ovn-nb(5)                     Open vSwitch Manual                     ovn-nb(5)

NAME
       ovn-nb - OVN_Northbound database schema

       This database is the interface between OVN and the cloud management
       system (CMS), such as OpenStack, running above it. The CMS produces
       almost all of the contents of the database. The ovn-northd program
       monitors the database contents, transforms it, and stores it into the
       OVN_Southbound database.

       We generally speak of "the" CMS, but one can imagine scenarios in
       which multiple CMSes manage different parts of an OVN deployment.

   External IDs
       Each of the tables in this database contains a special column, named
       external_ids. This column has the same form and purpose each place it
       appears.

       external_ids: map of string-string pairs
              Key-value pairs for use by the CMS. The CMS might use
              certain pairs, for example, to identify entities in its
              own configuration that correspond to those in this
              database.

TABLE SUMMARY
       The following list summarizes the purpose of each of the tables in the
       OVN_Northbound database. Each table is described in more detail on a
       later page.

       Table                         Purpose
       NB_Global                     Northbound configuration
       Logical_Switch                L2 logical switch
       Logical_Switch_Port           L2 logical switch port
       Forwarding_Group              forwarding group
       Address_Set                   Address Sets
       Port_Group                    Port Groups
       Load_Balancer                 load balancer
       Load_Balancer_Health_Check    load balancer
       ACL                           Access Control List (ACL) rule
       Logical_Router                L3 logical router
       QoS                           QoS rule
       Meter                         Meter entry
       Meter_Band                    Band for meter entries
       Logical_Router_Port           L3 logical router port
       Logical_Router_Static_Route   Logical router static routes
       Logical_Router_Policy         Logical router policies
       NAT                           NAT rules
       DHCP_Options                  DHCP options
       Connection                    OVSDB client connections.
       DNS                           Native DNS resolution
       SSL                           SSL configuration.
       Gateway_Chassis               Gateway_Chassis configuration.
       HA_Chassis_Group              HA_Chassis_Group configuration.
       HA_Chassis                    HA_Chassis configuration.

NB_Global TABLE
       Northbound configuration for an OVN system. This table must have
       exactly one row.

   Summary:
       Identity:
         name                            string
       Status:
         nb_cfg                          integer
         sb_cfg                          integer
         hv_cfg                          integer
       Common Columns:
         external_ids                    map of string-string pairs
       Common options:
         options                         map of string-string pairs
       Options for configuring BFD:
         options : bfd-min-rx            optional string
         options : bfd-decay-min-rx      optional string
         options : bfd-min-tx            optional string
         options : bfd-mult              optional string
         options : mac_prefix            optional string
         options : controller_event      optional string, either true or false
         options : northd_probe_interval optional string
       Options for configuring interconnection route advertisement:
         options : ic-route-adv          optional string
         options : ic-route-learn        optional string
         options : ic-route-adv-default  optional string
         options : ic-route-learn-default
                                         optional string
         options : ic-route-blacklist    optional string
       Connection Options:
         connections                     set of Connections
         ssl                             optional SSL
       Security Configurations:
         ipsec                           boolean

   Details:
     Identity:

       name: string
              The name of the OVN cluster, which uniquely identifies the OVN
              cluster throughout all OVN clusters supposed to interconnect
              with each other.

     Status:

       These columns allow a client to track the overall configuration state
       of the system.

       nb_cfg: integer
              Sequence number for client to increment. When a client modifies
              any part of the northbound database configuration and wishes to
              wait for ovn-northd and possibly all of the hypervisors to
              finish applying the changes, it may increment this sequence
              number.

       sb_cfg: integer
              Sequence number that ovn-northd sets to the value of nb_cfg
              after it finishes applying the corresponding configuration
              changes to the OVN_Southbound database.

       hv_cfg: integer
              Sequence number that ovn-northd sets to the smallest sequence
              number of all the chassis in the system, as reported in the
              Chassis table in the southbound database. Thus, hv_cfg equals
              nb_cfg if all chassis are caught up with the northbound
              configuration (which may never happen, if any chassis is down).
              This value can regress, if a chassis was removed from the
              system and rejoins before catching up.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

     Common options:

       options: map of string-string pairs
              This column provides general key/value settings. The supported
              options are described individually below.

     Options for configuring BFD:

       These options apply when ovn-controller configures BFD on tunnel
       interfaces.

       options : bfd-min-rx: optional string
              BFD option min-rx value to use when configuring BFD on tunnel
              interfaces.

       options : bfd-decay-min-rx: optional string
              BFD option decay-min-rx value to use when configuring BFD on
              tunnel interfaces.

       options : bfd-min-tx: optional string
              BFD option min-tx value to use when configuring BFD on tunnel
              interfaces.

       options : bfd-mult: optional string
              BFD option mult value to use when configuring BFD on tunnel
              interfaces.

       options : mac_prefix: optional string
              Configure a given OUI to be used as prefix when L2 address is
              dynamically assigned, e.g. 00:11:22

       options : controller_event: optional string, either true or false
              Value set by the CMS to enable/disable ovn-controller event
              reporting. Traffic into OVS can raise a 'controller' event that
              results in a Controller_Event being written to the
              Controller_Event table in SBDB. When the CMS has seen the event
              and taken appropriate action, it can remove the corresponding
              row in Controller_Event table. The intention is for a CMS to
              see the events and take some sort of action. Please see the
              Controller_Event table in SBDB. It is possible to associate a
              meter to each controller event type in order to not overload
              the pinctrl thread under heavy load. Each event type relies on
              a meter with a defined name:

              ·      empty_lb_backends: event-elb

       options : northd_probe_interval: optional string
              The inactivity probe interval of the connection to the OVN
              Northbound and Southbound databases from ovn-northd, in
              milliseconds. If the value is zero, it disables the connection
              keepalive feature.

              If the value is nonzero, then it will be forced to a value of
              at least 1000 ms.

     Options for configuring interconnection route advertisement:

       These options control how routes are advertised between OVN
       deployments for interconnection. If enabled, ovn-ic from different OVN
       deployments exchanges routes between each other through the global
       OVN_IC_Southbound database. Only routers with ports connected to
       interconnection transit switches participate in route advertisement.
       For each of these routers, there are two types of routes to be
       advertised:

       Firstly, the static routes configured in the router are advertised.

       Secondly, the networks configured in the logical router ports that are
       not on the transit switches are advertised. These are considered as
       directly connected subnets on the router.

       Link local prefixes (IPv4 169.254.0.0/16 and IPv6 FE80::/10) are never
       advertised.

       The learned routes are added to the static_routes column of the
       Logical_Router table, with external_ids:ic-learned-route set to the
       uuid of the row in Route table of the OVN_IC_Southbound database.

       options : ic-route-adv: optional string
              A boolean value that enables route advertisement to the global
              OVN_IC_Southbound database. Default is false.

       options : ic-route-learn: optional string
              A boolean value that enables route learning from the global
              OVN_IC_Southbound database. Default is false.

       options : ic-route-adv-default: optional string
              A boolean value that enables advertising default route to the
              global OVN_IC_Southbound database. Default is false. This
              option takes effect only when option ic-route-adv is true.

       options : ic-route-learn-default: optional string
              A boolean value that enables learning default route from the
              global OVN_IC_Southbound database. Default is false. This
              option takes effect only when option ic-route-learn is true.

       options : ic-route-blacklist: optional string
              A string value containing a list of CIDRs delimited by ",". A
              route will not be advertised or learned if the route's prefix
              belongs to any of the CIDRs listed.

     Connection Options:

       connections: set of Connections
              Database clients to which the Open vSwitch database server
              should connect or on which it should listen, along with options
              for how these connections should be configured. See the
              Connection table for more information.

       ssl: optional SSL
              Global SSL configuration.

     Security Configurations:

       ipsec: boolean
              Tunnel encryption configuration. If this column is set to be
              true, all OVN tunnels will be encrypted with IPsec.

Logical_Switch TABLE
       Each row represents one L2 logical switch.

       There are two kinds of logical switches, that is, ones that fully
       virtualize the network (overlay logical switches) and ones that
       provide simple connectivity to a physical network (bridged logical
       switches). They work in the same way when providing connectivity
       between logical ports on the same chassis, but differently when
       connecting remote logical ports. Overlay logical switches connect
       remote logical ports by tunnels, while bridged logical switches
       provide connectivity to remote ports by bridging the packets to a
       directly connected physical L2 segment with the help of localnet
       ports. Each bridged logical switch has one and only one localnet port,
       which has only one special address unknown.

   Summary:
       ports                             set of Logical_Switch_Ports
       load_balancer                     set of weak reference to
                                         Load_Balancers
       acls                              set of ACLs
       qos_rules                         set of QoSs
       dns_records                       set of weak reference to DNSs
       forwarding_groups                 set of Forwarding_Groups
       Naming:
         name                            string
         external_ids : neutron:network_name
                                         optional string
       IP Address Assignment:
         other_config : subnet           optional string
         other_config : exclude_ips      optional string
         other_config : ipv6_prefix      optional string
         other_config : mac_only         optional string, either true or false
       IP Multicast Snooping Options:
         other_config : mcast_snoop      optional string, either true or false
         other_config : mcast_querier    optional string, either true or false
         other_config : mcast_flood_unregistered
                                         optional string, either true or false
         other_config : mcast_table_size
                                         optional string, containing an
                                         integer, in range 1 to 32,766
         other_config : mcast_idle_timeout
                                         optional string, containing an
                                         integer, in range 15 to 3,600
         other_config : mcast_query_interval
                                         optional string, containing an
                                         integer, in range 1 to 3,600
         other_config : mcast_query_max_response
                                         optional string, containing an
                                         integer, in range 1 to 10
         other_config : mcast_eth_src    optional string
         other_config : mcast_ip4_src    optional string
         other_config : mcast_ip6_src    optional string
       Interconnection:
         other_config : interconn-ts     optional string
       Tunnel Key:
         other_config : requested-tnl-key
                                         optional string, containing an
                                         integer, in range 1 to 16,777,215
       Common Columns:
         external_ids                    map of string-string pairs

   Details:
       ports: set of Logical_Switch_Ports
              The logical ports connected to the logical switch.

              It is an error for multiple logical switches to include the
              same logical port.

       load_balancer: set of weak reference to Load_Balancers
              Load balance a virtual ip address to a set of logical port
              endpoint ip addresses.

       acls: set of ACLs
              Access control rules that apply to packets within the logical
              switch.

       qos_rules: set of QoSs
              QoS marking and metering rules that apply to packets within the
              logical switch.

       dns_records: set of weak reference to DNSs
              This column defines the DNS records to be used for resolving
              internal DNS queries within the logical switch by the native
              DNS resolver. Please see the DNS table.

       forwarding_groups: set of Forwarding_Groups
              Groups a set of logical port endpoints for traffic going out of
              the logical switch.

     Naming:

       These columns provide names for the logical switch. From OVN's
       perspective, these names have no special meaning or purpose other than
       to provide convenience for human interaction with the database. There
       is no requirement for the name to be unique. (For a unique identifier
       for a logical switch, use its row UUID.)

       (Originally, name was intended to serve the purpose of a
       human-friendly name, but the Neutron integration used it to uniquely
       identify its own switch object, in the format neutron-uuid. Later on,
       Neutron started propagating the friendly name of a switch as
       external_ids:neutron:network_name. Perhaps this can be cleaned up
       someday.)

       name: string
              A name for the logical switch.

       external_ids : neutron:network_name: optional string
              Another name for the logical switch.

     IP Address Assignment:

       These options control automatic IP address management (IPAM) for ports
       attached to the logical switch. To enable IPAM for IPv4, set
       other_config:subnet and optionally other_config:exclude_ips. To enable
       IPAM for IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be
       enabled together or separately.

       To request dynamic address assignment for a particular port, use the
       dynamic keyword in the addresses column of the port's
       Logical_Switch_Port row. This requests both an IPv4 and an IPv6
       address, if IPAM for IPv4 and IPv6 are both enabled.

       other_config : subnet: optional string
              Set this to an IPv4 subnet, e.g. 192.168.0.0/24, to enable
              ovn-northd to automatically assign IP addresses within that
              subnet.

       other_config : exclude_ips: optional string
              To exclude some addresses from automatic IP address management,
              set this to a list of the IPv4 addresses or ..-delimited ranges
              to exclude. The addresses or ranges should be a subset of those
              in other_config:subnet.

              Whether listed or not, ovn-northd will never allocate the first
              or last address in a subnet, such as 192.168.0.0 or
              192.168.0.255 in 192.168.0.0/24.

              Examples:

              ·      192.168.0.2 192.168.0.10

              ·      192.168.0.4 192.168.0.30..192.168.0.60
                     192.168.0.110..192.168.0.120

              ·      192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30
                     192.168.0.144

       other_config : ipv6_prefix: optional string
              Set this to an IPv6 prefix to enable ovn-northd to
              automatically assign IPv6 addresses using this prefix. The
              assigned IPv6 address will be generated using the IPv6 prefix
              and the MAC address (converted to an IEEE EUI64 identifier) of
              the port. The IPv6 prefix defined here should be a valid IPv6
              address ending with ::.

              Examples:

              ·      aef0::

              ·      bef0:1234:a890:5678::

              ·      8230:5678::

       other_config : mac_only: optional string, either true or false
              Value used to request to assign L2 address only if neither
              subnet nor ipv6_prefix are specified.
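
The next block is an added example in Python, not ovn-northd's own code. It parses an exclude_ips value in the format shown above, computes the IPv4 addresses that remain available for dynamic assignment, and derives the IPv6 address for a port from ipv6_prefix and its MAC. It assumes the RFC 4291 modified EUI-64 form (universal/local bit flipped) and, more strictly than the "should" in the text, rejects exclusions that fall outside the subnet; all function names are the example's own.

```python
import ipaddress


def parse_exclude_ips(value, subnet):
    """Expand an exclude_ips string into a set of IPv4Address objects.

    Entries are whitespace separated; each is one address or a
    "first..last" range. Raises ValueError for malformed entries,
    reversed ranges, or entries outside the subnet.
    """
    net = ipaddress.IPv4Network(subnet)
    excluded = set()
    for token in value.split():
        first, sep, last = token.partition("..")
        lo = ipaddress.IPv4Address(first)
        hi = ipaddress.IPv4Address(last) if sep else lo
        if hi < lo:
            raise ValueError(f"range {token} is reversed")
        if lo not in net or hi not in net:
            raise ValueError(f"{token} is not inside {net}")
        excluded.update(ipaddress.IPv4Address(i)
                        for i in range(int(lo), int(hi) + 1))
    return excluded


def allocatable_ipv4(subnet, exclude_ips=""):
    """Addresses left for dynamic assignment, in ascending order."""
    net = ipaddress.IPv4Network(subnet)
    excluded = parse_exclude_ips(exclude_ips, subnet)
    # The first and last address are never allocated, listed or not.
    reserved = {net.network_address, net.broadcast_address}
    return [a for a in net if a not in reserved and a not in excluded]


def eui64_address(ipv6_prefix, mac):
    """Combine an ipv6_prefix ("...::") with a MAC via modified EUI-64."""
    if not ipv6_prefix.endswith("::"):
        raise ValueError("ipv6_prefix must end with '::'")
    prefix = int(ipaddress.IPv6Address(ipv6_prefix))
    if prefix & ((1 << 64) - 1):
        raise ValueError("prefix must leave the low 64 bits clear")
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    # Flip the universal/local bit and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(prefix | int.from_bytes(iid, "big"))


if __name__ == "__main__":
    # Second exclude_ips example from the text, on 192.168.0.0/24.
    pool = allocatable_ipv4(
        "192.168.0.0/24",
        "192.168.0.4 192.168.0.30..192.168.0.60 192.168.0.110..192.168.0.120")
    print(len(pool), pool[0], pool[-1])
    # Constructed MAC address for illustration.
    print(eui64_address("aef0::", "0a:00:00:00:00:01"))
```

Because the IPv6 address is a pure function of prefix and MAC, anyone who knows a port's MAC can predict its dynamically assigned IPv6 address, which is worth remembering when writing ACLs that rely on address secrecy.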

     IP Multicast Snooping Options:

       These options control IP Multicast Snooping configuration of the
       logical switch. To enable IP Multicast Snooping set
       other_config:mcast_snoop to true. To enable IP Multicast Querier set
       other_config:mcast_snoop to true. If IP Multicast Querier is enabled
       other_config:mcast_eth_src and other_config:mcast_ip4_src must be set.

       other_config : mcast_snoop: optional string, either true or false
              Enables/disables IP Multicast Snooping on the logical switch.

       other_config : mcast_querier: optional string, either true or false
              Enables/disables IP Multicast Querier on the logical switch.

       other_config : mcast_flood_unregistered: optional string, either true
       or false
              Determines whether unregistered multicast traffic should be
              flooded or not. Only applicable if other_config:mcast_snoop is
              enabled.

       other_config : mcast_table_size: optional string, containing an
       integer, in range 1 to 32,766
              Number of multicast groups to be stored. Default: 2048.

       other_config : mcast_idle_timeout: optional string, containing an
       integer, in range 15 to 3,600
              Configures the IP Multicast Snooping group idle timeout (in
              seconds). Default: 300 seconds.

       other_config : mcast_query_interval: optional string, containing an
       integer, in range 1 to 3,600
              Configures the IP Multicast Querier interval between queries
              (in seconds). Default: other_config:mcast_idle_timeout / 2.

       other_config : mcast_query_max_response: optional string, containing
       an integer, in range 1 to 10
              Configures the value of the "max-response" field in the
              multicast queries originated by the logical switch. Default: 1
              second.

       other_config : mcast_eth_src: optional string
              Configures the source Ethernet address for queries originated
              by the logical switch.

       other_config : mcast_ip4_src: optional string
              Configures the source IPv4 address for queries originated by
              the logical switch.

       other_config : mcast_ip6_src: optional string
              Configures the source IPv6 address for queries originated by
              the logical switch.

     Interconnection:

       other_config : interconn-ts: optional string
              The name of corresponding transit switch in OVN_IC_Northbound
              database. This kind of logical switch is created and controlled
              by ovn-ic.

     Tunnel Key:

       other_config : requested-tnl-key: optional string, containing an
       integer, in range 1 to 16,777,215
              Configures the datapath tunnel key for the logical switch.
              Usually this is not needed because ovn-northd will assign a
              unique key for each datapath by itself. However, if it is
              configured, ovn-northd honors the configured value. The typical
              use case is for interconnection: the tunnel keys for transit
              switches need to be unique globally, so they are maintained in
              the global OVN_IC_Southbound database, and ovn-ic simply syncs
              the value from OVN_IC_Southbound through this config.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Logical_Switch_Port TABLE
       A port within an L2 logical switch.

   Summary:
       Core Features:
         name                            string (must be unique within table)
         type                            string
       Options:
         options                         map of string-string pairs
         Options for router ports:
           options : router-port         optional string
           options : nat-addresses       optional string
         Options for localnet ports:
           options : network_name        optional string
         Options for l2gateway ports:
           options : network_name        optional string
           options : l2gateway-chassis   optional string
         Options for vtep ports:
           options : vtep-physical-switch
                                         optional string
           options : vtep-logical-switch
                                         optional string
         VMI (or VIF) Options:
           options : requested-chassis   optional string
           options : qos_max_rate        optional string
           options : qos_burst           optional string
         Virtual port Options:
           options : virtual-ip          optional string
           options : virtual-parents     optional string
         IP Multicast Snooping Options:
           options : mcast_flood         optional string, either true or false
           options : mcast_flood_reports
                                         optional string, either true or false
       Containers:
         parent_name                     optional string
         tag_request                     optional integer, in range 0 to 4,095
         tag                             optional integer, in range 1 to 4,095
       Port State:
         up                              optional boolean
         enabled                         optional boolean
       Addressing:
         addresses                       set of strings
         dynamic_addresses               optional string
         port_security                   set of strings
       DHCP:
         dhcpv4_options                  optional weak reference to
                                         DHCP_Options
         dhcpv6_options                  optional weak reference to
                                         DHCP_Options
       ha_chassis_group                  optional HA_Chassis_Group
       Naming:
         external_ids : neutron:port_name
                                         optional string
       Tunnel Key:
         options : requested-tnl-key     optional string, containing an
                                         integer, in range 1 to 65,535
       Common Columns:
         external_ids                    map of string-string pairs

   Details:
     Core Features:

       name: string (must be unique within table)
              The logical port name.

              For entities (VMs or containers) that are spawned in the
              hypervisor, the name used here must match those used in the
              external_ids:iface-id in the Open_vSwitch database's Interface
              table, because hypervisors use external_ids:iface-id as a
              lookup key to identify the network interface of that entity.

              For containers that share a VIF within a VM, the name can be
              any unique identifier. See Containers, below, for more
              information.

       type: string
              Specify a type for this logical port. Logical ports can be used
              to model other types of connectivity into an OVN logical
              switch. The following types are defined:

              (empty string)
                     A VM (or VIF) interface.

              router
                     A connection to a logical router. The value of
                     options:router-port specifies the name of the
                     Logical_Router_Port to which this logical switch port is
                     connected.

              localnet
                     A connection to a locally accessible network from each
                     ovn-controller instance. A logical switch can only have
                     a single localnet port attached. This is used to model
                     direct connectivity to an existing network.

              localport
                     A connection to a local VIF. Traffic that arrives on a
                     localport is never forwarded over a tunnel to another
                     chassis. These ports are present on every chassis and
                     have the same address in all of them. This is used to
                     model connectivity to local services that run on every
                     hypervisor.

              l2gateway
                     A connection to a physical network.

              vtep
                     A port to a logical switch on a VTEP gateway.

              external
                     Represents a logical port which is external and does not
                     have an OVS port in the integration bridge. OVN will
                     never receive any traffic from this port or send any
                     traffic to this port. OVN can support native services
                     like DHCPv4/DHCPv6/DNS for this port. If
                     ha_chassis_group is defined, ovn-controller running in
                     the master chassis of the HA chassis group will bind
                     this port to provide these native services. It is
                     expected that this port belongs to a bridged logical
                     switch (with a localnet port).

                     It is recommended to use the same HA chassis group for
                     all the external ports of a logical switch. Otherwise,
                     the physical switch might see MAC flap issues when
                     different chassis provide the native services. For
                     example, when supporting native DHCPv4 service, the
                     DHCPv4 server MAC (configured in the options:server_mac
                     column in table DHCP_Options) originating from
                     different ports can cause MAC flap issues. The MAC of
                     the logical router IP(s) can also flap if the same HA
                     chassis group is not set for all the external ports of a
                     logical switch.

                     Below are some of the use cases where external ports can
                     be used.

                     ·      VMs connected to SR-IOV NICs - Traffic from these
                            VMs bypasses the kernel stack, and the local
                            ovn-controller does not bind these ports and
                            cannot serve the native services.

                     ·      When CMS supports provisioning baremetal servers.

              virtual
                     Represents a logical port which does not have an OVS
                     port in the integration bridge and has a virtual ip
                     configured in the options:virtual-ip column. This
                     virtual ip can move around between the logical ports
                     configured in the options:virtual-parents column.

                     One use case where virtual ports can be used:

                     ·      The virtual ip represents a load balancer vip and
                            the virtual parents provide load balancer service
                            in an active-standby setup with the active
                            virtual parent owning the virtual ip.

              remote
                     A remote port models a port that resides remotely on
                     another OVN, which is on the other side of a transit
                     logical switch for OVN interconnection. Ports of this
                     type are created by ovn-ic instead of by CMS. Any change
                     to the port will be automatically overwritten by ovn-ic.

     Options:

       options: map of string-string pairs
              This column provides key/value settings specific to the logical
              port type. The type-specific options are described individually
              below.

     Options for router ports:

       These options apply when type is router.

       options : router-port: optional string
              Required. The name of the Logical_Router_Port to which this
              logical switch port is connected.

       options : nat-addresses: optional string
              This is used to send gratuitous ARPs for SNAT and DNAT IP
              addresses via the localnet port that is attached to the same
              logical switch as this type router port. This option is
              specified on a logical switch port that is connected to a
              gateway router, or a logical switch port that is connected to a
              distributed gateway port on a logical router.

              This must take one of the following forms:

              router
                     Gratuitous ARPs will be sent for all SNAT and DNAT
                     external IP addresses and for all load balancer IP
                     addresses defined on the options:router-port's logical
                     router, using the options:router-port's MAC address.

                     This form of options:nat-addresses is valid for logical
                     switch ports where options:router-port is the name of a
                     port on a gateway router, or the name of a distributed
                     gateway port.

                     Supported only in OVN 2.8 and later. Earlier versions
                     required NAT addresses to be manually synchronized.

              Ethernet address followed by one or more IPv4 addresses
                     Example: 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24.
                     This would result in generation of gratuitous ARPs for
                     IP addresses 158.36.44.22 and 158.36.44.24 with a MAC
                     address of 80:fa:5b:06:72:b7.

                     This form of options:nat-addresses is only valid for
                     logical switch ports where options:router-port is the
                     name of a port on a gateway router.

     Options for localnet ports:

       These options apply when type is localnet.

       options : network_name: optional string
              Required. The name of the network to which the localnet port is
              connected. Each hypervisor, via ovn-controller, uses its local
              configuration to determine exactly how to connect to this
              locally accessible network.

     Options for l2gateway ports:

       These options apply when type is l2gateway.

       options : network_name: optional string
              Required. The name of the network to which the l2gateway port
              is connected. The L2 gateway, via ovn-controller, uses its
              local configuration to determine exactly how to connect to this
              network.

       options : l2gateway-chassis: optional string
              Required. The chassis on which the l2gateway logical port
              should be bound. ovn-controller running on the defined chassis
              will connect this logical port to the physical network.

     Options for vtep ports:

       These options apply when type is vtep.

       options : vtep-physical-switch: optional string
              Required. The name of the VTEP gateway.

       options : vtep-logical-switch: optional string
              Required. A logical switch name connected by the VTEP gateway.

     VMI (or VIF) Options:

       These options apply to logical ports whose type is (empty string).

       options : requested-chassis: optional string
              If set, identifies a specific chassis (by name or hostname)
              that is allowed to bind this port. Using this option will
              prevent thrashing between two chassis trying to bind the same
              port during a live migration. It can also prevent similar
              thrashing due to a mis-configuration, if a port is accidentally
              created on more than one chassis.

       options : qos_max_rate: optional string
              If set, indicates the maximum rate for data sent from this
              interface, in bit/s. The traffic will be shaped according to
              this limit.

       options : qos_burst: optional string
              If set, indicates the maximum burst size for data sent from
              this interface, in bits.

     Virtual port Options:

       These options apply when type is virtual.

       options : virtual-ip: optional string
              This option represents the virtual IPv4 address.

       options : virtual-parents: optional string
              This option represents a set of logical port names (within the
              same logical switch) which can own the virtual ip configured in
              the options:virtual-ip. All these virtual parents should add
              the virtual ip in the port_security if port security addresses
              are enabled.
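
A configuration check for the virtual-parents requirement above, as an added Python example that is not part of OVN. It flags virtual parents whose port_security is set but does not list the virtual ip. It assumes that virtual-parents is a comma-separated list of port names, that each port_security entry is a MAC followed by IP addresses (optionally with a /mask), and that all rows passed in belong to one logical switch; the sample rows are constructed.

```python
import ipaddress

# Constructed Logical_Switch_Port rows, reduced to the columns the check uses.
SAMPLE_PORTS = [
    {"name": "vip0", "type": "virtual", "port_security": [],
     "options": {"virtual-ip": "10.0.0.10", "virtual-parents": "p1,p2,p3"}},
    {"name": "p1", "type": "", "options": {},
     "port_security": ["0a:00:00:00:00:01 10.0.0.3 10.0.0.10"]},
    {"name": "p2", "type": "", "options": {},
     "port_security": ["0a:00:00:00:00:02 10.0.0.4"]},
]


def _permits(port_security, vip):
    """True if any port_security entry lists vip as a host address."""
    for entry in port_security:
        for token in entry.split():
            try:
                # ip_interface() accepts "addr" and "addr/mask"; only the
                # host part is compared, a mask does not widen the match.
                if ipaddress.ip_interface(token).ip == vip:
                    return True
            except ValueError:
                continue  # the MAC address or another non-IP token
    return False


def audit_virtual_ports(ports):
    """Return (virtual_port, parent, problem) tuples for one logical switch."""
    by_name = {p["name"]: p for p in ports}
    findings = []
    for port in ports:
        if port.get("type") != "virtual":
            continue
        opts = port.get("options", {})
        try:
            vip = ipaddress.ip_address(opts.get("virtual-ip", ""))
        except ValueError:
            findings.append((port["name"], None,
                             "virtual-ip missing or invalid"))
            continue
        parents = [n.strip() for n in
                   opts.get("virtual-parents", "").split(",") if n.strip()]
        for parent in parents:
            row = by_name.get(parent)
            if row is None:
                findings.append((port["name"], parent,
                                 "parent port not found"))
            elif row.get("port_security") and not _permits(
                    row["port_security"], vip):
                # Port security is enabled on the parent but would drop
                # traffic sourced from the virtual ip after a failover.
                findings.append((port["name"], parent,
                                 "virtual-ip not in parent port_security"))
    return findings


if __name__ == "__main__":
    for finding in audit_virtual_ports(SAMPLE_PORTS):
        print(finding)
```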
795
796 IP Multicast Snooping Options:
797
798 These options apply when the port is part of a logical switch which has
799 other_config :mcast_snoop set to true.
800
801 options : mcast_flood: optional string, either true or false
802 If set to true, multicast packets (except reports) are uncondi‐
803 tionally forwarded to the specific port.
804
805 options : mcast_flood_reports: optional string, either true or false
806 If set to true, multicast reports are unconditionally forwarded
807 to the specific port.
808
809 Containers:
810
811 When a large number of containers are nested within a VM, it may be too
812 expensive to dedicate a VIF to each container. OVN can use VLAN tags to
813 support such cases. Each container is assigned a VLAN ID and each
814 packet that passes between the hypervisor and the VM is tagged with the
815 appropriate ID for the container. Such VLAN IDs never appear on a phys‐
816 ical wire, even inside a tunnel, so they need not be unique except rel‐
817 ative to a single VM on a hypervisor.
818
819 These columns are used for VIFs that represent nested containers using
820 shared VIFs. For VMs and for containers that have dedicated VIFs, they
821 are empty.
822
823 parent_name: optional string
824 The VM interface through which the nested container sends its
825 network traffic. This must match the name column for some other
826 Logical_Switch_Port.
827
828 tag_request: optional integer, in range 0 to 4,095
829 The VLAN tag in the network traffic associated with a con‐
830 tainer’s network interface. The client can request ovn-northd to
831 allocate a tag that is unique within the scope of a specific
832 parent (specified in parent_name) by setting a value of 0 in
833 this column. The allocated value is written by ovn-northd in the
834 tag column. (Note that these tags are allocated and managed
835 locally in ovn-northd, so they cannot be reconstructed in the
836 event that the database is lost.) The client can also request a
837 specific non-zero tag and ovn-northd will honor it and copy that
838 value to the tag column.
839
840 When type is set to localnet or l2gateway, this can be set to
841 indicate that the port represents a connection to a specific
842 VLAN on a locally accessible network. The VLAN ID is used to
843 match incoming traffic and is also added to outgoing traffic.
844
845 tag: optional integer, in range 1 to 4,095
846 The VLAN tag allocated by ovn-northd based on the contents of
847 the tag_request column.
848
849 Port State:
850
851 up: optional boolean
852 This column is populated by ovn-northd, rather than by the CMS
853 plugin as is most of this database. When a logical port is bound
854 to a physical location in the OVN Southbound database Binding
855 table, ovn-northd sets this column to true; otherwise, or if the
856 port becomes unbound later, it sets it to false. If this column
857 is empty, the port is not considered up. This allows the CMS to
858 wait for a VM’s (or container’s) networking to become active
859 before it allows the VM (or container) to start.
860
861 Logical ports of router type are an exception to this rule. They
862 are considered to be always up; that is, this column is always
863 set to true.
864
865 enabled: optional boolean
866 This column is used to administratively set port state. If this
867 column is empty or is set to true, the port is enabled. If this
868 column is set to false, the port is disabled. A disabled port
869 has all ingress and egress traffic dropped.
870
871 Addressing:
872
873 addresses: set of strings
874 Addresses owned by the logical port.
875
876 Each element in the set must take one of the following forms:
877
878 Ethernet address followed by zero or more IPv4 or IPv6 addresses
879 (or both)
880 The Ethernet address defined is owned by the logical port.
881 Like a physical Ethernet NIC, a logical port ordinarily
882 has a single fixed Ethernet address.
883
884 When an OVN logical switch processes a unicast Ethernet
885 frame whose destination MAC address is in a logical
886 port’s addresses column, it delivers it only to that
887 port, as if a MAC learning process had learned that MAC
888 address on the port.
889
890 If IPv4 or IPv6 address(es) (or both) are defined, it
891 indicates that the logical port owns the given IP
892 addresses.
893
894 If IPv4 address(es) are defined, the OVN logical switch
895 uses this information to synthesize responses to ARP
896 requests without traversing the physical network. The OVN
897 logical router connected to the logical switch, if any,
898 uses this information to avoid issuing ARP requests for
899 logical switch ports.
900
901 Note that the order here is important. The Ethernet
902 address must be listed before the IP address(es) if
903 defined.
904
905 Examples:
906
907 80:fa:5b:06:72:b7
908 This indicates that the logical port owns the
909 above mac address.
910
911 80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
912 This indicates that the logical port owns the mac
913 address and two IPv4 addresses.
914
915 80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
916 This indicates that the logical port owns the mac
917 address and 1 IPv6 address.
918
919 80:fa:5b:06:72:b7 10.0.0.4
920 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
921 This indicates that the logical port owns the mac
922 address and 1 IPv4 address and 1 IPv6 address.
923
924 unknown
925 This indicates that the logical port has an unknown set
926 of Ethernet addresses. When an OVN logical switch pro‐
927 cesses a unicast Ethernet frame whose destination MAC
928 address is not in any logical port’s addresses column, it
929 delivers it to the port (or ports) whose addresses col‐
930 umns include unknown.
931
932 dynamic
933 Use this keyword to make ovn-northd generate a globally
934 unique MAC address and choose an unused IPv4 address within
935 the logical port’s subnet and store them in the port’s
936 dynamic_addresses column. ovn-northd will use the subnet
937 specified in other_config:subnet in the port’s Logi‐
938 cal_Switch.
939
940 Ethernet address followed by keyword "dynamic"
941 The keyword dynamic after the MAC address indicates that
942 ovn-northd should choose an unused IPv4 address from the
943 logical port’s subnet and store it with the specified MAC
944 in the port’s dynamic_addresses column. ovn-northd will
945 use the subnet specified in other_config:subnet in the
946 port’s Logical_Switch table.
947
948 Examples:
949
950 80:fa:5b:06:72:b7 dynamic
951 This indicates that the logical port owns the
952 specified MAC address and ovn-northd should allo‐
953 cate an unused IPv4 address for the logical port
954 from the corresponding logical switch subnet.
955
956 Keyword "dynamic" followed by an IPv4/IPv6 address
957 The keyword dynamic followed by an IPv4/IPv6 address
958 indicates that ovn-northd should choose a dynamic ether‐
959 net address and use the provided IPv4/IPv6 address as
960 network address.
961
962 Examples:
963
964 dynamic 192.168.0.1 2001::1
965 This indicates that ovn-northd should allocate a
966 unique MAC address and use the provided IPv4/IPv6
967 address for the related port.
968
969 router Accepted only when type is router. This indicates that
970 the Ethernet, IPv4, and IPv6 addresses for this logical
971 switch port should be obtained from the connected logical
972 router port, as specified by router-port in options.
973
974 The resulting addresses are used to populate the logical
975 switch’s destination lookup, and also for the logical
976 switch to generate ARP and ND replies.
977
978 If the connected logical router port has a distributed
979 gateway port specified and the logical router has rules
980 specified in nat with external_mac, then those addresses
981 are also used to populate the switch’s destination
982 lookup.
983
984 Supported only in OVN 2.7 and later. Earlier versions
985 required router addresses to be manually synchronized.
986
987 dynamic_addresses: optional string
988 Addresses assigned to the logical port by ovn-northd, if dynamic
989 is specified in addresses. Addresses will be of the same format
990 as those that populate the addresses column. Note that dynami‐
991 cally assigned addresses are constructed and managed locally in
992 ovn-northd, so they cannot be reconstructed in the event that
993 the database is lost.
994
995 port_security: set of strings
996 This column controls the addresses from which the host attached
997 to the logical port (``the host’’) is allowed to send packets
998 and to which it is allowed to receive packets. If this column is
999 empty, all addresses are permitted.
1000
1001 Each element in the set must begin with one Ethernet address.
1002 This would restrict the host to sending packets from and receiv‐
1003 ing packets to the ethernet addresses defined in the logical
1004 port’s port_security column. It also restricts the inner source
1005 MAC addresses that the host may send in ARP and IPv6 Neighbor
1006 Discovery packets. The host is always allowed to receive packets
1007 to multicast and broadcast Ethernet addresses.
1008
1009 Each element in the set may additionally contain one or more
1010 IPv4 or IPv6 addresses (or both), with optional masks. If a mask
1011 is given, it must be a CIDR mask. In addition to the restric‐
1012 tions described for Ethernet addresses above, such an element
1013 restricts the IPv4 or IPv6 addresses from which the host may
1014 send and to which it may receive packets to the specified
1015 addresses. A masked address, if the host part is zero, indicates
1016 that the host is allowed to use any address in the subnet; if
1017 the host part is nonzero, the mask simply indicates the size of
1018 the subnet. In addition:
1019
1020 · If any IPv4 address is given, the host is also allowed to
1021 receive packets to the IPv4 local broadcast address
1022 255.255.255.255 and to IPv4 multicast addresses
1023 (224.0.0.0/4). If an IPv4 address with a mask is given,
1024 the host is also allowed to receive packets to the broad‐
1025 cast address in that specified subnet.
1026
1027 If any IPv4 address is given, the host is additionally
1028 restricted to sending ARP packets with the specified
1029 source IPv4 address. (RARP is not restricted.)
1030
1031 · If any IPv6 address is given, the host is also allowed to
1032 receive packets to IPv6 multicast addresses (ff00::/8).
1033
1034 If any IPv6 address is given, the host is additionally
1035 restricted to sending IPv6 Neighbor Discovery Solicita‐
1036 tion or Advertisement packets with the specified source
1037 address or, for solicitations, the unspecified address.
1038
1039 If an element includes an IPv4 address, but no IPv6 addresses,
1040 then IPv6 traffic is not allowed. If an element includes an IPv6
1041 address, but no IPv4 address, then IPv4 and ARP traffic is not
1042 allowed.
1043
1044 This column uses the same lexical syntax as the match column in
1045 the OVN Southbound database’s Pipeline table. Multiple addresses
1046 within an element may be space or comma separated.
1047
1048 This column is provided as a convenience to cloud management
1049 systems, but all of the features that it implements can be
1050 implemented as ACLs using the ACL table.
1051
1052 Examples:
1053
1054 80:fa:5b:06:72:b7
1055 The host may send traffic from and receive traffic to the
1056 specified MAC address, and may receive traffic to Ethernet
1057 multicast and broadcast addresses, but not otherwise. The
1058 host may not send ARP or IPv6 Neighbor Discovery packets
1059 with inner source Ethernet addresses other than the one
1060 specified.
1061
1062 80:fa:5b:06:72:b7 192.168.1.10/24
1063 This adds further restrictions to the first example. The
1064 host may send IPv4 packets from or receive IPv4 packets
1065 to only 192.168.1.10, except that it may also receive
1066 IPv4 packets to 192.168.1.255 (based on the subnet mask),
1067 255.255.255.255, and any address in 224.0.0.0/4. The host
1068 may not send ARPs with a source Ethernet address other
1069 than 80:fa:5b:06:72:b7 or source IPv4 address other than
1070 192.168.1.10. The host may not send or receive any IPv6
1071 (including IPv6 Neighbor Discovery) traffic.
1072
1073 "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
1074 The host may send traffic from and receive traffic to the
1075 specified MAC addresses, and may receive traffic to Ether‐
1076 net multicast and broadcast addresses, but not otherwise.
1077 With MAC 80:fa:5b:12:42:ba, the host may send traffic
1078 from and receive traffic to any L3 address. With MAC
1079 80:fa:5b:06:72:b7, the host may send IPv4 packets from or
1080 receive IPv4 packets to only 192.168.1.10, except that it
1081 may also receive IPv4 packets to 192.168.1.255 (based on
1082 the subnet mask), 255.255.255.255, and any address in
1083 224.0.0.0/4. The host may not send or receive any IPv6
1084 (including IPv6 Neighbor Discovery) traffic.
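The port_security rules above, written out as a small Python model. This is an added illustration, not code from OVN: the function names are hypothetical, only the send and receive address checks are modelled (the ARP and Neighbor Discovery inner-address checks are not), and for a multicast or broadcast destination MAC the L3 rules of any element are assumed to apply.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
# Destinations a host may always receive once an address of that family is listed.
ALWAYS_RX = {
    4: [ipaddress.ip_network("255.255.255.255/32"), ipaddress.ip_network("224.0.0.0/4")],
    6: [ipaddress.ip_network("ff00::/8")],
}


def parse_element(element):
    """Return (mac, rules); each rule is (ip_interface, mask_was_given)."""
    tokens = [t for t in re.split(r"[\s,]+", element.strip()) if t]
    if not tokens or not MAC_RE.match(tokens[0]):
        raise ValueError("element must begin with an Ethernet address: %r" % element)
    return tokens[0].lower(), [(ipaddress.ip_interface(t), "/" in t) for t in tokens[1:]]


def _covers(iface, masked):
    """Zero host part with a mask: whole subnet. Otherwise: that one address."""
    if masked and iface.ip == iface.network.network_address:
        return iface.network
    return ipaddress.ip_network(str(iface.ip))


def _l3_ok(rules, ip, receiving):
    """Apply one element's IP rules to a source (send) or destination (receive)."""
    if not rules:
        return True                      # MAC-only element: any L3 address
    ip = ipaddress.ip_address(ip)
    same_family = [(i, m) for i, m in rules if i.version == ip.version]
    if not same_family:
        return False                     # IPv4-only element: no IPv6, and vice versa
    if receiving and any(ip in net for net in ALWAYS_RX[ip.version]):
        return True
    for iface, masked in same_family:
        if ip in _covers(iface, masked):
            return True
        if (receiving and masked and ip.version == 4
                and ip == iface.network.broadcast_address):
            return True                  # broadcast address of the given subnet
    return False


def may_send(port_security, src_mac, src_ip=None):
    """True if the host may send a frame with this source MAC (and source IP)."""
    if not port_security:
        return True                      # empty column: all addresses permitted
    for mac, rules in map(parse_element, port_security):
        if mac == src_mac.lower() and (src_ip is None or _l3_ok(rules, src_ip, False)):
            return True
    return False


def may_receive(port_security, dst_mac, dst_ip=None):
    """True if the host may receive a frame to this destination MAC (and IP)."""
    if not port_security:
        return True
    group = int(dst_mac.split(":")[0], 16) & 1   # Ethernet multicast/broadcast bit
    for mac, rules in map(parse_element, port_security):
        if (group or mac == dst_mac.lower()) and (
                dst_ip is None or _l3_ok(rules, dst_ip, True)):
            return True
    return False


if __name__ == "__main__":
    column = ["80:fa:5b:06:72:b7 192.168.1.10/24"]   # second example above
    for ip in ("192.168.1.10", "192.168.1.11", "fdaa::1"):
        print("send from", ip, "->", may_send(column, "80:fa:5b:06:72:b7", ip))
```

Running the model over a port's intended addresses before writing the column shows quickly whether a mask with a nonzero host part was meant to admit the whole subnet, which it does not.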
1085
1086 DHCP:
1087
1088 dhcpv4_options: optional weak reference to DHCP_Options
1089 This column defines the DHCPv4 Options to be included by the
1090 ovn-controller when it replies to the DHCPv4 requests. Please
1091 see the DHCP_Options table.
1092
1093 dhcpv6_options: optional weak reference to DHCP_Options
1094 This column defines the DHCPv6 Options to be included by the
1095 ovn-controller when it replies to the DHCPv6 requests. Please
1096 see the DHCP_Options table.
1097
1098 ha_chassis_group: optional HA_Chassis_Group
1099 References a row in the OVN Northbound database’s HA_Chas‐
1100 sis_Group table. It indicates the HA chassis group to use if the
1101 type is set to external. If type is not external, this column is
1102 ignored.
1103
1104 Naming:
1105
1106 external_ids : neutron:port_name: optional string
1107 This column gives an optional human-friendly name for the port.
1108 This name has no special meaning or purpose other than to pro‐
1109 vide convenience for human interaction with the northbound data‐
1110 base.
1111
1112 Neutron copies this from its own port object’s name. (Neutron
1113 ports are not assigned human-friendly names by default, so it
1114 will often be empty.)
1115
1116 Tunnel Key:
1117
1118 options : requested-tnl-key: optional string, containing an integer, in
1119 range 1 to 65,535
1120 Configures the port binding tunnel key for the port. Usually
1121 this is not needed because ovn-northd will assign a unique key
1122 for each port by itself. However, if it is configured,
1123 ovn-northd honors the configured value. The typical use case is
1124 for interconnection: the tunnel keys for ports on transit
1125 switches need to be unique globally, so they are maintained in
1126 the global OVN_IC_Southbound database, and ovn-ic simply syncs
1127 the value from OVN_IC_Southbound through this config.
1128
1129 Common Columns:
1130
1131 external_ids: map of string-string pairs
1132 See External IDs at the beginning of this document.
1133
1134 The ovn-northd program copies all these pairs into the exter‐
1135 nal_ids column of the Port_Binding table in OVN_Southbound data‐
1136 base.
1137
1138 Forwarding_Group TABLE
1139 Each row represents one forwarding group.
1140
1141 Summary:
1142 name string
1143 vip string
1144 vmac string
1145 liveness boolean
1146 child_port set of 1 or more strings
1147 Common Columns:
1148 external_ids map of string-string pairs
1149
1150 Details:
1151 name: string
1152 A name for the forwarding group. This name has no special mean‐
1153 ing or purpose other than to provide convenience for human
1154 interaction with the ovn-nb database.
1155
1156 vip: string
1157 The virtual IP address assigned to the forwarding group. It will
1158 respond with vmac when an ARP request is sent for vip.
1159
1160 vmac: string
1161 The virtual MAC address assigned to the forwarding group.
1162
1163 liveness: boolean
1164 If set to true, liveness is enabled for child ports; otherwise it
1165 is disabled.
1166
1167 child_port: set of 1 or more strings
1168 List of child ports in the forwarding group.
1169
1170 Common Columns:
1171
1172 external_ids: map of string-string pairs
1173 See External IDs at the beginning of this document.
1174
1175 Address_Set TABLE
1176 Each row in this table represents a named set of addresses. An address
1177 set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
1178 or CIDR masks. Address sets may ultimately be used in ACLs to compare
1179 against fields such as ip4.src or ip6.src. A single address set must
1180 contain addresses of the same type. As an example, the following would
1181 create an address set with three IP addresses:
1182
1183 ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'
1184
1185
1186 Address sets may be used in the match column of the ACL table. For syn‐
1187 tax information, see the details of the expression language used for
1188 the match column in the Logical_Flow table of the OVN_Southbound data‐
1189 base.
1190
1191 Summary:
1192 name string (must be unique within table)
1193 addresses set of strings
1194 Common Columns:
1195 external_ids map of string-string pairs
1196
1197 Details:
1198 name: string (must be unique within table)
1199 A name for the address set. Names are ASCII and must match
1200 [a-zA-Z_.][a-zA-Z_.0-9]*.
1201
1202 addresses: set of strings
1203 The set of addresses in string form.
1204
1205 Common Columns:
1206
1207 external_ids: map of string-string pairs
1208 See External IDs at the beginning of this document.
1209
1210 Port_Group TABLE
1211 Each row in this table represents a named group of logical switch
1212 ports.
1213
1214 Port groups may be used in the match column of the ACL table. For syn‐
1215 tax information, see the details of the expression language used for
1216 the match column in the Logical_Flow table of the OVN_Southbound data‐
1217 base.
1218
1219 For each port group, two address sets are generated in the
1220 Address_Set table of the OVN_Southbound database, containing the IP
1221 addresses of the group of ports, one for IPv4, and the other for IPv6,
1222 with name being the name of the Port_Group followed by a suffix _ip4
1223 for IPv4 and _ip6 for IPv6. The generated address sets can be used in
1224 the same way as regular address sets in the match column of the ACL ta‐
1225 ble. For syntax information, see the details of the expression language
1226 used for the match column in the Logical_Flow table of the OVN_South‐
1227 bound database.
1228
1229 Summary:
1230 name string (must be unique within table)
1231 ports set of weak reference to Logi‐
1232 cal_Switch_Ports
1233 acls set of ACLs
1234 Common Columns:
1235 external_ids map of string-string pairs
1236
1237 Details:
1238 name: string (must be unique within table)
1239 A name for the port group. Names are ASCII and must match
1240 [a-zA-Z_.][a-zA-Z_.0-9]*.
1241
1242 ports: set of weak reference to Logical_Switch_Ports
1243 The logical switch ports belonging to the group, as UUIDs.
1244
1245 acls: set of ACLs
1246 Access control rules that apply to the port group. Applying an
1247 ACL to a port group has the same effect as applying the ACL to
1248 all logical switches that the ports of the port group belong
1249 to.
1250
1251 Common Columns:
1252
1253 external_ids: map of string-string pairs
1254 See External IDs at the beginning of this document.
1255
1256 Load_Balancer TABLE
1257 Each row represents one load balancer.
1258
1259 Summary:
1260 name string
1261 vips map of string-string pairs
1262 protocol optional string, one of sctp, tcp, or udp
1263 health_check set of Load_Balancer_Health_Checks
1264 ip_port_mappings map of string-string pairs
1265 Common Columns:
1266 external_ids map of string-string pairs
1267
1268 Details:
1269 name: string
1270 A name for the load balancer. This name has no special meaning
1271 or purpose other than to provide convenience for human interac‐
1272 tion with the ovn-nb database.
1273
1274 vips: map of string-string pairs
1275 A map of virtual IP addresses (and an optional port number with
1276 : as a separator) associated with this load balancer and their
1277 corresponding endpoint IP addresses (and optional port numbers
1278 with : as separators) separated by commas. If the destination IP
1279 address (and port number) of a packet leaving a container or a
1280 VM matches the virtual IP address (and port number) provided
1281 here as a key, then OVN will statefully replace the destination
1282 IP address by one of the provided IP addresses (and port numbers)
1283 in this map as a value. IPv4 and IPv6 addresses are supported
1284 for load balancing; however a VIP of one address family may not
1285 be mapped to a destination IP address of a different family. If
1286 specifying an IPv6 address with a port, the address portion must
1287 be enclosed in square brackets. Examples for keys are
1288 "192.168.1.4" and "[fd0f::1]:8800". Examples for value are
1289 "10.0.0.1, 10.0.0.2" and "20.0.0.10:8800, 20.0.0.11:8800".
1290
1291 When the Load_Balancer is added to the logical_switch, the VIP
1292 has to be in a different subnet than the one used for the logi‐
1293 cal_switch. Since VIP is in a different subnet, you should con‐
1294 nect your logical switch to either an OVN logical router or a
1295 real router (this is because the client can now send a packet
1296 with VIP as the destination IP address and router’s mac address
1297 as the destination MAC address).
1298
1299 protocol: optional string, one of sctp, tcp, or udp
1300 Valid protocols are tcp, udp, or sctp. This column is useful
1301 when a port number is provided as part of the vips column. If
1302 this column is empty and a port number is provided as part of
1303 vips column, OVN assumes the protocol to be tcp.
1304
1305 health_check: set of Load_Balancer_Health_Checks
1306 Load balancer health checks associated with this load balancer.
1307 If health check is desired for a vip’s endpoints defined in the
1308 vips column, then a row in the table Load_Balancer_Health_Check
1309 should be created and referenced here and L4 port should be
1310 defined for the vip and its endpoints. Health checks are sup‐
1311 ported only for IPv4 load balancers.
1312
1313 ip_port_mappings: map of string-string pairs
1314 This column is used if load balancer health checks are enabled.
1315 This keeps a mapping of endpoint IP to the logical port name.
1316 The source ip to be used for health checks is also expected to
1317 be defined. The key of the mapping is the endpoint IP and the
1318 value is in the format port_name:SRC_IP.
1319
1320 For example, if there is a VIP entry:
1321 "10.0.0.10:80=10.0.0.4:8080,20.0.0.4:8080", then the IP to port
1322 mappings should be defined as: "10.0.0.4"="sw0-p1:10.0.0.2" and
1323 "20.0.0.4"="sw1-p1:20.0.0.2". 10.0.0.2 and 20.0.0.2 will be used
1324 by ovn-controller as source ip when it sends out health check
1325 packets.
1326
1327 Common Columns:
1328
1329 external_ids: map of string-string pairs
1330 See External IDs at the beginning of this document.
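A consistency check for one Load_Balancer row, following the vips, health_check and ip_port_mappings rules above. This is an added example, not part of OVN: the row is a constructed Python dict, health_check_vips is a hypothetical flattening of the vip column of the referenced Load_Balancer_Health_Check rows, and the finding codes are made up for the illustration.

```python
import ipaddress


def split_endpoint(text):
    """Parse 'IP', 'IP:PORT' or '[IPv6]:PORT' into (ip_address, port or None)."""
    text = text.strip()
    if text.startswith("["):
        host, _, rest = text[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif text.count(":") == 1:
        host, port = text.split(":")
    else:
        host, port = text, ""            # bare IPv4, or bare IPv6 without a port
    if port and not 1 <= int(port) <= 65535:
        raise ValueError("bad port in %r" % text)
    return ipaddress.ip_address(host), (int(port) if port else None)


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def validate_lb(lb):
    """Return a list of (code, subject) problems for one load balancer row."""
    problems = []
    checked = set(lb.get("health_check_vips", []))
    mappings = lb.get("ip_port_mappings", {})
    for vip_key, backends in lb["vips"].items():
        vip_ip, vip_port = split_endpoint(vip_key)
        monitored = vip_key in checked
        if monitored and vip_ip.version != 4:
            problems.append(("hc-not-ipv4", vip_key))      # health checks: IPv4 only
        if monitored and vip_port is None:
            problems.append(("hc-vip-no-port", vip_key))   # L4 port must be defined
        for backend in backends.split(","):
            ip, port = split_endpoint(backend)
            if ip.version != vip_ip.version:
                problems.append(("family-mismatch", backend.strip()))
            if not monitored:
                continue
            if port is None:
                problems.append(("hc-endpoint-no-port", backend.strip()))
            # ip_port_mappings value format: port_name:SRC_IP
            name, _, src = mappings.get(str(ip), "").rpartition(":")
            if not name or not _is_ipv4(src):
                problems.append(("hc-mapping-missing", str(ip)))
    return problems


# Constructed row that mirrors the VIP entry and mappings quoted above.
PAGE_EXAMPLE = {
    "vips": {"10.0.0.10:80": "10.0.0.4:8080,20.0.0.4:8080"},
    "health_check_vips": ["10.0.0.10:80"],
    "ip_port_mappings": {"10.0.0.4": "sw0-p1:10.0.0.2", "20.0.0.4": "sw1-p1:20.0.0.2"},
}

if __name__ == "__main__":
    print(validate_lb(PAGE_EXAMPLE))
```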
1331
1332 Load_Balancer_Health_Check TABLE
1333 Each row represents one load balancer health check. Health checks are
1334 supported for IPv4 load balancers only.
1335
1336 Summary:
1337 vip string
1338 Health check options:
1339 options : interval optional string, containing an integer
1340 options : timeout optional string, containing an integer
1341 options : success_count optional string, containing an integer
1342 options : failure_count optional string, containing an integer
1343 Common Columns:
1344 external_ids map of string-string pairs
1345
1346 Details:
1347 vip: string
1348 The VIP whose endpoints should be monitored by the health check.
1349
1350 Health check options:
1351
1352 options : interval: optional string, containing an integer
1353 The interval, in seconds, between health checks.
1354
1355 options : timeout: optional string, containing an integer
1356 The time, in seconds, after which a health check times out.
1357
1358 options : success_count: optional string, containing an integer
1359 The number of successful checks after which the endpoint is con‐
1360 sidered online.
1361
1362 options : failure_count: optional string, containing an integer
1363 The number of failed checks after which the endpoint is consid‐
1364 ered offline.
1365
1366 Common Columns:
1367
1368 external_ids: map of string-string pairs
1369 See External IDs at the beginning of this document.
1370
1371 ACL TABLE
1372 Each row in this table represents one ACL rule for a logical switch or
1373 a port group that points to it through its acls column. The action col‐
1374 umn for the highest-priority matching row in this table determines a
1375 packet’s treatment. If no row matches, packets are allowed by default.
1376 (Default-deny treatment is possible: add a rule with priority 0, 1 as
1377 match, and drop as action.)
1378
1379 Summary:
1380 priority integer, in range 0 to 32,767
1381 direction string, either from-lport or to-lport
1382 match string
1383 action string, one of allow-related, allow,
1384 drop, or reject
1385 Logging:
1386 log boolean
1387 name optional string, at most 63 characters
1388 long
1389 severity optional string, one of alert, debug,
1390 info, notice, or warning
1391 meter optional string
1392 Common Columns:
1393 external_ids map of string-string pairs
1394
1395 Details:
1396 priority: integer, in range 0 to 32,767
1397 The ACL rule’s priority. Rules with numerically higher priority
1398 take precedence over those with lower. If two ACL rules with the
1399 same priority both match, then the one actually applied to a
1400 packet is undefined.
1401
1402 Return traffic from an allow-related flow is always allowed and
1403 cannot be changed through an ACL.
1404
1405 direction: string, either from-lport or to-lport
1406 Direction of the traffic to which this rule should apply:
1407
1408 · from-lport: Used to implement filters on traffic arriving
1409 from a logical port. These rules are applied to the logi‐
1410 cal switch’s ingress pipeline.
1411
1412 · to-lport: Used to implement filters on traffic forwarded
1413 to a logical port. These rules are applied to the logical
1414 switch’s egress pipeline.
1415
1416 match: string
1417 The packets that the ACL should match, in the same expression
1418 language used for the match column in the OVN Southbound data‐
1419 base’s Logical_Flow table. The outport logical port is only
1420 available in the to-lport direction (the inport is available in
1421 both directions).
1422
1423 By default all traffic is allowed. When writing a more restric‐
1424 tive policy, it is important to remember to allow flows such as
1425 ARP and IPv6 neighbor discovery packets.
1426
1427 Note that you cannot create an ACL matching on a port with
1428 type=router or type=localnet.
1429
1430 action: string, one of allow-related, allow, drop, or reject
1431 The action to take when the ACL rule matches:
1432
1433 · allow: Forward the packet.
1434
1435 · allow-related: Forward the packet and related traffic
1436 (e.g. inbound replies to an outbound connection).
1437
1438 · drop: Silently drop the packet.
1439
1440 · reject: Drop the packet, replying with a RST for TCP or
1441 ICMPv4/ICMPv6 unreachable message for other
1442 IPv4/IPv6-based protocols.
1443
1444 Logging:
1445
1446 These columns control whether and how OVN logs packets that match an
1447 ACL.
1448
1449 log: boolean
1450 If set to true, packets that match the ACL will trigger a log
1451 message on the transport node or nodes that perform ACL process‐
1452 ing. Logging may be combined with any action.
1453
1454 If set to false, the remaining columns in this group have no
1455 significance.
1456
1457 name: optional string, at most 63 characters long
1458 This name, if it is provided, is included in log records. It
1459 provides the administrator and the cloud management system a way
1460 to associate a log record with a particular ACL.
1461
1462 severity: optional string, one of alert, debug, info, notice, or warn‐
1463 ing
1464 The severity of the ACL. The severity levels match those of sys‐
1465 log, in decreasing level of severity: alert, warning, notice,
1466 info, or debug. When the column is empty, the default is info.
1467
1468 meter: optional string
1469 The name of a meter to rate-limit log messages for the ACL. The
1470 string must match the name column of a row in the Meter table.
1471 By default, log messages are not rate-limited.
1472
1473 Common Columns:
1474
1475 external_ids: map of string-string pairs
1476 See External IDs at the beginning of this document.
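A review helper for a logical switch's ACL rows that flags the pitfalls this table description calls out: implicit default-allow, equal-priority rows with different actions, a default-drop policy with no ARP or Neighbor Discovery allowance, and logging without a meter. This is an added example, not part of OVN: the rows are constructed dicts keyed by the column names above, the finding codes are hypothetical, and the ARP/ND test is a text heuristic on the match string rather than a parser for the expression language.

```python
import re
from collections import defaultdict

VALID_ACTIONS = {"allow-related", "allow", "drop", "reject"}
# Heuristic: match-language symbols for ARP and IPv6 Neighbor Discovery.
ARP_ND = re.compile(r"\b(arp|nd|nd_ns|nd_na)\b")


def lint_acls(acls, meter_names):
    """Return sorted (code, subject) findings for the ACL rows of one switch."""
    findings = []
    by_slot = defaultdict(list)
    for acl in acls:
        label = acl.get("name") or acl["match"]
        by_slot[(acl["direction"], acl["priority"])].append(acl)
        if acl["action"] not in VALID_ACTIONS:
            findings.append(("bad-action", label))
        if not 0 <= acl["priority"] <= 32767:
            findings.append(("bad-priority", label))
        if acl.get("log"):
            if len(acl.get("name") or "") > 63:
                findings.append(("name-too-long", label))
            if not acl.get("meter"):
                findings.append(("log-unmetered", label))   # not rate-limited
            elif acl["meter"] not in meter_names:
                findings.append(("meter-missing", label))   # no such Meter row
    # Same direction and priority with different actions: if both rows match
    # a packet, the one actually applied is undefined.
    for (direction, priority), rows in by_slot.items():
        if len({row["action"] for row in rows}) > 1:
            findings.append(("priority-tie", "%s %d" % (direction, priority)))
    for direction in ("from-lport", "to-lport"):
        rows = [a for a in acls if a["direction"] == direction]
        default_drop = any(
            a["priority"] == 0 and a["match"].strip() == "1"
            and a["action"] in ("drop", "reject") for a in rows)
        if not default_drop:
            findings.append(("default-allow", direction))   # unmatched traffic passes
        elif not any(
                a["priority"] > 0 and a["action"].startswith("allow")
                and ARP_ND.search(a["match"]) for a in rows):
            findings.append(("no-arp-nd-allow", direction))
    return sorted(findings)


# Constructed sample rows for illustration.
SAMPLE_ACLS = [
    {"priority": 1000, "direction": "to-lport",
     "match": "ip4 && tcp.dst == 22", "action": "allow-related", "log": False},
    {"priority": 1000, "direction": "to-lport",
     "match": "ip4.src == 10.0.0.0/8", "action": "drop",
     "log": True, "name": "drop-rfc1918", "severity": "warning"},
    {"priority": 0, "direction": "to-lport", "match": "1", "action": "drop",
     "log": True, "name": "default-drop", "meter": "acl-log"},
]

if __name__ == "__main__":
    for code, subject in lint_acls(SAMPLE_ACLS, {"acl-log"}):
        print(code, subject)
```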
1477
1478 Logical_Router TABLE
1479 Each row represents one L3 logical router.
1480
1481 Summary:
1482 ports set of Logical_Router_Ports
1483 static_routes set of Logical_Router_Static_Routes
1484 policies set of Logical_Router_Policys
1485 enabled optional boolean
1486 nat set of NATs
1487 load_balancer set of weak reference to Load_Balancers
1488 Naming:
1489 name string
1490 external_ids : neutron:router_name
1491 optional string
1492 Options:
1493 options : chassis optional string
1494 options : dnat_force_snat_ip
1495 optional string
1496 options : lb_force_snat_ip optional string
1497 options : mcast_relay optional string, either true or false
1498 Common Columns:
1499 external_ids map of string-string pairs
1500
1501 Details:
1502 ports: set of Logical_Router_Ports
1503 The router’s ports.
1504
1505 static_routes: set of Logical_Router_Static_Routes
1506 Zero or more static routes for the router.
1507
1508 policies: set of Logical_Router_Policys
1509 Zero or more routing policies for the router.
1510
1511 enabled: optional boolean
1512 This column is used to administratively set router state. If
1513 this column is empty or is set to true, the router is enabled.
1514 If this column is set to false, the router is disabled. A dis‐
1515 abled router has all ingress and egress traffic dropped.
1516
1517 nat: set of NATs
1518 One or more NAT rules for the router. NAT rules only work on
1519 Gateway routers, and on distributed routers with logical gateway
1520 ports.
1521
1522 load_balancer: set of weak reference to Load_Balancers
1523 Load balance a virtual ip address to a set of logical port ip
1524 addresses. Load balancer rules only work on the Gateway routers.
1525
1526 Naming:
1527
1528 These columns provide names for the logical router. From OVN’s perspec‐
1529 tive, these names have no special meaning or purpose other than to pro‐
1530 vide convenience for human interaction with the northbound database.
1531 There is no requirement for the name to be unique. (For a unique iden‐
1532 tifier for a logical router, use its row UUID.)
1533
1534 (Originally, name was intended to serve the purpose of a human-friendly
1535 name, but the Neutron integration used it to uniquely identify its own
1536 router object, in the format neutron-uuid. Later on, Neutron started
1537 propagating the friendly name of a router as external_ids:neu‐
1538 tron:router_name. Perhaps this can be cleaned up someday.)
1539
1540 name: string
1541 A name for the logical router.
1542
1543 external_ids : neutron:router_name: optional string
1544 Another name for the logical router.
1545
1546 Options:
1547
1548 Additional options for the logical router.
1549
1550 options : chassis: optional string
1551 If set, indicates that the logical router in question is a Gate‐
1552 way router (which is centralized) and resides in the set chas‐
1553 sis. The same value is also used by ovn-controller to uniquely
1554 identify the chassis in the OVN deployment and comes from exter‐
1555 nal_ids:system-id in the Open_vSwitch table of Open_vSwitch
1556 database.
1557
1558 The Gateway router can only be connected to a distributed router
1559 via a switch if SNAT and DNAT are to be configured in the Gate‐
1560 way router.
1561
1562 options : dnat_force_snat_ip: optional string
1563 If set, indicates the IP address to use to force SNAT a packet
1564 that has already been DNATed in the gateway router. When multi‐
1565 ple gateway routers are configured, a packet can potentially
1566 enter any of the gateway routers, get DNATted and eventually
1567 reach the logical switch port. For the return traffic to go back
1568 to the same gateway router (for unDNATing), the packet needs a
1569 SNAT in the first place. This can be achieved by setting the
1570 above option with a gateway specific IP address.
1571
1572 options : lb_force_snat_ip: optional string
1573 If set, indicates the IP address to use to force SNAT a packet
1574 that has already been load-balanced in the gateway router. When
1575 multiple gateway routers are configured, a packet can poten‐
1576 tially enter any of the gateway routers, get DNATted as part of
1577 the load-balancing and eventually reach the logical switch
1578 port. For the return traffic to go back to the same gateway
1579 router (for unDNATing), the packet needs a SNAT in the first
1580 place. This can be achieved by setting the above option with a
1581 gateway specific IP address.
1582
1583 options : mcast_relay: optional string, either true or false
1584 Enables/disables IP multicast relay between logical switches
1585 connected to the logical router. Default: False.
1586
1587 Common Columns:
1588
1589 external_ids: map of string-string pairs
1590 See External IDs at the beginning of this document.
1591
1592 QoS TABLE
1593 Each row in this table represents one QoS rule for a logical switch
1594 that points to it through its qos_rules column. Two types of QoS are
1595 supported: DSCP marking and metering. The highest-priority match
1596 will have QoS applied to it. If the action column is specified, then
1597 matching packets will have DSCP marking applied. If the bandwidth col‐
1598 umn is specified, then matching packets will have metering applied.
1599 action and bandwidth are not exclusive, so both marking and metering can
1600 be defined for the same QoS entry. If no row matches, packets will not
1601 have any QoS applied.
1602
1603 Summary:
1604 priority integer, in range 0 to 32,767
1605 direction string, either from-lport or to-lport
1606 match string
1607 action map of string-integer pairs, key must be
1608 dscp, value in range 0 to 63
1609 bandwidth map of string-integer pairs, key either
1610 burst or rate, value in range 1 to
1611 4,294,967,295
1612 external_ids map of string-string pairs
1613
1614 Details:
1615 priority: integer, in range 0 to 32,767
1616 The QoS rule’s priority. Rules with numerically higher priority
1617 take precedence over those with lower. If two QoS rules with the
1618 same priority both match, then the one actually applied to a
1619 packet is undefined.
1620
1621 direction: string, either from-lport or to-lport
1622 The value of this field is similar to the direction column in the OVN
1623 Northbound database’s ACL table.
1624
1625 match: string
1626 The packets that the QoS rules should match, in the same expres‐
1627 sion language used for the match column in the OVN Southbound
1628 database’s Logical_Flow table. The outport logical port is only
1629 available in the to-lport direction (the inport is available in
1630 both directions).
1631
1632 action: map of string-integer pairs, key must be dscp, value in range 0
1633 to 63
1634 When specified, matching flows will have DSCP marking applied.
1635
1636 · dscp: The value of this action should be in the range of
1637 0 to 63 (inclusive).
1638
1639 bandwidth: map of string-integer pairs, key either burst or rate, value
1640 in range 1 to 4,294,967,295
1641 When specified, matching packets will have bandwidth metering
1642 applied. Traffic over the limit will be dropped.
1643
1644 · rate: The value of rate limit in kbps.
1645
1646 · burst: The value of burst rate limit in kilobits. This is
1647 optional and requires rate to be specified.
1648
1649 external_ids: map of string-string pairs
1650 See External IDs at the beginning of this document.
1651
1653 Each row in this table represents a meter that can be used for QoS or
1654 rate-limiting.
1655
1656 Summary:
1657 name string (must be unique within table)
1658 unit string, either kbps or pktps
1659 bands set of 1 or more Meter_Bands
1660 external_ids map of string-string pairs
1661
1662 Details:
1663 name: string (must be unique within table)
1664 A name for this meter.
1665
1666 Names that begin with "__" (two underscores) are reserved for
1667 OVN internal use and should not be added manually.
1668
1669 unit: string, either kbps or pktps
1670 The unit for rate and burst_size parameters in the bands entry.
1671 kbps specifies kilobits per second, and pktps specifies packets
1672 per second.
1673
1674 bands: set of 1 or more Meter_Bands
1675 The bands associated with this meter. Each band specifies a rate
1676 above which the band is to take the action action. If multiple
1677 bands’ rates are exceeded, then the band with the highest rate
1678 among the exceeded bands is selected.
1679
1680 external_ids: map of string-string pairs
1681 See External IDs at the beginning of this document.
1682
1684 Each row in this table represents a meter band which specifies the rate
1685 above which the configured action should be applied. These bands are
1686 referenced by the bands column in the Meter table.
1687
1688 Summary:
1689 action string, must be drop
1690 rate integer, in range 1 to 4,294,967,295
1691 burst_size integer, in range 0 to 4,294,967,295
1692 external_ids map of string-string pairs
1693
1694 Details:
1695 action: string, must be drop
1696 The action to execute when this band matches. The only supported
1697 action is drop.
1698
1699 rate: integer, in range 1 to 4,294,967,295
1700 The rate limit for this band, in kilobits per second or packets per
1701 second, depending on whether the parent Meter entry’s unit col‐
1702 umn specified kbps or pktps.
1703
1704 burst_size: integer, in range 0 to 4,294,967,295
1705 The maximum burst allowed for the band in kilobits or packets,
1706 depending on whether kbps or pktps was selected in the parent
1707 Meter entry’s unit column. If the size is zero, the switch is
1708 free to select some reasonable value depending on its configura‐
1709 tion.
1710
1711 external_ids: map of string-string pairs
1712 See External IDs at the beginning of this document.
1713
1715 A port within an L3 logical router.
1716
1717 Exactly one Logical_Router row must reference a given logical router
1718 port.
1719
1720 Summary:
1721 name string (must be unique within table)
1722 networks set of 1 or more strings
1723 mac string
1724 enabled optional boolean
1725 Distributed Gateway Ports:
1726 ha_chassis_group optional HA_Chassis_Group
1727 gateway_chassis set of Gateway_Chassiss
1728 options : redirect-chassis optional string
1729 Options for Physical VLAN MTU Issues:
1730 options : reside-on-redirect-chassis
1731 optional string, either true or false
1732 options : redirect-type optional string, either bridged or over‐
1733 lay
1734 ipv6_prefix set of strings
1735 ipv6_ra_configs:
1736 ipv6_ra_configs : address_mode
1737 optional string
1738 ipv6_ra_configs : router_preference
1739 optional string
1740 ipv6_ra_configs : route_info
1741 optional string
1742 ipv6_ra_configs : mtu optional string
1743 ipv6_ra_configs : send_periodic
1744 optional string
1745 ipv6_ra_configs : max_interval
1746 optional string
1747 ipv6_ra_configs : min_interval
1748 optional string
1749 ipv6_ra_configs : rdnss optional string
1750 ipv6_ra_configs : dnssl optional string
1751 Options:
1752 options : mcast_flood optional string, either true or false
1753 options : requested-tnl-key
1754 optional string, containing an integer,
1755 in range 1 to 65,535
1756 options : prefix_delegation
1757 optional string, either true or false
1758 options : prefix optional string, either true or false
1759 Attachment:
1760 peer optional string
1761 Common Columns:
1762 external_ids map of string-string pairs
1763
1764 Details:
1765 name: string (must be unique within table)
1766 A name for the logical router port.
1767
1768 In addition to providing convenience for human interaction with
1769 the northbound database, this column is used as reference by its
1770 patch port in Logical_Switch_Port or another logical router port
1771 in Logical_Router_Port.
1772
1773 networks: set of 1 or more strings
1774 The IP addresses and netmasks of the router. For example,
1775 192.168.0.1/24 indicates that the router’s IP address is
1776 192.168.0.1 and that packets destined to 192.168.0.x should be
1777 routed to this port.
1778
1779 A logical router port always adds a link-local IPv6 address
1780 (fe80::/64) automatically generated from the interface’s MAC
1781 address using the modified EUI-64 format.
1782
1783 mac: string
1784 The Ethernet address that belongs to this router port.
1785
1786 enabled: optional boolean
1787 This column is used to administratively set port state. If this
1788 column is empty or is set to true, the port is enabled. If this
1789 column is set to false, the port is disabled. A disabled port
1790 has all ingress and egress traffic dropped.
1791
1792 Distributed Gateway Ports:
1793
1794 Gateways, as documented under Gateways in the OVN architecture guide,
1795 provide limited connectivity between logical networks and physical
1796 ones. OVN supports multiple kinds of gateways. The Logical_Router_Port
1797 table can be used three different ways to configure distributed gateway
1798 ports, which are one kind of gateway. These different forms of configu‐
1799 ration exist for historical reasons. All of them produce the same kind
1800 of OVN southbound records and the same behavior in practice.
1801
1802 If any of these are set, this logical router port represents a distrib‐
1803 uted gateway port that connects this router to a logical switch with a
1804 localnet port or a connection to another OVN deployment. There may be
1805 at most one such logical router port on each logical router.
1806
1807 The newest and most preferred way to configure a gateway is ha_chas‐
1808 sis_group, followed by gateway_chassis. Using options:redirect-chassis
1809 is deprecated. At most one of these should be set at a time on a given
1810 LRP, since they configure the same features.
1811
1812 Even when a gateway is configured, the logical router port still effec‐
1813 tively resides on each chassis. However, due to the implications of the
1814 use of L2 learning in the physical network, as well as the need to sup‐
1815 port advanced features such as one-to-many NAT (aka IP masquerading), a
1816 subset of the logical router processing is handled in a centralized
1817 manner on the gateway chassis.
1818
1819 When more than one gateway chassis is specified, OVN only uses one at a
1820 time. OVN uses BFD to monitor gateway connectivity, preferring the
1821 highest-priority gateway that is online. Priorities are specified in
1822 the priority column of Gateway_Chassis or HA_Chassis.
1823
1824 ovn-northd programs the external_mac rules specified in the LRP’s LR
1825 into the peer logical switch’s destination lookup on the chassis where
1826 the logical_port resides. In addition, the logical router’s MAC address
1827 is automatically programmed in the peer logical switch’s destination
1828 lookup flow on the gateway chassis. If it is desired to generate gra‐
1829 tuitous ARPs for NAT addresses, then set the peer LSP’s options:nat-
1830 addresses to router.
1831
1832 ha_chassis_group: optional HA_Chassis_Group
1833 Designates an HA_Chassis_Group to provide gateway high avail‐
1834 ability.
1835
1836 gateway_chassis: set of Gateway_Chassiss
1837 Designates one or more Gateway_Chassis for the logical router
1838 port.
1839
1840 options : redirect-chassis: optional string
1841 Designates the named chassis as the gateway.
1842
1843 Options for Physical VLAN MTU Issues:
1844
1845 MTU issues arise in mixing tunnels with logical networks that are
1846 bridged to a physical VLAN. For an explanation of the MTU issues, see
1847 Physical VLAN MTU Issues in the OVN architecture document. The follow‐
1848 ing options, which are alternatives, provide solutions. Both of them
1849 cause packets to be sent over localnet instead of tunnels, but they
1850 differ in whether some or all packets are sent this way. The most prom‐
1851 inent tradeoff between these options is that reside-on-redirect-chassis
1852 is easier to configure and that redirect-type performs better for east-
1853 west traffic.
1854
1855 options : reside-on-redirect-chassis: optional string, either true or
1856 false
1857 If set to true, this option forces all traffic across the logi‐
1858 cal router port to pass through the gateway chassis using a hop
1859 across a localnet port. This changes behavior in two ways:
1860
1861 · Without this option, east-west traffic passes directly
1862 between source and destination chassis (or even within a
1863 single chassis, for co-located VMs). With this option,
1864 all east-west traffic passes through the gateway chassis.
1865
1866 · Without this option, traffic between the gateway chassis
1867 and other chassis is encapsulated in tunnels. With this
1868 option, traffic passes over a localnet interface.
1869
1870 This option may usefully be set only on logical router ports
1871 that connect a distributed logical router to a logical switch
1872 with VIFs. It should not be set on a distributed gateway port.
1873
1874 OVN honors this option only if the logical router has a distrib‐
1875 uted gateway port and if the LRP’s peer switch has a localnet
1876 port.
1877
1878 options : redirect-type: optional string, either bridged or overlay
1879 If set to bridged on a distributed gateway port, this option
1880 causes OVN to redirect packets to the gateway chassis over a
1881 localnet port instead of a tunnel. The relevant chassis must
1882 share a localnet port.
1883
1884 This feature requires the administrator or the CMS to configure
1885 each participating chassis with a unique Ethernet address for
1886 the logical router by setting ovn-chassis-mac-mappings in the
1887 Open vSwitch database, for use by ovn-controller.
1888
1889 Setting this option to overlay or leaving it unset has no
1890 effect. This option may usefully be set only on a distributed
1891 gateway port. It is otherwise ignored.
1892
1893 ipv6_prefix: set of strings
1894 This column contains the IPv6 prefix obtained by the prefix delegation
1895 router according to RFC 3633.
1896
1897 ipv6_ra_configs:
1898
1899 This column defines the IPv6 ND RA address mode and ND MTU Option to be
1900 included by ovn-controller when it replies to the IPv6 Router solicita‐
1901 tion requests.
1902
1903 ipv6_ra_configs : address_mode: optional string
1904 The address mode to be used for IPv6 address configuration. The
1905 supported values are:
1906
1907 · slaac: Address configuration using Router Advertisement
1908 (RA) packet. The IPv6 prefixes defined in the Logi‐
1909 cal_Router_Port table’s networks column will be included
1910 in the RA’s ICMPv6 option - Prefix information.
1911
1912 · dhcpv6_stateful: Address configuration using DHCPv6.
1913
1914 · dhcpv6_stateless: Address configuration using Router
1915 Advertisement (RA) packet. Other IPv6 options are pro‐
1916 vided by DHCPv6.
1917
1918 ipv6_ra_configs : router_preference: optional string
1919 Default Router Preference (PRF) indicates whether to prefer this
1920 router over other default routers (RFC 4191). Possible values
1921 are:
1922
1923 · HIGH: mapped to 0x01 in RA PRF field
1924
1925 · MEDIUM: mapped to 0x00 in RA PRF field
1926
1927 · LOW: mapped to 0x11 in RA PRF field
1928
1929 ipv6_ra_configs : route_info: optional string
1930 Route Info is used to configure Route Info Option sent in Router
1931 Advertisement according to RFC 4191. Route Info is a comma sepa‐
1932 rated string where each field provides PRF and prefix for a
1933 given route (e.g. HIGH-aef1::11/48,LOW-aef2::11/96). Possible PRF
1934 values are:
1935
1936 · HIGH: mapped to 0x01 in RA PRF field
1937
1938 · MEDIUM: mapped to 0x00 in RA PRF field
1939
1940 · LOW: mapped to 0x11 in RA PRF field
1941
1942 ipv6_ra_configs : mtu: optional string
1943 The recommended MTU for the link. Default is 0, which means no
1944 MTU Option will be included in the RA packets sent by ovn-con‐
1945 troller. Per RFC 2460, an mtu value of no less than 1280 is recom‐
1946 mended, so any mtu value less than 1280 is treated as if no MTU
1947 Option were set.
1948
1949 ipv6_ra_configs : send_periodic: optional string
1950 If set to true, then this router interface will send router
1951 advertisements periodically. The default is false.
1952
1953 ipv6_ra_configs : max_interval: optional string
1954 The maximum number of seconds to wait between sending periodic
1955 router advertisements. This option has no effect if ipv6_ra_con‐
1956 figs:send_periodic is false. The default is 600.
1957
1958 ipv6_ra_configs : min_interval: optional string
1959 The minimum number of seconds to wait between sending periodic
1960 router advertisements. This option has no effect if ipv6_ra_con‐
1961 figs:send_periodic is false. The default is one-third of
1962 ipv6_ra_configs:max_interval, i.e. 200 seconds if that key is
1963 unset.
1964
1965 ipv6_ra_configs : rdnss: optional string
1966 IPv6 address of RDNSS server announced in RA packets. At the
1967 moment OVN supports just one RDNSS server.
1968
1969 ipv6_ra_configs : dnssl: optional string
1970 DNS Search List announced in RA packets. Multiple DNS Search
1971 List entries must be comma-separated (e.g. "a.b.c, d.e.f").
1972
1973 Options:
1974
1975 Additional options for the logical router port.
1976
1977 options : mcast_flood: optional string, either true or false
1978 If set to true, multicast traffic (including reports) is uncon‐
1979 ditionally forwarded to the specific port.
1980
1981 This option applies when the port is part of a logical router
1982 which has options:mcast_relay set to true.
1983
1984 options : requested-tnl-key: optional string, containing an integer, in
1985 range 1 to 65,535
1986 Configures the port binding tunnel key for the port. Usually
1987 this is not needed because ovn-northd will assign a unique key
1988 for each port by itself. However, if it is configured,
1989 ovn-northd honors the configured value.
1990
1991 options : prefix_delegation: optional string, either true or false
1992 If set to true, enables the IPv6 prefix delegation state machine on
1993 this logical router port (RFC 3633). IPv6 prefix delegation is
1994 available only on a gateway router or on a gateway router port.
1995
1996 options : prefix: optional string, either true or false
1997 If set to true, this interface will receive an IPv6 prefix
1998 according to RFC 3633.
1999
2000 Attachment:
2001
2002 A given router port serves one of two purposes:
2003
2004 · To attach a logical switch to a logical router. A logical
2005 router port of this type is referenced by exactly one
2006 Logical_Switch_Port of type router. The value of name is
2007 set as router-port in column options of Logi‐
2008 cal_Switch_Port. In this case peer column is empty.
2009
2010 · To connect one logical router to another. This requires a
2011 pair of logical router ports, each connected to a differ‐
2012 ent router. Each router port in the pair specifies the
2013 other in its peer column. No Logical_Switch refers to the
2014 router port.
2015
2016 peer: optional string
2017 For a router port used to connect two logical routers, this
2018 identifies the other router port in the pair by name.
2019
2020 For a router port attached to a logical switch, this column is
2021 empty.
2022
2023 Common Columns:
2024
2025 external_ids: map of string-string pairs
2026 See External IDs at the beginning of this document.
2027
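The distributed gateway port rules above can be checked mechanically before a row is written to the northbound database. The following is an added example, not code from OVN: rows are plain dicts keyed by column name, and the function names and sample rows are assumptions made for illustration.

```python
import ipaddress
import re


def gateway_methods(lrp):
    """List which of the three distributed-gateway mechanisms a row sets."""
    opts = lrp.get("options", {})
    used = []
    if lrp.get("ha_chassis_group"):
        used.append("ha_chassis_group")
    if lrp.get("gateway_chassis"):
        used.append("gateway_chassis")
    if opts.get("redirect-chassis"):
        used.append("options:redirect-chassis")
    return used


def lint_port(lrp):
    """Return findings for one Logical_Router_Port row (a plain dict)."""
    findings = []
    opts = lrp.get("options", {})
    methods = gateway_methods(lrp)
    if len(methods) > 1:
        findings.append("more than one gateway mechanism set: " + ", ".join(methods))
    if "options:redirect-chassis" in methods:
        findings.append("options:redirect-chassis is deprecated")
    if methods and opts.get("reside-on-redirect-chassis") == "true":
        findings.append("reside-on-redirect-chassis set on a distributed gateway port")
    if not methods and opts.get("redirect-type") == "bridged":
        findings.append("redirect-type=bridged is ignored: not a distributed gateway port")
    key = opts.get("requested-tnl-key")
    if key is not None and not (re.fullmatch(r"[0-9]{1,5}", key) and 1 <= int(key) <= 65535):
        findings.append("requested-tnl-key outside 1..65535")
    networks = lrp.get("networks", [])
    if not networks:
        findings.append("networks is empty")
    for net in networks:
        try:
            if "/" not in net:
                raise ValueError(net)
            ipaddress.ip_interface(net)
        except ValueError:
            findings.append("networks entry %r is not address/prefix-length" % net)
    if lrp.get("enabled") is False:
        findings.append("port disabled: all ingress and egress traffic is dropped")
    return findings


def lint_router(ports):
    """Findings for all ports of one logical router, keyed by port name."""
    report = {p["name"]: lint_port(p) for p in ports}
    dgps = [p["name"] for p in ports if gateway_methods(p)]
    if len(dgps) > 1:
        report["<router>"] = ["more than one distributed gateway port: " + ", ".join(dgps)]
    return {name: found for name, found in report.items() if found}


# Constructed sample rows, not taken from a real deployment.
SAMPLE_PORTS = [
    {"name": "lrp-public", "networks": ["172.16.0.1/24"], "mac": "00:00:00:00:ff:01",
     "gateway_chassis": ["gw1", "gw2"],
     "options": {"redirect-chassis": "gw1", "redirect-type": "bridged"}},
    {"name": "lrp-tenant", "networks": ["192.168.0.1/24"], "mac": "00:00:00:00:ff:02",
     "options": {"reside-on-redirect-chassis": "true", "requested-tnl-key": "70000"}},
    {"name": "lrp-mgmt", "networks": ["192.168.1.1"], "mac": "00:00:00:00:ff:03",
     "enabled": False, "options": {"redirect-type": "bridged"}},
]

if __name__ == "__main__":
    for name, findings in lint_router(SAMPLE_PORTS).items():
        for finding in findings:
            print(name + ": " + finding)
```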
2029 Each record represents a static route.
2030
2031 When multiple routes match a packet, the longest-prefix match is cho‐
2032 sen. For a given prefix length, a dst-ip route is preferred over a
2033 src-ip route.
2034
2035 When there are ECMP routes, i.e. multiple routes with same prefix and
2036 policy, one of them will be selected based on the 5-tuple hashing of
2037 the packet header.
2038
2039 Summary:
2040 ip_prefix string
2041 policy optional string, either dst-ip or src-ip
2042 nexthop string
2043 output_port optional string
2044 external_ids : ic-learned-route
2045 optional string
2046 Common Columns:
2047 external_ids map of string-string pairs
2048
2049 Details:
2050 ip_prefix: string
2051 IP prefix of this route (e.g. 192.168.100.0/24).
2052
2053 policy: optional string, either dst-ip or src-ip
2054 If it is specified, this setting describes the policy used to
2055 make routing decisions. This setting must be one of the follow‐
2056 ing strings:
2057
2058 · src-ip: This policy sends the packet to the nexthop when
2059 the packet’s source IP address matches ip_prefix.
2060
2061 · dst-ip: This policy sends the packet to the nexthop when
2062 the packet’s destination IP address matches ip_prefix.
2063
2064 If not specified, the default is dst-ip.
2065
2066 nexthop: string
2067 Nexthop IP address for this route. Nexthop IP address should be
2068 the IP address of a connected router port or the IP address of a
2069 logical port.
2070
2071 output_port: optional string
2072 The name of the Logical_Router_Port via which the packet needs
2073 to be sent out. This is optional and when not specified, OVN
2074 will automatically figure this out based on the nexthop. When
2075 this is specified and there are multiple IP addresses on the
2076 router port and none of them are in the same subnet of nexthop,
2077 OVN chooses the first IP address as the one via which the nex‐
2078 thop is reachable.
2079
2080 external_ids : ic-learned-route: optional string
2081 ovn-ic populates this key if the route is learned from the
2082 global OVN_IC_Southbound database. In this case the value will
2083 be set to the uuid of the row in Route table of the
2084 OVN_IC_Southbound database.
2085
2086 Common Columns:
2087
2088 external_ids: map of string-string pairs
2089 See External IDs at the beginning of this document.
2090
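The selection rules stated for this table (longest prefix first, dst-ip preferred over src-ip at equal prefix length, remaining ties forming an ECMP group) are modelled below as an added example, not OVN's own code. It shows that a longer src-ip route overrides a default dst-ip route, which matters when auditing whether traffic really takes the intended next hop; the Route tuple, function names and addresses are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# policy defaults to dst-ip when the column is unset, as the schema states.
Route = namedtuple("Route", "ip_prefix nexthop policy", defaults=("dst-ip",))


def matching(routes, src, dst):
    """Return (prefix_length, is_dst_ip, route) for every route the packet matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    found = []
    for route in routes:
        net = ipaddress.ip_network(route.ip_prefix, strict=False)
        # A src-ip route compares the packet's source, a dst-ip route its destination.
        addr = src_ip if route.policy == "src-ip" else dst_ip
        if addr.version == net.version and addr in net:
            found.append((net.prefixlen, route.policy == "dst-ip", route))
    return found


def select(routes, src, dst):
    """Return the winning route(s); more than one entry means an ECMP group."""
    found = matching(routes, src, dst)
    if not found:
        return []
    # Longest prefix wins; at equal length True (dst-ip) sorts above False (src-ip).
    best = max((plen, is_dst) for plen, is_dst, _ in found)
    return [route for plen, is_dst, route in found if (plen, is_dst) == best]


# Constructed routing table for one logical router.
ROUTES = [
    Route("0.0.0.0/0", "10.0.0.1"),
    Route("192.168.100.0/24", "10.0.0.2"),
    Route("192.168.100.0/24", "10.0.0.3", "src-ip"),
    Route("10.1.0.0/16", "10.0.0.9", "src-ip"),
    Route("203.0.113.0/24", "10.0.0.4"),
    Route("203.0.113.0/24", "10.0.0.5"),
]

if __name__ == "__main__":
    for src, dst in [("10.1.2.3", "198.51.100.7"),
                     ("192.168.100.5", "192.168.100.9"),
                     ("192.168.100.5", "203.0.113.8")]:
        hops = [route.nexthop for route in select(ROUTES, src, dst)]
        print("%s -> %s via %s" % (src, dst, hops))
```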
2092 Each row in this table represents one routing policy for a logical
2093 router that points to it through its policies column. The action column
2094 for the highest-priority matching row in this table determines a
2095 packet’s treatment. If no row matches, packets are allowed by default.
2096 (Default-deny treatment is possible: add a rule with priority 0, 1 as
2097 match, and drop as action.)
2098
2099 Summary:
2100 priority integer, in range 0 to 32,767
2101 match string
2102 action string, one of allow, drop, or reroute
2103 nexthop optional string
2104 Common Columns:
2105 external_ids map of string-string pairs
2106
2107 Details:
2108 priority: integer, in range 0 to 32,767
2109 The routing policy’s priority. Rules with numerically higher
2110 priority take precedence over those with lower. A rule is
2111 uniquely identified by the priority and match string.
2112
2113 match: string
2114 The packets that the routing policy should match, in the same
2115 expression language used for the match column in the OVN South‐
2116 bound database’s Logical_Flow table.
2117
2118 By default all traffic is allowed. When writing a more restric‐
2119 tive policy, it is important to remember to allow flows such as
2120 ARP and IPv6 neighbor discovery packets.
2121
2122 action: string, one of allow, drop, or reroute
2123 The action to take when the routing policy matches:
2124
2125 · allow: Forward the packet.
2126
2127 · drop: Silently drop the packet.
2128
2129 · reroute: Reroute packet to nexthop.
2130
2131 nexthop: optional string
2132 Next-hop IP address for this route, which should be the IP
2133 address of a connected router port or the IP address of a logi‐
2134 cal port.
2135
2136 Common Columns:
2137
2138 external_ids: map of string-string pairs
2139 See External IDs at the beginning of this document.
2140
2142 Each record represents a NAT rule.
2143
2144 Summary:
2145 type string, one of dnat, dnat_and_snat, or
2146 snat
2147 external_ip string
2148 external_mac optional string
2149 external_port_range string
2150 logical_ip string
2151 logical_port optional string
2152 options : stateless optional string
2153 Common Columns:
2154 external_ids map of string-string pairs
2155
2156 Details:
2157 type: string, one of dnat, dnat_and_snat, or snat
2158 Type of the NAT rule.
2159
2160 · When type is dnat, the externally visible IP address
2161 external_ip is DNATted to the IP address logical_ip in
2162 the logical space.
2163
2164 · When type is snat, IP packets whose source IP address
2165 either matches the IP address in logical_ip or is in the
2166 network provided by logical_ip are SNATed into the IP
2167 address in external_ip.
2168
2169 · When type is dnat_and_snat, the externally visible IP
2170 address external_ip is DNATted to the IP address logi‐
2171 cal_ip in the logical space. In addition, IP packets
2172 whose source IP address matches logical_ip are SNATed
2173 into the IP address in external_ip.
2174
2175 external_ip: string
2176 An IPv4 address.
2177
2178 external_mac: optional string
2179 A MAC address.
2180
2181 This is only used on the gateway port on distributed routers.
2182 This must be specified in order for the NAT rule to be processed
2183 in a distributed manner on all chassis. If this is not specified
2184 for a NAT rule on a distributed router, then this NAT rule will
2185 be processed in a centralized manner on the gateway port
2186 instance on the gateway chassis.
2187
2188 This MAC address must be unique on the logical switch that the
2189 gateway port is attached to. If the MAC address used on the log‐
2190 ical_port is globally unique, then that MAC address can be spec‐
2191 ified as this external_mac.
2192
2193 external_port_range: string
2194 L4 source port range
2195
2196 Range of ports, from which a port number will be picked to
2197 replace the source port of the packet being NATed. This is
2198 basically PAT (port address translation).
2199
2200 Value of the column is in the format, port_lo-port_hi. For exam‐
2201 ple: external_port_range : "1-30000"
2202
2203 Valid range of ports is 1-65535.
2204
2205 logical_ip: string
2206 An IPv4 network (e.g. 192.168.1.0/24) or an IPv4 address.
2207
2208 logical_port: optional string
2209 The name of the logical port where the logical_ip resides.
2210
2211 This is only used on distributed routers. This must be specified
2212 in order for the NAT rule to be processed in a distributed man‐
2213 ner on all chassis. If this is not specified for a NAT rule on a
2214 distributed router, then this NAT rule will be processed in a
2215 centralized manner on the gateway port instance on the gateway
2216 chassis.
2217
2218 options : stateless: optional string
2219 Indicates if a dnat_and_snat rule should lead to connection
2220 tracking state or not.
2221
2222 Common Columns:
2223
2224 external_ids: map of string-string pairs
2225 See External IDs at the beginning of this document.
2226
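A NAT row that sets only one of external_mac and logical_port is accepted by the schema but is processed centrally on the gateway chassis, which is easy to miss in review. The following added example (not OVN code) lints NAT rows against the column descriptions above; the function names and sample rows are constructed, and requiring port_lo to be no greater than port_hi is an assumption drawn from the field names.

```python
import ipaddress
import re

NAT_TYPES = ("dnat", "dnat_and_snat", "snat")
MAC_RE = re.compile(r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}")


def parse_port_range(value):
    """Parse external_port_range ("port_lo-port_hi"); raise ValueError if invalid."""
    m = re.fullmatch(r"([0-9]{1,5})-([0-9]{1,5})", value)
    if not m:
        raise ValueError("expected port_lo-port_hi, got %r" % value)
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("ports must satisfy 1 <= port_lo <= port_hi <= 65535")
    return lo, hi


def processing_mode(nat):
    """Distributed handling needs both external_mac and logical_port."""
    both = nat.get("external_mac") and nat.get("logical_port")
    return "distributed" if both else "centralized"


def lint_nat(nat):
    """Return findings for one NAT row (a plain dict keyed by column name)."""
    findings = []
    if nat.get("type") not in NAT_TYPES:
        findings.append("type must be one of dnat, dnat_and_snat, snat")
    try:
        ipaddress.IPv4Address(nat.get("external_ip", ""))
    except ValueError:
        findings.append("external_ip is not an IPv4 address")
    try:
        logical = ipaddress.IPv4Network(nat.get("logical_ip", ""), strict=True)
        # The page describes a network in logical_ip only for the snat type.
        if logical.prefixlen < 32 and nat.get("type") != "snat":
            findings.append("logical_ip is a network, which only the snat type describes")
    except ValueError:
        findings.append("logical_ip is not an IPv4 address or network")
    mac, port = nat.get("external_mac"), nat.get("logical_port")
    if mac and not MAC_RE.fullmatch(mac):
        findings.append("external_mac is not a MAC address")
    if bool(mac) != bool(port):
        findings.append("only one of external_mac/logical_port set: "
                        "rule is processed centrally on the gateway chassis")
    if nat.get("external_port_range"):
        try:
            parse_port_range(nat["external_port_range"])
        except ValueError as err:
            findings.append("external_port_range: %s" % err)
    if nat.get("options", {}).get("stateless") and nat.get("type") != "dnat_and_snat":
        findings.append("options:stateless is described only for dnat_and_snat rules")
    return findings


# Constructed sample rows.
SAMPLE_NAT = [
    {"type": "dnat_and_snat", "external_ip": "203.0.113.10", "logical_ip": "192.168.1.10",
     "external_mac": "0a:00:00:00:00:10", "logical_port": "vm1",
     "external_port_range": "", "options": {"stateless": "true"}},
    {"type": "dnat_and_snat", "external_ip": "203.0.113.11", "logical_ip": "192.168.1.11",
     "external_mac": "0a:00:00:00:00:11", "external_port_range": ""},
    {"type": "snat", "external_ip": "203.0.113.1", "logical_ip": "192.168.1.0/24",
     "external_port_range": "30000-1024", "options": {"stateless": "true"}},
    {"type": "dnat", "external_ip": "203.0.113.12", "logical_ip": "192.168.1.0/24",
     "external_port_range": "1-30000"},
]

if __name__ == "__main__":
    for row in SAMPLE_NAT:
        print(row["external_ip"], processing_mode(row), lint_nat(row))
```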
2228 OVN implements native DHCPv4 support which caters to the common use
2229 case of providing an IPv4 address to a booting instance by providing
2230 stateless replies to DHCPv4 requests based on statically configured
2231 address mappings. To do this it allows a short list of DHCPv4 options
2232 to be configured and applied at each compute host running ovn-con‐
2233 troller.
2234
2235 OVN also implements native DHCPv6 support which provides stateless
2236 replies to DHCPv6 requests.
2237
2238 Summary:
2239 cidr string
2240 DHCPv4 options:
2241 Mandatory DHCPv4 options:
2242 options : server_id optional string
2243 options : server_mac optional string
2244 options : lease_time optional string, containing an integer,
2245 in range 0 to 4,294,967,295
2246 IPv4 DHCP Options:
2247 options : router optional string
2248 options : netmask optional string
2249 options : dns_server optional string
2250 options : log_server optional string
2251 options : lpr_server optional string
2252 options : swap_server optional string
2253 options : policy_filter optional string
2254 options : router_solicitation
2255 optional string
2256 options : nis_server optional string
2257 options : ntp_server optional string
2258 options : tftp_server optional string
2259 options : classless_static_route
2260 optional string
2261 options : ms_classless_static_route
2262 optional string
2263 Boolean DHCP Options:
2264 options : ip_forward_enable
2265 optional string, either 0 or 1
2266 options : router_discovery
2267 optional string, either 0 or 1
2268 options : ethernet_encap optional string, either 0 or 1
2269 Integer DHCP Options:
2270 options : default_ttl optional string, containing an integer,
2271 in range 0 to 255
2272 options : tcp_ttl optional string, containing an integer,
2273 in range 0 to 255
2274 options : mtu optional string, containing an integer,
2275 in range 68 to 65,535
2276 options : T1 optional string, containing an integer,
2277 in range 68 to 4,294,967,295
2278 options : T2 optional string, containing an integer,
2279 in range 68 to 4,294,967,295
2280 options : arp_cache_timeout
2281 optional string, containing an integer,
2282 in range 0 to 255
2283 options : tcp_keepalive_interval
2284 optional string, containing an integer,
2285 in range 0 to 255
2286 String DHCP Options:
2287 options : wpad optional string
2288 options : bootfile_name optional string
2289 options : path_prefix optional string
2290 options : tftp_server_address
2291 optional string
2292 options : domain_name optional string
2293 DHCPv6 options:
2294 Mandatory DHCPv6 options:
2295 options : server_id optional string
2296 IPv6 DHCPv6 options:
2297 options : dns_server optional string
2298 String DHCPv6 options:
2299 options : domain_search optional string
2300 options : dhcpv6_stateless
2301 optional string
2302 Common Columns:
2303 external_ids map of string-string pairs
2304
2305 Details:
2306 cidr: string
2307 The DHCPv4/DHCPv6 options will be included if the logical port
2308 has its IP address in this cidr.
2309
2310 DHCPv4 options:
2311
2312 The CMS should define the set of DHCPv4 options as key/value pairs in
2313 the options column of this table. For ovn-controller to include these
2314 DHCPv4 options, the dhcpv4_options of Logical_Switch_Port should refer
2315 to an entry in this table.
2316
2317 Mandatory DHCPv4 options:
2318
2319 The following options must be defined.
2320
2321 options : server_id: optional string
2322 The IP address for the DHCP server to use. This should be in the
2323 subnet of the offered IP. This is also included in the DHCP
2324 offer as option 54, ``server identifier.’’
2325
2326 options : server_mac: optional string
2327 The Ethernet address for the DHCP server to use.
2328
2329 options : lease_time: optional string, containing an integer, in range
2330 0 to 4,294,967,295
2331 The offered lease time in seconds.
2332
2333 The DHCPv4 option code for this option is 51.
2334
2335 IPv4 DHCP Options:
2336
2337 Below are the supported DHCPv4 options whose values are an IPv4
2338 address, e.g. 192.168.1.1. Some options accept multiple IPv4 addresses
2339 enclosed within curly braces, e.g. {192.168.1.2, 192.168.1.3}. Please
2340 refer to RFC 2132 for more details on DHCPv4 options and their codes.
2341
2342 options : router: optional string
2343 The IP address of a gateway for the client to use. This should
2344 be in the subnet of the offered IP. The DHCPv4 option code for
2345 this option is 3.
2346
2347 options : netmask: optional string
2348 The DHCPv4 option code for this option is 1.
2349
2350 options : dns_server: optional string
2351 The DHCPv4 option code for this option is 6.
2352
2353 options : log_server: optional string
2354 The DHCPv4 option code for this option is 7.
2355
2356 options : lpr_server: optional string
2357 The DHCPv4 option code for this option is 9.
2358
2359 options : swap_server: optional string
2360 The DHCPv4 option code for this option is 16.
2361
2362 options : policy_filter: optional string
2363 The DHCPv4 option code for this option is 21.
2364
2365 options : router_solicitation: optional string
2366 The DHCPv4 option code for this option is 32.
2367
2368 options : nis_server: optional string
2369 The DHCPv4 option code for this option is 41.
2370
2371 options : ntp_server: optional string
2372 The DHCPv4 option code for this option is 42.
2373
2374 options : tftp_server: optional string
2375 The DHCPv4 option code for this option is 66.
2376
2377 options : classless_static_route: optional string
2378 The DHCPv4 option code for this option is 121.
2379
2380 This option can contain one or more static routes, each of which
2381 consists of a destination descriptor and the IP address of the
2382 router that should be used to reach that destination. Please see
2383 RFC 3442 for more details.
2384
2385 Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
2386
2387 options : ms_classless_static_route: optional string
2388 The DHCPv4 option code for this option is 249. This option is
2389 similar to classless_static_route supported by Microsoft Windows
2390 DHCPv4 clients.

Boolean DHCP Options:

These options accept a Boolean value, expressed as 0 for false or 1 for
true.

options : ip_forward_enable: optional string, either 0 or 1
The DHCPv4 option code for this option is 19.

options : router_discovery: optional string, either 0 or 1
The DHCPv4 option code for this option is 31.

options : ethernet_encap: optional string, either 0 or 1
The DHCPv4 option code for this option is 36.

Integer DHCP Options:

These options accept a nonnegative integer value.

options : default_ttl: optional string, containing an integer, in range 0 to 255
The DHCPv4 option code for this option is 23.

options : tcp_ttl: optional string, containing an integer, in range 0 to 255
The DHCPv4 option code for this option is 37.

options : mtu: optional string, containing an integer, in range 68 to 65,535
The DHCPv4 option code for this option is 26.

options : T1: optional string, containing an integer, in range 68 to 4,294,967,295
This specifies the time interval from address assignment until
the client begins trying to renew its address. The DHCPv4 option
code for this option is 58.

options : T2: optional string, containing an integer, in range 68 to 4,294,967,295
This specifies the time interval from address assignment until
the client begins trying to rebind its address. The DHCPv4
option code for this option is 59.

options : arp_cache_timeout: optional string, containing an integer, in range 0 to 255
The DHCPv4 option code for this option is 35. This option specifies
the timeout in seconds for ARP cache entries.

options : tcp_keepalive_interval: optional string, containing an integer, in range 0 to 255
The DHCPv4 option code for this option is 38. This option specifies
the interval that the client TCP should wait before sending
a keepalive message on a TCP connection.

String DHCP Options:

These options accept a string value.

options : wpad: optional string
The DHCPv4 option code for this option is 252. This option is
used as part of web proxy auto discovery to provide a URL for a
web proxy.

options : bootfile_name: optional string
The DHCPv4 option code for this option is 67. This option is
used to identify a bootfile.

options : path_prefix: optional string
The DHCPv4 option code for this option is 210. In PXELINUX's case
this option is used to set a common path prefix, instead of
deriving it from the bootfile name.

options : tftp_server_address: optional string
The DHCPv4 option code for this option is 150. The option contains
one or more IPv4 addresses that the client MAY use. This
option is Cisco proprietary; the IEEE standard that matches
this requirement is option 66 (tftp_server).

options : domain_name: optional string
The DHCPv4 option code for this option is 15. This option specifies
the domain name that the client should use when resolving
hostnames via the Domain Name System.

DHCPv6 options:

OVN also implements native DHCPv6 support. The CMS should define the
set of DHCPv6 options as key/value pairs. The defined DHCPv6 options
will be included in the DHCPv6 response to the DHCPv6
Solicit/Request/Confirm packet from the logical ports having the IPv6
addresses in the cidr.

Mandatory DHCPv6 options:

The following options must be defined.

options : server_id: optional string
The Ethernet address for the DHCP server to use. This is also
included in the DHCPv6 reply as option 2, "Server Identifier",
to carry a DUID identifying a server between a client and a
server. ovn-controller defines DUID based on Link-layer Address
[DUID-LL].

IPv6 DHCPv6 options:

Below are the supported DHCPv6 options whose values are an IPv6
address, e.g. aef0::4. Some options accept multiple IPv6 addresses
enclosed within curly braces, e.g. {aef0::4, aef0::5}. Please refer to
RFC 3315 for more details on DHCPv6 options and their codes.

options : dns_server: optional string
The DHCPv6 option code for this option is 23. This option specifies
the DNS servers that the VM should use.

String DHCPv6 options:

These options accept string values.

options : domain_search: optional string
The DHCPv6 option code for this option is 24. This option specifies
the domain search list the client should use to resolve
hostnames with DNS.

Example: "ovn.org".

options : dhcpv6_stateless: optional string
This option specifies that OVN native DHCPv6 will work in stateless
mode, which means OVN native DHCPv6 will not offer IPv6
addresses for VM/VIF ports, but will only reply with other
configurations, such as DNS and domain search list. When this option
is set to the string value "true", the VM/VIF will configure IPv6
addresses in a stateless way. The default value for this option is false.

Common Columns:

external_ids: map of string-string pairs
See External IDs at the beginning of this document.

Configuration for a database connection to an Open vSwitch database
(OVSDB) client.

This table primarily configures the Open vSwitch database server
(ovsdb-server).

The Open vSwitch database server can initiate and maintain active
connections to remote clients. It can also listen for database
connections.

Summary:
  Core Features:
    target                         string (must be unique within table)
  Client Failure Detection and Handling:
    max_backoff                    optional integer, at least 1,000
    inactivity_probe               optional integer
  Status:
    is_connected                   boolean
    status : last_error            optional string
    status : state                 optional string, one of ACTIVE, BACKOFF,
                                   CONNECTING, IDLE, or VOID
    status : sec_since_connect     optional string, containing an integer,
                                   at least 0
    status : sec_since_disconnect  optional string, containing an integer,
                                   at least 0
    status : locks_held            optional string
    status : locks_waiting         optional string
    status : locks_lost            optional string
    status : n_connections         optional string, containing an integer,
                                   at least 2
    status : bound_port            optional string, containing an integer
  Common Columns:
    external_ids                   map of string-string pairs
    other_config                   map of string-string pairs

Details:
Core Features:

target: string (must be unique within table)
Connection methods for clients.

The following connection methods are currently supported:

ssl:host[:port]
The specified SSL port on the given host, which can either be a
DNS name (if built with unbound library) or an IP address. A valid
SSL configuration must be provided when this form is used; this
configuration can be specified via command-line options or the SSL
table.

If port is not specified, it defaults to 6640.

SSL support is an optional feature that is not always
built as part of Open vSwitch.

tcp:host[:port]
The specified TCP port on the given host, which can either be a
DNS name (if built with unbound library) or an IP address. If host
is an IPv6 address, wrap it in square brackets, e.g. tcp:[::1]:6640.

If port is not specified, it defaults to 6640.

pssl:[port][:host]
Listens for SSL connections on the specified TCP port.
Specify 0 for port to have the kernel automatically
choose an available port. If host, which can either be a
DNS name (if built with unbound library) or an IP
address, is specified, then connections are restricted to
the resolved or specified local IP address (either IPv4 or
IPv6 address). If host is an IPv6 address, wrap it in square
brackets, e.g. pssl:6640:[::1]. If host is not specified
then it listens only on IPv4 (but not IPv6) addresses. A
valid SSL configuration must be provided when this form
is used; this can be specified either via command-line
options or the SSL table.

If port is not specified, it defaults to 6640.

SSL support is an optional feature that is not always
built as part of Open vSwitch.

ptcp:[port][:host]
Listens for connections on the specified TCP port. Specify
0 for port to have the kernel automatically choose an
available port. If host, which can either be a DNS name
(if built with unbound library) or an IP address, is
specified, then connections are restricted to the
resolved or specified local IP address (either IPv4 or
IPv6 address). If host is an IPv6 address, wrap it in
square brackets, e.g. ptcp:6640:[::1]. If host is not
specified then it listens only on IPv4 addresses.

If port is not specified, it defaults to 6640.

When multiple clients are configured, the target values must be
unique. Duplicate target values yield unspecified results.
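
A parser for the four target forms listed above, with a review pass that reports plaintext methods, passive listeners with no host restriction, and duplicate targets. This is an added example, not code from Open vSwitch or OVN; the function names and the sample targets are constructed for illustration.

```python
import re

DEFAULT_PORT = 6640
_HOST = r"(\[[0-9A-Fa-f:.]+\]|[^:\[\]]+)"      # bracketed IPv6, else DNS name or IPv4
_ACTIVE = re.compile(rf"^(ssl|tcp):{_HOST}(?::(\d+))?$")     # method:host[:port]
_PASSIVE = re.compile(rf"^(pssl|ptcp):(\d*)(?::{_HOST})?$")  # method:[port][:host]

def parse_target(target):
    """Split a Connection target into its parts; active and passive forms differ in order."""
    m = _ACTIVE.match(target)
    if m:
        method, host, port = m.groups()
        passive = False
    else:
        m = _PASSIVE.match(target)
        if not m:
            raise ValueError(f"unsupported target: {target!r}")
        method, port, host = m.groups()
        passive = True
    port = int(port) if port else DEFAULT_PORT
    if port > 65535:
        raise ValueError(f"port out of range in {target!r}")
    return {
        "method": method,
        "passive": passive,
        "host": host.strip("[]") if host else None,
        "port": port,                      # 0 on a passive target: kernel picks the port
        "encrypted": method in ("ssl", "pssl"),
    }

def audit_targets(targets):
    """Return (target, finding) pairs for a list of target strings."""
    findings, seen = [], set()
    for target in targets:
        if target in seen:
            findings.append((target, "duplicate target"))
        seen.add(target)
        try:
            info = parse_target(target)
        except ValueError as exc:
            findings.append((target, str(exc)))
            continue
        if not info["encrypted"]:
            findings.append((target, "plaintext TCP, no SSL configuration applies"))
        if info["passive"] and info["host"] is None:
            findings.append((target, "no host given, not restricted to one local address"))
    return findings

if __name__ == "__main__":
    constructed = ["pssl:6641:10.0.0.5", "ptcp:6641", "tcp:[::1]:6640",
                   "ssl:nb.example.org", "ptcp:6641"]   # constructed sample targets
    for target, finding in audit_targets(constructed):
        print(f"{target}: {finding}")
```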

Client Failure Detection and Handling:

max_backoff: optional integer, at least 1,000
Maximum number of milliseconds to wait between connection
attempts. Default is implementation-specific.

inactivity_probe: optional integer
Maximum number of milliseconds of idle time on connection to the
client before sending an inactivity probe message. If Open
vSwitch does not communicate with the client for the specified
number of seconds, it will send a probe. If a response is not
received for the same additional amount of time, Open vSwitch
assumes the connection has been broken and attempts to reconnect.
Default is implementation-specific. A value of 0 disables
inactivity probes.

Status:

The is_connected key-value pair is always updated. Other key-value pairs
in the status columns may be updated depending on the target type.

When target specifies a connection method that listens for inbound
connections (e.g. ptcp: or punix:), both n_connections and is_connected
may also be updated while the remaining key-value pairs are omitted.

On the other hand, when target specifies an outbound connection, all
key-value pairs may be updated, except the above-mentioned two
key-value pairs associated with inbound connection targets. They are
omitted.

is_connected: boolean
true if currently connected to this client, false otherwise.

status : last_error: optional string
A human-readable description of the last error on the connection
to the manager; i.e. strerror(errno). This key will exist only
if an error has occurred.

status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING, IDLE, or VOID
The state of the connection to the manager:

VOID        Connection is disabled.
BACKOFF     Attempting to reconnect at an increasing period.
CONNECTING  Attempting to connect.
ACTIVE      Connected, remote host responsive.
IDLE        Connection is idle. Waiting for response to keep-alive.

These values may change in the future. They are provided only
for human consumption.

status : sec_since_connect: optional string, containing an integer, at least 0
The amount of time since this client last successfully connected
to the database (in seconds). Value is empty if client has never
successfully been connected.

status : sec_since_disconnect: optional string, containing an integer, at least 0
The amount of time since this client last disconnected from the
database (in seconds). Value is empty if client has never
disconnected.

status : locks_held: optional string
Space-separated list of the names of OVSDB locks that the
connection holds. Omitted if the connection does not hold any
locks.

status : locks_waiting: optional string
Space-separated list of the names of OVSDB locks that the
connection is currently waiting to acquire. Omitted if the
connection is not waiting for any locks.

status : locks_lost: optional string
Space-separated list of the names of OVSDB locks that the
connection has had stolen by another OVSDB client. Omitted if no
locks have been stolen from this connection.

status : n_connections: optional string, containing an integer, at least 2
When target specifies a connection method that listens for
inbound connections (e.g. ptcp: or pssl:) and more than one
connection is actually active, the value is the number of active
connections. Otherwise, this key-value pair is omitted.

status : bound_port: optional string, containing an integer
When target is ptcp: or pssl:, this is the TCP port on which the
OVSDB server is listening. (This is particularly useful when
target specifies a port of 0, allowing the kernel to choose any
available port.)

Common Columns:

The overall purpose of these columns is described under Common Columns
at the beginning of this document.

external_ids: map of string-string pairs

other_config: map of string-string pairs

Each row in this table stores the DNS records. The Logical_Switch
table's dns_records references these records.

Summary:
    records       map of string-string pairs
    external_ids  map of string-string pairs

Details:
records: map of string-string pairs
Key-value pair of DNS records with DNS query name as the key and
value as a string of IP address(es) separated by comma or space.

Example: "vm1.ovn.org" = "10.0.0.4 aef0::4"

external_ids: map of string-string pairs
See External IDs at the beginning of this document.

SSL configuration for ovn-nb database access.

Summary:
    private_key        string
    certificate        string
    ca_cert            string
    bootstrap_ca_cert  boolean
    ssl_protocols      string
    ssl_ciphers        string
  Common Columns:
    external_ids       map of string-string pairs

Details:
private_key: string
Name of a PEM file containing the private key used as the
switch's identity for SSL connections to the controller.

certificate: string
Name of a PEM file containing a certificate, signed by the
certificate authority (CA) used by the controller and manager, that
certifies the switch's private key, identifying a trustworthy
switch.

ca_cert: string
Name of a PEM file containing the CA certificate used to verify
that the switch is connected to a trustworthy controller.

bootstrap_ca_cert: boolean
If set to true, then Open vSwitch will attempt to obtain the CA
certificate from the controller on its first SSL connection and
save it to the named PEM file. If it is successful, it will
immediately drop the connection and reconnect, and from then on
all SSL connections must be authenticated by a certificate
signed by the CA certificate thus obtained. This option exposes
the SSL connection to a man-in-the-middle attack obtaining the
initial CA certificate. It may still be useful for bootstrapping.

ssl_protocols: string
List of SSL protocols to be enabled for SSL connections. The
default when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.

ssl_ciphers: string
List of ciphers (in OpenSSL cipher string format) to be supported
for SSL connections. The default when this option is
omitted is HIGH:!aNULL:!MD5.

Common Columns:

The overall purpose of these columns is described under Common Columns
at the beginning of this document.

external_ids: map of string-string pairs
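
A review check for one SSL table row, applying the defaults documented above when ssl_protocols or ssl_ciphers is left out. This is an added example, not code from Open vSwitch or OVN: the row is modeled as a Python dict, an empty string is assumed to mean "omitted", TLSv1 and TLSv1.1 are reported because RFC 8996 deprecates them, and the weak-cipher keyword list is a heuristic chosen for this example.

```python
import re

DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"   # default stated for ssl_protocols
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"           # default stated for ssl_ciphers
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}    # deprecated by RFC 8996
WEAK_KEYWORDS = {"NULL", "eNULL", "aNULL", "EXPORT", "LOW", "MD5", "RC4", "DES", "3DES"}

def effective_protocols(row):
    """Protocols in force for the row, falling back to the documented default."""
    raw = row.get("ssl_protocols") or DEFAULT_PROTOCOLS
    return [p.strip() for p in raw.split(",") if p.strip()]

def enabled_weak_ciphers(cipher_string):
    """Weak keywords that an OpenSSL cipher string adds rather than removes."""
    weak = []
    for token in re.split(r"[:, ]+", cipher_string):
        # '!' and '-' remove ciphers, '+' only reorders ciphers already present
        if not token or token[0] in "!-+":
            continue
        weak += [part for part in token.split("+") if part in WEAK_KEYWORDS]
    return weak

def audit_ssl_row(row):
    """Return a list of findings for one SSL row (empty list: nothing to report)."""
    findings = []
    for column in ("private_key", "certificate", "ca_cert"):
        if not row.get(column):
            findings.append(f"{column}: no PEM file named")
    if row.get("bootstrap_ca_cert") is True:
        findings.append("bootstrap_ca_cert: CA is learned unauthenticated on first connection")
    old = [p for p in effective_protocols(row) if p in DEPRECATED_PROTOCOLS]
    if old:
        findings.append("ssl_protocols: enables " + ",".join(old))
    weak = enabled_weak_ciphers(row.get("ssl_ciphers") or DEFAULT_CIPHERS)
    if weak:
        findings.append("ssl_ciphers: enables " + ",".join(weak))
    return findings

if __name__ == "__main__":
    # Constructed rows; the file paths are placeholders.
    as_installed = {"private_key": "/path/to/key.pem", "certificate": "/path/to/cert.pem",
                    "ca_cert": "/path/to/ca.pem", "bootstrap_ca_cert": True,
                    "ssl_protocols": "", "ssl_ciphers": ""}
    hardened = dict(as_installed, bootstrap_ca_cert=False, ssl_protocols="TLSv1.2")
    print(audit_ssl_row(as_installed))
    print(audit_ssl_row(hardened))
```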

Association of a chassis to a logical router port. The traffic going
out through a specific router port will be redirected to a chassis, or
a set of them in high availability configurations. A single
Gateway_Chassis is equivalent to setting options:redirect-chassis. Using
Gateway_Chassis allows associating multiple prioritized chassis with a
single logical router port.

Summary:
    name            string (must be unique within table)
    chassis_name    string
    priority        integer, in range 0 to 32,767
    options         map of string-string pairs
  Common Columns:
    external_ids    map of string-string pairs

Details:
name: string (must be unique within table)
Name of the Gateway_Chassis.

A suggested, but not required, naming convention is
${port_name}_${chassis_name}.

chassis_name: string
Name of the chassis that we want to redirect traffic through for
the associated logical router port. The value must match the
name column of the Chassis table in the OVN_Southbound database.

priority: integer, in range 0 to 32,767
This is the priority of a chassis among all Gateway_Chassis
belonging to the same logical router port.

options: map of string-string pairs
Reserved for future use.

Common Columns:

external_ids: map of string-string pairs
See External IDs at the beginning of this document.

Table representing a group of chassis which can provide high
availability services. Each chassis in the group is represented by the table
HA_Chassis. The HA chassis with highest priority will be the master of
this group. If the master chassis failover is detected, the HA chassis
with the next higher priority takes over the responsibility of
providing the HA. If a distributed gateway router port references a row in
this table, then the master HA chassis in this group provides the
gateway functionality.

Summary:
    name            string (must be unique within table)
    ha_chassis      set of HA_Chassis
  Common Columns:
    external_ids    map of string-string pairs

Details:
name: string (must be unique within table)
Name of the HA_Chassis_Group. Name should be unique.

ha_chassis: set of HA_Chassis
A list of HA chassis which belong to this group.

Common Columns:

external_ids: map of string-string pairs
See External IDs at the beginning of this document.

Summary:
    chassis_name    string
    priority        integer, in range 0 to 32,767
  Common Columns:
    external_ids    map of string-string pairs

Details:
chassis_name: string
Name of the chassis which is part of the HA chassis group. The
value must match the name column of the Chassis table in the
OVN_Southbound database.

priority: integer, in range 0 to 32,767
Priority of the chassis. Chassis with highest priority will be
the master.

Common Columns:

external_ids: map of string-string pairs
See External IDs at the beginning of this document.

Open vSwitch 20.03.0 DB Schema 5.22.0 ovn-nb(5)