]. If host is not specified
2256 then it listens only on IPv4 (but not IPv6) addresses. A
2257 valid SSL configuration must be provided when this form
2258 is used, this can be specified either via command-line
2259 options or the SSL table.
2260
2261 If port is not specified, it defaults to 6640.
2262
2263 SSL support is an optional feature that is not always
2264 built as part of Open vSwitch.
2265
2266 ptcp:[port][:host]
2267 Listens for connections on the specified TCP port. Spec‐
2268 ify 0 for port to have the kernel automatically choose an
2269 available port. If host, which can either be a DNS name
2270 (if built with unbound library) or an IP address, is
2271 specified, then connections are restricted to the
2272 resolved or specified local IP address (either IPv4 or
2273 IPv6 address). If host is an IPv6 address, wrap it in
2274 square brackets, e.g. ptcp:6640:[::1]. If host is not
2275 specified then it listens only on IPv4 addresses.
2276
2277 If port is not specified, it defaults to 6640.
2278
2279 When multiple clients are configured, the target values must be
2280 unique. Duplicate target values yield unspecified results.
2281
2282 Client Failure Detection and Handling:
2283
2284 max_backoff: optional integer, at least 1,000
2285 Maximum number of milliseconds to wait between connection
2286 attempts. Default is implementation-specific.
2287
2288 inactivity_probe: optional integer
2289 Maximum number of milliseconds of idle time on connection to the
2290 client before sending an inactivity probe message. If Open
2291 vSwitch does not communicate with the client for the specified
2292 number of seconds, it will send a probe. If a response is not
2293 received for the same additional amount of time, Open vSwitch
2294 assumes the connection has been broken and attempts to recon‐
2295 nect. Default is implementation-specific. A value of 0 disables
2296 inactivity probes.
2297
2298 Status:
2299
2300 The is_connected key-value pair is always updated. Other key-value pairs
2301 in the status columns may be updated depending on the target type.
2302
2303 When target specifies a connection method that listens for inbound con‐
2304 nections (e.g. ptcp: or punix:), both n_connections and is_connected
2305 may also be updated while the remaining key-value pairs are omitted.
2306
2307 On the other hand, when target specifies an outbound connection, all
2308 key-value pairs may be updated, except the above-mentioned two key-
2309 value pairs associated with inbound connection targets. They are omit‐
2310 ted.
2311
2312 is_connected: boolean
2313 true if currently connected to this client, false otherwise.
2314
2315 status : last_error: optional string
2316 A human-readable description of the last error on the connection
2317 to the manager; i.e. strerror(errno). This key will exist only
2318 if an error has occurred.
2319
2320 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
2321 IDLE, or VOID
2322 The state of the connection to the manager:
2323
2324 VOID Connection is disabled.
2325
2326 BACKOFF
2327 Attempting to reconnect at an increasing period.
2328
2329 CONNECTING
2330 Attempting to connect.
2331
2332 ACTIVE Connected, remote host responsive.
2333
2334 IDLE Connection is idle. Waiting for response to keep-alive.
2335
2336 These values may change in the future. They are provided only
2337 for human consumption.
2338
2339 status : sec_since_connect: optional string, containing an integer, at
2340 least 0
2341 The amount of time since this client last successfully connected
2342 to the database (in seconds). Value is empty if client has never
2343 successfully been connected.
2344
2345 status : sec_since_disconnect: optional string, containing an integer,
2346 at least 0
2347 The amount of time since this client last disconnected from the
2348 database (in seconds). Value is empty if client has never dis‐
2349 connected.
2350
2351 status : locks_held: optional string
2352 Space-separated list of the names of OVSDB locks that the con‐
2353 nection holds. Omitted if the connection does not hold any
2354 locks.
2355
2356 status : locks_waiting: optional string
2357 Space-separated list of the names of OVSDB locks that the con‐
2358 nection is currently waiting to acquire. Omitted if the connec‐
2359 tion is not waiting for any locks.
2360
2361 status : locks_lost: optional string
2362 Space-separated list of the names of OVSDB locks that the con‐
2363 nection has had stolen by another OVSDB client. Omitted if no
2364 locks have been stolen from this connection.
2365
2366 status : n_connections: optional string, containing an integer, at
2367 least 2
2368 When target specifies a connection method that listens for
2369 inbound connections (e.g. ptcp: or pssl:) and more than one con‐
2370 nection is actually active, the value is the number of active
2371 connections. Otherwise, this key-value pair is omitted.
2372
2373 status : bound_port: optional string, containing an integer
2374 When target is ptcp: or pssl:, this is the TCP port on which the
2375 OVSDB server is listening. (This is particularly useful when
2376 target specifies a port of 0, allowing the kernel to choose any
2377 available port.)
2378
2379 Common Columns:
2380
2381 The overall purpose of these columns is described under Common Columns
2382 at the beginning of this document.
2383
2384 external_ids: map of string-string pairs
2385
2386 other_config: map of string-string pairs
2387
2389 Each row in this table stores the DNS records. The Logical_Switch ta‐
2390 ble’s dns_records references these records.
2391
2392 Summary:
2393 records map of string-string pairs
2394 external_ids map of string-string pairs
2395
2396 Details:
2397 records: map of string-string pairs
2398 Key-value pair of DNS records with DNS query name as the key and
2399 value as a string of IP address(es) separated by comma or space.
2400
2401 Example: "vm1.ovn.org" = "10.0.0.4 aef0::4"
2402
2403 external_ids: map of string-string pairs
2404 See External IDs at the beginning of this document.

SSL configuration for ovn-nb database access.

Summary:
    private_key          string
    certificate          string
    ca_cert              string
    bootstrap_ca_cert    boolean
    ssl_protocols        string
    ssl_ciphers          string
    Common Columns:
        external_ids     map of string-string pairs

Details:
    private_key: string
        Name of a PEM file containing the private key used as the switch’s
        identity for SSL connections to the controller.

    certificate: string
        Name of a PEM file containing a certificate, signed by the
        certificate authority (CA) used by the controller and manager, that
        certifies the switch’s private key, identifying a trustworthy
        switch.

    ca_cert: string
        Name of a PEM file containing the CA certificate used to verify
        that the switch is connected to a trustworthy controller.

    bootstrap_ca_cert: boolean
        If set to true, then Open vSwitch will attempt to obtain the CA
        certificate from the controller on its first SSL connection and
        save it to the named PEM file. If it is successful, it will
        immediately drop the connection and reconnect, and from then on
        all SSL connections must be authenticated by a certificate signed
        by the CA certificate thus obtained. This option exposes the SSL
        connection to a man-in-the-middle attack while the initial CA
        certificate is being obtained. It may still be useful for
        bootstrapping.

    ssl_protocols: string
        List of SSL protocols to be enabled for SSL connections. The
        default when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.

    ssl_ciphers: string
        List of ciphers (in OpenSSL cipher string format) to be supported
        for SSL connections. The default when this option is omitted is
        HIGH:!aNULL:!MD5.

    Common Columns:

    The overall purpose of these columns is described under Common Columns
    at the beginning of this document.

    external_ids: map of string-string pairs
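An added example, not part of the manual or of OVN's own code: a Python check that takes one SSL row as a dict and reports the settings described above that weaken the channel, namely bootstrap_ca_cert and the TLSv1 and TLSv1.1 entries of the default protocol list (both versions are deprecated by RFC 8996). The function name, finding strings, file paths and sample rows are constructed for illustration.

```python
import re

# Protocol versions deprecated by RFC 8996.
LEGACY = {"TLSv1", "TLSv1.1"}
# Default documented above for an omitted ssl_protocols value.
DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"


def audit_ssl_row(row):
    """Return a list of findings for one SSL row given as a dict."""
    findings = []

    # With bootstrap_ca_cert=true the CA certificate itself is fetched
    # over the first, not yet authenticated, connection.
    if row.get("bootstrap_ca_cert") is True:
        findings.append(
            "bootstrap_ca_cert=true: first connection trusts an unauthenticated CA")

    # An empty or missing ssl_protocols falls back to the default list.
    configured = (row.get("ssl_protocols") or "").strip()
    effective = configured or DEFAULT_PROTOCOLS
    # Splitting on commas and whitespace is a choice made by this example.
    enabled = {p for p in re.split(r"[,\s]+", effective) if p}
    legacy = sorted(enabled & LEGACY)
    if legacy:
        source = "configured" if configured else "default"
        findings.append(
            f"legacy protocols enabled ({source}): {','.join(legacy)}")

    # A row with a missing PEM file name is incomplete.
    for col in ("private_key", "certificate", "ca_cert"):
        if not (row.get(col) or "").strip():
            findings.append(f"{col} is not set")
    return findings


# Constructed sample rows; the file paths are placeholders.
WEAK_ROW = {
    "private_key": "/etc/ovn/nb-privkey.pem",
    "certificate": "/etc/ovn/nb-cert.pem",
    "ca_cert": "/etc/ovn/cacert.pem",
    "bootstrap_ca_cert": True,
    "ssl_protocols": "",
    "ssl_ciphers": "",
}
HARDENED_ROW = dict(WEAK_ROW, bootstrap_ca_cert=False, ssl_protocols="TLSv1.2")

if __name__ == "__main__":
    for label, row in (("weak", WEAK_ROW), ("hardened", HARDENED_ROW)):
        print(label, audit_ssl_row(row))
```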

Association of one or more chassis to a logical router port. The traffic
going out through a specific router port will be redirected to a chassis,
or a set of them in high availability configurations. A single
Gateway_Chassis is equivalent to setting options:redirect-chassis. Using
Gateway_Chassis allows associating multiple prioritized chassis with a
single logical router port.

Summary:
    name                 string (must be unique within table)
    chassis_name         string
    priority             integer, in range 0 to 32,767
    options              map of string-string pairs
    Common Columns:
        external_ids     map of string-string pairs

Details:
    name: string (must be unique within table)
        Name of the Gateway_Chassis.

        A suggested, but not required, naming convention is
        ${port_name}_${chassis_name}.

    chassis_name: string
        Name of the chassis that we want to redirect traffic through for
        the associated logical router port. The value must match the name
        column of the Chassis table in the OVN_Southbound database.

    priority: integer, in range 0 to 32,767
        This is the priority of a chassis among all Gateway_Chassis
        belonging to the same logical router port.

    options: map of string-string pairs
        Reserved for future use.

    Common Columns:

    external_ids: map of string-string pairs
        See External IDs at the beginning of this document.

Table representing a group of chassis which can provide high availability
services. Each chassis in the group is represented by the table
HA_Chassis. The HA chassis with the highest priority will be the master of
this group. If a failover of the master chassis is detected, the HA
chassis with the next-highest priority takes over the responsibility of
providing the HA. If a distributed gateway router port references a row in
this table, then the master HA chassis in this group provides the gateway
functionality.

Summary:
    name                 string (must be unique within table)
    ha_chassis           set of HA_Chassis
    Common Columns:
        external_ids     map of string-string pairs

Details:
    name: string (must be unique within table)
        Name of the HA_Chassis_Group. Name should be unique.

    ha_chassis: set of HA_Chassis
        A list of HA chassis that belong to this group.

    Common Columns:

    external_ids: map of string-string pairs
        See External IDs at the beginning of this document.

Summary:
    chassis_name         string
    priority             integer, in range 0 to 32,767
    Common Columns:
        external_ids     map of string-string pairs

Details:
    chassis_name: string
        Name of the chassis which is part of the HA chassis group. The
        value must match the name column of the Chassis table in the
        OVN_Southbound database.

    priority: integer, in range 0 to 32,767
        Priority of the chassis. The chassis with the highest priority
        will be the master.

    Common Columns:

    external_ids: map of string-string pairs
        See External IDs at the beginning of this document.

Open vSwitch 2.12.0              DB Schema 5.16.0              ovn-nb(5)