1ovn-nb(5) Open vSwitch Manual ovn-nb(5)
2
3
4
5 NAME
6 ovn-nb - OVN_Northbound database schema
7
8 This database is the interface between OVN and the cloud management
9 system (CMS), such as OpenStack, running above it. The CMS produces
10 almost all of the contents of the database. The ovn-northd program mon‐
11 itors the database contents, transforms it, and stores it into the
12 OVN_Southbound database.
13
14 We generally speak of "the" CMS, but one can imagine scenarios in
15 which multiple CMSes manage different parts of an OVN deployment.
16
17 External IDs
18 Each of the tables in this database contains a special column, named
19 external_ids. This column has the same form and purpose each place it
20 appears.
21
22 external_ids: map of string-string pairs
23 Key-value pairs for use by the CMS. The CMS might use
24 certain pairs, for example, to identify entities in its
25 own configuration that correspond to those in this data‐
26 base.
27
28 TABLE SUMMARY
29 The following list summarizes the purpose of each of the tables in the
30 OVN_Northbound database. Each table is described in more detail on a
31 later page.
32
33 Table Purpose
34 NB_Global Northbound configuration
35 Logical_Switch
36 L2 logical switch
37 Logical_Switch_Port
38 L2 logical switch port
39 Forwarding_Group
40 forwarding group
41 Address_Set
42 Address Sets
43 Port_Group
44 Port Groups
45 Load_Balancer
46 load balancer
47 Load_Balancer_Health_Check
48 load balancer health check
49 ACL Access Control List (ACL) rule
50 Logical_Router
51 L3 logical router
52 QoS QoS rule
53 Meter Meter entry
54 Meter_Band
55 Band for meter entries
56 Logical_Router_Port
57 L3 logical router port
58 Logical_Router_Static_Route
59 Logical router static routes
60 Logical_Router_Policy
61 Logical router policies
62 NAT NAT rules
63 DHCP_Options
64 DHCP options
65 Connection
66 OVSDB client connections.
67 DNS Native DNS resolution
68 SSL SSL configuration.
69 Gateway_Chassis
70 Gateway_Chassis configuration.
71 HA_Chassis_Group
72 HA_Chassis_Group configuration.
73 HA_Chassis
74 HA_Chassis configuration.
75 BFD BFD configuration.
76
77 NB_Global TABLE
78 Northbound configuration for an OVN system. This table must have
79 exactly one row.
80
81 Summary:
82 Identity:
83 name string
84 Status:
85 nb_cfg integer
86 nb_cfg_timestamp integer
87 sb_cfg integer
88 sb_cfg_timestamp integer
89 hv_cfg integer
90 hv_cfg_timestamp integer
91 Common Columns:
92 external_ids map of string-string pairs
93 Common options:
94 options map of string-string pairs
95 Options for configuring BFD:
96 options : bfd-min-rx optional string
97 options : bfd-decay-min-rx
98 optional string
99 options : bfd-min-tx optional string
100 options : bfd-mult optional string
101 options : mac_prefix optional string
102 options : controller_event optional string, either true or false
103 options : northd_probe_interval
104 optional string
105 options : use_logical_dp_groups
106 optional string
107 options : ignore_lsp_down optional string
108 Options for configuring interconnection route advertisement:
109 options : ic-route-adv optional string
110 options : ic-route-learn optional string
111 options : ic-route-adv-default
112 optional string
113 options : ic-route-learn-default
114 optional string
115 options : ic-route-blacklist
116 optional string
117 Connection Options:
118 connections set of Connections
119 ssl optional SSL
120 Security Configurations:
121 ipsec boolean
122 Read-only Options:
123 options : max_tunid optional string
124
125 Details:
126 Identity:
127
128 name: string
129 The name of the OVN cluster, which uniquely identifies this
130 cluster among all the OVN clusters that are meant to interconnect
131 with each other.
132
133 Status:
134
135 These columns allow a client to track the overall configuration state
136 of the system.
137
138 nb_cfg: integer
139 Sequence number for client to increment. When a client modifies
140 any part of the northbound database configuration and wishes to
141 wait for ovn-northd and possibly all of the hypervisors to fin‐
142 ish applying the changes, it may increment this sequence number.
143
144 nb_cfg_timestamp: integer
145 The timestamp, in milliseconds since the epoch, when ovn-northd
146 sees the latest nb_cfg and starts processing.
147
148 To print the timestamp as a human-readable date (the sed strips the
149 three millisecond digits, leaving whole seconds for date):
150 date -d "@$(ovn-nbctl get NB_Global . nb_cfg_timestamp | sed 's/...$//')"
151
152
153 sb_cfg: integer
154 Sequence number that ovn-northd sets to the value of nb_cfg
155 after it finishes applying the corresponding configuration
156 changes to the OVN_Southbound database.
157
158 sb_cfg_timestamp: integer
159 The timestamp, in milliseconds since the epoch, when ovn-northd
160 finishes applying the corresponding configuration changes to the
161 OVN_Southbound database successfully.
162
163 hv_cfg: integer
164 Sequence number that ovn-northd sets to the smallest sequence
165 number of all the chassis in the system, as reported in the
166 Chassis_Private table in the southbound database. Thus, hv_cfg
167 equals nb_cfg if all chassis are caught up with the northbound
168 configuration (which may never happen, if any chassis is down).
169 This value can regress, if a chassis was removed from the system
170 and rejoins before catching up.
171
172 If there are no chassis, then ovn-northd copies nb_cfg to
173 hv_cfg. Thus, in this case, the (nonexistent) hypervisors are
174 always considered to be caught up. This means that hypervisors
175 can be "caught up" even in cases where sb_cfg would show that
176 the southbound database is not. To detect when both the hypervi‐
177 sors and the southbound database are caught up, a client should
178 take the smaller of sb_cfg and hv_cfg.
179
180 hv_cfg_timestamp: integer
181 The largest timestamp, in milliseconds since the epoch, of the
182 smallest sequence number of all the chassis in the system, as
183 reported in the Chassis_Private table in the southbound data‐
184 base. In other words, this timestamp reflects the time when the
185 slowest chassis catches up with the northbound configuration,
186 which is useful for end-to-end control plane latency measure‐
187 ment.
188
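The Status columns describe a polling contract rather than a single value, so here is an added example (not from the OVN manual or the OVN code base) of the loop a CMS would run after bumping nb_cfg. It applies the man page's rule of taking the smaller of sb_cfg and hv_cfg, keeps polling through an hv_cfg regression, gives up on a timeout, and converts the millisecond timestamps. The fetch_row callable, the replay() helper and the SAMPLE_ROWS snapshots are constructed stand-ins for what `ovn-nbctl list NB_Global` or an OVSDB client would return.

```python
import time
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

Row = Dict[str, int]


def caught_up(row: Row, target: int) -> bool:
    """True once both the southbound database (sb_cfg) and the slowest chassis
    (hv_cfg) have applied nb_cfg >= target.  Taking the minimum is the rule the
    man page gives: with no chassis, ovn-northd copies nb_cfg into hv_cfg, so
    hv_cfg alone would say "caught up" while sb_cfg still lags."""
    return min(row["sb_cfg"], row["hv_cfg"]) >= target


def control_plane_latency_ms(row: Row) -> int:
    """From ovn-northd picking up nb_cfg to the slowest chassis applying it."""
    return row["hv_cfg_timestamp"] - row["nb_cfg_timestamp"]


def ms_to_utc(ms: int) -> str:
    """Human-readable form of a millisecond-since-epoch column (the man page's
    'date -d' one-liner, without shelling out)."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def wait_for_sync(fetch_row: Callable[[], Row], target: int, timeout_s: float = 30.0,
                  poll_s: float = 0.5, clock: Callable[[], float] = time.monotonic,
                  sleep: Callable[[float], None] = time.sleep) -> Optional[Row]:
    """Poll until caught_up() holds or timeout_s elapses.  Returns the first row
    that satisfies the target, or None on timeout.  hv_cfg may go backwards
    meanwhile (a chassis rejoining), so progress is never assumed monotonic."""
    deadline = clock() + timeout_s
    while True:
        row = fetch_row()
        if caught_up(row, target):
            return row
        if clock() >= deadline:
            return None
        sleep(poll_s)


# Constructed NB_Global snapshots, as a CMS would see them after setting nb_cfg=7.
SAMPLE_ROWS = [
    {"nb_cfg": 7, "sb_cfg": 6, "hv_cfg": 6,
     "nb_cfg_timestamp": 1700000000000, "hv_cfg_timestamp": 1699999990000},
    {"nb_cfg": 7, "sb_cfg": 7, "hv_cfg": 6,  # northd done, one chassis lagging
     "nb_cfg_timestamp": 1700000000000, "hv_cfg_timestamp": 1699999990000},
    {"nb_cfg": 7, "sb_cfg": 7, "hv_cfg": 5,  # hv_cfg regressed: a chassis rejoined
     "nb_cfg_timestamp": 1700000000000, "hv_cfg_timestamp": 1699999990000},
    {"nb_cfg": 7, "sb_cfg": 7, "hv_cfg": 7,
     "nb_cfg_timestamp": 1700000000000, "hv_cfg_timestamp": 1700000000250},
]


def replay(rows):
    """Return a fetch_row() that replays the snapshots, then repeats the last one."""
    state = {"i": 0}

    def fetch() -> Row:
        row = rows[min(state["i"], len(rows) - 1)]
        state["i"] += 1
        return row

    return fetch


if __name__ == "__main__":
    fake = {"t": 0.0}  # simulated clock so the demo does not really sleep
    row = wait_for_sync(replay(SAMPLE_ROWS), 7, timeout_s=10,
                        clock=lambda: fake["t"],
                        sleep=lambda s: fake.__setitem__("t", fake["t"] + s))
    print(row, control_plane_latency_ms(row), ms_to_utc(row["nb_cfg_timestamp"]))
```

In a real CMS the fetch_row callable would read the NB_Global row over OVSDB; the injected clock and sleep exist only so the loop can be exercised without waiting.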
189 Common Columns:
190
191 external_ids: map of string-string pairs
192 See External IDs at the beginning of this document.
193
194 Common options:
195
196 options: map of string-string pairs
197 This column provides general key/value settings. The supported
198 options are described individually below.
199
200 Options for configuring BFD:
201
202 These options apply when ovn-controller configures BFD on tunnel
203 interfaces.
204
205 options : bfd-min-rx: optional string
206 BFD option min-rx value to use when configuring BFD on tunnel
207 interfaces.
208
209 options : bfd-decay-min-rx: optional string
210 BFD option decay-min-rx value to use when configuring BFD on
211 tunnel interfaces.
212
213 options : bfd-min-tx: optional string
214 BFD option min-tx value to use when configuring BFD on tunnel
215 interfaces.
216
217 options : bfd-mult: optional string
218 BFD option mult value to use when configuring BFD on tunnel
219 interfaces.
220
221 options : mac_prefix: optional string
222 Configures the OUI to use as the prefix of dynamically assigned
223 L2 addresses, e.g. 00:11:22.
224
225 options : controller_event: optional string, either true or false
226 Value set by the CMS to enable/disable ovn-controller event
227 reporting. Traffic into OVS can raise a 'controller' event that
228 results in a row being written to the Controller_Event table in
229 the SBDB. The intention is for the CMS to see the events and take
230 some sort of action; once it has done so, it can remove the
231 corresponding row from the Controller_Event table. Please see the
232 Controller_Event table in the SBDB. To avoid overloading the
233 pinctrl thread under heavy load, a meter can be associated with
234 each controller event type. Each event type relies on a meter
235 with a defined name:
237
238 · empty_lb_backends: event-elb
239
240 options : northd_probe_interval: optional string
241 The inactivity probe interval of the connection to the OVN
242 Northbound and Southbound databases from ovn-northd, in mil‐
243 liseconds. If the value is zero, it disables the connection
244 keepalive feature.
245
246 If the value is nonzero, then it will be forced to a value of at
247 least 1000 ms.
248
249 options : use_logical_dp_groups: optional string
250 If set to true, ovn-northd combines logical flows that differ
251 only by logical datapath into a single logical flow with a
252 logical datapath group attached.
253
254 While this should significantly reduce the number of logical flows
255 stored in the Southbound database, it can also increase processing
256 complexity on the ovn-controller side: ovn-controller will
257 re-consider a logical flow for all logical datapaths in its group.
258 If the option is set to false, there is a separate logical flow
259 per logical datapath and only that flow is re-considered.
260
261 The default value is false.
263
264 options : ignore_lsp_down: optional string
265 If set to false, ARP/ND reply flows for logical switch ports
266 will be installed only if the port is up, i.e. claimed by a
267 Chassis. If set to true, these flows are installed regardless of
268 the status of the port, which can result in a situation that ARP
269 request to an IP is resolved even before the relevant VM/con‐
270 tainer is running. For environments where this is not an issue,
271 setting it to true can reduce the load and latency of the con‐
272 trol plane. The default value is false.
273
274 Options for configuring interconnection route advertisement:
275
276 These options control how routes are advertised between OVN deployments
277 for interconnection. If enabled, ovn-ic from different OVN deployments
278 exchanges routes between each other through the global OVN_IC_South‐
279 bound database. Only routers with ports connected to interconnection
280 transit switches participate in route advertisement. For each of these
281 routers, there are two types of routes to be advertised:
282
283 Firstly, the static routes configured in the router are advertised.
284
285 Secondly, the networks configured in the logical router ports that are
286 not on the transit switches are advertised. These are considered as
287 directly connected subnets on the router.
288
289 Link local prefixes (IPv4 169.254.0.0/16 and IPv6 FE80::/10) are never
290 advertised.
291
292 The learned routes are added to the static_routes column of the Logi‐
293 cal_Router table, with external_ids:ic-learned-route set to the uuid of
294 the row in Route table of the OVN_IC_Southbound database.
295
296 options : ic-route-adv: optional string
297 A boolean value that enables route advertisement to the global
298 OVN_IC_Southbound database. Default is false.
299
300 options : ic-route-learn: optional string
301 A boolean value that enables route learning from the global
302 OVN_IC_Southbound database. Default is false.
303
304 options : ic-route-adv-default: optional string
305 A boolean value that enables advertising default route to the
306 global OVN_IC_Southbound database. Default is false. This option
307 takes effect only when option ic-route-adv is true.
308
309 options : ic-route-learn-default: optional string
310 A boolean value that enables learning default route from the
311 global OVN_IC_Southbound database. Default is false. This option
312 takes effect only when option ic-route-learn is true.
313
314 options : ic-route-blacklist: optional string
315 A string containing a list of CIDRs delimited by ",". A route
316 will not be advertised or learned if the route's prefix belongs
317 to any of the CIDRs listed.
318
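The five ic-route-* options above combine into one policy decision per route, and it is easy to get the interactions wrong (a default route needs two options, link-local is dropped regardless, the blacklist applies in both directions). The following Python is an added example, not OVN code, that models that decision over a constructed NB_Global.options map. One assumption is labelled in the code: "belongs to" a blacklisted CIDR is read as the route prefix lying inside that CIDR.

```python
import ipaddress
from typing import Dict, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The man page: link-local prefixes are never advertised or learned.
LINK_LOCAL = (ipaddress.ip_network("169.254.0.0/16"), ipaddress.ip_network("fe80::/10"))


def parse_blacklist(value: str):
    """options:ic-route-blacklist is a ','-delimited list of CIDRs."""
    return [ipaddress.ip_network(tok.strip(), strict=False)
            for tok in value.split(",") if tok.strip()]


def _covered(net: Net, cidr: Net) -> bool:
    # subnet_of() raises TypeError across address families, so check versions first.
    return net.version == cidr.version and net.subnet_of(cidr)


def _route_allowed(prefix: str, options: Dict[str, str],
                   enable_key: str, default_key: str) -> bool:
    if options.get(enable_key, "false") != "true":
        return False
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 additionally needs the *-default option
        return options.get(default_key, "false") == "true"
    if any(_covered(net, ll) for ll in LINK_LOCAL):
        return False
    # Assumption: a prefix "belongs to" a blacklisted CIDR when it lies inside it.
    blacklist = parse_blacklist(options.get("ic-route-blacklist", ""))
    return not any(_covered(net, cidr) for cidr in blacklist)


def should_advertise(prefix: str, options: Dict[str, str]) -> bool:
    """Would this router's static or directly connected route be advertised
    to OVN_IC_Southbound under these NB_Global options?"""
    return _route_allowed(prefix, options, "ic-route-adv", "ic-route-adv-default")


def should_learn(prefix: str, options: Dict[str, str]) -> bool:
    """Would a route seen in OVN_IC_Southbound be learned under these options?"""
    return _route_allowed(prefix, options, "ic-route-learn", "ic-route-learn-default")


# Constructed NB_Global.options, as set with e.g.
#   ovn-nbctl set NB_Global . options:ic-route-adv=true options:ic-route-blacklist=...
SAMPLE_OPTIONS = {
    "ic-route-adv": "true",
    "ic-route-learn": "true",
    "ic-route-adv-default": "false",
    "ic-route-learn-default": "true",
    "ic-route-blacklist": "10.0.0.0/8, 2001:db8:dead::/48",
}

if __name__ == "__main__":
    for p in ("172.16.5.0/24", "10.20.0.0/16", "169.254.10.0/24", "0.0.0.0/0", "::/0"):
        print(p, should_advertise(p, SAMPLE_OPTIONS), should_learn(p, SAMPLE_OPTIONS))
```

The blacklist is the one lever that also constrains what a peer deployment can push into this one's static_routes, so it is worth populating with the prefixes this site must never learn from the interconnect.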
319 Connection Options:
320
321 connections: set of Connections
322 Database clients to which the Open vSwitch database server
323 should connect or on which it should listen, along with options
324 for how these connections should be configured. See the Connec‐
325 tion table for more information.
326
327 ssl: optional SSL
328 Global SSL configuration.
329
330 Security Configurations:
331
332 ipsec: boolean
333 Tunnel encryption configuration. If this column is set to true,
334 all OVN tunnels will be encrypted with IPsec. This covers only the
335 chassis-to-chassis tunnel traffic; connections to the database
336 itself are configured through connections and ssl above.
335
336 Read-only Options:
337
338 options : max_tunid: optional string
339 The maximum supported tunnel ID. Depends on types of encapsula‐
340 tion enabled in the cluster.
341
342 Logical_Switch TABLE
343 Each row represents one L2 logical switch.
344
345 There are two kinds of logical switches, that is, ones that fully vir‐
346 tualize the network (overlay logical switches) and ones that provide
347 simple connectivity to physical networks (bridged logical switches).
348 They work in the same way when providing connectivity between logical
349 ports on same chassis, but differently when connecting remote logical
350 ports. Overlay logical switches connect remote logical ports by tun‐
351 nels, while bridged logical switches provide connectivity to remote
352 ports by bridging the packets to directly connected physical L2
353 segments with the help of localnet ports. Each bridged logical switch
354 has one or more localnet ports, each of which has only the special
355 address unknown.
356
357 Summary:
358 ports set of Logical_Switch_Ports
359 load_balancer set of weak reference to Load_Balancers
360 acls set of ACLs
361 qos_rules set of QoSes
362 dns_records set of weak reference to DNSes
363 forwarding_groups set of Forwarding_Groups
364 Naming:
365 name string
366 external_ids : neutron:network_name
367 optional string
368 IP Address Assignment:
369 other_config : subnet optional string
370 other_config : exclude_ips optional string
371 other_config : ipv6_prefix optional string
372 other_config : mac_only optional string, either true or false
373 IP Multicast Snooping Options:
374 other_config : mcast_snoop optional string, either true or false
375 other_config : mcast_querier
376 optional string, either true or false
377 other_config : mcast_flood_unregistered
378 optional string, either true or false
379 other_config : mcast_table_size
380 optional string, containing an integer,
381 in range 1 to 32,766
382 other_config : mcast_idle_timeout
383 optional string, containing an integer,
384 in range 15 to 3,600
385 other_config : mcast_query_interval
386 optional string, containing an integer,
387 in range 1 to 3,600
388 other_config : mcast_query_max_response
389 optional string, containing an integer,
390 in range 1 to 10
391 other_config : mcast_eth_src
392 optional string
393 other_config : mcast_ip4_src
394 optional string
395 other_config : mcast_ip6_src
396 optional string
397 Interconnection:
398 other_config : interconn-ts
399 optional string
400 Tunnel Key:
401 other_config : requested-tnl-key
402 optional string, containing an integer,
403 in range 1 to 16,777,215
404 Other options:
405 other_config : vlan-passthru
406 optional string, either true or false
407 Common Columns:
408 external_ids map of string-string pairs
409
410 Details:
411 ports: set of Logical_Switch_Ports
412 The logical ports connected to the logical switch.
413
414 It is an error for multiple logical switches to include the same
415 logical port.
416
417 load_balancer: set of weak reference to Load_Balancers
418 Load balance a virtual ip address to a set of logical port end‐
419 point ip addresses.
420
421 acls: set of ACLs
422 Access control rules that apply to packets within the logical
423 switch.
424
425 qos_rules: set of QoSes
426 QoS marking and metering rules that apply to packets within the
427 logical switch.
428
429 dns_records: set of weak reference to DNSes
430 This column defines the DNS records to be used for resolving
431 internal DNS queries within the logical switch by the native DNS
432 resolver. Please see the DNS table.
433
434 forwarding_groups: set of Forwarding_Groups
435 Groups a set of logical port endpoints for traffic going out of
436 the logical switch.
437
438 Naming:
439
440 These columns provide names for the logical switch. From OVN’s perspec‐
441 tive, these names have no special meaning or purpose other than to pro‐
442 vide convenience for human interaction with the database. There is no
443 requirement for the name to be unique. (For a unique identifier for a
444 logical switch, use its row UUID.)
445
446 (Originally, name was intended to serve the purpose of a human-friendly
447 name, but the Neutron integration used it to uniquely identify its own
448 switch object, in the format neutron-uuid. Later on, Neutron started
449 propagating the friendly name of a switch as external_ids:neutron:net‐
450 work_name. Perhaps this can be cleaned up someday.)
451
452 name: string
453 A name for the logical switch.
454
455 external_ids : neutron:network_name: optional string
456 Another name for the logical switch.
457
458 IP Address Assignment:
459
460 These options control automatic IP address management (IPAM) for ports
461 attached to the logical switch. To enable IPAM for IPv4, set other_con‐
462 fig:subnet and optionally other_config:exclude_ips. To enable IPAM for
463 IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be enabled
464 together or separately.
465
466 To request dynamic address assignment for a particular port, use the
467 dynamic keyword in the addresses column of the port’s Logi‐
468 cal_Switch_Port row. This requests both an IPv4 and an IPv6 address, if
469 IPAM for IPv4 and IPv6 are both enabled.
470
471 other_config : subnet: optional string
472 Set this to an IPv4 subnet, e.g. 192.168.0.0/24, to enable
473 ovn-northd to automatically assign IP addresses within that sub‐
474 net.
475
476 other_config : exclude_ips: optional string
477 To exclude some addresses from automatic IP address management,
478 set this to a list of the IPv4 addresses or ..-delimited ranges
479 to exclude. The addresses or ranges should be a subset of those
480 in other_config:subnet.
481
482 Whether listed or not, ovn-northd will never allocate the first
483 or last address in a subnet, such as 192.168.0.0 or
484 192.168.0.255 in 192.168.0.0/24.
485
486 Examples:
487
488 · 192.168.0.2 192.168.0.10
489
490 · 192.168.0.4 192.168.0.30..192.168.0.60
491 192.168.0.110..192.168.0.120
492
493 · 192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30
494 192.168.0.144
495
496 other_config : ipv6_prefix: optional string
497 Set this to an IPv6 prefix to enable ovn-northd to automatically
498 assign IPv6 addresses using this prefix. The assigned IPv6
499 address will be generated using the IPv6 prefix and the MAC
500 address (converted to an IEEE EUI64 identifier) of the port. The
501 IPv6 prefix defined here should be a valid IPv6 address ending
502 with ::.
503
504 Examples:
505
506 · aef0::
507
508 · bef0:1234:a890:5678::
509
510 · 8230:5678::
511
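The IPv4 rules above (exclude_ips syntax, the subset requirement, the never-allocated first and last addresses) and the IPv6 EUI-64 derivation are both mechanical enough to check. The following Python is an added example, not ovn-northd's allocator, that models those documented rules so an operator can predict what a port with addresses=dynamic will receive or catch a malformed exclude_ips before committing it. Inputs are constructed; the allocation order (lowest free address first) is an assumption, since the man page does not specify one.

```python
import ipaddress
from typing import Iterable, Optional, Set


def parse_exclude_ips(value: str, subnet: ipaddress.IPv4Network) -> Set[int]:
    """Parse other_config:exclude_ips: whitespace-separated IPv4 addresses or
    lo..hi ranges, each of which must lie inside other_config:subnet."""
    excluded: Set[int] = set()
    for token in value.split():
        lo_s, _, hi_s = token.partition("..")
        lo = ipaddress.IPv4Address(lo_s)
        hi = ipaddress.IPv4Address(hi_s) if hi_s else lo
        if lo > hi:
            raise ValueError(f"inverted range {token}")
        if lo not in subnet or hi not in subnet:
            raise ValueError(f"{token} is not inside {subnet}")
        excluded.update(range(int(lo), int(hi) + 1))
    return excluded


def allocate_ipv4(subnet_cidr: str, exclude_ips: str = "",
                  in_use: Iterable[str] = ()) -> Optional[str]:
    """Lowest free address under the documented rules: the network and broadcast
    addresses are never handed out; exclude_ips and already-allocated addresses
    are skipped.  Returns None when the subnet is exhausted."""
    subnet = ipaddress.IPv4Network(subnet_cidr, strict=False)
    taken = parse_exclude_ips(exclude_ips, subnet)
    taken.update(int(ipaddress.IPv4Address(a)) for a in in_use)
    first, last = int(subnet.network_address), int(subnet.broadcast_address)
    for n in range(first + 1, last):  # first and last are never allocated
        if n not in taken:
            return str(ipaddress.IPv4Address(n))
    return None


def eui64_address(ipv6_prefix: str, mac: str) -> str:
    """IPv6 address derived from other_config:ipv6_prefix and a port MAC:
    prefix | modified EUI-64 (ff:fe inserted, universal/local bit flipped)."""
    if not ipv6_prefix.endswith("::"):
        raise ValueError("ipv6_prefix must be an IPv6 address ending with ::")
    prefix = ipaddress.IPv6Address(ipv6_prefix)
    if int(prefix) & ((1 << 64) - 1):
        raise ValueError("ipv6_prefix must leave the low 64 bits clear")
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # flip the universal/local bit
    return str(ipaddress.IPv6Address(int(prefix) | int.from_bytes(iid, "big")))


if __name__ == "__main__":
    print(allocate_ipv4("192.168.0.0/24", "192.168.0.4 192.168.0.30..192.168.0.60",
                        in_use=["192.168.0.1", "192.168.0.2", "192.168.0.3"]))
    print(eui64_address("aef0::", "00:11:22:33:44:55"))
```

Because the IPv6 address is a pure function of prefix and MAC, anyone who knows a port's MAC can predict its address; that is inherent to EUI-64 and not something exclude_ips can influence.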
512 other_config : mac_only: optional string, either true or false
513 Set to true to request that ports using the dynamic keyword be
514 assigned only an L2 (MAC) address. This applies when neither
515 other_config:subnet nor other_config:ipv6_prefix is specified.
515
516 IP Multicast Snooping Options:
517
518 These options control the IP Multicast Snooping configuration of the
519 logical switch. To enable IP Multicast Snooping, set
520 other_config:mcast_snoop to true. To enable the IP Multicast Querier,
521 set other_config:mcast_querier to true. If the IP Multicast Querier is
522 enabled, other_config:mcast_eth_src and other_config:mcast_ip4_src must
523 be set.
523
524 other_config : mcast_snoop: optional string, either true or false
525 Enables/disables IP Multicast Snooping on the logical switch.
526
527 other_config : mcast_querier: optional string, either true or false
528 Enables/disables IP Multicast Querier on the logical switch.
529
530 other_config : mcast_flood_unregistered: optional string, either true
531 or false
532 Determines whether unregistered multicast traffic should be
533 flooded or not. Only applicable if other_config:mcast_snoop is
534 enabled.
535
536 other_config : mcast_table_size: optional string, containing an inte‐
537 ger, in range 1 to 32,766
538 Number of multicast groups to be stored. Default: 2048.
539
540 other_config : mcast_idle_timeout: optional string, containing an inte‐
541 ger, in range 15 to 3,600
542 Configures the IP Multicast Snooping group idle timeout (in sec‐
543 onds). Default: 300 seconds.
544
545 other_config : mcast_query_interval: optional string, containing an
546 integer, in range 1 to 3,600
547 Configures the IP Multicast Querier interval between queries (in
548 seconds). Default: other_config:mcast_idle_timeout / 2.
549
550 other_config : mcast_query_max_response: optional string, containing an
551 integer, in range 1 to 10
552 Configures the value of the "max-response" field in the multi‐
553 cast queries originated by the logical switch. Default: 1 sec‐
554 ond.
555
556 other_config : mcast_eth_src: optional string
557 Configures the source Ethernet address for queries originated by
558 the logical switch.
559
560 other_config : mcast_ip4_src: optional string
561 Configures the source IPv4 address for queries originated by the
562 logical switch.
563
564 other_config : mcast_ip6_src: optional string
565 Configures the source IPv6 address for queries originated by the
566 logical switch.
567
568 Interconnection:
569
570 other_config : interconn-ts: optional string
571 The name of corresponding transit switch in OVN_IC_Northbound
572 database. This kind of logical switch is created and controlled
573 by ovn-ic.
574
575 Tunnel Key:
576
577 other_config : requested-tnl-key: optional string, containing an inte‐
578 ger, in range 1 to 16,777,215
579 Configures the datapath tunnel key for the logical switch. Usually
580 this is not needed because ovn-northd will assign a unique key for
581 each datapath by itself. However, if it is configured,
582 ovn-northd honors the configured value. The typical use case is
583 for interconnection: the tunnel keys for transit switches need
584 to be unique globally, so they are maintained in the global
585 OVN_IC_Southbound database, and ovn-ic simply syncs the value
586 from OVN_IC_Southbound through this config.
587
588 Other options:
589
590 other_config : vlan-passthru: optional string, either true or false
591 Determines whether VLAN tagged incoming traffic should be
592 allowed.
593
594 Common Columns:
595
596 external_ids: map of string-string pairs
597 See External IDs at the beginning of this document.
598
599 Logical_Switch_Port TABLE
600 A port within an L2 logical switch.
601
602 Summary:
603 Core Features:
604 name string (must be unique within table)
605 type string
606 Options:
607 options map of string-string pairs
608 Options for router ports:
609 options : router-port optional string
610 options : nat-addresses optional string
611 Options for localnet ports:
612 options : network_name optional string
613 Options for l2gateway ports:
614 options : network_name optional string
615 options : l2gateway-chassis
616 optional string
617 Options for vtep ports:
618 options : vtep-physical-switch
619 optional string
620 options : vtep-logical-switch
621 optional string
622 VMI (or VIF) Options:
623 options : requested-chassis
624 optional string
625 options : qos_max_rate optional string
626 options : qos_burst optional string
627 Virtual port Options:
628 options : virtual-ip optional string
629 options : virtual-parents
630 optional string
631 IP Multicast Snooping Options:
632 options : mcast_flood optional string, either true or false
633 options : mcast_flood_reports
634 optional string, either true or false
635 Containers:
636 parent_name optional string
637 tag_request optional integer, in range 0 to 4,095
638 tag optional integer, in range 1 to 4,095
639 Port State:
640 up optional boolean
641 enabled optional boolean
642 Addressing:
643 addresses set of strings
644 dynamic_addresses optional string
645 port_security set of strings
646 DHCP:
647 dhcpv4_options optional weak reference to DHCP_Options
648 dhcpv6_options optional weak reference to DHCP_Options
649 ha_chassis_group optional HA_Chassis_Group
650 Naming:
651 external_ids : neutron:port_name
652 optional string
653 Tunnel Key:
654 options : requested-tnl-key
655 optional string, containing an integer,
656 in range 1 to 32,767
657 Common Columns:
658 external_ids map of string-string pairs
659
660 Details:
661 Core Features:
662
663 name: string (must be unique within table)
664 The logical port name.
665
666 For entities (VMs or containers) that are spawned in the hyper‐
667 visor, the name used here must match those used in the exter‐
668 nal_ids:iface-id in the Open_vSwitch database’s Interface table,
669 because hypervisors use external_ids:iface-id as a lookup key to
670 identify the network interface of that entity.
671
672 For containers that share a VIF within a VM, the name can be any
673 unique identifier. See Containers, below, for more information.
674
675 A logical switch port may not have the same name as a logical
676 router port, but the database schema cannot enforce this.
677
678 type: string
679 Specify a type for this logical port. Logical ports can be used
680 to model other types of connectivity into an OVN logical switch.
681 The following types are defined:
682
683 (empty string)
684 A VM (or VIF) interface.
685
686 router A connection to a logical router. The value of
687 options:router-port specifies the name of the Logi‐
688 cal_Router_Port to which this logical switch port is con‐
689 nected.
690
691 localnet
692 A connection to a locally accessible network from
693 ovn-controller instances that have a corresponding bridge
694 mapping. A logical switch can have multiple localnet
695 ports attached. This type is used to model direct connec‐
696 tivity to existing networks. In this case, each chassis
697 should have a mapping for one of the physical networks
698 only. Note: nothing said above implies that a chassis
699 cannot be plugged to multiple physical networks as long
700 as they belong to different switches.
701
702 localport
703 A connection to a local VIF. Traffic that arrives on a
704 localport is never forwarded over a tunnel to another
705 chassis. These ports are present on every chassis and
706 have the same address in all of them. This is used to
707 model connectivity to local services that run on every
708 hypervisor.
709
710 l2gateway
711 A connection to a physical network.
712
713 vtep A port to a logical switch on a VTEP gateway.
714
715 external
716 Represents a logical port which is external and does not have an
717 OVS port in the integration bridge. OVN will never receive any
718 traffic from this port or send any traffic to it. OVN can provide
719 native services like DHCPv4/DHCPv6/DNS for this port. If
720 ha_chassis_group is defined, the ovn-controller running on the
721 master chassis of the HA chassis group will bind this port to
722 provide these native services. It is expected that this port
723 belongs to a bridged logical switch (with a localnet port).
725
726 It is recommended to use the same HA chassis group for
727 all the external ports of a logical switch. Otherwise,
728 the physical switch might see MAC flap issue when differ‐
729 ent chassis provide the native services. For example when
730 supporting native DHCPv4 service, DHCPv4 server mac (con‐
731 figured in options:server_mac column in table
732 DHCP_Options) originating from different ports can cause
733 MAC flap issue. The MAC of the logical router IP(s) can
734 also flap if the same HA chassis group is not set for all
735 the external ports of a logical switch.
736
737 Below are some of the use cases where external ports can
738 be used.
739
740 · VMs connected to SR-IOV NICs - traffic from these VMs
741 bypasses the kernel stack, so the local ovn-controller does
742 not bind these ports and cannot serve the native services.
744
745 · When CMS supports provisioning baremetal servers.
746
747 virtual
748 Represents a logical port which does not have an OVS port
749 in the integration bridge and has a virtual ip configured
750 in the options:virtual-ip column. This virtual ip can
751 move around between the logical ports configured in the
752 options:virtual-parents column.
753
754 One use case for virtual ports:
755
756 · The virtual ip represents a load balancer vip and
757 the virtual parents provide load balancer service
758 in an active-standby setup with the active virtual
759 parent owning the virtual ip.
760
761 remote A remote port models a port that resides on another OVN
762 deployment, on the other side of a transit logical switch used
763 for OVN interconnection. Ports of this type are created by ovn-ic
764 rather than by the CMS. Any change to the port will be
765 automatically overwritten by ovn-ic.
766
767 Options:
768
769 options: map of string-string pairs
770 This column provides key/value settings specific to the logical
771 port type. The type-specific options are described individually
772 below.
773
774 Options for router ports:
775
776 These options apply when type is router.
777
778 options : router-port: optional string
779 Required. The name of the Logical_Router_Port to which this log‐
780 ical switch port is connected.
781
782 options : nat-addresses: optional string
783 This is used to send gratuitous ARPs for SNAT and DNAT IP
784 addresses via the localnet port that is attached to the same
785 logical switch as this router-type port. This option is
786 specified on a logical switch port that is connected to a
787 gateway router, or on a logical switch port that is connected
788 to a distributed gateway port on a logical router.
789
790 This must take one of the following forms:
791
792 router Gratuitous ARPs will be sent for all SNAT and DNAT exter‐
793 nal IP addresses and for all load balancer IP addresses
794 defined on the options:router-port’s logical router,
795 using the options:router-port’s MAC address.
796
797 This form of options:nat-addresses is valid for logical
798 switch ports where options:router-port is the name of a
799 port on a gateway router, or the name of a distributed
800 gateway port.
801
802 Supported only in OVN 2.8 and later. Earlier versions
803 required NAT addresses to be manually synchronized.
804
805 Ethernet address followed by one or more IPv4 addresses
806 Example: 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24.
807 This would result in generation of gratuitous ARPs for IP
808 addresses 158.36.44.22 and 158.36.44.24 with a MAC
809 address of 80:fa:5b:06:72:b7.
810
811 This form of options:nat-addresses is only valid for log‐
812 ical switch ports where options:router-port is the name
813 of a port on a gateway router.
814
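The two forms of options:nat-addresses carry different validity rules (the explicit MAC+IP form is only legal behind a gateway router port, the router form is also legal behind a distributed gateway port), and the router form expands to addresses taken from the router's NAT and load balancer rows. The following Python is an added example, not OVN's ovn-controller logic, that validates a value against those rules and lists the (MAC, IP) pairs gratuitous ARPs would be sent for. The port_kind labels and the SAMPLE_ROUTER rows are constructed; the assumption that Load_Balancer vips keys are IPv4 "ip" or "ip:port" strings is noted in the code.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)

# What options:router-port points at, in the man page's terms (constructed labels).
GATEWAY_ROUTER_PORT = "gateway-router-port"
DISTRIBUTED_GATEWAY_PORT = "distributed-gateway-port"
OTHER_ROUTER_PORT = "other"


def nat_addresses_error(value: str, port_kind: str) -> Optional[str]:
    """Validate options:nat-addresses against the two documented forms and the
    kind of router port the logical switch port is attached to.  None = OK."""
    if value == "router":
        if port_kind not in (GATEWAY_ROUTER_PORT, DISTRIBUTED_GATEWAY_PORT):
            return "the 'router' form needs a gateway router port or a distributed gateway port"
        return None
    tokens = value.split()
    if len(tokens) < 2 or not MAC_RE.match(tokens[0]):
        return "expected 'router' or '<mac> <ipv4> [<ipv4> ...]'"
    for ip in tokens[1:]:
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            return f"{ip!r} is not an IPv4 address"
    if port_kind != GATEWAY_ROUTER_PORT:
        return "the explicit '<mac> <ipv4> ...' form is only valid on a gateway router port"
    return None


def _vip_host(vip: str) -> str:
    # Assumption: Load_Balancer.vips keys are IPv4 "ip" or "ip:port"; drop the port.
    return vip.rsplit(":", 1)[0] if vip.count(":") == 1 else vip


def garp_targets(value: str, port_kind: str, router_port_mac: str,
                 router: Dict[str, list]) -> List[Tuple[str, str]]:
    """(MAC, IP) pairs for which gratuitous ARPs go out of the localnet port.
    The router form uses the router port's MAC and every NAT external IP and
    load balancer VIP on the router; the explicit form uses what it lists."""
    err = nat_addresses_error(value, port_kind)
    if err:
        raise ValueError(err)
    if value == "router":
        ips = [n["external_ip"] for n in router.get("nat", [])]
        ips += [_vip_host(v) for lb in router.get("load_balancer", []) for v in lb["vips"]]
        mac = router_port_mac.lower()
    else:
        mac, *ips = value.split()
        mac = mac.lower()
    seen, out = set(), []
    for ip in ips:
        if ip not in seen:  # a dnat_and_snat rule and a VIP may share an address
            seen.add(ip)
            out.append((mac, ip))
    return out


# Constructed Logical_Router contents (what ovn-nbctl lr-nat-list and lb-list show).
SAMPLE_ROUTER = {
    "nat": [
        {"type": "snat", "external_ip": "158.36.44.22", "logical_ip": "10.0.0.0/24"},
        {"type": "dnat_and_snat", "external_ip": "158.36.44.24", "logical_ip": "10.0.0.5"},
    ],
    "load_balancer": [{"vips": {"158.36.44.100:80": "10.0.0.5:8080,10.0.0.6:8080"}}],
}

if __name__ == "__main__":
    print(garp_targets("router", GATEWAY_ROUTER_PORT, "80:fa:5b:06:72:b7", SAMPLE_ROUTER))
    print(nat_addresses_error("80:fa:5b:06:72:b7 158.36.44.22", DISTRIBUTED_GATEWAY_PORT))
```

Every address listed here is announced on the physical segment with the router port's MAC, so a typo in the explicit form, or a stale entry left after a NAT rule is removed, claims an address on the provider network that nothing behind the router actually serves.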
815 Options for localnet ports:
816
817 These options apply when type is localnet.
818
819 options : network_name: optional string
820 Required. The name of the network to which the localnet port is
821 connected. Each hypervisor, via ovn-controller, uses its local
822 configuration to determine exactly how to connect to this
823 locally accessible network, if at all.
824
825 Options for l2gateway ports:
826
827 These options apply when type is l2gateway.
828
829 options : network_name: optional string
830 Required. The name of the network to which the l2gateway port is
831 connected. The L2 gateway, via ovn-controller, uses its local
832 configuration to determine exactly how to connect to this net‐
833 work.
834
835 options : l2gateway-chassis: optional string
836 Required. The chassis on which the l2gateway logical port should
837 be bound to. ovn-controller running on the defined chassis will
838 connect this logical port to the physical network.
839
840 Options for vtep ports:
841
842 These options apply when type is vtep.
843
844 options : vtep-physical-switch: optional string
845 Required. The name of the VTEP gateway.
846
847 options : vtep-logical-switch: optional string
848 Required. A logical switch name connected by the VTEP gateway.
849
850 VMI (or VIF) Options:
851
852 These options apply to logical ports whose type is the empty string.
853
854 options : requested-chassis: optional string
855 If set, identifies a specific chassis (by name or hostname) that
856 is allowed to bind this port. Using this option will prevent
857 thrashing between two chassis trying to bind the same port dur‐
858 ing a live migration. It can also prevent similar thrashing due
859 to a mis-configuration, if a port is accidentally created on
860 more than one chassis.
861
862 options : qos_max_rate: optional string
863 If set, indicates the maximum rate for data sent from this
864 interface, in bit/s. The traffic will be shaped according to
865 this limit.
866
867 options : qos_burst: optional string
868 If set, indicates the maximum burst size for data sent from this
869 interface, in bits.
870
871 Virtual port Options:
872
873 These options apply when type is virtual.
874
875 options : virtual-ip: optional string
876 This option represents the virtual IPv4 address.
877
878 options : virtual-parents: optional string
879 This option represents a set of logical port names (within the
880 same logical switch) which can own the virtual IP configured in
881 options:virtual-ip. All of these virtual parents should add the
882 virtual IP to their port_security column if port security
883 addresses are enabled.
884
885 IP Multicast Snooping Options:
886
887 These options apply when the port is part of a logical switch which has
888 other_config:mcast_snoop set to true.
889
890 options : mcast_flood: optional string, either true or false
891 If set to true, multicast packets (except reports) are uncondi‐
892 tionally forwarded to the specific port.
893
894 options : mcast_flood_reports: optional string, either true or false
895 If set to true, multicast reports are unconditionally forwarded
896 to the specific port.
897
898 Containers:
899
900 When a large number of containers are nested within a VM, it may be too
901 expensive to dedicate a VIF to each container. OVN can use VLAN tags to
902 support such cases. Each container is assigned a VLAN ID and each
903 packet that passes between the hypervisor and the VM is tagged with the
904 appropriate ID for the container. Such VLAN IDs never appear on a phys‐
905 ical wire, even inside a tunnel, so they need not be unique except rel‐
906 ative to a single VM on a hypervisor.
907
908 These columns are used for VIFs that represent nested containers using
909 shared VIFs. For VMs and for containers that have dedicated VIFs, they
910 are empty.
911
912 parent_name: optional string
913 The VM interface through which the nested container sends its
914 network traffic. This must match the name column for some other
915 Logical_Switch_Port.
916
917 tag_request: optional integer, in range 0 to 4,095
918 The VLAN tag in the network traffic associated with a con‐
919 tainer’s network interface. The client can request ovn-northd to
920 allocate a tag that is unique within the scope of a specific
921 parent (specified in parent_name) by setting a value of 0 in
922 this column. The allocated value is written by ovn-northd in the
923 tag column. (Note that these tags are allocated and managed
924 locally in ovn-northd, so they cannot be reconstructed in the
925 event that the database is lost.) The client can also request a
926 specific non-zero tag and ovn-northd will honor it and copy that
927 value to the tag column.
928
929 When type is set to localnet or l2gateway, this can be set to
930 indicate that the port represents a connection to a specific
931 VLAN on a locally accessible network. The VLAN ID is used to
932 match incoming traffic and is also added to outgoing traffic.
933
934 tag: optional integer, in range 1 to 4,095
935 The VLAN tag allocated by ovn-northd based on the contents of
936 the tag_request column.
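The tag_request to tag allocation described above, modelled as an added example that is not part of this man page or of ovn-northd; the class and method names are this example's own, and the conflict check on explicit requests is an assumption about what a careful CMS would want rather than documented OVN behaviour.

```python
from typing import Dict, Optional


class NestedPort:
    """One Logical_Switch_Port row for a nested container (constructed)."""

    def __init__(self, name: str, parent_name: str, tag_request: int) -> None:
        self.name = name
        self.parent_name = parent_name
        self.tag_request = tag_request      # 0 = allocate for me, else explicit
        self.tag: Optional[int] = None      # what ovn-northd writes to tag


class TagAllocator:
    """Models the tag_request -> tag allocation: tags are unique only within
    the scope of one parent_name, explicit non-zero requests are honored, and
    0 asks for the lowest free tag. A clashing explicit request on the same
    parent is reported rather than silently producing duplicate VLAN IDs."""

    def __init__(self) -> None:
        self._used: Dict[str, Dict[int, str]] = {}   # parent -> {tag: port}

    def assign(self, port: NestedPort) -> int:
        if not 0 <= port.tag_request <= 4095:
            raise ValueError(f"{port.name}: tag_request out of range 0..4095")
        used = self._used.setdefault(port.parent_name, {})
        if port.tag_request != 0:
            owner = used.get(port.tag_request)
            if owner not in (None, port.name):
                raise ValueError(f"{port.name}: tag {port.tag_request} on parent "
                                 f"{port.parent_name} is already used by {owner}")
            tag = port.tag_request
        else:
            # Allocation state lives only here (as in ovn-northd), so it is
            # not recoverable from the tag_request column alone.
            tag = next((t for t in range(1, 4096) if t not in used), None)
            if tag is None:
                raise ValueError(f"{port.parent_name}: no free VLAN tags")
        used[tag] = port.name
        port.tag = tag
        return tag
```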
937
938 Port State:
939
940 up: optional boolean
941 This column is populated by ovn-northd, rather than by the CMS
942 plugin as is most of this database. When a logical port is bound
943 to a physical location in the OVN Southbound database Binding
944 table, ovn-northd sets this column to true; otherwise, or if the
945 port becomes unbound later, it sets it to false. If this column
946 is empty, the port is not considered up. This allows the CMS to
947 wait for a VM’s (or container’s) networking to become active
948 before it allows the VM (or container) to start.
949
950 Logical ports of router type are an exception to this rule. They
951 are considered to be always up, that is this column is always
952 set to true.
953
954 enabled: optional boolean
955 This column is used to administratively set port state. If this
956 column is empty or is set to true, the port is enabled. If this
957 column is set to false, the port is disabled. A disabled port
958 has all ingress and egress traffic dropped.
959
960 Addressing:
961
962 addresses: set of strings
963 Addresses owned by the logical port.
964
965 Each element in the set must take one of the following forms:
966
967 Ethernet address followed by zero or more IPv4 or IPv6 addresses
968 (or both)
969 An Ethernet address defined is owned by the logical port.
970 Like a physical Ethernet NIC, a logical port ordinarily
971 has a single fixed Ethernet address.
972
973 When an OVN logical switch processes a unicast Ethernet
974 frame whose destination MAC address is in a logical
975 port’s addresses column, it delivers it only to that
976 port, as if a MAC learning process had learned that MAC
977 address on the port.
978
979 If IPv4 or IPv6 address(es) (or both) are defined, it
980 indicates that the logical port owns the given IP
981 addresses.
982
983 If IPv4 address(es) are defined, the OVN logical switch
984 uses this information to synthesize responses to ARP
985 requests without traversing the physical network. The OVN
986 logical router connected to the logical switch, if any,
987 uses this information to avoid issuing ARP requests for
988 logical switch ports.
989
990 Note that the order here is important. The Ethernet
991 address must be listed before the IP address(es) if
992 defined.
993
994 Examples:
995
996 80:fa:5b:06:72:b7
997 This indicates that the logical port owns the
998 above MAC address.
999
1000 80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
1001 This indicates that the logical port owns the MAC
1002 address and two IPv4 addresses.
1003
1004 80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1005 This indicates that the logical port owns the MAC
1006 address and one IPv6 address.
1007
1008 80:fa:5b:06:72:b7 10.0.0.4
1009 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1010 This indicates that the logical port owns the MAC
1011 address and one IPv4 address and one IPv6 address.
1012
1013 unknown
1014 This indicates that the logical port has an unknown set
1015 of Ethernet addresses. When an OVN logical switch pro‐
1016 cesses a unicast Ethernet frame whose destination MAC
1017 address is not in any logical port’s addresses column, it
1018 delivers it to the port (or ports) whose addresses col‐
1019 umns include unknown.
1020
1021 dynamic
1022 Use dynamic to make ovn-northd generate a globally unique
1023 MAC address, choose an unused IPv4 address within the logi‐
1024 cal port’s subnet (if other_config:subnet is set in the
1025 port’s Logical_Switch), and generate an IPv6 address from
1026 the MAC address (if other_config:ipv6_prefix is set in
1027 the port’s Logical_Switch) and store them in the port’s
1028 dynamic_addresses column.
1029
1030 Only one element containing dynamic may appear in
1031 addresses.
1032
1033 dynamic ip
1034 dynamic ipv6
1035 dynamic ip ipv6
1036 These act like dynamic alone but specify particular IPv4 or
1037 IPv6 addresses to use. OVN IPAM will still automatically
1038 allocate the other address if configured appropriately.
1039 Example: dynamic 192.168.0.1 2001::1.
1040
1041 mac dynamic
1042 This acts like dynamic alone but specifies a particular MAC
1043 address to use. OVN IPAM will still automatically allocate
1044 IPv4 or IPv6 addresses, or both, if configured appropri‐
1045 ately. Example: 80:fa:5b:06:72:b7 dynamic
1046
1047 router
1048 Accepted only when type is router. This indicates that the
1049 Ethernet, IPv4, and IPv6 addresses for this logical switch
1050 port should be obtained from the connected logical router
1051 port, as specified by router-port in options.
1052
1053 The resulting addresses are used to populate the logical
1054 switch’s destination lookup, and also for the logical
1055 switch to generate ARP and ND replies.
1056
1057 If the connected logical router port has a distributed
1058 gateway port specified and the logical router has rules
1059 specified in nat with external_mac, then those addresses
1060 are also used to populate the switch’s destination lookup.
1061
1062 Supported only in OVN 2.7 and later. Earlier versions
1063 required router addresses to be manually synchronized.
1064
1065 dynamic_addresses: optional string
1066 Addresses assigned to the logical port by ovn-northd, if dynamic
1067 is specified in addresses. Addresses will be of the same format
1068 as those that populate the addresses column. Note that dynami‐
1069 cally assigned addresses are constructed and managed locally in
1070 ovn-northd, so they cannot be reconstructed in the event that
1071 the database is lost.
1072
1073 port_security: set of strings
1074 This column controls the addresses from which the host attached
1075 to the logical port (``the host’’) is allowed to send packets
1076 and to which it is allowed to receive packets. If this column is
1077 empty, all addresses are permitted.
1078
1079 Each element in the set must begin with one Ethernet address.
1080 This would restrict the host to sending packets from and receiv‐
1081 ing packets to the Ethernet addresses defined in the logical
1082 port’s port_security column. It also restricts the inner source
1083 MAC addresses that the host may send in ARP and IPv6 Neighbor
1084 Discovery packets. The host is always allowed to receive packets
1085 to multicast and broadcast Ethernet addresses.
1086
1087 Each element in the set may additionally contain one or more
1088 IPv4 or IPv6 addresses (or both), with optional masks. If a mask
1089 is given, it must be a CIDR mask. In addition to the restric‐
1090 tions described for Ethernet addresses above, such an element
1091 restricts the IPv4 or IPv6 addresses from which the host may
1092 send and to which it may receive packets to the specified
1093 addresses. A masked address, if the host part is zero, indicates
1094 that the host is allowed to use any address in the subnet; if
1095 the host part is nonzero, the mask simply indicates the size of
1096 the subnet. In addition:
1097
1098 · If any IPv4 address is given, the host is also allowed to
1099 receive packets to the IPv4 local broadcast address
1100 255.255.255.255 and to IPv4 multicast addresses
1101 (224.0.0.0/4). If an IPv4 address with a mask is given,
1102 the host is also allowed to receive packets to the broad‐
1103 cast address in that specified subnet.
1104
1105 If any IPv4 address is given, the host is additionally
1106 restricted to sending ARP packets with the specified
1107 source IPv4 address. (RARP is not restricted.)
1108
1109 · If any IPv6 address is given, the host is also allowed to
1110 receive packets to IPv6 multicast addresses (ff00::/8).
1111
1112 If any IPv6 address is given, the host is additionally
1113 restricted to sending IPv6 Neighbor Discovery Solicita‐
1114 tion or Advertisement packets with the specified source
1115 address or, for solicitations, the unspecified address.
1116
1117 If an element includes an IPv4 address, but no IPv6 addresses,
1118 then IPv6 traffic is not allowed. If an element includes an IPv6
1119 address, but no IPv4 address, then IPv4 and ARP traffic is not
1120 allowed.
1121
1122 This column uses the same lexical syntax as the match column in
1123 the OVN Southbound database’s Pipeline table. Multiple addresses
1124 within an element may be space or comma separated.
1125
1126 This column is provided as a convenience to cloud management
1127 systems, but all of the features that it implements can be
1128 implemented as ACLs using the ACL table.
1129
1130 Examples:
1131
1132 80:fa:5b:06:72:b7
1133 The host may send traffic from and receive traffic to the
1134 specified MAC address, and to receive traffic to Ethernet
1135 multicast and broadcast addresses, but not otherwise. The
1136 host may not send ARP or IPv6 Neighbor Discovery packets
1137 with inner source Ethernet addresses other than the one
1138 specified.
1139
1140 80:fa:5b:06:72:b7 192.168.1.10/24
1141 This adds further restrictions to the first example. The
1142 host may send IPv4 packets from or receive IPv4 packets
1143 to only 192.168.1.10, except that it may also receive
1144 IPv4 packets to 192.168.1.255 (based on the subnet mask),
1145 255.255.255.255, and any address in 224.0.0.0/4. The host
1146 may not send ARPs with a source Ethernet address other
1147 than 80:fa:5b:06:72:b7 or source IPv4 address other than
1148 192.168.1.10. The host may not send or receive any IPv6
1149 (including IPv6 Neighbor Discovery) traffic.
1150
1151 "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
1152 The host may send traffic from and receive traffic to the
1153 specified MAC addresses, and to receive traffic to Ether‐
1154 net multicast and broadcast addresses, but not otherwise.
1155 With MAC 80:fa:5b:12:42:ba, the host may send traffic
1156 from and receive traffic to any L3 address. With MAC
1157 80:fa:5b:06:72:b7, the host may send IPv4 packets from or
1158 receive IPv4 packets to only 192.168.1.10, except that it
1159 may also receive IPv4 packets to 192.168.1.255 (based on
1160 the subnet mask), 255.255.255.255, and any address in
1161 224.0.0.0/4. The host may not send or receive any IPv6
1162 (including IPv6 Neighbor Discovery) traffic.
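The port_security rules above, including the three worked examples, as an added example that is not OVN code; the function names are this example's own. It models the send and receive checks for one frame; the source IP restriction on the host's ARP and IPv6 ND packets is the same check as sending from that IP.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PortSecurityElement:
    mac: str
    ip4: List[ipaddress.IPv4Interface] = field(default_factory=list)
    ip6: List[ipaddress.IPv6Interface] = field(default_factory=list)


def parse_port_security(elements: List[str]) -> List[PortSecurityElement]:
    """Each element: one Ethernet address, then optional IPv4/IPv6 addresses
    with optional CIDR masks, separated by spaces or commas."""
    parsed = []
    for element in elements:
        tokens = element.replace(",", " ").split()
        if not tokens:
            raise ValueError("empty port_security element")
        entry = PortSecurityElement(mac=tokens[0].lower())
        for tok in tokens[1:]:
            iface = ipaddress.ip_interface(tok)      # ValueError on junk
            (entry.ip4 if iface.version == 4 else entry.ip6).append(iface)
        parsed.append(entry)
    return parsed


def _l3_allowed(addr, ifaces, receiving: bool) -> bool:
    """Per-family rule: a masked address with host part zero permits the
    whole subnet, otherwise only that exact address. On receive, the subnet
    broadcast of a masked IPv4 entry, 255.255.255.255 and multicast are also
    accepted (for IPv6: multicast only)."""
    for iface in ifaces:
        net = iface.network
        whole_subnet = (iface.ip == net.network_address
                        and net.prefixlen < net.max_prefixlen)
        if (addr in net) if whole_subnet else (addr == iface.ip):
            return True
        if (receiving and addr.version == 4 and net.prefixlen < 32
                and addr == net.broadcast_address):
            return True
    if receiving and addr.is_multicast:
        return True
    if receiving and addr.version == 4 and addr == ipaddress.IPv4Address("255.255.255.255"):
        return True
    return False


def frame_allowed(elements: List[PortSecurityElement], mac: str,
                  ip: Optional[str], receiving: bool) -> bool:
    """Whether the host may send (receiving=False) or receive (receiving=True)
    a frame with this Ethernet address and, if given, this L3 address.
    An empty port_security column permits everything."""
    if not elements:
        return True
    mac = mac.lower()
    # Ethernet multicast/broadcast destinations are always receivable at L2;
    # the L3 address is then still checked against the elements' IPs.
    l2_group = receiving and int(mac.split(":")[0], 16) & 1 == 1
    addr = ipaddress.ip_address(ip) if ip is not None else None
    for e in elements:
        if e.mac != mac and not l2_group:
            continue
        if addr is None or (not e.ip4 and not e.ip6):
            return True                  # MAC-only element: any L3 address
        fam = e.ip4 if addr.version == 4 else e.ip6
        if not fam:
            continue                     # family absent from this element: not allowed by it
        if _l3_allowed(addr, fam, receiving):
            return True
    return False
```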
1163
1164 DHCP:
1165
1166 dhcpv4_options: optional weak reference to DHCP_Options
1167 This column defines the DHCPv4 Options to be included by the
1168 ovn-controller when it replies to the DHCPv4 requests. Please
1169 see the DHCP_Options table.
1170
1171 dhcpv6_options: optional weak reference to DHCP_Options
1172 This column defines the DHCPv6 Options to be included by the
1173 ovn-controller when it replies to the DHCPv6 requests. Please
1174 see the DHCP_Options table.
1175
1176 ha_chassis_group: optional HA_Chassis_Group
1177 References a row in the OVN Northbound database’s HA_Chas‐
1178 sis_Group table. It indicates the HA chassis group to use if the
1179 type is set to external. If type is not external, this column is
1180 ignored.
1181
1182 Naming:
1183
1184 external_ids : neutron:port_name: optional string
1185 This column gives an optional human-friendly name for the port.
1186 This name has no special meaning or purpose other than to pro‐
1187 vide convenience for human interaction with the northbound data‐
1188 base.
1189
1190 Neutron copies this from its own port object’s name. (Neutron
1191 ports are not assigned human-friendly names by default, so it
1192 will often be empty.)
1193
1194 Tunnel Key:
1195
1196 options : requested-tnl-key: optional string, containing an integer, in
1197 range 1 to 32,767
1198 Configures the port binding tunnel key for the port. Usually
1199 this is not needed because ovn-northd will assign a unique key
1200 for each port by itself. However, if it is configured,
1201 ovn-northd honors the configured value. The typical use case is
1202 for interconnection: the tunnel keys for ports on transit
1203 switches need to be unique globally, so they are maintained in
1204 the global OVN_IC_Southbound database, and ovn-ic simply syncs
1205 the value from OVN_IC_Southbound through this config.
1206
1207 Common Columns:
1208
1209 external_ids: map of string-string pairs
1210 See External IDs at the beginning of this document.
1211
1212 The ovn-northd program copies all these pairs into the exter‐
1213 nal_ids column of the Port_Binding table in OVN_Southbound data‐
1214 base.
1215
1216 Forwarding_Group TABLE
1217 Each row represents one forwarding group.
1218
1219 Summary:
1220 name string
1221 vip string
1222 vmac string
1223 liveness boolean
1224 child_port set of 1 or more strings
1225 Common Columns:
1226 external_ids map of string-string pairs
1227
1228 Details:
1229 name: string
1230 A name for the forwarding group. This name has no special mean‐
1231 ing or purpose other than to provide convenience for human
1232 interaction with the ovn-nb database.
1233
1234 vip: string
1235 The virtual IP address assigned to the forwarding group. It will
1236 respond with vmac when an ARP request is sent for vip.
1237
1238 vmac: string
1239 The virtual MAC address assigned to the forwarding group.
1240
1241 liveness: boolean
1242 If set to true, liveness is enabled for child ports; otherwise it
1243 is disabled.
1244
1245 child_port: set of 1 or more strings
1246 List of child ports in the forwarding group.
1247
1248 Common Columns:
1249
1250 external_ids: map of string-string pairs
1251 See External IDs at the beginning of this document.
1252
1253 Address_Set TABLE
1254 Each row in this table represents a named set of addresses. An address
1255 set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
1256 or CIDR masks. Address sets may ultimately be used in ACLs to compare
1257 against fields such as ip4.src or ip6.src. A single address set must
1258 contain addresses of the same type. As an example, the following would
1259 create an address set with three IP addresses:
1260
1261 ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'
1262
1263
1264 Address sets may be used in the match column of the ACL table. For syn‐
1265 tax information, see the details of the expression language used for
1266 the match column in the Logical_Flow table of the OVN_Southbound data‐
1267 base.
1268
1269 Summary:
1270 name string (must be unique within table)
1271 addresses set of strings
1272 Common Columns:
1273 external_ids map of string-string pairs
1274
1275 Details:
1276 name: string (must be unique within table)
1277 A name for the address set. Names are ASCII and must match
1278 [a-zA-Z_.][a-zA-Z_.0-9]*.
1279
1280 addresses: set of strings
1281 The set of addresses in string form.
1282
1283 Common Columns:
1284
1285 external_ids: map of string-string pairs
1286 See External IDs at the beginning of this document.
1287
1288 Port_Group TABLE
1289 Each row in this table represents a named group of logical switch
1290 ports.
1291
1292 Port groups may be used in the match column of the ACL table. For syn‐
1293 tax information, see the details of the expression language used for
1294 the match column in the Logical_Flow table of the OVN_Southbound data‐
1295 base.
1296
1297 For each port group, two address sets are generated in the
1298 Address_Set table of the OVN_Southbound database, containing the IP
1299 addresses of the group of ports, one for IPv4, and the other for IPv6,
1300 with name being the name of the Port_Group followed by a suffix _ip4
1301 for IPv4 and _ip6 for IPv6. The generated address sets can be used in
1302 the same way as regular address sets in the match column of the ACL ta‐
1303 ble. For syntax information, see the details of the expression language
1304 used for the match column in the Logical_Flow table of the OVN_South‐
1305 bound database.
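As an added example that is not OVN code, the following parses the addresses column forms described for Logical_Switch_Port above (including the dynamic and router forms and the "Ethernet address first" rule) and derives the _ip4 and _ip6 address sets that this section says ovn-northd generates for a port group. The function and class names are this example's own, and it assumes the ports are plain VIF ports whose IPs are already in addresses rather than in dynamic_addresses.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
NAME_RE = re.compile(r"^[a-zA-Z_.][a-zA-Z_.0-9]*$")   # Address_Set / Port_Group names


@dataclass
class ParsedAddress:
    kind: str                      # "static", "unknown", "dynamic" or "router"
    mac: Optional[str] = None      # absent for unknown, router and plain dynamic
    ip4: List[str] = field(default_factory=list)
    ip6: List[str] = field(default_factory=list)


def _add_ips(addr: ParsedAddress, tokens: List[str]) -> None:
    # Everything after the Ethernet address (or after "dynamic") must be an IP.
    for tok in tokens:
        ip = ipaddress.ip_address(tok)           # ValueError on anything else
        (addr.ip4 if ip.version == 4 else addr.ip6).append(str(ip))


def parse_address_element(element: str, port_type: str = "") -> ParsedAddress:
    """Parse one element of the addresses column, in the forms listed above:
    "<mac> [ip ...]", "unknown", "dynamic [ip4] [ip6]", "<mac> dynamic" and
    "router" (the last only when the port's type is router)."""
    tokens = element.split()
    if not tokens:
        raise ValueError("empty addresses element")
    if tokens == ["unknown"]:
        return ParsedAddress("unknown")
    if tokens == ["router"]:
        if port_type != "router":
            raise ValueError("'router' is accepted only when type is router")
        return ParsedAddress("router")
    if tokens[0] == "dynamic":
        addr = ParsedAddress("dynamic")
        _add_ips(addr, tokens[1:])
        return addr
    if not MAC_RE.match(tokens[0]):
        # Order matters: the Ethernet address must come before any IP.
        raise ValueError(f"element must start with an Ethernet address: {element!r}")
    if tokens[1:] == ["dynamic"]:
        return ParsedAddress("dynamic", mac=tokens[0].lower())
    addr = ParsedAddress("static", mac=tokens[0].lower())
    _add_ips(addr, tokens[1:])
    return addr


def validate_addresses(elements: List[str], port_type: str = "") -> List[ParsedAddress]:
    """Parse a whole addresses set; at most one element may contain dynamic."""
    parsed = [parse_address_element(e, port_type) for e in elements]
    if sum(p.kind == "dynamic" for p in parsed) > 1:
        raise ValueError("only one element containing dynamic may appear in addresses")
    return parsed


def port_group_address_sets(pg_name: str, ports: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Derive the <name>_ip4 and <name>_ip6 address sets that ovn-northd
    generates for a port group. `ports` maps VIF port name -> addresses set."""
    if not NAME_RE.match(pg_name):
        raise ValueError(f"port group name {pg_name!r} must match [a-zA-Z_.][a-zA-Z_.0-9]*")
    ip4, ip6 = set(), set()
    for elements in ports.values():
        for p in validate_addresses(elements):
            ip4.update(p.ip4)
            ip6.update(p.ip6)
    return {f"{pg_name}_ip4": sorted(ip4), f"{pg_name}_ip6": sorted(ip6)}
```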
1306
1307 Summary:
1308 name string (must be unique within table)
1309 ports set of weak reference to Logi‐
1310 cal_Switch_Ports
1311 acls set of ACLs
1312 Common Columns:
1313 external_ids map of string-string pairs
1314
1315 Details:
1316 name: string (must be unique within table)
1317 A name for the port group. Names are ASCII and must match
1318 [a-zA-Z_.][a-zA-Z_.0-9]*.
1319
1320 ports: set of weak reference to Logical_Switch_Ports
1321 The logical switch ports belonging to the group, as UUIDs.
1322
1323 acls: set of ACLs
1324 Access control rules that apply to the port group. Applying an
1325 ACL to a port group has the same effect as applying the ACL to
1326 all logical switches that the ports of the port group belong
1327 to.
1328
1329 Common Columns:
1330
1331 external_ids: map of string-string pairs
1332 See External IDs at the beginning of this document.
1333
1334 Load_Balancer TABLE
1335 Each row represents one load balancer.
1336
1337 Summary:
1338 name string
1339 vips map of string-string pairs
1340 protocol optional string, one of sctp, tcp, or udp
1341 Health Checks:
1342 health_check set of Load_Balancer_Health_Checks
1343 ip_port_mappings map of string-string pairs
1344 selection_fields set of strings, one of eth_dst, eth_src,
1345 ip_dst, ip_src, tp_dst, or tp_src
1346 Common Columns:
1347 external_ids map of string-string pairs
1348 Load_Balancer options:
1349 options : reject optional string, either true or false
1350 options : hairpin_snat_ip optional string
1351
1352 Details:
1353 name: string
1354 A name for the load balancer. This name has no special meaning
1355 or purpose other than to provide convenience for human interac‐
1356 tion with the ovn-nb database.
1357
1358 vips: map of string-string pairs
1359 A map of virtual IP addresses (and an optional port number with
1360 : as a separator) associated with this load balancer and their
1361 corresponding endpoint IP addresses (and optional port numbers
1362 with : as separators) separated by commas. If the destination IP
1363 address (and port number) of a packet leaving a container or a
1364 VM matches the virtual IP address (and port number) provided
1365 here as a key, then OVN will statefully replace the destination
1366 IP address by one of the provided IP addresses (and port number)
1367 in this map as a value. IPv4 and IPv6 addresses are supported
1368 for load balancing; however a VIP of one address family may not
1369 be mapped to a destination IP address of a different family. If
1370 specifying an IPv6 address with a port, the address portion must
1371 be enclosed in square brackets. Examples for keys are
1372 "192.168.1.4" and "[fd0f::1]:8800". Examples of values are
1373 "10.0.0.1, 10.0.0.2" and "20.0.0.10:8800, 20.0.0.11:8800".
1374
1375 When the Load_Balancer is added to the logical switch, the VIP
1376 has to be in a different subnet than the one used for the logi‐
1377 cal switch. Since the VIP is in a different subnet, you should
1378 connect your logical switch to either an OVN logical router or a
1379 real router (this is because the client can now send a packet
1380 with the VIP as the destination IP address and the router’s MAC
1381 address as the destination MAC address).
1382
1383 protocol: optional string, one of sctp, tcp, or udp
1384 Valid protocols are tcp, udp, or sctp. This column is useful
1385 when a port number is provided as part of the vips column. If
1386 this column is empty and a port number is provided as part of
1387 vips column, OVN assumes the protocol to be tcp.
1388
1389 Health Checks:
1390
1391 OVN supports health checks for load balancer endpoints, for IPv4 load
1392 balancers only. When health checks are enabled, the load balancer uses
1393 only healthy endpoints.
1394
1395 Suppose that vips contains a key-value pair
1396 10.0.0.10:80=10.0.0.4:8080,20.0.0.4:8080. To enable health checks for
1397 this virtual’s endpoints, add two key-value pairs to ip_port_mappings,
1398 with keys 10.0.0.4 and 20.0.0.4, and add to health_check a reference to
1399 a Load_Balancer_Health_Check row whose vip is set to 10.0.0.10.
1400
1401 health_check: set of Load_Balancer_Health_Checks
1402 Load balancer health checks associated with this load balancer.
1403
1404 ip_port_mappings: map of string-string pairs
1405 Maps from endpoint IP to a colon-separated pair of logical port
1406 name and source IP, e.g. port_name:source_ip. Health checks are
1407 sent to this port with the specified source IP.
1408
1409 In the example above, IP to port mappings might be
1410 defined as 10.0.0.4=sw0-p1:10.0.0.2 and
1411 20.0.0.4=sw1-p1:20.0.0.2, if the values given were suitable
1412 ports and IP addresses.
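The vips format (bracketed IPv6, address-family and port consistency, the tcp default) and the health check wiring described above, as an added example that is not OVN code; the function names are this example's own. The health check row is matched by the VIP with or without its port, since the text above gives the bare VIP.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: Optional[int]


def parse_endpoint(text: str) -> Endpoint:
    """'192.168.1.4', '10.0.0.1:8080' or '[fd0f::1]:8800'; an IPv6 address
    with a port must be bracketed, so a single-colon form is IPv4 with port."""
    text = text.strip()
    if text.startswith("["):
        host, sep, rest = text[1:].partition("]")
        if sep != "]" or not rest.startswith(":"):
            raise ValueError(f"bad bracketed IPv6 endpoint {text!r}")
        return Endpoint(str(ipaddress.ip_address(host)), int(rest[1:]))
    if text.count(":") == 1:                                   # IPv4 with port
        host, port = text.split(":")
        return Endpoint(str(ipaddress.ip_address(host)), int(port))
    return Endpoint(str(ipaddress.ip_address(text)), None)     # bare IPv4 or IPv6


def parse_vips(vips: Dict[str, str]) -> Dict[Endpoint, List[Endpoint]]:
    """Expand the vips column into VIP -> backends, enforcing the stated
    constraints: backends share the VIP's address family, and a port on the
    VIP goes with a port on every backend."""
    result: Dict[Endpoint, List[Endpoint]] = {}
    for key, value in vips.items():
        vip = parse_endpoint(key)
        backends = [parse_endpoint(v) for v in value.split(",") if v.strip()]
        if not backends:
            raise ValueError(f"VIP {key} has no backends")
        family = ipaddress.ip_address(vip.ip).version
        for b in backends:
            if ipaddress.ip_address(b.ip).version != family:
                raise ValueError(f"VIP {key}: backend {b.ip} is a different address family")
            if (b.port is None) != (vip.port is None):
                raise ValueError(f"VIP {key}: port given on only one side")
        result[vip] = backends
    return result


def effective_protocol(vips: Dict[str, str], protocol: Optional[str]) -> Optional[str]:
    """The protocol OVN applies: the column value if set, otherwise tcp when
    a VIP carries a port number, otherwise none (address-only balancing)."""
    if protocol not in (None, "tcp", "udp", "sctp"):
        raise ValueError(f"unsupported protocol {protocol!r}")
    if protocol:
        return protocol
    return "tcp" if any(parse_endpoint(k).port is not None for k in vips) else None


def health_check_gaps(vips: Dict[str, str], ip_port_mappings: Dict[str, str],
                      health_check_vips: Sequence[str]) -> List[str]:
    """What is still missing for health checks to cover every backend: an
    ip_port_mappings entry 'port_name:source_ip' per backend IP and a
    Load_Balancer_Health_Check row for the VIP. IPv6 VIPs are reported as
    unsupported, since health checks are IPv4-only."""
    parse_vips(vips)                         # reject malformed input first
    problems: List[str] = []
    for key, value in vips.items():
        vip = parse_endpoint(key)
        backends = [parse_endpoint(v) for v in value.split(",") if v.strip()]
        if ipaddress.ip_address(vip.ip).version == 6:
            problems.append(f"{key}: health checks are not supported for IPv6")
            continue
        if vip.ip not in health_check_vips and key not in health_check_vips:
            problems.append(f"{key}: no Load_Balancer_Health_Check row for this vip")
        for b in backends:
            port_name, sep, source_ip = (ip_port_mappings.get(b.ip) or "").partition(":")
            try:
                ok = sep == ":" and bool(port_name) and ipaddress.ip_address(source_ip).version == 4
            except ValueError:
                ok = False
            if not ok:
                problems.append(f"{key}: backend {b.ip} needs an ip_port_mappings "
                                f"entry of the form port_name:source_ip")
    return problems
```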
1413
1414 selection_fields: set of strings, one of eth_dst, eth_src, ip_dst,
1415 ip_src, tp_dst, or tp_src
1416 OVN native load balancers are supported using the OpenFlow
1417 groups of type select. OVS supports two selection methods:
1418 dp_hash and hash (with optional fields specified) in selecting
1419 the buckets of a group. Please see the OVS documentation (man
1420 ovs-ofctl) for more details on the selection methods. Each end‐
1421 point IP (and port if set) is mapped to a bucket in the group
1422 flow.
1423
1424 The CMS can choose the hash selection method by setting the
1425 selection fields in this column. ovs-vswitchd uses the specified
1426 fields in generating the hash.
1427
1428 The dp_hash selection method uses the datapath to calculate the
1429 hash and is expected to be faster than the hash selection
1430 method, so the CMS should take this into consideration before
1431 using the hash method. Please consult the OVS documentation and
1432 OVS sources for the implementation details.
1433
1434 Common Columns:
1435
1436 external_ids: map of string-string pairs
1437 See External IDs at the beginning of this document.
1438
1439 Load_Balancer options:
1440
1441 options : reject: optional string, either true or false
1442 If the load balancer is created with the --reject option and it
1443 has no active backends, a TCP reset segment (for tcp) or an ICMP
1444 port unreachable packet (for all other kinds of traffic) will be
1445 sent whenever an incoming packet is received for this load bal‐
1446 ancer. Please note that using the --reject option disables the
1447 empty_lb SB controller event for this load balancer.
1448
1449 options : hairpin_snat_ip: optional string
1450 IP to be used as source IP for packets that have been hair-
1451 pinned after load balancing. The default behavior when the
1452 option is not set is to use the load balancer VIP as source IP.
1453 This option may have exactly one IPv4 and/or one IPv6 address on
1454 it, separated by a space character.
1455
1456 Load_Balancer_Health_Check TABLE
1457 Each row represents one load balancer health check. Health checks are
1458 supported for IPv4 load balancers only.
1459
1460 Summary:
1461 vip string
1462 Health check options:
1463 options : interval optional string, containing an integer
1464 options : timeout optional string, containing an integer
1465 options : success_count optional string, containing an integer
1466 options : failure_count optional string, containing an integer
1467 Common Columns:
1468 external_ids map of string-string pairs
1469
1470 Details:
1471 vip: string
1472 The VIP whose endpoints should be monitored by the health check.
1473
1474 Health check options:
1475
1476 options : interval: optional string, containing an integer
1477 The interval, in seconds, between health checks.
1478
1479 options : timeout: optional string, containing an integer
1480 The time, in seconds, after which a health check times out.
1481
1482 options : success_count: optional string, containing an integer
1483 The number of successful checks after which the endpoint is con‐
1484 sidered online.
1485
1486 options : failure_count: optional string, containing an integer
1487 The number of failed checks after which the endpoint is consid‐
1488 ered offline.
1489
1490 Common Columns:
1491
1492 external_ids: map of string-string pairs
1493 See External IDs at the beginning of this document.
1494
1495 ACL TABLE
1496 Each row in this table represents one ACL rule for a logical switch or
1497 a port group that points to it through its acls column. The action col‐
1498 umn for the highest-priority matching row in this table determines a
1499 packet’s treatment. If no row matches, packets are allowed by default.
1500 (Default-deny treatment is possible: add a rule with priority 0, 1 as
1501 match, and deny as action.)
1502
1503 Summary:
1504 priority integer, in range 0 to 32,767
1505 direction string, either from-lport or to-lport
1506 match string
1507 action string, one of allow-related, allow,
1508 drop, or reject
1509 Logging:
1510 log boolean
1511 name optional string, at most 63 characters
1512 long
1513 severity optional string, one of alert, debug,
1514 info, notice, or warning
1515 meter optional string
1516 Common Columns:
1517 external_ids map of string-string pairs
1518
1519 Details:
1520 priority: integer, in range 0 to 32,767
1521 The ACL rule’s priority. Rules with numerically higher priority
1522 take precedence over those with lower. If two ACL rules with the
1523 same priority both match, then the one actually applied to a
1524 packet is undefined.
1525
1526 Return traffic from an allow-related flow is always allowed and
1527 cannot be changed through an ACL.
1528
1529 direction: string, either from-lport or to-lport
1530 Direction of the traffic to which this rule should apply:
1531
1532 · from-lport: Used to implement filters on traffic arriving
1533 from a logical port. These rules are applied to the logi‐
1534 cal switch’s ingress pipeline.
1535
1536 · to-lport: Used to implement filters on traffic forwarded
1537 to a logical port. These rules are applied to the logical
1538 switch’s egress pipeline.
1539
1540 match: string
1541 The packets that the ACL should match, in the same expression
1542 language used for the match column in the OVN Southbound data‐
1543 base’s Logical_Flow table. The outport logical port is only
1544 available in the to-lport direction (the inport is available in
1545 both directions).
1546
1547 By default all traffic is allowed. When writing a more restric‐
1548 tive policy, it is important to remember to allow flows such as
1549 ARP and IPv6 neighbor discovery packets.
1550
1551 Note that you cannot create an ACL matching on a port with
1552 type=router or type=localnet.
1553
1554 action: string, one of allow-related, allow, drop, or reject
1555 The action to take when the ACL rule matches:
1556
1557 · allow: Forward the packet.
1558
1559 · allow-related: Forward the packet and related traffic
1560 (e.g. inbound replies to an outbound connection).
1561
1562 · drop: Silently drop the packet.
1563
1564 · reject: Drop the packet, replying with a RST for TCP or
1565 ICMPv4/ICMPv6 unreachable message for other
1566 IPv4/IPv6-based protocols.
1567
1568 Logging:
1569
1570 These columns control whether and how OVN logs packets that match an
1571 ACL.
1572
1573 log: boolean
1574 If set to true, packets that match the ACL will trigger a log
1575 message on the transport node or nodes that perform ACL process‐
1576 ing. Logging may be combined with any action.
1577
1578 If set to false, the remaining columns in this group have no
1579 significance.
1580
1581 name: optional string, at most 63 characters long
1582 This name, if it is provided, is included in log records. It
1583 provides the administrator and the cloud management system a way
1584 to associate a log record with a particular ACL.
1585
1586 severity: optional string, one of alert, debug, info, notice, or warn‐
1587 ing
1588 The severity of the ACL. The severity levels match those of sys‐
1589 log, in decreasing level of severity: alert, warning, notice,
1590 info, or debug. When the column is empty, the default is info.
1591
1592 meter: optional string
1593 The name of a meter to rate-limit log messages for the ACL. The
1594 string must match the name column of a row in the Meter table.
1595 By default, log messages are not rate-limited. In order to
1596 ensure that the same Meter rate limits multiple ACL logs sepa‐
1597 rately, set the fair column.
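The constraints this table documents (priority range, direction, outport only in to-lport, the four actions, the logging columns, default allow unless a priority 0 match 1 rule drops, undefined outcome for equal-priority matches, and keeping ARP and IPv6 ND allowed) as a lint that a CMS could run before writing rows, added here as an example that is not OVN code; the names and the ARP/ND regex heuristic are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

ACTIONS = {"allow-related", "allow", "drop", "reject"}
DIRECTIONS = ("from-lport", "to-lport")
SEVERITIES = {"alert", "warning", "notice", "info", "debug"}
# Heuristic: matches that admit ARP / IPv6 ND, which a restrictive policy
# must still allow explicitly.
NEIGHBOR_RE = re.compile(r"\b(arp|nd|nd_ns|nd_na|icmp6)\b")


@dataclass
class AclRow:
    priority: int
    direction: str
    match: str
    action: str
    log: bool = False
    name: Optional[str] = None
    severity: Optional[str] = None
    meter: Optional[str] = None


def lint_acl(row: AclRow, meter_names: Sequence[str] = ()) -> List[str]:
    """Per-row checks taken from the column descriptions above."""
    errs: List[str] = []
    if not 0 <= row.priority <= 32767:
        errs.append("priority must be in range 0 to 32,767")
    if row.direction not in DIRECTIONS:
        errs.append("direction must be from-lport or to-lport")
    if row.action not in ACTIONS:
        errs.append(f"action must be one of {sorted(ACTIONS)}")
    if not row.match.strip():
        errs.append("match must not be empty")
    if row.direction == "from-lport" and re.search(r"\boutport\b", row.match):
        errs.append("outport is only available in the to-lport direction")
    if row.log:                   # the other logging columns only matter when log is true
        if row.name is not None and len(row.name) > 63:
            errs.append("name must be at most 63 characters long")
        if row.severity is not None and row.severity not in SEVERITIES:
            errs.append(f"severity must be one of {sorted(SEVERITIES)}")
        if row.meter is not None and row.meter not in meter_names:
            errs.append("meter must match the name of a row in the Meter table")
    return errs


def lint_acl_set(rows: Sequence[AclRow], meter_names: Sequence[str] = ()) -> List[str]:
    """Whole-set checks: per-row errors, a default-deny rule per direction
    (priority 0, match 1, drop or reject), ARP/ND still allowed when there is
    one, and equal-priority identical matches with different actions, whose
    outcome the table says is undefined."""
    problems: List[str] = []
    for i, r in enumerate(rows):
        problems += [f"row {i}: {e}" for e in lint_acl(r, meter_names)]
    for d in DIRECTIONS:
        has_default_deny = any(r.direction == d and r.priority == 0
                               and r.match.strip() == "1"
                               and r.action in ("drop", "reject") for r in rows)
        if not has_default_deny:
            problems.append(f"{d}: no default-deny rule (priority 0, match 1)")
        elif not any(r.direction == d and r.action.startswith("allow")
                     and NEIGHBOR_RE.search(r.match) for r in rows):
            problems.append(f"{d}: default deny without an allow for ARP/IPv6 ND")
    first: dict = {}
    for i, r in enumerate(rows):
        key = (r.direction, r.priority, r.match.strip())
        j = first.setdefault(key, i)
        if j != i and rows[j].action != r.action:
            problems.append(f"rows {j} and {i}: same priority and match with "
                            f"different actions; which one applies is undefined")
    return problems
```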
1598
1599 Common Columns:
1600
1601 external_ids: map of string-string pairs
1602 See External IDs at the beginning of this document.
1603
1604 Logical_Router TABLE
1605 Each row represents one L3 logical router.
1606
1607 Summary:
1608 ports set of Logical_Router_Ports
1609 static_routes set of Logical_Router_Static_Routes
1610 policies set of Logical_Router_Policys
1611 enabled optional boolean
1612 nat set of NATs
1613 load_balancer set of weak reference to Load_Balancers
1614 Naming:
1615 name string
1616 external_ids : neutron:router_name
1617 optional string
1618 Options:
1619 options : chassis optional string
1620 options : dnat_force_snat_ip
1621 optional string
1622 options : lb_force_snat_ip optional string
1623 options : mcast_relay optional string, either true or false
1624 options : dynamic_neigh_routers
1625 optional string, either true or false
1626 options : always_learn_from_arp_request
1627 optional string, either true or false
1628 options : requested-tnl-key
1629 optional string, containing an integer,
1630 in range 1 to 16,777,215
1631 options : snat-ct-zone optional string, containing an integer,
1632 in range 0 to 65,535
1633 Common Columns:
1634 external_ids map of string-string pairs
1635
1636 Details:
1637 ports: set of Logical_Router_Ports
1638 The router’s ports.
1639
1640 static_routes: set of Logical_Router_Static_Routes
1641 Zero or more static routes for the router.
1642
1643 policies: set of Logical_Router_Policys
1644 Zero or more routing policies for the router.
1645
1646 enabled: optional boolean
1647 This column is used to administratively set router state. If
1648 this column is empty or is set to true, the router is enabled.
1649 If this column is set to false, the router is disabled. A dis‐
1650 abled router has all ingress and egress traffic dropped.
1651
1652 nat: set of NATs
1653 One or more NAT rules for the router. NAT rules only work on
1654 Gateway routers, and on distributed routers with logical gateway
1655 ports.
1656
1657 load_balancer: set of weak reference to Load_Balancers
1658 Load balance a virtual IP address to a set of logical port IP
1659 addresses. Load balancer rules only work on the Gateway routers
1660 or routers with distributed gateway ports.
1661
1662 Naming:
1663
1664 These columns provide names for the logical router. From OVN’s perspec‐
1665 tive, these names have no special meaning or purpose other than to pro‐
1666 vide convenience for human interaction with the northbound database.
1667 There is no requirement for the name to be unique. (For a unique iden‐
1668 tifier for a logical router, use its row UUID.)
1669
1670 (Originally, name was intended to serve the purpose of a human-friendly
1671 name, but the Neutron integration used it to uniquely identify its own
1672 router object, in the format neutron-uuid. Later on, Neutron started
1673 propagating the friendly name of a router as external_ids:neu‐
1674 tron:router_name. Perhaps this can be cleaned up someday.)
1675
1676 name: string
1677 A name for the logical router.
1678
1679 external_ids : neutron:router_name: optional string
1680 Another name for the logical router.
1681
1682 Options:
1683
1684 Additional options for the logical router.
1685
1686 options : chassis: optional string
1687 If set, indicates that the logical router in question is a Gate‐
1688 way router (which is centralized) and resides in the set chas‐
1689 sis. The same value is also used by ovn-controller to uniquely
1690 identify the chassis in the OVN deployment and comes from exter‐
1691 nal_ids:system-id in the Open_vSwitch table of Open_vSwitch
1692 database.
1693
1694 The Gateway router can only be connected to a distributed router
1695 via a switch if SNAT and DNAT are to be configured in the Gate‐
1696 way router.
1697
1698 options : dnat_force_snat_ip: optional string
1699 If set, indicates a set of IP addresses to use to force SNAT a
1700 packet that has already been DNATed in the gateway router. When
1701 multiple gateway routers are configured, a packet can poten‐
1702 tially enter any of the gateway routers, get DNATted and eventu‐
1703 ally reach the logical switch port. For the return traffic to go
1704 back to the same gateway router (for unDNATing), the packet
1705 needs a SNAT in the first place. This can be achieved by setting
1706 the above option with a gateway specific set of IP addresses.
1707 This option may have exactly one IPv4 and/or one IPv6 address on
1708 it, separated by a space.
1709
1710 options : lb_force_snat_ip: optional string
1711 If set, indicates a set of IP addresses to use to force SNAT a
1712 packet that has already been load-balanced in the gateway
1713 router. When multiple gateway routers are configured, a packet
1714 can potentially enter any of the gateway routers, get DNATted as
1715 part of the load-balancing and eventually reach the logical
1716 switch port. For the return traffic to go back to the same gate‐
1717 way router (for unDNATing), the packet needs a SNAT in the first
1718 place. This can be achieved by setting the above option with a
1719 gateway specific set of IP addresses. This option may have
1720 exactly one IPv4 and/or one IPv6 address on it, separated by a
1721 space character.
1722
1723 options : mcast_relay: optional string, either true or false
1724 Enables/disables IP multicast relay between logical switches
1725 connected to the logical router. Default: False.
1726
1727 options : dynamic_neigh_routers: optional string, either true or false
1728 If set to true, the router will resolve neighbor routers’ MAC
1729 addresses only by dynamic ARP/ND, instead of prepopulating
1730 static mappings for all neighbor routers in the ARP/ND Resolu‐
1731 tion stage. This reduces the number of flows, but requires ARP/ND
1732 messages to resolve the IP-MAC bindings when needed. It is false
1733 by default. It is recommended to set to true when a large number
1734 of logical routers are connected to the same logical switch but
1735 most of them never need to send traffic between each other.
1736
1737 options : always_learn_from_arp_request: optional string, either true
1738 or false
1739 This option controls the behavior when handling IPv4 ARP
1740 requests or IPv6 ND-NS packets - whether a dynamic neighbor (MAC
1741 binding) entry is added/updated.
1742
1743 true - Always learn the MAC-IP binding, and add/update the MAC
1744 binding entry.
1745
1746 false - If there is a MAC binding for that IP and the MAC is
1747 different, or if the target IP (TPA) of the ARP request belongs
1748 to any router port on this router, then update/add that MAC-IP
1749 binding. Otherwise, don’t update/add entries.
1750
1751 It is true by default. It is recommended to set to false when a
1752 large number of logical routers are connected to the same logi‐
1753 cal switch but most of them never need to send traffic between
1754 each other, to reduce the size of the MAC binding table.
1755
1756 options : requested-tnl-key: optional string, containing an integer, in
1757 range 1 to 16,777,215
1758 Configures the datapath tunnel key for the logical router. This
1759 is not needed because ovn-northd will assign a unique key for
1760 each datapath by itself. However, if it is configured,
1761 ovn-northd honors the configured value.
1762
1763 options : snat-ct-zone: optional string, containing an integer, in
1764 range 0 to 65,535
1765 Use the requested conntrack zone for SNAT with this router. This
1766 can be useful if egress traffic from the host running OVN comes
1767 from both OVN and other sources. This way, OVN and the other
1768 sources can make use of the same conntrack zone.
1769
1770 Common Columns:
1771
1772 external_ids: map of string-string pairs
1773 See External IDs at the beginning of this document.
1774
1775 QoS TABLE
1776 Each row in this table represents one QoS rule for a logical switch
1777 that points to it through its qos_rules column. Two types of QoS are
1778 supported: DSCP marking and metering. A match with the highest-priority
1779 will have QoS applied to it. If the action column is specified, then
1780 matching packets will have DSCP marking applied. If the bandwidth col‐
1781 umn is specified, then matching packets will have metering applied.
1782 action and bandwidth are not exclusive, so both marking and metering may
1783 be defined for the same QoS entry. If no row matches, packets will not
1784 have any QoS applied.
1785
1786 Summary:
1787 priority integer, in range 0 to 32,767
1788 direction string, either from-lport or to-lport
1789 match string
1790 action map of string-integer pairs, key must be
1791 dscp, value in range 0 to 63
1792 bandwidth map of string-integer pairs, key either
1793 burst or rate, value in range 1 to
1794 4,294,967,295
1795 external_ids map of string-string pairs
1796
1797 Details:
1798 priority: integer, in range 0 to 32,767
1799 The QoS rule’s priority. Rules with numerically higher priority
1800 take precedence over those with lower. If two QoS rules with the
1801 same priority both match, then the one actually applied to a
1802 packet is undefined.
1803
1804 direction: string, either from-lport or to-lport
1805 The value of this field has the same meaning as the direction
1806 column in the OVN Northbound database’s ACL table.
1807
1808 match: string
1809 The packets that the QoS rules should match, in the same expres‐
1810 sion language used for the match column in the OVN Southbound
1811 database’s Logical_Flow table. The outport logical port is only
1812 available in the to-lport direction (the inport is available in
1813 both directions).
1814
1815 action: map of string-integer pairs, key must be dscp, value in range 0
1816 to 63
1817 When specified, matching flows will have DSCP marking applied.
1818
1819 · dscp: The value of this action should be in the range of
1820 0 to 63 (inclusive).
1821
1822 bandwidth: map of string-integer pairs, key either burst or rate, value
1823 in range 1 to 4,294,967,295
1824 When specified, matching packets will have bandwidth metering
1825 applied. Traffic over the limit will be dropped.
1826
1827 · rate: The value of rate limit in kbps.
1828
1829 · burst: The value of burst rate limit in kilobits. This is
1830 optional, but may only be set together with rate.
1831
1832 external_ids: map of string-string pairs
1833 See External IDs at the beginning of this document.
1834
1835 Meter TABLE
1836 Each row in this table represents a meter that can be used for QoS or
1837 rate-limiting.
1838
1839 Summary:
1840 name string (must be unique within table)
1841 unit string, either kbps or pktps
1842 bands set of 1 or more Meter_Bands
1843 fair optional boolean
1844 external_ids map of string-string pairs
1845
1846 Details:
1847 name: string (must be unique within table)
1848 A name for this meter.
1849
1850 Names that begin with "__" (two underscores) are reserved for
1851 OVN internal use and should not be added manually.
1852
1853 unit: string, either kbps or pktps
1854 The unit for rate and burst_rate parameters in the bands entry.
1855 kbps specifies kilobits per second, and pktps specifies packets
1856 per second.
1857
1858 bands: set of 1 or more Meter_Bands
1859 The bands associated with this meter. Each band specifies a rate
1860 above which the band is to take the action action. If multiple
1861 bands’ rates are exceeded, then the band with the highest rate
1862 among the exceeded bands is selected.
1863
1864 fair: optional boolean
1865 This column is used to further describe the desired behavior of
1866 the meter when there are multiple references to it. If this col‐
1867 umn is empty or is set to false, the rate will be shared across
1868 all rows that refer to the same Meter name. Conversely, when
1869 this column is set to true, each user of the same Meter will be
1870 rate-limited on its own.
1871
1872 external_ids: map of string-string pairs
1873 See External IDs at the beginning of this document.
1874
1875 Meter_Band TABLE
1876 Each row in this table represents a meter band which specifies the rate
1877 above which the configured action should be applied. These bands are
1878 referenced by the bands column in the Meter table.
1879
1880 Summary:
1881 action string, must be drop
1882 rate integer, in range 1 to 4,294,967,295
1883 burst_size integer, in range 0 to 4,294,967,295
1884 external_ids map of string-string pairs
1885
1886 Details:
1887 action: string, must be drop
1888 The action to execute when this band matches. The only supported
1889 action is drop.
1890
1891 rate: integer, in range 1 to 4,294,967,295
1892 The rate limit for this band, in kilobits per second or packets
1893 per second, depending on whether the parent Meter entry’s unit col‐
1894 umn specified kbps or pktps.
1895
1896 burst_size: integer, in range 0 to 4,294,967,295
1897 The maximum burst allowed for the band in kilobits or packets,
1898 depending on whether kbps or pktps was selected in the parent
1899 Meter entry’s unit column. If the size is zero, the switch is
1900 free to select some reasonable value depending on its configura‐
1901 tion.
1902
1903 external_ids: map of string-string pairs
1904 See External IDs at the beginning of this document.
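
The band selection rule above ("the band with the highest rate among the exceeded bands") and the Meter table's fair column are easy to get wrong when several ACL logs point at one meter. The following is an added model of those two rules, not code from OVN itself; the class and function names are hypothetical, and the rates passed in are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MeterBand:
    rate: int             # threshold, in the parent Meter's unit (kbps or pktps)
    burst_size: int = 0   # 0 lets the switch choose a value; unused in this model
    action: str = "drop"  # the only action the Meter_Band schema supports


@dataclass
class Meter:
    name: str
    unit: str             # "kbps" or "pktps"
    bands: List[MeterBand]
    fair: bool = False    # empty/false: one limit shared by all referencing rows

    def __post_init__(self) -> None:
        # Mirror the constraints the schema documents.
        if self.name.startswith("__"):
            raise ValueError("names beginning with __ are reserved for OVN")
        if self.unit not in ("kbps", "pktps"):
            raise ValueError(f"unit must be kbps or pktps, not {self.unit!r}")
        if not self.bands:
            raise ValueError("a Meter needs at least one band")
        for band in self.bands:
            if band.rate < 1 or band.action != "drop":
                raise ValueError(f"invalid band: {band}")


def selected_band(meter: Meter, measured_rate: int) -> Optional[MeterBand]:
    """Return the band whose action applies: of the bands whose rate is
    exceeded, the one with the highest rate.  None means within all limits."""
    exceeded = [b for b in meter.bands if measured_rate > b.rate]
    return max(exceeded, key=lambda b: b.rate) if exceeded else None


def apply_meter(meter: Meter, rates: Dict[str, int]) -> Dict[str, Optional[str]]:
    """Map each row referencing the meter (e.g. an ACL with log=true) to the
    band action that fires, given the rate each row generates on its own.

    fair=False: the rate is shared, so the sum over all rows is measured.
    fair=True:  every row is measured, and limited, independently."""
    if meter.fair:
        measured = dict(rates)
    else:
        total = sum(rates.values())
        measured = {row: total for row in rates}
    result: Dict[str, Optional[str]] = {}
    for row, rate in measured.items():
        band = selected_band(meter, rate)
        result[row] = band.action if band else None
    return result


if __name__ == "__main__":
    # Constructed sample: two ACL logs each producing 300 pkt/s.
    shared = Meter("acl-log", "pktps", [MeterBand(rate=500)])
    fair = Meter("acl-log-fair", "pktps", [MeterBand(rate=500)], fair=True)
    print(apply_meter(shared, {"acl-a": 300, "acl-b": 300}))  # both dropped
    print(apply_meter(fair, {"acl-a": 300, "acl-b": 300}))    # neither dropped
```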
1905
1906 Logical_Router_Port TABLE
1907 A port within an L3 logical router.
1908
1909 Exactly one Logical_Router row must reference a given logical router
1910 port.
1911
1912 Summary:
1913 name string (must be unique within table)
1914 networks set of 1 or more strings
1915 mac string
1916 enabled optional boolean
1917 Distributed Gateway Ports:
1918 ha_chassis_group optional HA_Chassis_Group
1919 gateway_chassis set of Gateway_Chassises
1920 Options for Physical VLAN MTU Issues:
1921 options : reside-on-redirect-chassis
1922 optional string, either true or false
1923 options : redirect-type optional string, either bridged or over‐
1924 lay
1925 ipv6_prefix set of strings
1926 ipv6_ra_configs:
1927 ipv6_ra_configs : address_mode
1928 optional string
1929 ipv6_ra_configs : router_preference
1930 optional string
1931 ipv6_ra_configs : route_info
1932 optional string
1933 ipv6_ra_configs : mtu optional string
1934 ipv6_ra_configs : send_periodic
1935 optional string
1936 ipv6_ra_configs : max_interval
1937 optional string
1938 ipv6_ra_configs : min_interval
1939 optional string
1940 ipv6_ra_configs : rdnss optional string
1941 ipv6_ra_configs : dnssl optional string
1942 Options:
1943 options : mcast_flood optional string, either true or false
1944 options : requested-tnl-key
1945 optional string, containing an integer,
1946 in range 1 to 32,767
1947 options : prefix_delegation
1948 optional string, either true or false
1949 options : prefix optional string, either true or false
1950 Attachment:
1951 peer optional string
1952 Common Columns:
1953 external_ids map of string-string pairs
1954
1955 Details:
1956 name: string (must be unique within table)
1957 A name for the logical router port.
1958
1959 In addition to providing convenience for human interaction with
1960 the northbound database, this column is used as a reference by its
1961 patch port in Logical_Switch_Port or another logical router port
1962 in Logical_Router_Port.
1963
1964 A logical router port may not have the same name as a logical
1965 switch port, but the database schema cannot enforce this.
1966
1967 networks: set of 1 or more strings
1968 The IP addresses and netmasks of the router. For example,
1969 192.168.0.1/24 indicates that the router’s IP address is
1970 192.168.0.1 and that packets destined to 192.168.0.x should be
1971 routed to this port.
1972
1973 A logical router port always adds a link-local IPv6 address
1974 (fe80::/64) automatically generated from the interface’s MAC
1975 address using the modified EUI-64 format.
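
The link-local address derived from the port's MAC is not stored anywhere in the database, so an operator auditing a router port's reachable addresses has to compute it. The following is an added example, not OVN code: it derives that modified EUI-64 address and lists it next to the parsed networks column. The function names are hypothetical; the MAC and prefixes in the demo are constructed.

```python
import ipaddress
from typing import List


def mac_to_link_local(mac: str) -> ipaddress.IPv6Address:
    """Derive the fe80::/64 link-local address OVN adds to a router port
    from its MAC, using the modified EUI-64 format (RFC 4291, Appendix A)."""
    try:
        octets = bytes(int(part, 16) for part in mac.split(":"))
    except ValueError as exc:
        raise ValueError(f"not a MAC address: {mac!r}") from exc
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Split the 48-bit MAC in half and insert 0xfffe in the middle ...
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # ... then flip the universal/local bit (bit 1 of the first octet).
    iid[0] ^= 0x02
    # fe80::/64 prefix followed by the 64-bit interface identifier.
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(iid))


def router_port_addresses(mac: str, networks: List[str]) -> list:
    """Parse the networks column (entries such as "192.168.0.1/24") and append
    the link-local address the port always carries.  Each element is an
    ip_interface: .ip is the router's address, .network is what is routed
    to this port."""
    addrs = [ipaddress.ip_interface(entry) for entry in networks]
    addrs.append(ipaddress.ip_interface(f"{mac_to_link_local(mac)}/64"))
    return addrs


if __name__ == "__main__":
    # Constructed sample port.
    for iface in router_port_addresses("52:54:00:12:34:56",
                                       ["192.168.0.1/24", "2001:db8:1::1/64"]):
        print(f"{iface.ip:>24}  routes {iface.network}")
```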
1976
1977 mac: string
1978 The Ethernet address that belongs to this router port.
1979
1980 enabled: optional boolean
1981 This column is used to administratively set port state. If this
1982 column is empty or is set to true, the port is enabled. If this
1983 column is set to false, the port is disabled. A disabled port
1984 has all ingress and egress traffic dropped.
1985
1986 Distributed Gateway Ports:
1987
1988 Gateways, as documented under Gateways in the OVN architecture guide,
1989 provide limited connectivity between logical networks and physical
1990 ones. OVN supports multiple kinds of gateways. The Logical_Router_Port
1991 table can be used two different ways to configure distributed gateway
1992 ports, which are one kind of gateway. These two forms of configuration
1993 exist for historical reasons. Both of them produce the same kind of OVN
1994 southbound records and the same behavior in practice.
1995
1996 If either of these is set, this logical router port represents a dis‐
1997 tributed gateway port that connects this router to a logical switch
1998 with a localnet port or a connection to another OVN deployment. There
1999 may be at most one such logical router port on each logical router.
2000
2001 The preferred way to configure a gateway is ha_chassis_group, but gate‐
2002 way_chassis is also supported for backward compatibility. Only one of
2003 these should be set at a time on a given LRP, since they configure the
2004 same features.
2005
2006 Even when a gateway is configured, the logical router port still effec‐
2007 tively resides on each chassis. However, due to the implications of the
2008 use of L2 learning in the physical network, as well as the need to sup‐
2009 port advanced features such as one-to-many NAT (aka IP masquerading), a
2010 subset of the logical router processing is handled in a centralized
2011 manner on the gateway chassis.
2012
2013 When more than one gateway chassis is specified, OVN only uses one at a
2014 time. OVN uses BFD to monitor gateway connectivity, preferring the
2015 highest-priority gateway that is online. Priorities are specified in
2016 the priority column of Gateway_Chassis or HA_Chassis.
2017
2018 ovn-northd programs the external_mac rules specified in the LRP’s LR
2019 into the peer logical switch’s destination lookup on the chassis where
2020 the logical_port resides. In addition, the logical router’s MAC address
2021 is automatically programmed in the peer logical switch’s destination
2022 lookup flow on the gateway chassis. If it is desired to generate gra‐
2023 tuitous ARPs for NAT addresses, then set the peer LSP’s options:nat-
2024 addresses to router.
2025
2026 OVN 20.03 and earlier supported a third way to configure distributed
2027 gateway ports using options:redirect-chassis to specify the gateway
2028 chassis. This method is no longer supported. Any remaining users should
2029 switch to one of the newer methods instead. A gateway_chassis may be
2030 easily configured from the command line, e.g. ovn-nbctl lrp-set-gate‐
2031 way-chassis lrp chassis.
2032
2033 ha_chassis_group: optional HA_Chassis_Group
2034 Designates an HA_Chassis_Group to provide gateway high avail‐
2035 ability.
2036
2037 gateway_chassis: set of Gateway_Chassises
2038 Designates one or more Gateway_Chassis for the logical router
2039 port.
2040
2041 Options for Physical VLAN MTU Issues:
2042
2043 MTU issues arise in mixing tunnels with logical networks that are
2044 bridged to a physical VLAN. For an explanation of the MTU issues, see
2045 Physical VLAN MTU Issues in the OVN architecture document. The follow‐
2046 ing options, which are alternatives, provide solutions. Both of them
2047 cause packets to be sent over localnet instead of tunnels, but they
2048 differ in whether some or all packets are sent this way. The most prom‐
2049 inent tradeoff between these options is that reside-on-redirect-chassis
2050 is easier to configure and that redirect-type performs better for east-
2051 west traffic.
2052
2053 options : reside-on-redirect-chassis: optional string, either true or
2054 false
2055 If set to true, this option forces all traffic across the logi‐
2056 cal router port to pass through the gateway chassis using a hop
2057 across a localnet port. This changes behavior in two ways:
2058
2059 · Without this option, east-west traffic passes directly
2060 between source and destination chassis (or even within a
2061 single chassis, for co-located VMs). With this option,
2062 all east-west traffic passes through the gateway chassis.
2063
2064 · Without this option, traffic between the gateway chassis
2065 and other chassis is encapsulated in tunnels. With this
2066 option, traffic passes over a localnet interface.
2067
2068 This option may usefully be set only on logical router ports
2069 that connect a distributed logical router to a logical switch
2070 with VIFs. It should not be set on a distributed gateway port.
2071
2072 OVN honors this option only if the logical router has a distrib‐
2073 uted gateway port and if the LRP’s peer switch has a localnet
2074 port.
2075
2076 options : redirect-type: optional string, either bridged or overlay
2077 If set to bridged on a distributed gateway port, this option
2078 causes OVN to redirect packets to the gateway chassis over a
2079 localnet port instead of a tunnel. The relevant chassis must
2080 share a localnet port.
2081
2082 This feature requires the administrator or the CMS to configure
2083 each participating chassis with a unique Ethernet address for
2084 the logical router by setting ovn-chassis-mac-mappings in the
2085 Open vSwitch database, for use by ovn-controller.
2086
2087 Setting this option to overlay or leaving it unset has no
2088 effect. This option may usefully be set only on a distributed
2089 gateway port. It is otherwise ignored.
2090
2091 ipv6_prefix: set of strings
2092 This column contains the IPv6 prefix obtained through prefix
2093 delegation on this router port, according to RFC 3633.
2094
2095 ipv6_ra_configs:
2096
2097 This column defines the IPv6 ND RA address mode and ND MTU Option to be
2098 included by ovn-controller when it replies to the IPv6 Router solicita‐
2099 tion requests.
2100
2101 ipv6_ra_configs : address_mode: optional string
2102 The address mode to be used for IPv6 address configuration. The
2103 supported values are:
2104
2105 · slaac: Address configuration using Router Advertisement
2106 (RA) packet. The IPv6 prefixes defined in the Logi‐
2107 cal_Router_Port table’s networks column will be included
2108 in the RA’s ICMPv6 option - Prefix information.
2109
2110 · dhcpv6_stateful: Address configuration using DHCPv6.
2111
2112 · dhcpv6_stateless: Address configuration using Router
2113 Advertisement (RA) packet. Other IPv6 options are pro‐
2114 vided by DHCPv6.
2115
2116 ipv6_ra_configs : router_preference: optional string
2117 Default Router Preference (PRF) indicates whether to prefer this
2118 router over other default routers (RFC 4191). Possible values
2119 are:
2120
2121 · HIGH: mapped to 0x01 in RA PRF field
2122
2123 · MEDIUM: mapped to 0x00 in RA PRF field
2124
2125 · LOW: mapped to 0x11 in RA PRF field
2126
2127 ipv6_ra_configs : route_info: optional string
2128 Route Info is used to configure the Route Info Option sent in Router
2129 Advertisements according to RFC 4191. Route Info is a comma sepa‐
2130 rated string where each field provides the PRF and prefix for a
2131 given route (e.g. HIGH-aef1::11/48,LOW-aef2::11/96). Possible PRF
2132 values are:
2133
2134 · HIGH: mapped to 0x01 in RA PRF field
2135
2136 · MEDIUM: mapped to 0x00 in RA PRF field
2137
2138 · LOW: mapped to 0x11 in RA PRF field
2139
2140 ipv6_ra_configs : mtu: optional string
2141 The recommended MTU for the link. Default is 0, which means no
2142 MTU Option will be included in RA packet replied by ovn-con‐
2143 troller. Per RFC 2460, the mtu value should be no less than
2144 1280, so any mtu value less than 1280 is treated as if no MTU
2145 Option were configured.
2146
2147 ipv6_ra_configs : send_periodic: optional string
2148 If set to true, then this router interface will send router
2149 advertisements periodically. The default is false.
2150
2151 ipv6_ra_configs : max_interval: optional string
2152 The maximum number of seconds to wait between sending periodic
2153 router advertisements. This option has no effect if ipv6_ra_con‐
2154 figs:send_periodic is false. The default is 600.
2155
2156 ipv6_ra_configs : min_interval: optional string
2157 The minimum number of seconds to wait between sending periodic
2158 router advertisements. This option has no effect if ipv6_ra_con‐
2159 figs:send_periodic is false. The default is one-third of
2160 ipv6_ra_configs:max_interval, i.e. 200 seconds if that key is
2161 unset.
2162
2163 ipv6_ra_configs : rdnss: optional string
2164 IPv6 address of RDNSS server announced in RA packets. At the
2165 moment OVN supports just one RDNSS server.
2166
2167 ipv6_ra_configs : dnssl: optional string
2168 DNS Search List announced in RA packets. Multiple DNS search
2169 list entries must be comma separated (e.g. "a.b.c, d.e.f").
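
The ipv6_ra_configs keys above carry several defaults and thresholds (the 1280 MTU floor, the 600-second max_interval, the one-third min_interval, the PRF-prefix route_info format, the comma-separated dnssl). The following is an added example, not OVN code, that resolves such a map into what the advertisement will actually carry; the function names are hypothetical, and the PRF numeric values are the RFC 4191 two-bit encodings (High = 01, Medium = 00, Low = 11).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

ADDRESS_MODES = ("slaac", "dhcpv6_stateful", "dhcpv6_stateless")
# RFC 4191 Prf field (2 bits): High = 01, Medium = 00, Low = 11.
PRF = {"HIGH": 0b01, "MEDIUM": 0b00, "LOW": 0b11}


def parse_route_info(value: str) -> List[Tuple[int, ipaddress.IPv6Network]]:
    """Parse "PRF-prefix,PRF-prefix,..." (e.g. HIGH-aef1::11/48,LOW-aef2::11/96)
    into (prf, prefix) pairs.  Host bits in the prefix are masked off, since
    the Route Information Option only carries the prefix and its length."""
    routes = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        prf, sep, prefix = item.partition("-")
        if not sep or prf not in PRF:
            raise ValueError(f"bad route_info entry: {item!r}")
        routes.append((PRF[prf], ipaddress.IPv6Network(prefix, strict=False)))
    return routes


def effective_ra(configs: Dict[str, str]) -> dict:
    """Resolve an ipv6_ra_configs map into the RA contents, applying the
    defaults and thresholds the schema documents."""
    mode = configs.get("address_mode")
    if mode is not None and mode not in ADDRESS_MODES:
        raise ValueError(f"unknown address_mode {mode!r}")
    pref = configs.get("router_preference")
    if pref is not None and pref not in PRF:
        raise ValueError(f"unknown router_preference {pref!r}")
    mtu = int(configs.get("mtu", "0"))          # default 0: no MTU option
    periodic = configs.get("send_periodic", "false") == "true"
    max_interval = int(configs.get("max_interval", "600"))
    min_interval = int(configs.get("min_interval", str(max_interval // 3)))
    return {
        "address_mode": mode,
        "prf": PRF[pref] if pref is not None else None,
        "route_info": parse_route_info(configs.get("route_info", "")),
        # The MTU option is only included when the value is at least 1280.
        "mtu_option": mtu if mtu >= 1280 else None,
        "periodic": (max_interval, min_interval) if periodic else None,
        "rdnss": configs.get("rdnss"),          # a single server is supported
        "dnssl": [d.strip() for d in configs.get("dnssl", "").split(",") if d.strip()],
    }


if __name__ == "__main__":
    # Constructed sample map, as it might appear in the column.
    sample = {"address_mode": "slaac", "mtu": "1200", "send_periodic": "true",
              "route_info": "HIGH-aef1::11/48,LOW-aef2::11/96",
              "dnssl": "a.b.c, d.e.f"}
    for key, val in effective_ra(sample).items():
        print(f"{key:13} {val}")
```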
2170
2171 Options:
2172
2173 Additional options for the logical router port.
2174
2175 options : mcast_flood: optional string, either true or false
2176 If set to true, multicast traffic (including reports) is uncon‐
2177 ditionally forwarded to this port.
2178
2179 This option applies when the port is part of a logical router
2180 which has options:mcast_relay set to true.
2181
2182 options : requested-tnl-key: optional string, containing an integer, in
2183 range 1 to 32,767
2184 Configures the port binding tunnel key for the port. Usually
2185 this is not needed because ovn-northd will assign a unique key
2186 for each port by itself. However, if it is configured,
2187 ovn-northd honors the configured value.
2188
2189 options : prefix_delegation: optional string, either true or false
2190 If set to true, enable IPv6 prefix delegation state machine on
2191 this logical router port (RFC3633). IPv6 prefix delegation is
2192 available only on a gateway router or on a gateway router port.
2193
2194 options : prefix: optional string, either true or false
2195 If set to true, this interface will receive an IPv6 prefix
2196 according to RFC3663.
2197
2198 Attachment:
2199
2200 A given router port serves one of two purposes:
2201
2202 · To attach a logical switch to a logical router. A logical
2203 router port of this type is referenced by exactly one
2204 Logical_Switch_Port of type router. The value of name is
2205 set as router-port in column options of Logi‐
2206 cal_Switch_Port. In this case peer column is empty.
2207
2208 · To connect one logical router to another. This requires a
2209 pair of logical router ports, each connected to a differ‐
2210 ent router. Each router port in the pair specifies the
2211 other in its peer column. No Logical_Switch refers to the
2212 router port.
2213
2214 peer: optional string
2215 For a router port used to connect two logical routers, this
2216 identifies the other router port in the pair by name.
2217
2218 For a router port attached to a logical switch, this column is
2219 empty.
2220
2221 Common Columns:
2222
2223 external_ids: map of string-string pairs
2224 See External IDs at the beginning of this document.
2225
2226 Logical_Router_Static_Route TABLE
2227 Each record represents a static route.
2228
2229 When multiple routes match a packet, the longest-prefix match is cho‐
2230 sen. For a given prefix length, a dst-ip route is preferred over a
2231 src-ip route.
2232
2233 When there are ECMP routes, i.e. multiple routes with same prefix and
2234 policy, one of them will be selected based on the 5-tuple hashing of
2235 the packet header.
2236
2237 Summary:
2238 ip_prefix string
2239 policy optional string, either dst-ip or src-ip
2240 nexthop string
2241 output_port optional string
2242 bfd optional weak reference to BFD
2243 external_ids : ic-learned-route
2244 optional string
2245 Common Columns:
2246 external_ids map of string-string pairs
2247 Common options:
2248 options map of string-string pairs
2249 options : ecmp_symmetric_reply
2250 optional string
2251
2252 Details:
2253 ip_prefix: string
2254 IP prefix of this route (e.g. 192.168.100.0/24).
2255
2256 policy: optional string, either dst-ip or src-ip
2257 If it is specified, this setting describes the policy used to
2258 make routing decisions. This setting must be one of the follow‐
2259 ing strings:
2260
2261 · src-ip: This policy sends the packet to the nexthop when
2262 the packet’s source IP address matches ip_prefix.
2263
2264 · dst-ip: This policy sends the packet to the nexthop when
2265 the packet’s destination IP address matches ip_prefix.
2266
2267 If not specified, the default is dst-ip.
2268
2269 nexthop: string
2270 Nexthop IP address for this route. Nexthop IP address should be
2271 the IP address of a connected router port or the IP address of a
2272 logical port.
2273
2274 output_port: optional string
2275 The name of the Logical_Router_Port via which the packet needs
2276 to be sent out. This is optional and when not specified, OVN
2277 will automatically figure this out based on the nexthop. When
2278 this is specified and there are multiple IP addresses on the
2279 router port and none of them is in the same subnet as the nexthop,
2280 OVN chooses the first IP address as the one via which the nex‐
2281 thop is reachable.
2282
2283 bfd: optional weak reference to BFD
2284 Reference to the BFD row if the route has an associated BFD session.
2285
2286 external_ids : ic-learned-route: optional string
2287 ovn-ic populates this key if the route is learned from the
2288 global OVN_IC_Southbound database. In this case the value will
2289 be set to the uuid of the row in Route table of the
2290 OVN_IC_Southbound database.
2291
2292 Common Columns:
2293
2294 external_ids: map of string-string pairs
2295 See External IDs at the beginning of this document.
2296
2297 Common options:
2298
2299 options: map of string-string pairs
2300 This column provides general key/value settings. The supported
2301 options are described individually below.
2302
2303 options : ecmp_symmetric_reply: optional string
2304 If true, then new traffic that arrives over this route will have
2305 its reply traffic bypass ECMP route selection and will be sent
2306 out this route instead. Note that this option overrides any
2307 rules set in the Logical_Router_Policy table. This option only
2308 works on gateway routers (routers that have options:chassis
2309 set).
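
The selection rules this table documents (longest prefix first, dst-ip over src-ip at equal length, 5-tuple hashing among ECMP routes) are worth checking against a concrete route set before relying on them, for instance to confirm that a src-ip route meant to pin a tenant's egress is not shadowed by a dst-ip route of the same length. The following is an added model of those rules, not OVN code; the class and function names are hypothetical, the route set is constructed, and the SHA-256-based hash stands in for the datapath's own 5-tuple hash.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    ip_prefix: str                  # e.g. "192.168.100.0/24"
    nexthop: str                    # IP of a connected router port or logical port
    policy: str = "dst-ip"          # column default; "src-ip" is the alternative
    output_port: Optional[str] = None

    def __post_init__(self) -> None:
        if self.policy not in ("dst-ip", "src-ip"):
            raise ValueError(f"policy must be dst-ip or src-ip: {self.policy!r}")
        ipaddress.ip_address(self.nexthop)      # nexthop must be a plain IP

    @property
    def network(self) -> ipaddress._BaseNetwork:
        return ipaddress.ip_network(self.ip_prefix, strict=False)


def matches(route: StaticRoute, src, dst) -> bool:
    """A dst-ip route is matched on the destination, a src-ip route on the source."""
    addr = dst if route.policy == "dst-ip" else src
    return addr.version == route.network.version and addr in route.network


def five_tuple_hash(src, dst, proto: int, sport: int, dport: int) -> int:
    # Assumption: any stable hash of the 5-tuple demonstrates the flow-to-route
    # pinning; the real datapath hash differs but has the same property.
    key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def select_route(routes: List[StaticRoute], src: str, dst: str,
                 proto: int = 6, sport: int = 0, dport: int = 0) -> Optional[StaticRoute]:
    """Pick the route the router would use for one packet, or None."""
    src_addr, dst_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    candidates = [r for r in routes if matches(r, src_addr, dst_addr)]
    if not candidates:
        return None

    # Longest prefix wins; at equal length a dst-ip route beats a src-ip route.
    def rank(r: StaticRoute):
        return (r.network.prefixlen, 1 if r.policy == "dst-ip" else 0)

    best = max(rank(r) for r in candidates)
    ecmp = sorted((r for r in candidates if rank(r) == best), key=lambda r: r.nexthop)
    if len(ecmp) == 1:
        return ecmp[0]
    # Same prefix and policy: ECMP, with the flow pinned by its 5-tuple hash.
    return ecmp[five_tuple_hash(src_addr, dst_addr, proto, sport, dport) % len(ecmp)]


# Constructed sample route table.
ROUTES = [
    StaticRoute("0.0.0.0/0", "10.0.0.1"),
    StaticRoute("192.168.100.0/24", "10.0.0.2"),
    StaticRoute("192.168.100.0/24", "10.0.0.3", policy="src-ip"),
    StaticRoute("10.10.0.0/16", "10.0.0.4"),
    StaticRoute("10.10.0.0/16", "10.0.0.5"),     # ECMP partner of the row above
]

if __name__ == "__main__":
    for src, dst in [("1.2.3.4", "8.8.8.8"), ("192.168.100.7", "8.8.8.8"),
                     ("192.168.100.7", "192.168.100.9"), ("1.2.3.4", "10.10.5.5")]:
        chosen = select_route(ROUTES, src, dst, 6, 40000, 443)
        print(f"{src:>15} -> {dst:<15} via {chosen.nexthop} ({chosen.ip_prefix} {chosen.policy})")
```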
2310
2311 Logical_Router_Policy TABLE
2312 Each row in this table represents one routing policy for a logical
2313 router that points to it through its policies column. The action column
2314 for the highest-priority matching row in this table determines a
2315 packet’s treatment. If no row matches, packets are allowed by default.
2316 (Default-deny treatment is possible: add a rule with priority 0, 1 as
2317 match, and drop as action.)
2318
2319 Summary:
2320 priority integer, in range 0 to 32,767
2321 match string
2322 action string, one of allow, drop, or reroute
2323 nexthop optional string
2324 nexthops set of strings
2325 options : pkt_mark optional string
2326 Common Columns:
2327 external_ids map of string-string pairs
2328
2329 Details:
2330 priority: integer, in range 0 to 32,767
2331 The routing policy’s priority. Rules with numerically higher
2332 priority take precedence over those with lower. A rule is
2333 uniquely identified by the priority and match string.
2334
2335 match: string
2336 The packets that the routing policy should match, in the same
2337 expression language used for the match column in the OVN South‐
2338 bound database’s Logical_Flow table.
2339
2340 By default all traffic is allowed. When writing a more restric‐
2341 tive policy, it is important to remember to allow flows such as
2342 ARP and IPv6 neighbor discovery packets.
2343
2344 action: string, one of allow, drop, or reroute
2345 The action to take when the routing policy matches:
2346
2347 · allow: Forward the packet.
2348
2349 · drop: Silently drop the packet.
2350
2351 · reroute: Reroute packet to nexthop or nexthops.
2352
2353 nexthop: optional string
2354 Note: This column is deprecated in favor of nexthops.
2355
2356 Next-hop IP address for this route, which should be the IP
2357 address of a connected router port or the IP address of a logi‐
2358 cal port.
2359
2360 nexthops: set of strings
2361 Next-hop ECMP IP addresses for this route. Each IP in the list
2362 should be the IP address of a connected router port or the IP
2363 address of a logical port.
2364
2365 One IP from the list is selected as next hop.
2366
2367 options : pkt_mark: optional string
2368 Marks the packet with the value specified when the router policy
2369 is applied. CMS can inspect this packet marker and take some
2370 decisions if desired. This value is not preserved when the
2371 packet goes out on the wire.
2372
2373 Common Columns:
2374
2375 external_ids: map of string-string pairs
2376 See External IDs at the beginning of this document.
2377
2378 NAT TABLE
2379 Each record represents a NAT rule.
2380
2381 Summary:
2382 type string, one of dnat, dnat_and_snat, or
2383 snat
2384 external_ip string
2385 external_mac optional string
2386 external_port_range string
2387 logical_ip string
2388 logical_port optional string
2389 allowed_ext_ips optional Address_Set
2390 exempted_ext_ips optional Address_Set
2391 options : stateless optional string
2392 Common Columns:
2393 external_ids map of string-string pairs
2394
2395 Details:
2396 type: string, one of dnat, dnat_and_snat, or snat
2397 Type of the NAT rule.
2398
2399 · When type is dnat, the externally visible IP address
2400 external_ip is DNATted to the IP address logical_ip in
2401 the logical space.
2402
2403 · When type is snat, IP packets whose source IP address
2404 either matches the IP address in logical_ip or is in the
2405 network provided by logical_ip are SNATed to the IP
2406 address in external_ip.
2407
2408 · When type is dnat_and_snat, the externally visible IP
2409 address external_ip is DNATted to the IP address logical_ip
2410 in the logical space. In addition, IP packets whose source
2411 IP address matches logical_ip are SNATed to the IP address
2412 in external_ip.
2413
2414 external_ip: string
2415 An IPv4 address.
2416
2417 external_mac: optional string
2418 A MAC address.
2419
2420 This is only used on the gateway port on distributed routers.
2421 This must be specified in order for the NAT rule to be processed
2422 in a distributed manner on all chassis. If this is not specified
2423 for a NAT rule on a distributed router, then this NAT rule will
2424 be processed in a centralized manner on the gateway port
2425 instance on the gateway chassis.
2426
2427 This MAC address must be unique on the logical switch that the
2428 gateway port is attached to. If the MAC address used on the log‐
2429 ical_port is globally unique, then that MAC address can be spec‐
2430 ified as this external_mac.
2431
2432 external_port_range: string
2433 L4 source port range.
2434
2435 Range of ports from which a port number is picked to replace
2436 the source port of the packet being NATed. This is
2437 basically PAT (port address translation).
2438
2439 The value of the column is in the format port_lo-port_hi.
2440 For example: external_port_range : "1-30000"
2441
2442 The valid range of ports is 1-65535.
2443
2444 logical_ip: string
2445 An IPv4 network (e.g. 192.168.1.0/24) or an IPv4 address.
2446
2447 logical_port: optional string
2448 The name of the logical port where the logical_ip resides.
2449
2450 This is only used on distributed routers. This must be specified
2451 in order for the NAT rule to be processed in a distributed man‐
2452 ner on all chassis. If this is not specified for a NAT rule on a
2453 distributed router, then this NAT rule will be processed in a
2454 centralized manner on the gateway port instance on the gateway
2455 chassis.
2456
2457 allowed_ext_ips: optional Address_Set
2458 The Address Set of external IPs that the NAT rule applies to. For
2459 SNAT type NAT rules, this refers to destination addresses. For
2460 DNAT type NAT rules, this refers to source addresses.
2461
2462 This configuration overrides the default NAT behavior of applying
2463 a rule solely based on the internal IP. Without this configuration,
2464 NAT happens without considering the external IP (i.e. destination
2465 for snat and source for dnat type rules). With this configuration
2466 the NAT rule is applied ONLY if the external IP is in the given
2467 Address Set.
2468
2469 exempted_ext_ips: optional Address_Set
2470 The Address Set of external IPs that the NAT rule does NOT apply
2471 to. For SNAT type NAT rules, this refers to destination addresses.
2472 For DNAT type NAT rules, this refers to source addresses.
2473
2474 This configuration overrides the default NAT behavior of applying
2475 a rule solely based on the internal IP. Without this configuration,
2476 NAT happens without considering the external IP (i.e. destination
2477 for snat and source for dnat type rules). With this configuration
2478 the NAT rule is NOT applied if the external IP is in the given
2479 Address Set.
2480
2481 If there are NAT rules in a logical router with overlapping IP
2482 prefixes (including /32), then exempted_ext_ips should be avoided
2483 in the following scenario:
2484
2485 a. An SNAT rule (say RULE1) with logical_ip PREFIX/MASK (say
2486 50.0.0.0/24).
2487
2488 b. An SNAT rule (say RULE2) with logical_ip PREFIX/MASK+1 (say
2489 50.0.0.0/25).
2490
2491 c. If exempted_ext_ips is now associated with RULE2, then a logical
2492 IP which matches both 50.0.0.0/24 and 50.0.0.0/25 may get RULE2
2493 applied to it instead of RULE1.
2494
2495 allowed_ext_ips and exempted_ext_ips are mutually exclusive. If both
2496 Address Sets are set for a rule, then the NAT rule is not considered.
2495
2496 options : stateless: optional string
2497 Indicates whether a dnat_and_snat rule should create connection
2498 tracking state.
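The constraints described above (the port_lo-port_hi format and 1-65535 range of external_port_range, the mutual exclusivity of allowed_ext_ips and exempted_ext_ips, and the overlapping-prefix scenario for exempted_ext_ips) as a checker over NAT rows. This is an added example, not OVN code: rows are plain dicts keyed by column name, Address Set references are just names, and the options map is a nested dict.

```python
import ipaddress

VALID_TYPES = {"dnat", "snat", "dnat_and_snat"}


def parse_port_range(value):
    """Parse external_port_range, documented as "port_lo-port_hi" within 1-65535.

    Returns (lo, hi) or raises ValueError."""
    lo_s, sep, hi_s = value.partition("-")
    if not sep or not lo_s.isdigit() or not hi_s.isdigit():
        raise ValueError(f"external_port_range must be port_lo-port_hi, got {value!r}")
    lo, hi = int(lo_s), int(hi_s)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"external_port_range {value!r} must lie within 1-65535 with lo <= hi")
    return lo, hi


def lint_nat_rule(rule):
    """Return a list of findings for one NAT row (a dict keyed by column name)."""
    findings = []
    if rule.get("type") not in VALID_TYPES:
        findings.append(f"type {rule.get('type')!r} is not one of dnat, snat, dnat_and_snat")
    try:
        ipaddress.IPv4Address(rule.get("external_ip", ""))
    except ValueError:
        findings.append("external_ip must be an IPv4 address")
    try:
        # logical_ip is an IPv4 address or network; a bare address becomes a /32.
        ipaddress.IPv4Network(rule.get("logical_ip", ""), strict=False)
    except ValueError:
        findings.append("logical_ip must be an IPv4 address or network")
    if rule.get("external_port_range"):
        try:
            parse_port_range(rule["external_port_range"])
        except ValueError as err:
            findings.append(str(err))
    if rule.get("allowed_ext_ips") and rule.get("exempted_ext_ips"):
        # The two Address Sets are mutually exclusive: such a rule is not considered at all.
        findings.append("allowed_ext_ips and exempted_ext_ips are both set; the rule is ignored")
    if rule.get("options", {}).get("stateless") and rule.get("type") != "dnat_and_snat":
        findings.append("options:stateless is documented only for dnat_and_snat rules")
    return findings


def lint_router_nat_rules(rules):
    """Cross-rule check for all NAT rows of one logical router: exempted_ext_ips on an
    SNAT rule whose logical_ip prefix overlaps another SNAT rule's prefix (including /32)
    is the scenario the schema says to avoid."""
    findings = []
    snat = [(r, ipaddress.IPv4Network(r["logical_ip"], strict=False))
            for r in rules if r.get("type") == "snat" and not lint_nat_rule(r)]
    for r2, net2 in snat:
        if not r2.get("exempted_ext_ips"):
            continue
        for r1, net1 in snat:
            if r1 is not r2 and net1.overlaps(net2):
                findings.append(
                    f"exempted_ext_ips on SNAT rule for {net2} overlaps SNAT rule for {net1}: "
                    f"a logical IP matching both may be translated by the exempted rule")
    return findings
```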
2499
2500 Common Columns:
2501
2502 external_ids: map of string-string pairs
2503 See External IDs at the beginning of this document.
2504
2505 DHCP_Options TABLE
2506 OVN implements native DHCPv4 support which caters to the common use
2507 case of providing an IPv4 address to a booting instance by providing
2508 stateless replies to DHCPv4 requests based on statically configured
2509 address mappings. To do this it allows a short list of DHCPv4 options
2510 to be configured and applied at each compute host running
2511 ovn-controller.
2512
2513 OVN also implements native DHCPv6 support which provides stateless
2514 replies to DHCPv6 requests.
2515
2516 Summary:
2517 cidr string
2518 DHCPv4 options:
2519 Mandatory DHCPv4 options:
2520 options : server_id optional string
2521 options : server_mac optional string
2522 options : lease_time optional string, containing an integer,
2523 in range 0 to 4,294,967,295
2524 IPv4 DHCP Options:
2525 options : router optional string
2526 options : netmask optional string
2527 options : dns_server optional string
2528 options : log_server optional string
2529 options : lpr_server optional string
2530 options : swap_server optional string
2531 options : policy_filter optional string
2532 options : router_solicitation
2533 optional string
2534 options : nis_server optional string
2535 options : ntp_server optional string
2536 options : classless_static_route
2537 optional string
2538 options : ms_classless_static_route
2539 optional string
2540 Boolean DHCP Options:
2541 options : ip_forward_enable
2542 optional string, either 0 or 1
2543 options : router_discovery
2544 optional string, either 0 or 1
2545 options : ethernet_encap optional string, either 0 or 1
2546 Integer DHCP Options:
2547 options : default_ttl optional string, containing an integer,
2548 in range 0 to 255
2549 options : tcp_ttl optional string, containing an integer,
2550 in range 0 to 255
2551 options : mtu optional string, containing an integer,
2552 in range 68 to 65,535
2553 options : T1 optional string, containing an integer,
2554 in range 68 to 4,294,967,295
2555 options : T2 optional string, containing an integer,
2556 in range 68 to 4,294,967,295
2557 options : arp_cache_timeout
2558 optional string, containing an integer,
2559 in range 0 to 255
2560 options : tcp_keepalive_interval
2561 optional string, containing an integer,
2562 in range 0 to 255
2563 String DHCP Options:
2564 options : wpad optional string
2565 options : bootfile_name optional string
2566 options : path_prefix optional string
2567 options : tftp_server_address
2568 optional string
2569 options : domain_name optional string
2570 options : bootfile_name_alt
2571 optional string
2572 options : broadcast_address
2573 optional string
2574 DHCP Options of type host_id:
2575 options : tftp_server optional string
2576 DHCP Options of type domains:
2577 options : domain_search_list
2578 optional string
2579 DHCPv6 options:
2580 Mandatory DHCPv6 options:
2581 options : server_id optional string
2582 IPv6 DHCPv6 options:
2583 options : dns_server optional string
2584 String DHCPv6 options:
2585 options : domain_search optional string
2586 options : dhcpv6_stateless
2587 optional string
2588 Common Columns:
2589 external_ids map of string-string pairs
2590
2591 Details:
2592 cidr: string
2593 The DHCPv4/DHCPv6 options will be included if the logical port
2594 has its IP address in this cidr.
2595
2596 DHCPv4 options:
2597
2598 The CMS should define the set of DHCPv4 options as key/value pairs in
2599 the options column of this table. For ovn-controller to include these
2600 DHCPv4 options, the dhcpv4_options of Logical_Switch_Port should refer
2601 to an entry in this table.
2602
2603 Mandatory DHCPv4 options:
2604
2605 The following options must be defined.
2606
2607 options : server_id: optional string
2608 The IP address for the DHCP server to use. This should be in the
2609 subnet of the offered IP. This is also included in the DHCP
2610 offer as option 54, ``server identifier.’’
2611
2612 options : server_mac: optional string
2613 The Ethernet address for the DHCP server to use.
2614
2615 options : lease_time: optional string, containing an integer, in range
2616 0 to 4,294,967,295
2617 The offered lease time in seconds.
2618
2619 The DHCPv4 option code for this option is 51.
2620
2621 IPv4 DHCP Options:
2622
2623 Below are the supported DHCPv4 options whose values are an IPv4
2624 address, e.g. 192.168.1.1. Some options accept multiple IPv4 addresses
2625 enclosed within curly braces, e.g. {192.168.1.2, 192.168.1.3}. Please
2626 refer to RFC 2132 for more details on DHCPv4 options and their codes.
2627
2628 options : router: optional string
2629 The IP address of a gateway for the client to use. This should
2630 be in the subnet of the offered IP. The DHCPv4 option code for
2631 this option is 3.
2632
2633 options : netmask: optional string
2634 The DHCPv4 option code for this option is 1.
2635
2636 options : dns_server: optional string
2637 The DHCPv4 option code for this option is 6.
2638
2639 options : log_server: optional string
2640 The DHCPv4 option code for this option is 7.
2641
2642 options : lpr_server: optional string
2643 The DHCPv4 option code for this option is 9.
2644
2645 options : swap_server: optional string
2646 The DHCPv4 option code for this option is 16.
2647
2648 options : policy_filter: optional string
2649 The DHCPv4 option code for this option is 21.
2650
2651 options : router_solicitation: optional string
2652 The DHCPv4 option code for this option is 32.
2653
2654 options : nis_server: optional string
2655 The DHCPv4 option code for this option is 41.
2656
2657 options : ntp_server: optional string
2658 The DHCPv4 option code for this option is 42.
2659
2660 options : classless_static_route: optional string
2661 The DHCPv4 option code for this option is 121.
2662
2663 This option can contain one or more static routes, each of which
2664 consists of a destination descriptor and the IP address of the
2665 router that should be used to reach that destination. Please see
2666 RFC 3442 for more details.
2667
2668 Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
2669
2670 options : ms_classless_static_route: optional string
2671 The DHCPv4 option code for this option is 249. This option is
2672 similar to classless_static_route and is the variant supported
2673 by Microsoft Windows DHCPv4 clients.
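An encoder and decoder for the value form shown in the classless_static_route example above, producing the RFC 3442 option 121 TLV that the value represents (and option 249 for the ms_classless_static_route variant). This is an added example, not OVN's own code; that option 249 shares the RFC 3442 wire format is an assumption noted in the code.

```python
import ipaddress


def parse_ovn_static_routes(value):
    """Parse the ovn-nb value form "{dst/len,router, dst/len,router}" into a list of
    (IPv4Network, IPv4Address) pairs. Raises ValueError on malformed input, including
    a destination with host bits set (strict network parsing)."""
    body = value.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("value must be enclosed in curly braces")
    items = [t.strip() for t in body[1:-1].split(",") if t.strip()]
    if not items or len(items) % 2:
        raise ValueError("each destination/len must be followed by a router address")
    return [(ipaddress.IPv4Network(dst), ipaddress.IPv4Address(router))
            for dst, router in zip(items[0::2], items[1::2])]


def encode_classless_static_route(value, code=121):
    """Return the DHCPv4 option TLV (code, length, data) for an ovn-nb
    classless_static_route value, encoded per RFC 3442. The destination is
    sent as only its ceil(len/8) significant octets, so a default route costs
    5 bytes and a /24 costs 8. code=249 gives the Microsoft variant
    (ms_classless_static_route); that it shares the RFC 3442 wire format is
    an assumption of this example."""
    data = bytearray()
    for net, router in parse_ovn_static_routes(value):
        width = net.prefixlen
        data.append(width)                                      # subnet mask width
        data += net.network_address.packed[:(width + 7) // 8]   # significant octets only
        data += router.packed                                   # 4-byte router address
    if len(data) > 255:
        raise ValueError("option payload exceeds the 255-byte DHCPv4 option limit")
    return bytes([code, len(data)]) + bytes(data)


def decode_classless_static_route(tlv, code=121):
    """Inverse of encode_classless_static_route: return the ovn-nb string form.
    Truncated or oversized entries raise ValueError rather than being guessed."""
    if len(tlv) < 2 or tlv[0] != code or tlv[1] != len(tlv) - 2:
        raise ValueError("not a well-formed option TLV")
    data, i, parts = tlv[2:], 0, []
    while i < len(data):
        width = data[i]
        i += 1
        if width > 32:
            raise ValueError(f"prefix length {width} exceeds 32")
        n = (width + 7) // 8
        dst_octets = bytes(data[i:i + n])
        router_octets = bytes(data[i + n:i + n + 4])
        if len(dst_octets) != n or len(router_octets) != 4:
            raise ValueError("truncated route entry")
        i += n + 4
        dst = ipaddress.IPv4Address(dst_octets + b"\0" * (4 - n))  # re-pad to 4 octets
        parts.append(f"{dst}/{width},{ipaddress.IPv4Address(router_octets)}")
    return "{" + ", ".join(parts) + "}"
```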
2674
2675 Boolean DHCP Options:
2676
2677 These options accept a Boolean value, expressed as 0 for false or 1 for
2678 true.
2679
2680 options : ip_forward_enable: optional string, either 0 or 1
2681 The DHCPv4 option code for this option is 19.
2682
2683 options : router_discovery: optional string, either 0 or 1
2684 The DHCPv4 option code for this option is 31.
2685
2686 options : ethernet_encap: optional string, either 0 or 1
2687 The DHCPv4 option code for this option is 36.
2688
2689 Integer DHCP Options:
2690
2691 These options accept a nonnegative integer value.
2692
2693 options : default_ttl: optional string, containing an integer, in range
2694 0 to 255
2695 The DHCPv4 option code for this option is 23.
2696
2697 options : tcp_ttl: optional string, containing an integer, in range 0
2698 to 255
2699 The DHCPv4 option code for this option is 37.
2700
2701 options : mtu: optional string, containing an integer, in range 68 to
2702 65,535
2703 The DHCPv4 option code for this option is 26.
2704
2705 options : T1: optional string, containing an integer, in range 68 to
2706 4,294,967,295
2707 This specifies the time interval from address assignment until
2708 the client begins trying to renew its address. The DHCPv4 option
2709 code for this option is 58.
2710
2711 options : T2: optional string, containing an integer, in range 68 to
2712 4,294,967,295
2713 This specifies the time interval from address assignment until
2714 the client begins trying to rebind its address. The DHCPv4
2715 option code for this option is 59.
2716
2717 options : arp_cache_timeout: optional string, containing an integer, in
2718 range 0 to 255
2719 The DHCPv4 option code for this option is 35. This option speci‐
2720 fies the timeout in seconds for ARP cache entries.
2721
2722 options : tcp_keepalive_interval: optional string, containing an inte‐
2723 ger, in range 0 to 255
2724 The DHCPv4 option code for this option is 38. This option speci‐
2725 fies the interval that the client TCP should wait before sending
2726 a keepalive message on a TCP connection.
2727
2728 String DHCP Options:
2729
2730 These options accept a string value.
2731
2732 options : wpad: optional string
2733 The DHCPv4 option code for this option is 252. This option is
2734 used as part of web proxy auto discovery to provide a URL for a
2735 web proxy.
2736
2737 options : bootfile_name: optional string
2738 The DHCPv4 option code for this option is 67. This option is
2739 used to identify a bootfile.
2740
2741 options : path_prefix: optional string
2742 The DHCPv4 option code for this option is 210. In PXELINUX's
2743 case this option is used to set a common path prefix, instead
2744 of deriving it from the bootfile name.
2745
2746 options : tftp_server_address: optional string
2747 The DHCPv4 option code for this option is 150. The option
2748 contains one or more IPv4 addresses that the client MAY use.
2749 This option is Cisco proprietary; the IEEE standard that
2750 matches this requirement is option 66 (tftp_server).
2751
2752 options : domain_name: optional string
2753 The DHCPv4 option code for this option is 15. This option
2754 specifies the domain name that the client should use when
2755 resolving hostnames via the Domain Name System.
2756
2757 options : bootfile_name_alt: optional string
2758 The "bootfile_name_alt" option is used to support iPXE. When
2759 both "bootfile_name" and "bootfile_name_alt" are provided by the
2760 CMS, "bootfile_name" is used for option 67 if the DHCP request
2761 contains the etherboot option (175); otherwise
2762 "bootfile_name_alt" is used.
2763
2764 options : broadcast_address: optional string
2765 The DHCPv4 option code for this option is 28. This option speci‐
2766 fies the IP address used as a broadcast address.
2767
2768 DHCP Options of type host_id:
2769
2770 These options accept either an IPv4 address or a string value.
2771
2772 options : tftp_server: optional string
2773 The DHCPv4 option code for this option is 66.
2774
2775 DHCP Options of type domains:
2776
2777 These options accept a string value that is a comma-separated list
2778 of domain names. The domain names are encoded as specified in RFC 1035.
2779
2780 options : domain_search_list: optional string
2781 The DHCPv4 option code for this option is 119.
2782
2783 DHCPv6 options:
2784
2785 OVN also implements native DHCPv6 support. The CMS should define the
2786 set of DHCPv6 options as key/value pairs. The defined DHCPv6 options
2787 are included in the DHCPv6 response to the DHCPv6
2788 Solicit/Request/Confirm packet from logical ports whose IPv6
2789 addresses are in the cidr.
2790
2791 Mandatory DHCPv6 options:
2792
2793 The following options must be defined.
2794
2795 options : server_id: optional string
2796 The Ethernet address for the DHCP server to use. This is also
2797 included in the DHCPv6 reply as option 2, ``Server Identifier’’,
2798 which carries a DUID identifying the server to the client.
2799 ovn-controller builds the DUID from the link-layer address
2800 [DUID-LL].
2801
2802 IPv6 DHCPv6 options:
2803
2804 Below are the supported DHCPv6 options whose values are an IPv6
2805 address, e.g. aef0::4. Some options accept multiple IPv6 addresses
2806 enclosed within curly braces, e.g. {aef0::4, aef0::5}. Please refer to
2807 RFC 3315 for more details on DHCPv6 options and their codes.
2808
2809 options : dns_server: optional string
2810 The DHCPv6 option code for this option is 23. This option speci‐
2811 fies the DNS servers that the VM should use.
2812
2813 String DHCPv6 options:
2814
2815 These options accept string values.
2816
2817 options : domain_search: optional string
2818 The DHCPv6 option code for this option is 24. This option speci‐
2819 fies the domain search list the client should use to resolve
2820 hostnames with DNS.
2821
2822 Example: "ovn.org".
2823
2824 options : dhcpv6_stateless: optional string
2825 This option specifies that OVN native DHCPv6 works in stateless
2826 mode, which means that OVN native DHCPv6 does not offer IPv6
2827 addresses to VM/VIF ports but only replies with other
2828 configuration, such as DNS servers and the domain search list.
2829 When this option is set to the string value "true", the VM/VIF
2830 configures its IPv6 addresses statelessly. The default value for
2831 this option is false.
2831
2832 Common Columns:
2833
2834 external_ids: map of string-string pairs
2835 See External IDs at the beginning of this document.
2836
2837 Connection TABLE
2838 Configuration for a database connection to an Open vSwitch database
2839 (OVSDB) client.
2840
2841 This table primarily configures the Open vSwitch database server
2842 (ovsdb-server).
2843
2844 The Open vSwitch database server can initiate and maintain active con‐
2845 nections to remote clients. It can also listen for database connec‐
2846 tions.
2847
2848 Summary:
2849 Core Features:
2850 target string (must be unique within table)
2851 Client Failure Detection and Handling:
2852 max_backoff optional integer, at least 1,000
2853 inactivity_probe optional integer
2854 Status:
2855 is_connected boolean
2856 status : last_error optional string
2857 status : state optional string, one of ACTIVE, BACKOFF,
2858 CONNECTING, IDLE, or VOID
2859 status : sec_since_connect optional string, containing an integer,
2860 at least 0
2861 status : sec_since_disconnect
2862 optional string, containing an integer,
2863 at least 0
2864 status : locks_held optional string
2865 status : locks_waiting optional string
2866 status : locks_lost optional string
2867 status : n_connections optional string, containing an integer,
2868 at least 2
2869 status : bound_port optional string, containing an integer
2870 Common Columns:
2871 external_ids map of string-string pairs
2872 other_config map of string-string pairs
2873
2874 Details:
2875 Core Features:
2876
2877 target: string (must be unique within table)
2878 Connection methods for clients.
2879
2880 The following connection methods are currently supported:
2881
2882 ssl:host[:port]
2883 The specified SSL port on the given host, which can
2884 either be a DNS name (if built with the unbound library)
2885 or an IP address. A valid SSL configuration must be
2886 provided when this form is used; it can be specified via
2887 command-line options or the SSL table.
2889
2890 If port is not specified, it defaults to 6640.
2891
2892 SSL support is an optional feature that is not always
2893 built as part of Open vSwitch.
2894
2895 tcp:host[:port]
2896 The specified TCP port on the given host, which can
2897 either be a DNS name (if built with the unbound library)
2898 or an IP address. If host is an IPv6 address, wrap it in
2899 square brackets, e.g. tcp:[::1]:6640.
2900
2901 If port is not specified, it defaults to 6640.
2902
2903 pssl:[port][:host]
2904 Listens for SSL connections on the specified TCP port.
2905 Specify 0 for port to have the kernel automatically
2906 choose an available port. If host, which can either be a
2907 DNS name (if built with the unbound library) or an IP
2908 address, is specified, then connections are restricted to
2909 the resolved or specified local IP address (either IPv4
2910 or IPv6). If host is an IPv6 address, wrap it in square
2911 brackets, e.g. pssl:6640:[::1]. If host is not specified
2912 then it listens only on IPv4 (but not IPv6) addresses. A
2913 valid SSL configuration must be provided when this form
2914 is used; it can be specified either via command-line
2915 options or the SSL table.
2916
2917 If port is not specified, it defaults to 6640.
2918
2919 SSL support is an optional feature that is not always
2920 built as part of Open vSwitch.
2921
2922 ptcp:[port][:host]
2923 Listens for connections on the specified TCP port. Specify
2924 0 for port to have the kernel automatically choose an
2925 available port. If host, which can either be a DNS name
2926 (if built with the unbound library) or an IP address, is
2927 specified, then connections are restricted to the
2928 resolved or specified local IP address (either IPv4 or
2929 IPv6). If host is an IPv6 address, wrap it in square
2930 brackets, e.g. ptcp:6640:[::1]. If host is not specified
2931 then it listens only on IPv4 addresses.
2932
2933 If port is not specified, it defaults to 6640.
2934
2935 When multiple clients are configured, the target values must be
2936 unique. Duplicate target values yield unspecified results.
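A parser for the four target forms listed above, covering bracketed IPv6 hosts, the 6640 default, the IPv4-only behaviour of a listener without a host, and a check across rows for the duplicate-target and plaintext-listener cases. This is an added example, not OVS/OVN code; the keys of the returned dict are this example's own names.

```python
DEFAULT_PORT = 6640
METHODS = {"ssl", "tcp", "pssl", "ptcp"}


def _split_host_port(rest, listener):
    """Split the part after "method:" into (host, port_string).

    Active forms are host[:port]; passive forms are [port][:host]. An IPv6
    host is written in square brackets, e.g. tcp:[::1]:6640 or pssl:6640:[::1]."""
    if listener:
        port, _, host = rest.partition(":")
    elif rest.startswith("["):
        end = rest.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, tail = rest[:end + 1], rest[end + 1:]
        if tail and not tail.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port = tail[1:]
    else:
        host, _, port = rest.partition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, port


def parse_connection_target(target):
    """Parse a Connection.target string; returns a dict with the method, host, port
    and derived properties, or raises ValueError for a form the schema does not list."""
    method, sep, rest = target.partition(":")
    if not sep or method not in METHODS:
        raise ValueError(f"unsupported connection method in {target!r}")
    listener = method in ("pssl", "ptcp")
    host, port_s = _split_host_port(rest, listener)
    if not listener and not host:
        raise ValueError("active connection methods require a host")
    if port_s == "":
        port = DEFAULT_PORT
    elif port_s.isdigit() and int(port_s) <= 65535:
        port = int(port_s)      # 0 is valid for listeners: the kernel picks a port
    else:
        raise ValueError(f"invalid port {port_s!r}")
    return {
        "method": method,
        "host": host or None,
        "port": port,
        "listener": listener,
        "encrypted": method in ("ssl", "pssl"),   # these forms need the SSL table or CLI options
        "ipv4_only": listener and not host,       # a listener without host binds IPv4 only
    }


def check_connection_targets(targets):
    """Review the target column across Connection rows: duplicates yield unspecified
    results per the schema, and a listener without SSL is worth flagging."""
    findings, seen = [], set()
    for t in targets:
        if t in seen:
            findings.append(f"duplicate target {t!r}")
        seen.add(t)
        info = parse_connection_target(t)
        if info["listener"] and not info["encrypted"]:
            findings.append(f"{t!r} listens without SSL; use pssl: with the SSL table")
    return findings
```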
2937
2938 Client Failure Detection and Handling:
2939
2940 max_backoff: optional integer, at least 1,000
2941 Maximum number of milliseconds to wait between connection
2942 attempts. Default is implementation-specific.
2943
2944 inactivity_probe: optional integer
2945 Maximum number of milliseconds of idle time on the connection
2946 to the client before sending an inactivity probe message. If
2947 Open vSwitch does not communicate with the client for the
2948 specified interval, it sends a probe. If a response is not
2949 received within the same additional amount of time, Open
2950 vSwitch assumes the connection has been broken and attempts to
2951 reconnect. Default is implementation-specific. A value of 0
2952 disables inactivity probes.
2953
2954 Status:
2955
2956 The key-value pair is_connected is always updated. Whether the
2957 other key-value pairs in the status column are updated depends
2958 on the target type.
2958
2959 When target specifies a connection method that listens for inbound con‐
2960 nections (e.g. ptcp: or punix:), both n_connections and is_connected
2961 may also be updated while the remaining key-value pairs are omitted.
2962
2963 On the other hand, when target specifies an outbound connection,
2964 all key-value pairs may be updated except the two key-value pairs
2965 mentioned above, which are associated with inbound connection
2966 targets and are omitted.
2967
2968 is_connected: boolean
2969 true if currently connected to this client, false otherwise.
2970
2971 status : last_error: optional string
2972 A human-readable description of the last error on the connection
2973 to the manager; i.e. strerror(errno). This key will exist only
2974 if an error has occurred.
2975
2976 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
2977 IDLE, or VOID
2978 The state of the connection to the manager:
2979
2980 VOID Connection is disabled.
2981
2982 BACKOFF
2983 Attempting to reconnect at an increasing period.
2984
2985 CONNECTING
2986 Attempting to connect.
2987
2988 ACTIVE Connected, remote host responsive.
2989
2990 IDLE Connection is idle. Waiting for response to keep-alive.
2991
2992 These values may change in the future. They are provided only
2993 for human consumption.
2994
2995 status : sec_since_connect: optional string, containing an integer, at
2996 least 0
2997 The amount of time since this client last successfully connected
2998 to the database (in seconds). Value is empty if the client has
2999 never successfully connected.
3000
3001 status : sec_since_disconnect: optional string, containing an integer,
3002 at least 0
3003 The amount of time since this client last disconnected from the
3004 database (in seconds). Value is empty if the client has never
3005 disconnected.
3006
3007 status : locks_held: optional string
3008 Space-separated list of the names of OVSDB locks that the con‐
3009 nection holds. Omitted if the connection does not hold any
3010 locks.
3011
3012 status : locks_waiting: optional string
3013 Space-separated list of the names of OVSDB locks that the con‐
3014 nection is currently waiting to acquire. Omitted if the connec‐
3015 tion is not waiting for any locks.
3016
3017 status : locks_lost: optional string
3018 Space-separated list of the names of OVSDB locks that the con‐
3019 nection has had stolen by another OVSDB client. Omitted if no
3020 locks have been stolen from this connection.
3021
3022 status : n_connections: optional string, containing an integer, at
3023 least 2
3024 When target specifies a connection method that listens for
3025 inbound connections (e.g. ptcp: or pssl:) and more than one con‐
3026 nection is actually active, the value is the number of active
3027 connections. Otherwise, this key-value pair is omitted.
3028
3029 status : bound_port: optional string, containing an integer
3030 When target is ptcp: or pssl:, this is the TCP port on which the
3031 OVSDB server is listening. (This is particularly useful when
3032 target specifies a port of 0, allowing the kernel to choose any
3033 available port.)
3034
3035 Common Columns:
3036
3037 The overall purpose of these columns is described under Common Columns
3038 at the beginning of this document.
3039
3040 external_ids: map of string-string pairs
3041
3042 other_config: map of string-string pairs
3043
3044 DNS TABLE
3045 Each row in this table stores the DNS records. The Logical_Switch
3046 table’s dns_records column references these records.
3047
3048 Summary:
3049 records map of string-string pairs
3050 external_ids map of string-string pairs
3051
3052 Details:
3053 records: map of string-string pairs
3054 Key-value pairs of DNS records, with the DNS query name as the
3055 key and a string of IP address(es) separated by commas or spaces
3056 as the value.
3056
3057 Example: "vm1.ovn.org" = "10.0.0.4 aef0::4"
3058
3059 external_ids: map of string-string pairs
3060 See External IDs at the beginning of this document.
3061
3062 SSL TABLE
3063 SSL configuration for ovn-nb database access.
3064
3065 Summary:
3066 private_key string
3067 certificate string
3068 ca_cert string
3069 bootstrap_ca_cert boolean
3070 ssl_protocols string
3071 ssl_ciphers string
3072 Common Columns:
3073 external_ids map of string-string pairs
3074
3075 Details:
3076 private_key: string
3077 Name of a PEM file containing the private key used as the
3078 switch’s identity for SSL connections to the controller.
3079
3080 certificate: string
3081 Name of a PEM file containing a certificate, signed by the cer‐
3082 tificate authority (CA) used by the controller and manager, that
3083 certifies the switch’s private key, identifying a trustworthy
3084 switch.
3085
3086 ca_cert: string
3087 Name of a PEM file containing the CA certificate used to verify
3088 that the switch is connected to a trustworthy controller.
3089
3090 bootstrap_ca_cert: boolean
3091 If set to true, then Open vSwitch will attempt to obtain the CA
3092 certificate from the controller on its first SSL connection and
3093 save it to the named PEM file. If it is successful, it will
3094 immediately drop the connection and reconnect, and from then on
3095 all SSL connections must be authenticated by a certificate
3096 signed by the CA certificate thus obtained. This option exposes
3097 the SSL connection to a man-in-the-middle attack obtaining the
3098 initial CA certificate. It may still be useful for bootstrap‐
3099 ping.
3100
3101 ssl_protocols: string
3102 List of SSL protocols to be enabled for SSL connections. The
3103 default when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.
3104
3105 ssl_ciphers: string
3106 List of ciphers (in OpenSSL cipher string format) to be sup‐
3107 ported for SSL connections. The default when this option is
3108 omitted is HIGH:!aNULL:!MD5.
3109
3110 Common Columns:
3111
3112 The overall purpose of these columns is described under Common Columns
3113 at the beginning of this document.
3114
3115 external_ids: map of string-string pairs
3116
3117 Gateway_Chassis TABLE
3118 Association of a chassis to a logical router port. The traffic going
3119 out through a specific router port will be redirected to a chassis, or
3120 a set of them in high availability configurations.
3121
3122 Summary:
3123 name string (must be unique within table)
3124 chassis_name string
3125 priority integer, in range 0 to 32,767
3126 options map of string-string pairs
3127 Common Columns:
3128 external_ids map of string-string pairs
3129
3130 Details:
3131 name: string (must be unique within table)
3132 Name of the Gateway_Chassis.
3133
3134 A suggested, but not required naming convention is
3135 ${port_name}_${chassis_name}.
3136
3137 chassis_name: string
3138 Name of the chassis that we want to redirect traffic through for
3139 the associated logical router port. The value must match the
3140 name column of the Chassis table in the OVN_Southbound database.
3141
3142 priority: integer, in range 0 to 32,767
3143 This is the priority of a chassis among all Gateway_Chassis
3144 belonging to the same logical router port.
3145
3146 options: map of string-string pairs
3147 Reserved for future use.
3148
3149 Common Columns:
3150
3151 external_ids: map of string-string pairs
3152 See External IDs at the beginning of this document.
3153
3154 HA_Chassis_Group TABLE
3155 Table representing a group of chassis which can provide high
3156 availability services. Each chassis in the group is represented by the
3157 table HA_Chassis. The HA chassis with the highest priority is the
3158 master of this group. If failover of the master chassis is detected,
3159 the HA chassis with the next highest priority takes over
3160 responsibility for providing the HA. If a distributed gateway router
3161 port references a row in this table, then the master HA chassis in this
3162 group provides the gateway functionality.
3163
3164 Summary:
3165 name string (must be unique within table)
3166 ha_chassis set of HA_Chassises
3167 Common Columns:
3168 external_ids map of string-string pairs
3169
3170 Details:
3171 name: string (must be unique within table)
3172 Name of the HA_Chassis_Group. Name should be unique.
3173
3174 ha_chassis: set of HA_Chassises
3175 A list of HA chassis which belong to this group.
3176
3177 Common Columns:
3178
3179 external_ids: map of string-string pairs
3180 See External IDs at the beginning of this document.
3181
3182 HA_Chassis TABLE
3183 Summary:
3184 chassis_name string
3185 priority integer, in range 0 to 32,767
3186 Common Columns:
3187 external_ids map of string-string pairs
3188
3189 Details:
3190 chassis_name: string
3191 Name of the chassis which is part of the HA chassis group. The
3192 value must match the name column of the Chassis table in the
3193 OVN_Southbound database.
3194
3195 priority: integer, in range 0 to 32,767
3196 Priority of the chassis. Chassis with highest priority will be
3197 the master.
3198
3199 Common Columns:
3200
3201 external_ids: map of string-string pairs
3202 See External IDs at the beginning of this document.
3203
3204 BFD TABLE
3205 Contains the BFD parameters for the ovn-controller BFD configuration.
3206
3207 Summary:
3208 Configuration:
3209 logical_port string
3210 dst_ip string
3211 min_tx optional integer, at least 1
3212 min_rx optional integer
3213 detect_mult optional integer, at least 1
3214 options map of string-string pairs
3215 external_ids map of string-string pairs
3216 Status Reporting:
3217 status optional string, one of admin_down, down,
3218 init, or up
3219
3220 Details:
3221 Configuration:
3222
3223 logical_port: string
3224 OVN logical port on which the BFD engine is running.
3225
3226 dst_ip: string
3227 BFD peer IP address.
3228
3229 min_tx: optional integer, at least 1
3230 This is the minimum interval, in milliseconds, that the local
3231 system would like to use when transmitting BFD Control packets,
3232 less any jitter applied. The value zero is reserved. Default
3233 value is 1000 ms.
3234
3235 min_rx: optional integer
3236 This is the minimum interval, in milliseconds, between received
3237 BFD Control packets that this system is capable of supporting,
3238 less any jitter applied by the sender. If this value is zero,
3239 the transmitting system does not want the remote system to send
3240 any periodic BFD Control packets.
3241
3242 detect_mult: optional integer, at least 1
3243 Detection time multiplier. The negotiated transmit interval,
3244 multiplied by this value, provides the Detection Time for the
3245 receiving system in Asynchronous mode. Default value is 5.
3246
3247 options: map of string-string pairs
3248 Reserved for future use.
3249
3250 external_ids: map of string-string pairs
3251 See External IDs at the beginning of this document.
3252
3253 Status Reporting:
3254
3255 status: optional string, one of admin_down, down, init, or up
3256 BFD port logical states. Possible values are:
3257
3258 · admin_down
3259
3260 · down
3261
3262 · init
3263
3264 · up
3265
3266
3267
3268 Open vSwitch 20.12.0 DB Schema 5.31.0 ovn-nb(5)