ovn-nb(5)                   Open vSwitch Manual                   ovn-nb(5)

NAME
ovn-nb - OVN_Northbound database schema

This database is the interface between OVN and the cloud management
system (CMS), such as OpenStack, running above it. The CMS produces
almost all of the contents of the database. The ovn-northd program
monitors the database contents, transforms it, and stores it into the
OVN_Southbound database.

We generally speak of "the" CMS, but one can imagine scenarios in
which multiple CMSes manage different parts of an OVN deployment.

External IDs
Each of the tables in this database contains a special column, named
external_ids. This column has the same form and purpose each place it
appears.

external_ids: map of string-string pairs
    Key-value pairs for use by the CMS. The CMS might use certain
    pairs, for example, to identify entities in its own configuration
    that correspond to those in this database.

TABLE SUMMARY
The following list summarizes the purpose of each of the tables in the
OVN_Northbound database. Each table is described in more detail on a
later page.

Table                         Purpose
NB_Global                     Northbound configuration
Copp                          Control plane protection
Logical_Switch                L2 logical switch
Logical_Switch_Port           L2 logical switch port
Forwarding_Group              forwarding group
Address_Set                   Address Sets
Port_Group                    Port Groups
Load_Balancer                 load balancer
Load_Balancer_Group           load balancer group
Load_Balancer_Health_Check    load balancer
ACL                           Access Control List (ACL) rule
Logical_Router                L3 logical router
QoS                           QoS rule
Meter                         Meter entry
Meter_Band                    Band for meter entries
Logical_Router_Port           L3 logical router port
Logical_Router_Static_Route   Logical router static routes
Logical_Router_Policy         Logical router policies
NAT                           NAT rules
DHCP_Options                  DHCP options
Connection                    OVSDB client connections.
DNS                           Native DNS resolution
SSL                           SSL configuration.
Gateway_Chassis               Gateway_Chassis configuration.
HA_Chassis_Group              HA_Chassis_Group configuration.
HA_Chassis                    HA_Chassis configuration.
BFD                           BFD configuration.

NB_Global TABLE
Northbound configuration for an OVN system. This table must have
exactly one row.

Summary:
  Identity:
    name                                      string
  Status:
    nb_cfg                                    integer
    nb_cfg_timestamp                          integer
    sb_cfg                                    integer
    sb_cfg_timestamp                          integer
    hv_cfg                                    integer
    hv_cfg_timestamp                          integer
  Common Columns:
    external_ids                              map of string-string pairs
  Common options:
    options                                   map of string-string pairs
    Options for configuring OVS BFD:
      options : bfd-min-rx                    optional string
      options : bfd-decay-min-rx              optional string
      options : bfd-min-tx                    optional string
      options : bfd-mult                      optional string
    options : mac_prefix                      optional string
    options : controller_event                optional string, either true or false
    options : northd_probe_interval           optional string
    options : use_logical_dp_groups           optional string
    options : use_parallel_build              optional string
    options : ignore_lsp_down                 optional string
    options : use_ct_inv_match                optional string
    Options for configuring interconnection route advertisement:
      options : ic-route-adv                  optional string
      options : ic-route-learn                optional string
      options : ic-route-adv-default          optional string
      options : ic-route-learn-default        optional string
      options : ic-route-blacklist            optional string
  Connection Options:
    connections                               set of Connections
    ssl                                       optional SSL
  Security Configurations:
    ipsec                                     boolean
  Read-only Options:
    options : max_tunid                       optional string

Details:
Identity:

name: string
    The name of the OVN cluster, which uniquely identifies the OVN
    cluster throughout all OVN clusters supposed to interconnect with
    each other.

Status:

These columns allow a client to track the overall configuration state
of the system.

nb_cfg: integer
    Sequence number for client to increment. When a client modifies any
    part of the northbound database configuration and wishes to wait
    for ovn-northd and possibly all of the hypervisors to finish
    applying the changes, it may increment this sequence number.

nb_cfg_timestamp: integer
    The timestamp, in milliseconds since the epoch, when ovn-northd
    sees the latest nb_cfg and starts processing.

    To print the timestamp as a human-readable date:

        date -d "@$(ovn-nbctl get NB_Global . nb_cfg_timestamp | sed 's/...$//')"

sb_cfg: integer
    Sequence number that ovn-northd sets to the value of nb_cfg after
    it finishes applying the corresponding configuration changes to the
    OVN_Southbound database.

sb_cfg_timestamp: integer
    The timestamp, in milliseconds since the epoch, when ovn-northd
    finishes applying the corresponding configuration changes to the
    OVN_Southbound database successfully.

hv_cfg: integer
    Sequence number that ovn-northd sets to the smallest sequence
    number of all the chassis in the system, as reported in the
    Chassis_Private table in the southbound database. Thus, hv_cfg
    equals nb_cfg if all chassis are caught up with the northbound
    configuration (which may never happen, if any chassis is down).
    This value can regress, if a chassis was removed from the system
    and rejoins before catching up.

    If there are no chassis, then ovn-northd copies nb_cfg to hv_cfg.
    Thus, in this case, the (nonexistent) hypervisors are always
    considered to be caught up. This means that hypervisors can be
    "caught up" even in cases where sb_cfg would show that the
    southbound database is not. To detect when both the hypervisors and
    the southbound database are caught up, a client should take the
    smaller of sb_cfg and hv_cfg.

hv_cfg_timestamp: integer
    The largest timestamp, in milliseconds since the epoch, of the
    smallest sequence number of all the chassis in the system, as
    reported in the Chassis_Private table in the southbound database.
    In other words, this timestamp reflects the time when the slowest
    chassis catches up with the northbound configuration, which is
    useful for end-to-end control plane latency measurement.

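The wait-for-sync rule described for the Status columns, as an added Python example (not part of the OVN manual or of OVN's own code). The NbGlobalStatus class, the function names and the sample rows are constructed for illustration, and computing latency as a difference of the timestamp columns is an assumption about how a client would use them.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class NbGlobalStatus:
    """Status columns of the single NB_Global row (timestamps in ms)."""
    nb_cfg: int
    nb_cfg_timestamp: int
    sb_cfg: int
    sb_cfg_timestamp: int
    hv_cfg: int
    hv_cfg_timestamp: int


def applied_cfg(s: NbGlobalStatus) -> int:
    """Sequence number applied by BOTH the southbound DB and all chassis.

    hv_cfg alone is not enough: with no chassis, ovn-northd copies nb_cfg
    into hv_cfg, so the smaller of sb_cfg and hv_cfg must be used.
    """
    return min(s.sb_cfg, s.hv_cfg)


def first_synced(polls: Iterable[NbGlobalStatus], target: int) -> Optional[int]:
    """Index of the first poll at which `target` is fully applied, or None.

    `target` is the nb_cfg value the client wrote when it incremented the
    column. Every poll is evaluated on its own because hv_cfg can regress.
    """
    for i, s in enumerate(polls):
        if applied_cfg(s) >= target:
            return i
    return None


def latencies_ms(s: NbGlobalStatus) -> Optional[Dict[str, int]]:
    """Control plane latencies for the current nb_cfg, or None if not synced.

    Assumption: latency is measured from nb_cfg_timestamp.
    """
    if applied_cfg(s) < s.nb_cfg:
        return None
    return {
        "southbound": s.sb_cfg_timestamp - s.nb_cfg_timestamp,
        "end_to_end": s.hv_cfg_timestamp - s.nb_cfg_timestamp,
    }


# Constructed sample polls of NB_Global after a client set nb_cfg to 7.
T0 = 1_700_000_000_000
POLLS = [
    NbGlobalStatus(7, T0, 6, T0 - 5000, 6, T0 - 4000),  # nothing applied yet
    NbGlobalStatus(7, T0, 7, T0 + 40, 6, T0 - 4000),    # southbound done
    NbGlobalStatus(7, T0, 7, T0 + 40, 5, T0 - 9000),    # hv_cfg regressed
    NbGlobalStatus(7, T0, 7, T0 + 40, 7, T0 + 350),     # all chassis done
]

# Constructed no-chassis case: hv_cfg mirrors nb_cfg while sb_cfg lags.
NO_CHASSIS = NbGlobalStatus(8, T0, 7, T0 - 100, 8, T0)

if __name__ == "__main__":
    print("synced at poll", first_synced(POLLS, 7))
    print("latencies", latencies_ms(POLLS[3]))
    print("no-chassis applied cfg", applied_cfg(NO_CHASSIS))
```
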
Common Columns:

external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

Common options:

options: map of string-string pairs
    This column provides general key/value settings. The supported
    options are described individually below.

Options for configuring OVS BFD:

These options apply when ovn-controller configures OVS BFD on tunnel
interfaces. Please note that these parameters refer to the legacy OVS
BFD implementation and not to the OVN BFD one.

options : bfd-min-rx: optional string
    BFD option min-rx value to use when configuring BFD on tunnel
    interfaces.

options : bfd-decay-min-rx: optional string
    BFD option decay-min-rx value to use when configuring BFD on
    tunnel interfaces.

options : bfd-min-tx: optional string
    BFD option min-tx value to use when configuring BFD on tunnel
    interfaces.

options : bfd-mult: optional string
    BFD option mult value to use when configuring BFD on tunnel
    interfaces.

options : mac_prefix: optional string
    Configure a given OUI to be used as prefix when L2 address is
    dynamically assigned, e.g. 00:11:22

options : controller_event: optional string, either true or false
    Value set by the CMS to enable/disable ovn-controller event
    reporting. Traffic into OVS can raise a 'controller' event that
    results in a Controller_Event being written to the
    Controller_Event table in SBDB. When the CMS has seen the event
    and taken appropriate action, it can remove the corresponding row
    in the Controller_Event table. The intention is for a CMS to see
    the events and take some sort of action. Please see the
    Controller_Event table in SBDB. It is possible to associate a
    meter to each controller event type in order to not overload the
    pinctrl thread under heavy load. Each event type relies on a meter
    with a defined name:

    •  empty_lb_backends: event-elb

options : northd_probe_interval: optional string
    The inactivity probe interval of the connection to the OVN
    Northbound and Southbound databases from ovn-northd, in
    milliseconds. If the value is zero, it disables the connection
    keepalive feature.

    If the value is nonzero, then it will be forced to a value of at
    least 1000 ms.

options : use_logical_dp_groups: optional string
    If set to true, ovn-northd will combine logical flows that differ
    only by logical datapath into a single logical flow with a logical
    datapath group attached.

    While this should significantly reduce the number of logical flows
    stored in the Southbound database, it could also increase
    processing complexity on the ovn-controller side, e.g.,
    ovn-controller will re-consider a logical flow for all logical
    datapaths in a group. If the option is set to false, there will be
    a separate logical flow per logical datapath and only this flow
    will be re-considered.

    The default value is false.

options : use_parallel_build: optional string
    If set to true, ovn-northd will attempt to compute logical flows
    in parallel.

    Parallel computation is enabled only if the system has 4 or more
    cores/threads available to be used by ovn-northd.

    The default value is false.

options : ignore_lsp_down: optional string
    If set to false, ARP/ND reply flows for logical switch ports will
    be installed only if the port is up, i.e. claimed by a Chassis. If
    set to true, these flows are installed regardless of the status of
    the port, which can result in a situation where an ARP request to
    an IP is resolved even before the relevant VM/container is
    running. For environments where this is not an issue, setting it
    to true can reduce the load and latency of the control plane. The
    default value is true.

options : use_ct_inv_match: optional string
    If set to false, ovn-northd will not use the ct.inv field in any
    of the logical flow matches. The default value is true. If the NIC
    supports offloading OVS datapath flows but doesn't support
    offloading the ct_state inv flag, then the datapath flows matching
    on this flag (either +inv or -inv) will not be offloaded. The CMS
    should consider setting use_ct_inv_match to false in such cases.
    This has the side effect that invalid packets, which otherwise
    would have been dropped by OVN, get delivered to the destination
    VIF.

Options for configuring interconnection route advertisement:

These options control how routes are advertised between OVN
deployments for interconnection. If enabled, ovn-ic instances from
different OVN deployments exchange routes with each other through the
global OVN_IC_Southbound database. Only routers with ports connected
to interconnection transit switches participate in route
advertisement. For each of these routers, there are two types of
routes to be advertised:

Firstly, the static routes configured in the router are advertised.

Secondly, the networks configured in the logical router ports that are
not on the transit switches are advertised. These are considered as
directly connected subnets on the router.

Link local prefixes (IPv4 169.254.0.0/16 and IPv6 FE80::/10) are never
advertised.

The learned routes are added to the static_routes column of the
Logical_Router table, with external_ids:ic-learned-route set to the
uuid of the row in the Route table of the OVN_IC_Southbound database.

options : ic-route-adv: optional string
    A boolean value that enables route advertisement to the global
    OVN_IC_Southbound database. Default is false.

options : ic-route-learn: optional string
    A boolean value that enables route learning from the global
    OVN_IC_Southbound database. Default is false.

options : ic-route-adv-default: optional string
    A boolean value that enables advertising default route to the
    global OVN_IC_Southbound database. Default is false. This option
    takes effect only when option ic-route-adv is true.

options : ic-route-learn-default: optional string
    A boolean value that enables learning default route from the
    global OVN_IC_Southbound database. Default is false. This option
    takes effect only when option ic-route-learn is true.

options : ic-route-blacklist: optional string
    A string value that contains a list of CIDRs delimited by ",". A
    route will not be advertised or learned if the route's prefix
    belongs to any of the CIDRs listed.

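A CMS or an auditor can predict which prefixes these options let cross the interconnection boundary. The following added Python example (not part of the OVN manual and not ovn-ic's own code) models the rules stated above. It assumes that "belongs to" means the route prefix is contained in a listed CIDR and that the string "true" is the enabling value; the function names and sample options are constructed.

```python
import ipaddress

# Link-local prefixes that the text above says are never advertised.
LINK_LOCAL = (
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fe80::/10"),
)


def _is_true(options, key):
    """Options are optional strings; an absent key means the default, false."""
    return options.get(key, "false").strip().lower() == "true"


def _parse_blacklist(value):
    """Split the ","-delimited CIDR list of ic-route-blacklist."""
    return [
        ipaddress.ip_network(item.strip(), strict=False)
        for item in value.split(",")
        if item.strip()
    ]


def _covered_by(prefix, nets):
    """True if prefix lies inside any network of the same IP version."""
    return any(
        prefix.version == net.version and prefix.subnet_of(net) for net in nets
    )


def route_decision(prefix, options, direction):
    """Return (allowed, reason) for advertising or learning one prefix.

    direction is "adv" or "learn"; options is the NB_Global options map.
    """
    if direction not in ("adv", "learn"):
        raise ValueError("direction must be 'adv' or 'learn'")
    net = ipaddress.ip_network(prefix, strict=False)

    if not _is_true(options, f"ic-route-{direction}"):
        return False, f"ic-route-{direction} is not true"
    if direction == "adv" and _covered_by(net, LINK_LOCAL):
        return False, "link-local prefixes are never advertised"
    if net.prefixlen == 0 and not _is_true(options, f"ic-route-{direction}-default"):
        return False, f"default route needs ic-route-{direction}-default"
    blacklist = _parse_blacklist(options.get("ic-route-blacklist", ""))
    if _covered_by(net, blacklist):
        return False, "prefix belongs to ic-route-blacklist"
    return True, "allowed"


# Constructed NB_Global options for the demonstration.
SAMPLE_OPTIONS = {
    "ic-route-adv": "true",
    "ic-route-learn": "true",
    "ic-route-blacklist": "10.0.0.0/8, fd00::/8",
}

if __name__ == "__main__":
    for p in ("192.168.10.0/24", "10.1.2.0/24", "169.254.1.0/24", "0.0.0.0/0"):
        print(p, route_decision(p, SAMPLE_OPTIONS, "adv"))
```
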
Connection Options:

connections: set of Connections
    Database clients to which the Open vSwitch database server should
    connect or on which it should listen, along with options for how
    these connections should be configured. See the Connection table
    for more information.

ssl: optional SSL
    Global SSL configuration.

Security Configurations:

ipsec: boolean
    Tunnel encryption configuration. If this column is set to be true,
    all OVN tunnels will be encrypted with IPsec.

Read-only Options:

options : max_tunid: optional string
    The maximum supported tunnel ID. Depends on types of encapsulation
    enabled in the cluster.

Copp TABLE
This table is used to define control plane protection policies, i.e.,
associate entries from table Meter to control protocol names.

Summary:
  meters : arp                                optional string
  meters : arp-resolve                        optional string
  meters : dhcpv4-opts                        optional string
  meters : dhcpv6-opts                        optional string
  meters : dns                                optional string
  meters : event-elb                          optional string
  meters : icmp4-error                        optional string
  meters : icmp6-error                        optional string
  meters : igmp                               optional string
  meters : nd-na                              optional string
  meters : nd-ns                              optional string
  meters : nd-ns-resolve                      optional string
  meters : nd-ra-opts                         optional string
  meters : tcp-reset                          optional string
  meters : bfd                                optional string
  meters : reject                             optional string

Details:
meters : arp: optional string
    Rate limiting meter for ARP packets (request/reply) used for
    learning neighbors.

meters : arp-resolve: optional string
    Rate limiting meter for packets that require resolving the
    next-hop (through ARP).

meters : dhcpv4-opts: optional string
    Rate limiting meter for packets that require adding DHCPv4
    options.

meters : dhcpv6-opts: optional string
    Rate limiting meter for packets that require adding DHCPv6
    options.

meters : dns: optional string
    Rate limiting meter for DNS query packets that need to be replied
    to.

meters : event-elb: optional string
    Rate limiting meter for empty load balancer events.

meters : icmp4-error: optional string
    Rate limiting meter for packets that require replying with an ICMP
    error.

meters : icmp6-error: optional string
    Rate limiting meter for packets that require replying with an
    ICMPv6 error.

meters : igmp: optional string
    Rate limiting meter for IGMP packets.

meters : nd-na: optional string
    Rate limiting meter for ND neighbor advertisement packets used for
    learning neighbors.

meters : nd-ns: optional string
    Rate limiting meter for ND neighbor solicitation packets used for
    learning neighbors.

meters : nd-ns-resolve: optional string
    Rate limiting meter for packets that require resolving the
    next-hop (through ND).

meters : nd-ra-opts: optional string
    Rate limiting meter for packets that require adding ND router
    advertisement options.

meters : tcp-reset: optional string
    Rate limiting meter for packets that require replying with TCP RST
    packet.

meters : bfd: optional string
    Rate limiting meter for BFD packets.

meters : reject: optional string
    Rate limiting meter for packets that trigger a reject action

Logical_Switch TABLE
Each row represents one L2 logical switch.

There are two kinds of logical switches, that is, ones that fully
virtualize the network (overlay logical switches) and ones that
provide simple connectivity to physical networks (bridged logical
switches). They work in the same way when providing connectivity
between logical ports on same chassis, but differently when connecting
remote logical ports. Overlay logical switches connect remote logical
ports by tunnels, while bridged logical switches provide connectivity
to remote ports by bridging the packets to directly connected physical
L2 segments with the help of localnet ports. Each bridged logical
switch has one or more localnet ports, which have only one special
address unknown.

Summary:
  ports                                       set of Logical_Switch_Ports
  load_balancer                               set of weak reference to Load_Balancers
  load_balancer_group                         set of Load_Balancer_Groups
  acls                                        set of ACLs
  qos_rules                                   set of QoSes
  dns_records                                 set of weak reference to DNSes
  forwarding_groups                           set of Forwarding_Groups
  Naming:
    name                                      string
    external_ids : neutron:network_name       optional string
  IP Address Assignment:
    other_config : subnet                     optional string
    other_config : exclude_ips                optional string
    other_config : ipv6_prefix                optional string
    other_config : mac_only                   optional string, either true or false
  IP Multicast Snooping Options:
    other_config : mcast_snoop                optional string, either true or false
    other_config : mcast_querier              optional string, either true or false
    other_config : mcast_flood_unregistered   optional string, either true or false
    other_config : mcast_table_size           optional string, containing an integer, in range 1 to 32,766
    other_config : mcast_idle_timeout         optional string, containing an integer, in range 15 to 3,600
    other_config : mcast_query_interval       optional string, containing an integer, in range 1 to 3,600
    other_config : mcast_query_max_response   optional string, containing an integer, in range 1 to 10
    other_config : mcast_eth_src              optional string
    other_config : mcast_ip4_src              optional string
    other_config : mcast_ip6_src              optional string
  Interconnection:
    other_config : interconn-ts               optional string
  Tunnel Key:
    other_config : requested-tnl-key          optional string, containing an integer, in range 1 to 16,777,215
  copp                                        optional weak reference to Copp
  Other options:
    other_config : vlan-passthru              optional string, either true or false
  Common Columns:
    external_ids                              map of string-string pairs

Details:
ports: set of Logical_Switch_Ports
    The logical ports connected to the logical switch.

    It is an error for multiple logical switches to include the same
    logical port.

load_balancer: set of weak reference to Load_Balancers
    Set of load balancers associated to this logical switch.

load_balancer_group: set of Load_Balancer_Groups
    Set of load balancer groups associated to this logical switch.

acls: set of ACLs
    Access control rules that apply to packets within the logical
    switch.

qos_rules: set of QoSes
    QoS marking and metering rules that apply to packets within the
    logical switch.

dns_records: set of weak reference to DNSes
    This column defines the DNS records to be used for resolving
    internal DNS queries within the logical switch by the native DNS
    resolver. Please see the DNS table.

forwarding_groups: set of Forwarding_Groups
    Groups a set of logical port endpoints for traffic going out of
    the logical switch.

Naming:

These columns provide names for the logical switch. From OVN's
perspective, these names have no special meaning or purpose other than
to provide convenience for human interaction with the database. There
is no requirement for the name to be unique. (For a unique identifier
for a logical switch, use its row UUID.)

(Originally, name was intended to serve the purpose of a
human-friendly name, but the Neutron integration used it to uniquely
identify its own switch object, in the format neutron-uuid. Later on,
Neutron started propagating the friendly name of a switch as
external_ids:neutron:network_name. Perhaps this can be cleaned up
someday.)

name: string
    A name for the logical switch.

external_ids : neutron:network_name: optional string
    Another name for the logical switch.

IP Address Assignment:

These options control automatic IP address management (IPAM) for ports
attached to the logical switch. To enable IPAM for IPv4, set
other_config:subnet and optionally other_config:exclude_ips. To enable
IPAM for IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be
enabled together or separately.

To request dynamic address assignment for a particular port, use the
dynamic keyword in the addresses column of the port's
Logical_Switch_Port row. This requests both an IPv4 and an IPv6
address, if IPAM for IPv4 and IPv6 are both enabled.

other_config : subnet: optional string
    Set this to an IPv4 subnet, e.g. 192.168.0.0/24, to enable
    ovn-northd to automatically assign IP addresses within that
    subnet.

other_config : exclude_ips: optional string
    To exclude some addresses from automatic IP address management,
    set this to a list of the IPv4 addresses or ..-delimited ranges to
    exclude. The addresses or ranges should be a subset of those in
    other_config:subnet.

    Whether listed or not, ovn-northd will never allocate the first or
    last address in a subnet, such as 192.168.0.0 or 192.168.0.255 in
    192.168.0.0/24.

    Examples:

    •  192.168.0.2 192.168.0.10

    •  192.168.0.4 192.168.0.30..192.168.0.60
       192.168.0.110..192.168.0.120

    •  192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30
       192.168.0.144

other_config : ipv6_prefix: optional string
    Set this to an IPv6 prefix to enable ovn-northd to automatically
    assign IPv6 addresses using this prefix. The assigned IPv6 address
    will be generated using the IPv6 prefix and the MAC address
    (converted to an IEEE EUI64 identifier) of the port. The IPv6
    prefix defined here should be a valid IPv6 address ending with ::.

    Examples:

    •  aef0::

    •  bef0:1234:a890:5678::

    •  8230:5678::

other_config : mac_only: optional string, either true or false
    Value used to request to assign L2 address only if neither subnet
    nor ipv6_prefix are specified

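To check IPAM settings before writing them to a Logical_Switch row, the following added Python example (not part of the OVN manual and not ovn-northd's code) parses an other_config:exclude_ips value against other_config:subnet and derives the address a port would get from other_config:ipv6_prefix. It models only the rules stated above; the function names are constructed, and the EUI-64 step assumes the modified EUI-64 form of RFC 4291, in which the universal/local bit of the MAC is inverted.

```python
import ipaddress


def parse_exclude_ips(value, subnet):
    """Parse exclude_ips into a list of (first, last) IPv4Address pairs.

    Tokens are whitespace separated; each is one address or a
    "..-delimited" range. Everything must lie inside `subnet`.
    """
    net = ipaddress.IPv4Network(subnet)
    ranges = []
    for token in value.split():
        low, sep, high = token.partition("..")
        first = ipaddress.IPv4Address(low)
        last = ipaddress.IPv4Address(high) if sep else first
        if first > last:
            raise ValueError(f"range {token!r} is reversed")
        if first not in net or last not in net:
            raise ValueError(f"{token!r} is not a subset of {subnet}")
        ranges.append((first, last))
    return ranges


def candidate_pool(subnet, exclude_ips=""):
    """Addresses left for dynamic assignment under the rules on this page.

    The first and last address of the subnet are never allocated,
    whether or not they are listed in exclude_ips.
    """
    net = ipaddress.IPv4Network(subnet)
    excluded = {int(net.network_address), int(net.broadcast_address)}
    for first, last in parse_exclude_ips(exclude_ips, subnet):
        excluded.update(range(int(first), int(last) + 1))
    base = int(net.network_address)
    return [
        ipaddress.IPv4Address(base + offset)
        for offset in range(net.num_addresses)
        if base + offset not in excluded
    ]


def eui64_address(ipv6_prefix, mac):
    """Combine an ipv6_prefix ("...::") with a port MAC address.

    Assumption: modified EUI-64 (RFC 4291), i.e. ff:fe is inserted in the
    middle of the MAC and bit 0x02 of its first octet is inverted.
    """
    prefix = ipaddress.IPv6Address(ipv6_prefix)
    if int(prefix) & ((1 << 64) - 1):
        raise ValueError("ipv6_prefix must leave the low 64 bits zero")
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(prefix) | int.from_bytes(iid, "big"))


# The second exclude_ips example from the text above.
EXAMPLE_EXCLUDE = "192.168.0.4 192.168.0.30..192.168.0.60 192.168.0.110..192.168.0.120"

if __name__ == "__main__":
    pool = candidate_pool("192.168.0.0/24", EXAMPLE_EXCLUDE)
    print(len(pool), "addresses available, first is", pool[0])
    # Constructed MAC address for the demonstration.
    print(eui64_address("aef0::", "0a:00:00:00:00:01"))
```
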
IP Multicast Snooping Options:

These options control IP Multicast Snooping configuration of the
logical switch. To enable IP Multicast Snooping set
other_config:mcast_snoop to true. To enable IP Multicast Querier set
other_config:mcast_snoop to true. If IP Multicast Querier is enabled
other_config:mcast_eth_src and other_config:mcast_ip4_src must be set.

other_config : mcast_snoop: optional string, either true or false
    Enables/disables IP Multicast Snooping on the logical switch.

other_config : mcast_querier: optional string, either true or false
    Enables/disables IP Multicast Querier on the logical switch.

other_config : mcast_flood_unregistered: optional string, either true
or false
    Determines whether unregistered multicast traffic should be
    flooded or not. Only applicable if other_config:mcast_snoop is
    enabled.

other_config : mcast_table_size: optional string, containing an
integer, in range 1 to 32,766
    Number of multicast groups to be stored. Default: 2048.

other_config : mcast_idle_timeout: optional string, containing an
integer, in range 15 to 3,600
    Configures the IP Multicast Snooping group idle timeout (in
    seconds). Default: 300 seconds.

other_config : mcast_query_interval: optional string, containing an
integer, in range 1 to 3,600
    Configures the IP Multicast Querier interval between queries (in
    seconds). Default: other_config:mcast_idle_timeout / 2.

other_config : mcast_query_max_response: optional string, containing
an integer, in range 1 to 10
    Configures the value of the "max-response" field in the multicast
    queries originated by the logical switch. Default: 1 second.

other_config : mcast_eth_src: optional string
    Configures the source Ethernet address for queries originated by
    the logical switch.

other_config : mcast_ip4_src: optional string
    Configures the source IPv4 address for queries originated by the
    logical switch.

other_config : mcast_ip6_src: optional string
    Configures the source IPv6 address for queries originated by the
    logical switch.

Interconnection:

other_config : interconn-ts: optional string
    The name of the corresponding transit switch in the
    OVN_IC_Northbound database. This kind of logical switch is created
    and controlled by ovn-ic.

Tunnel Key:

other_config : requested-tnl-key: optional string, containing an
integer, in range 1 to 16,777,215
    Configures the datapath tunnel key for the logical switch. Usually
    this is not needed because ovn-northd will assign a unique key for
    each datapath by itself. However, if it is configured, ovn-northd
    honors the configured value. The typical use case is for
    interconnection: the tunnel keys for transit switches need to be
    unique globally, so they are maintained in the global
    OVN_IC_Southbound database, and ovn-ic simply syncs the value from
    OVN_IC_Southbound through this config.

copp: optional weak reference to Copp
    The control plane protection policy from table Copp used for
    metering packets sent to ovn-controller from ports of this logical
    switch.

Other options:

other_config : vlan-passthru: optional string, either true or false
    Determines whether VLAN tagged incoming traffic should be allowed.
    Note that this may have security implications when enabled for a
    logical switch with a tag=0 localnet port. If not properly
    isolated from other localnet ports, fabric traffic that belongs to
    other tagged networks may be passed through such a port.

Common Columns:

external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

Logical_Switch_Port TABLE
A port within an L2 logical switch.

Summary:
  Core Features:
    name                                      string (must be unique within table)
    type                                      string
  Options:
    options                                   map of string-string pairs
  Options for router ports:
    options : router-port                     optional string
    options : nat-addresses                   optional string
    options : arp_proxy                       optional string
  Options for localnet ports:
    options : network_name                    optional string
    options : ethtype                         optional string
  Options for l2gateway ports:
    options : network_name                    optional string
    options : l2gateway-chassis               optional string
  Options for vtep ports:
    options : vtep-physical-switch            optional string
    options : vtep-logical-switch             optional string
  VMI (or VIF) Options:
    options : requested-chassis               optional string
    options : iface-id-ver                    optional string
    options : qos_max_rate                    optional string
    options : qos_burst                       optional string
    options : hostname                        optional string
  Virtual port Options:
    options : virtual-ip                      optional string
    options : virtual-parents                 optional string
  IP Multicast Snooping Options:
    options : mcast_flood                     optional string, either true or false
    options : mcast_flood_reports             optional string, either true or false
  Containers:
    parent_name                               optional string
    tag_request                               optional integer, in range 0 to 4,095
    tag                                       optional integer, in range 1 to 4,095
  Port State:
    up                                        optional boolean
    enabled                                   optional boolean
  Addressing:
    addresses                                 set of strings
    dynamic_addresses                         optional string
    port_security                             set of strings
  DHCP:
    dhcpv4_options                            optional weak reference to DHCP_Options
    dhcpv6_options                            optional weak reference to DHCP_Options
  ha_chassis_group                            optional HA_Chassis_Group
  Naming:
    external_ids : neutron:port_name          optional string
  Tunnel Key:
    options : requested-tnl-key               optional string, containing an integer, in range 1 to 32,767
  Common Columns:
    external_ids                              map of string-string pairs

787 Details:
788 Core Features:
789
790 name: string (must be unique within table)
791 The logical port name.
792
793 For entities (VMs or containers) that are spawned in the hyper‐
794 visor, the name used here must match those used in the exter‐
795 nal_ids:iface-id in the Open_vSwitch database’s Interface table,
796 because hypervisors use external_ids:iface-id as a lookup key to
797 identify the network interface of that entity.
798
799 For containers that share a VIF within a VM, the name can be any
800 unique identifier. See Containers, below, for more information.
801
802 A logical switch port may not have the same name as a logical
803 router port, but the database schema cannot enforce this.
804
805 type: string
806 Specify a type for this logical port. Logical ports can be used
807 to model other types of connectivity into an OVN logical switch.
808 The following types are defined:
809
810 (empty string)
811 A VM (or VIF) interface.
812
813 router A connection to a logical router. The value of op‐
814 tions:router-port specifies the name of the Logi‐
815 cal_Router_Port to which this logical switch port is con‐
816 nected.
817
818 localnet
819 A connection to a locally accessible network from
820 ovn-controller instances that have a corresponding bridge
821 mapping. A logical switch can have multiple localnet
822 ports attached. This type is used to model direct connec‐
823 tivity to existing networks. In this case, each chassis
824 should have a mapping for one of the physical networks
825 only. Note: nothing said above implies that a chassis
826 cannot be plugged to multiple physical networks as long
827 as they belong to different switches.
828
829 localport
830 A connection to a local VIF. Traffic that arrives on a
831 localport is never forwarded over a tunnel to another
832 chassis. These ports are present on every chassis and
833 have the same address in all of them. This is used to
834 model connectivity to local services that run on every
835 hypervisor.
836
837 l2gateway
838 A connection to a physical network.
839
840 vtep A port to a logical switch on a VTEP gateway.
841
842 external
843 Represents a logical port which is external and not hav‐
844 ing an OVS port in the integration bridge. OVN will never
845 receive any traffic from this port or send any traffic to
846 this port. OVN can support native services like
847 DHCPv4/DHCPv6/DNS for this port. If ha_chassis_group is
848 defined, ovn-controller running in the master chassis of
849 the HA chassis group will bind this port to provide these
850 native services. It is expected that this port belong to
851 a bridged logical switch (with a localnet port).
852
853 It is recommended to use the same HA chassis group for
854 all the external ports of a logical switch. Otherwise,
855 the physical switch might see MAC flap issue when differ‐
856 ent chassis provide the native services. For example when
857 supporting native DHCPv4 service, DHCPv4 server mac (con‐
858 figured in options:server_mac column in table DHCP_Op‐
859 tions) originating from different ports can cause MAC
860 flap issue. The MAC of the logical router IP(s) can also
861 flap if the same HA chassis group is not set for all the
862 external ports of a logical switch.
863
864 Below are some of the use cases where external ports can
865 be used.
866
867 • VMs connected to SR-IOV nics - Traffic from these
868 VMs bypasses the kernel stack, and the local ovn-con‐
869 troller does not bind these ports and cannot serve
870 the native services.
871
872 • When CMS supports provisioning baremetal servers.
873
874 virtual
875 Represents a logical port which does not have an OVS port
876 in the integration bridge and has a virtual ip configured
877 in the options:virtual-ip column. This virtual ip can
878 move around between the logical ports configured in the
879 options:virtual-parents column.
880
881 One use case where virtual ports can be used:
882
883 • The virtual ip represents a load balancer vip and
884 the virtual parents provide load balancer service
885 in an active-standby setup with the active virtual
886 parent owning the virtual ip.
887
888 remote A remote port is to model a port that resides remotely on
889 another OVN, which is on the other side of a transit log‐
890 ical switch for OVN interconnection. Ports of this type
891 are created by ovn-ic instead of by CMS. Any change to
892 the port will be automatically overwritten by ovn-ic.
893
894 Options:
895
896 options: map of string-string pairs
897 This column provides key/value settings specific to the logical
898 port type. The type-specific options are described individually
899 below.
900
901 Options for router ports:
902
903 These options apply when type is router.
904
905 options : router-port: optional string
906 Required. The name of the Logical_Router_Port to which this log‐
907 ical switch port is connected.
908
909 options : nat-addresses: optional string
910 This is used to send gratuitous ARPs for SNAT and DNAT IP ad‐
911 dresses via the localnet port that is attached to the same logi‐
912 cal switch as this type router port. This option is specified on
913 a logical switch port that is connected to a gateway router, or
914 a logical switch port that is connected to a distributed gateway
915 port on a logical router.
916
917 This must take one of the following forms:
918
919 router Gratuitous ARPs will be sent for all SNAT and DNAT exter‐
920 nal IP addresses and for all load balancer IP addresses
921 defined on the options:router-port’s logical router, us‐
922 ing the options:router-port’s MAC address.
923
924 This form of options:nat-addresses is valid for logical
925 switch ports where options:router-port is the name of a
926 port on a gateway router, or the name of a distributed
927 gateway port.
928
929 Supported only in OVN 2.8 and later. Earlier versions re‐
930 quired NAT addresses to be manually synchronized.
931
932 Ethernet address followed by one or more IPv4 addresses
933 Example: 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24.
934 This would result in generation of gratuitous ARPs for IP
935 addresses 158.36.44.22 and 158.36.44.24 with a MAC ad‐
936 dress of 80:fa:5b:06:72:b7.
937
938 This form of options:nat-addresses is only valid for log‐
939 ical switch ports where options:router-port is the name
940 of a port on a gateway router.
941
942 options : arp_proxy: optional string
943 Optional. A list of IPv4 addresses that this logical switch
944 router port will reply to ARP requests. Example: 169.254.239.254
945 169.254.239.2. The options:router-port’s logical router should
946 have a route to forward packets sent to configured proxy ARP IPs
947 to an appropriate destination.
948
949 Options for localnet ports:
950
951 These options apply when type is localnet.
952
953 options : network_name: optional string
954 Required. The name of the network to which the localnet port is
955 connected. Each hypervisor, via ovn-controller, uses its local
956 configuration to determine exactly how to connect to this lo‐
957 cally accessible network, if at all.
958
959 options : ethtype: optional string
960 Optional. VLAN EtherType field value for encapsulating VLAN
961 headers. Supported values: 802.11q (default), 802.11ad.
962
963 Options for l2gateway ports:
964
965 These options apply when type is l2gateway.
966
967 options : network_name: optional string
968 Required. The name of the network to which the l2gateway port is
969 connected. The L2 gateway, via ovn-controller, uses its local
970 configuration to determine exactly how to connect to this net‐
971 work.
972
973 options : l2gateway-chassis: optional string
974 Required. The chassis on which the l2gateway logical port should
975 be bound to. ovn-controller running on the defined chassis will
976 connect this logical port to the physical network.
977
978 Options for vtep ports:
979
980 These options apply when type is vtep.
981
982 options : vtep-physical-switch: optional string
983 Required. The name of the VTEP gateway.
984
985 options : vtep-logical-switch: optional string
986 Required. A logical switch name connected by the VTEP gateway.
987
988 VMI (or VIF) Options:
989
990 These options apply to logical ports with type having (empty string)
991
992 options : requested-chassis: optional string
993 If set, identifies a specific chassis (by name or hostname) that
994 is allowed to bind this port. Using this option will prevent
995 thrashing between two chassis trying to bind the same port dur‐
996 ing a live migration. It can also prevent similar thrashing due
997 to a mis-configuration, if a port is accidentally created on
998 more than one chassis.
999
1000 options : iface-id-ver: optional string
1001 If set, this port will be bound by ovn-controller only if this
1002 same key and value is configured in the external_ids column in
1003 the Open_vSwitch database’s Interface table.
1004
1005 options : qos_max_rate: optional string
1006 If set, indicates the maximum rate for data sent from this in‐
1007 terface, in bit/s. The traffic will be shaped according to this
1008 limit.
1009
1010 options : qos_burst: optional string
1011 If set, indicates the maximum burst size for data sent from this
1012 interface, in bits.
1013
1014 options : hostname: optional string
1015 If set, indicates the DHCPv4 option "Hostname" (option code 12)
1016 associated for this Logical Switch Port. If DHCPv4 is enabled
1017 for this Logical Switch Port, hostname dhcp option will be in‐
1018 cluded in DHCP reply.
1019
1020 Virtual port Options:
1021
1022 These options apply when type is virtual.
1023
1024 options : virtual-ip: optional string
1025 This option represents the virtual IPv4 address.
1026
1027 options : virtual-parents: optional string
1028 This option represents a set of logical port names (within the
1029 same logical switch) which can own the virtual ip configured in
1030 the options:virtual-ip. All these virtual parents should add the
1031 virtual ip in the port_security if port security addresses are
1032 enabled.
1033
1034 IP Multicast Snooping Options:
1035
1036 These options apply when the port is part of a logical switch which has
1037 other_config :mcast_snoop set to true.
1038
1039 options : mcast_flood: optional string, either true or false
1040 If set to true, multicast packets (except reports) are uncondi‐
1041 tionally forwarded to the specific port.
1042
1043 options : mcast_flood_reports: optional string, either true or false
1044 If set to true, multicast reports are unconditionally forwarded
1045 to the specific port.
1046
1047 Containers:
1048
1049 When a large number of containers are nested within a VM, it may be too
1050 expensive to dedicate a VIF to each container. OVN can use VLAN tags to
1051 support such cases. Each container is assigned a VLAN ID and each
1052 packet that passes between the hypervisor and the VM is tagged with the
1053 appropriate ID for the container. Such VLAN IDs never appear on a phys‐
1054 ical wire, even inside a tunnel, so they need not be unique except rel‐
1055 ative to a single VM on a hypervisor.
1056
1057 These columns are used for VIFs that represent nested containers using
1058 shared VIFs. For VMs and for containers that have dedicated VIFs, they
1059 are empty.
1060
1061 parent_name: optional string
1062 The VM interface through which the nested container sends its
1063 network traffic. This must match the name column for some other
1064 Logical_Switch_Port.
1065
1066 tag_request: optional integer, in range 0 to 4,095
1067 The VLAN tag in the network traffic associated with a con‐
1068 tainer’s network interface. The client can request ovn-northd to
1069 allocate a tag that is unique within the scope of a specific
1070 parent (specified in parent_name) by setting a value of 0 in
1071 this column. The allocated value is written by ovn-northd in the
1072 tag column. (Note that these tags are allocated and managed lo‐
1073 cally in ovn-northd, so they cannot be reconstructed in the
1074 event that the database is lost.) The client can also request a
1075 specific non-zero tag and ovn-northd will honor it and copy that
1076 value to the tag column.
1077
1078 When type is set to localnet or l2gateway, this can be set to
1079 indicate that the port represents a connection to a specific
1080 VLAN on a locally accessible network. The VLAN ID is used to
1081 match incoming traffic and is also added to outgoing traffic.
1082
1083 tag: optional integer, in range 1 to 4,095
1084 The VLAN tag allocated by ovn-northd based on the contents of
1085 the tag_request column.
1086
1087 Port State:
1088
1089 up: optional boolean
1090 This column is populated by ovn-northd, rather than by the CMS
1091 plugin as is most of this database. When a logical port is bound
1092 to a physical location in the OVN Southbound database Binding
1093 table, ovn-northd sets this column to true; otherwise, or if the
1094 port becomes unbound later, it sets it to false. If this column
1095 is empty, the port is not considered up. This allows the CMS to
1096 wait for a VM’s (or container’s) networking to become active be‐
1097 fore it allows the VM (or container) to start.
1098
1099 Logical ports of router type are an exception to this rule. They
1100 are considered to be always up, that is this column is always
1101 set to true.
1102
1103 enabled: optional boolean
1104 This column is used to administratively set port state. If this
1105 column is empty or is set to true, the port is enabled. If this
1106 column is set to false, the port is disabled. A disabled port
1107 has all ingress and egress traffic dropped.
1108
1109 Addressing:
1110
1111 addresses: set of strings
1112 Addresses owned by the logical port.
1113
1114 Each element in the set must take one of the following forms:
1115
1116 Ethernet address followed by zero or more IPv4 or IPv6 addresses
1117 (or both)
1118 An Ethernet address defined is owned by the logical port.
1119 Like a physical Ethernet NIC, a logical port ordinarily
1120 has a single fixed Ethernet address.
1121
1122 When an OVN logical switch processes a unicast Ethernet
1123 frame whose destination MAC address is in a logical
1124 port’s addresses column, it delivers it only to that
1125 port, as if a MAC learning process had learned that MAC
1126 address on the port.
1127
1128 If IPv4 or IPv6 address(es) (or both) are defined, it in‐
1129 dicates that the logical port owns the given IP ad‐
1130 dresses.
1131
1132 If IPv4 address(es) are defined, the OVN logical switch
1133 uses this information to synthesize responses to ARP re‐
1134 quests without traversing the physical network. The OVN
1135 logical router connected to the logical switch, if any,
1136 uses this information to avoid issuing ARP requests for
1137 logical switch ports.
1138
1139 Note that the order here is important. The Ethernet ad‐
1140 dress must be listed before the IP address(es) if de‐
1141 fined.
1142
1143 Examples:
1144
1145 80:fa:5b:06:72:b7
1146 This indicates that the logical port owns the
1147 above mac address.
1148
1149 80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
1150 This indicates that the logical port owns the mac
1151 address and two IPv4 addresses.
1152
1153 80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1154 This indicates that the logical port owns the mac
1155 address and 1 IPv6 address.
1156
1157 80:fa:5b:06:72:b7 10.0.0.4
1158 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1159 This indicates that the logical port owns the mac
1160 address and 1 IPv4 address and 1 IPv6 address.
1161
1162 unknown
1163 This indicates that the logical port has an unknown set
1164 of Ethernet addresses. When an OVN logical switch pro‐
1165 cesses a unicast Ethernet frame whose destination MAC ad‐
1166 dress is not in any logical port’s addresses column, it
1167 delivers it to the port (or ports) whose addresses col‐
1168 umns include unknown.
1169
1170 dynamic
1171 Use dynamic to make ovn-northd generate a globally unique
1172 MAC address, choose an unused IPv4 address with the logi‐
1173 cal port’s subnet (if other_config:subnet is set in the
1174 port’s Logical_Switch), and generate an IPv6 address from
1175 the MAC address (if other_config:ipv6_prefix is set in
1176 the port’s Logical_Switch) and store them in the port’s
1177 dynamic_addresses column.
1178
1179 Only one element containing dynamic may appear in ad‐
1180 dresses.
1181
1182 dynamic ip
1183 dynamic ipv6
1184 dynamic ip ipv6
1185 These act like dynamic alone but specify particular IPv4 or
1186 IPv6 addresses to use. OVN IPAM will still automatically
1187 allocate the other address if configured appropriately. Ex‐
1188 ample: dynamic 192.168.0.1 2001::1.
1189
1190 mac dynamic
1191 This acts like dynamic alone but specifies a particular MAC
1192 address to use. OVN IPAM will still automatically allocate
1193 IPv4 or IPv6 addresses, or both, if configured appropri‐
1194 ately. Example: 80:fa:5b:06:72:b7 dynamic
1195
1196 router
1197 Accepted only when type is router. This indicates that the
1198 Ethernet, IPv4, and IPv6 addresses for this logical switch
1199 port should be obtained from the connected logical router
1200 port, as specified by router-port in options.
1201
1202 The resulting addresses are used to populate the logical
1203 switch’s destination lookup, and also for the logical
1204 switch to generate ARP and ND replies.
1205
1206 If the connected logical router port has a distributed
1207 gateway port specified and the logical router has rules
1208 specified in nat with external_mac, then those addresses
1209 are also used to populate the switch’s destination lookup.
1210
1211 Supported only in OVN 2.7 and later. Earlier versions re‐
1212 quired router addresses to be manually synchronized.
1213
1214 dynamic_addresses: optional string
1215 Addresses assigned to the logical port by ovn-northd, if dynamic
1216 is specified in addresses. Addresses will be of the same format
1217 as those that populate the addresses column. Note that dynami‐
1218 cally assigned addresses are constructed and managed locally in
1219 ovn-northd, so they cannot be reconstructed in the event that
1220 the database is lost.
1221
1222 port_security: set of strings
1223 This column controls the addresses from which the host attached
1224 to the logical port ("the host") is allowed to send packets
1225 and to which it is allowed to receive packets. If this column is
1226 empty, all addresses are permitted.
1227
1228 Each element in the set must begin with one Ethernet address.
1229 This would restrict the host to sending packets from and receiv‐
1230 ing packets to the ethernet addresses defined in the logical
1231 port’s port_security column. It also restricts the inner source
1232 MAC addresses that the host may send in ARP and IPv6 Neighbor
1233 Discovery packets. The host is always allowed to receive packets
1234 to multicast and broadcast Ethernet addresses.
1235
1236 Each element in the set may additionally contain one or more
1237 IPv4 or IPv6 addresses (or both), with optional masks. If a mask
1238 is given, it must be a CIDR mask. In addition to the restric‐
1239 tions described for Ethernet addresses above, such an element
1240 restricts the IPv4 or IPv6 addresses from which the host may
1241 send and to which it may receive packets to the specified ad‐
1242 dresses. A masked address, if the host part is zero, indicates
1243 that the host is allowed to use any address in the subnet; if
1244 the host part is nonzero, the mask simply indicates the size of
1245 the subnet. In addition:
1246
1247 • If any IPv4 address is given, the host is also allowed to
1248 receive packets to the IPv4 local broadcast address
1249 255.255.255.255 and to IPv4 multicast addresses
1250 (224.0.0.0/4). If an IPv4 address with a mask is given,
1251 the host is also allowed to receive packets to the broad‐
1252 cast address in that specified subnet.
1253
1254 If any IPv4 address is given, the host is additionally
1255 restricted to sending ARP packets with the specified
1256 source IPv4 address. (RARP is not restricted.)
1257
1258 • If any IPv6 address is given, the host is also allowed to
1259 receive packets to IPv6 multicast addresses (ff00::/8).
1260
1261 If any IPv6 address is given, the host is additionally
1262 restricted to sending IPv6 Neighbor Discovery Solicita‐
1263 tion or Advertisement packets with the specified source
1264 address or, for solicitations, the unspecified address.
1265
1266 If an element includes an IPv4 address, but no IPv6 addresses,
1267 then IPv6 traffic is not allowed. If an element includes an IPv6
1268 address, but no IPv4 address, then IPv4 and ARP traffic is not
1269 allowed.
1270
1271 This column uses the same lexical syntax as the match column in
1272 the OVN Southbound database’s Pipeline table. Multiple addresses
1273 within an element may be space or comma separated.
1274
1275 This column is provided as a convenience to cloud management
1276 systems, but all of the features that it implements can be im‐
1277 plemented as ACLs using the ACL table.
1278
1279 Examples:
1280
1281 80:fa:5b:06:72:b7
1282 The host may send traffic from and receive traffic to the
1283 specified MAC address, and may receive traffic to Ethernet
1284 multicast and broadcast addresses, but not otherwise. The
1285 host may not send ARP or IPv6 Neighbor Discovery packets
1286 with inner source Ethernet addresses other than the one
1287 specified.
1288
1289 80:fa:5b:06:72:b7 192.168.1.10/24
1290 This adds further restrictions to the first example. The
1291 host may send IPv4 packets from or receive IPv4 packets
1292 to only 192.168.1.10, except that it may also receive
1293 IPv4 packets to 192.168.1.255 (based on the subnet mask),
1294 255.255.255.255, and any address in 224.0.0.0/4. The host
1295 may not send ARPs with a source Ethernet address other
1296 than 80:fa:5b:06:72:b7 or source IPv4 address other than
1297 192.168.1.10. The host may not send or receive any IPv6
1298 (including IPv6 Neighbor Discovery) traffic.
1299
1300 "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
1301 The host may send traffic from and receive traffic to the
1302 specified MAC addresses, and may receive traffic to Ether‐
1303 net multicast and broadcast addresses, but not otherwise.
1304 With MAC 80:fa:5b:12:42:ba, the host may send traffic
1305 from and receive traffic to any L3 address. With MAC
1306 80:fa:5b:06:72:b7, the host may send IPv4 packets from or
1307 receive IPv4 packets to only 192.168.1.10, except that it
1308 may also receive IPv4 packets to 192.168.1.255 (based on
1309 the subnet mask), 255.255.255.255, and any address in
1310 224.0.0.0/4. The host may not send or receive any IPv6
1311 (including IPv6 Neighbor Discovery) traffic.
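
The port_security rules above can be checked against the three examples with a small model. This is an added example, not OVN code: it implements only the rules stated in this column's description, and the names parse_element, may_send and may_receive are hypothetical.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
V4_MCAST = ipaddress.ip_network("224.0.0.0/4")
V4_BCAST = ipaddress.ip_address("255.255.255.255")
V6_MCAST = ipaddress.ip_network("ff00::/8")


def parse_element(element):
    """Parse one port_security element: a MAC, then optional IPv4/IPv6
    addresses (optionally CIDR-masked), space or comma separated."""
    tokens = [t.lower() for t in re.split(r"[\s,]+", element.strip()) if t]
    if not tokens or not MAC_RE.match(tokens[0]):
        raise ValueError("element must begin with an Ethernet address: %r" % element)
    entry = {"mac": tokens[0], 4: [], 6: []}
    for tok in tokens[1:]:
        iface = ipaddress.ip_interface(tok)  # raises ValueError on bad input
        entry[iface.version].append((iface, "/" in tok))
    return entry


def _ip_matches(entries, ip):
    """True if ip is one of the addresses the element lets the host use."""
    for iface, masked in entries:
        if masked and iface.ip == iface.network.network_address:
            if ip in iface.network:   # host part zero: any address in subnet
                return True
        elif ip == iface.ip:          # host part nonzero, or no mask given
            return True
    return False


def _candidates(port_security, mac):
    mac = mac.lower()
    return [e for e in map(parse_element, port_security) if e["mac"] == mac]


def may_send(port_security, src_mac, src_ip=None):
    """May the host send a frame with this source MAC (and source IP)?"""
    if not port_security:
        return True                   # empty column: all addresses permitted
    for e in _candidates(port_security, src_mac):
        if src_ip is None or not (e[4] or e[6]):
            return True               # L2-only check, or MAC-only element
        ip = ipaddress.ip_address(src_ip)
        # An element with addresses of only one family blocks the other one.
        if _ip_matches(e[ip.version], ip):
            return True
    return False


def may_receive(port_security, dst_mac, dst_ip=None):
    """May the host receive a frame with this destination MAC (and IP)?"""
    if not port_security:
        return True
    if int(dst_mac.split(":")[0], 16) & 1:
        return True   # multicast/broadcast Ethernet destination: always allowed
    for e in _candidates(port_security, dst_mac):
        if dst_ip is None or not (e[4] or e[6]):
            return True
        ip = ipaddress.ip_address(dst_ip)
        entries = e[ip.version]
        if not entries:
            continue                  # this family is not allowed by the element
        if ip.version == 4:
            if ip == V4_BCAST or ip in V4_MCAST:
                return True
            # Subnet broadcast is allowed only when a mask was given.
            if any(m and ip == i.network.broadcast_address for i, m in entries):
                return True
        elif ip in V6_MCAST:
            return True
        if _ip_matches(entries, ip):
            return True
    return False


# Values taken from the Examples above.
EXAMPLE_2 = ["80:fa:5b:06:72:b7 192.168.1.10/24"]
EXAMPLE_3 = ["80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"]

if __name__ == "__main__":
    mac = "80:fa:5b:06:72:b7"
    for ip in ("192.168.1.10", "192.168.1.11", "fe80::1"):
        print("send from", ip, "->", may_send(EXAMPLE_2, mac, ip))
    for ip in ("192.168.1.255", "224.0.0.251", "192.168.1.11"):
        print("receive to", ip, "->", may_receive(EXAMPLE_2, mac, ip))
```

Note the difference between 192.168.1.10/24 (one address, with the mask giving only the subnet size) and 192.168.1.0/24 (any address in the subnet); the second form is far more permissive when it appears in a CMS-generated row.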
1312
1313 DHCP:
1314
1315 dhcpv4_options: optional weak reference to DHCP_Options
1316 This column defines the DHCPv4 Options to be included by the
1317 ovn-controller when it replies to the DHCPv4 requests. Please
1318 see the DHCP_Options table.
1319
1320 dhcpv6_options: optional weak reference to DHCP_Options
1321 This column defines the DHCPv6 Options to be included by the
1322 ovn-controller when it replies to the DHCPv6 requests. Please
1323 see the DHCP_Options table.
1324
1325 ha_chassis_group: optional HA_Chassis_Group
1326 References a row in the OVN Northbound database’s HA_Chas‐
1327 sis_Group table. It indicates the HA chassis group to use if the
1328 type is set to external. If type is not external, this column is
1329 ignored.
1330
1331 Naming:
1332
1333 external_ids : neutron:port_name: optional string
1334 This column gives an optional human-friendly name for the port.
1335 This name has no special meaning or purpose other than to pro‐
1336 vide convenience for human interaction with the northbound data‐
1337 base.
1338
1339 Neutron copies this from its own port object’s name. (Neutron
1340 ports are not assigned human-friendly names by default, so it
1341 will often be empty.)
1342
1343 Tunnel Key:
1344
1345 options : requested-tnl-key: optional string, containing an integer, in
1346 range 1 to 32,767
1347 Configures the port binding tunnel key for the port. Usually
1348 this is not needed because ovn-northd will assign a unique key
1349 for each port by itself. However, if it is configured,
1350 ovn-northd honors the configured value. The typical use case is
1351 for interconnection: the tunnel keys for ports on transit
1352 switches need to be unique globally, so they are maintained in
1353 the global OVN_IC_Southbound database, and ovn-ic simply syncs
1354 the value from OVN_IC_Southbound through this config.
1355
1356 Common Columns:
1357
1358 external_ids: map of string-string pairs
1359 See External IDs at the beginning of this document.
1360
1361 The ovn-northd program copies all these pairs into the exter‐
1362 nal_ids column of the Port_Binding table in OVN_Southbound data‐
1363 base.
1364
1366 Each row represents one forwarding group.
1367
1368 Summary:
1369 name string
1370 vip string
1371 vmac string
1372 liveness boolean
1373 child_port set of 1 or more strings
1374 Common Columns:
1375 external_ids map of string-string pairs
1376
1377 Details:
1378 name: string
1379 A name for the forwarding group. This name has no special mean‐
1380 ing or purpose other than to provide convenience for human in‐
1381 teraction with the ovn-nb database.
1382
1383 vip: string
1384 The virtual IP address assigned to the forwarding group. It will
1385 respond with vmac when an ARP request is sent for vip.
1386
1387 vmac: string
1388 The virtual MAC address assigned to the forwarding group.
1389
1390 liveness: boolean
1391 If set to true, liveness is enabled for child ports; otherwise it
1392 is disabled.
1393
1394 child_port: set of 1 or more strings
1395 List of child ports in the forwarding group.
1396
1397 Common Columns:
1398
1399 external_ids: map of string-string pairs
1400 See External IDs at the beginning of this document.
1401
1403 Each row in this table represents a named set of addresses. An address
1404 set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
1405 or CIDR masks. Address sets may ultimately be used in ACLs to compare
1406 against fields such as ip4.src or ip6.src. A single address set must
1407 contain addresses of the same type. As an example, the following would
1408 create an address set with three IP addresses:
1409
1410 ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'
1411
1412
1413 Address sets may be used in the match column of the ACL table. For syn‐
1414 tax information, see the details of the expression language used for
1415 the match column in the Logical_Flow table of the OVN_Southbound data‐
1416 base.
1417
1418 Summary:
1419 name string (must be unique within table)
1420 addresses set of strings
1421 Common Columns:
1422 external_ids map of string-string pairs
1423
1424 Details:
1425 name: string (must be unique within table)
1426 A name for the address set. Names are ASCII and must match
1427 [a-zA-Z_.][a-zA-Z_.0-9]*.
1428
1429 addresses: set of strings
1430 The set of addresses in string form.
1431
1432 Common Columns:
1433
1434 external_ids: map of string-string pairs
1435 See External IDs at the beginning of this document.
1436
1438 Each row in this table represents a named group of logical switch
1439 ports.
1440
1441 Port groups may be used in the match column of the ACL table. For syn‐
1442 tax information, see the details of the expression language used for
1443 the match column in the Logical_Flow table of the OVN_Southbound data‐
1444 base.
1445
1446 For each port group, there are two address sets generated to the Ad‐
1447 dress_Set table of the OVN_Southbound database, containing the IP ad‐
1448 dresses of the group of ports, one for IPv4, and the other for IPv6,
1449 with name being the name of the Port_Group followed by a suffix _ip4
1450 for IPv4 and _ip6 for IPv6. The generated address sets can be used in
1451 the same way as regular address sets in the match column of the ACL ta‐
1452 ble. For syntax information, see the details of the expression language
1453 used for the match column in the Logical_Flow table of the OVN_South‐
1454 bound database.
1455
1456 Summary:
1457 name string (must be unique within table)
1458 ports set of weak reference to Logi‐
1459 cal_Switch_Ports
1460 acls set of ACLs
1461 Common Columns:
1462 external_ids map of string-string pairs
1463
1464 Details:
1465 name: string (must be unique within table)
1466 A name for the port group. Names are ASCII and must match
1467 [a-zA-Z_.][a-zA-Z_.0-9]*.
1468
1469 ports: set of weak reference to Logical_Switch_Ports
1470 The logical switch ports belonging to the group in uuids.
1471
1472 acls: set of ACLs
1473 Access control rules that apply to the port group. Applying an
1474 ACL to a port group has the same effect as applying the ACL to
1475 all logical switches that the ports of the port group belong
1476 to.
1477
1478 Common Columns:
1479
1480 external_ids: map of string-string pairs
1481 See External IDs at the beginning of this document.
1482
1484 Each row represents one load balancer.
1485
1486 Summary:
1487 name string
1488 vips map of string-string pairs
1489 protocol optional string, one of sctp, tcp, or udp
1490 Health Checks:
1491 health_check set of Load_Balancer_Health_Checks
1492 ip_port_mappings map of string-string pairs
1493 selection_fields set of strings, one of eth_dst, eth_src,
1494 ip_dst, ip_src, tp_dst, or tp_src
1495 Common Columns:
1496 external_ids map of string-string pairs
1497 Load_Balancer options:
1498 options : reject optional string, either true or false
1499 options : hairpin_snat_ip optional string
1500 options : skip_snat optional string
1501 options : add_route optional string
1502
1503 Details:
1504 name: string
1505 A name for the load balancer. This name has no special meaning
1506 or purpose other than to provide convenience for human interac‐
1507 tion with the ovn-nb database.
1508
1509 vips: map of string-string pairs
1510 A map of virtual IP addresses (and an optional port number with
1511 : as a separator) associated with this load balancer and their
1512 corresponding endpoint IP addresses (and optional port numbers
1513 with : as separators) separated by commas. If the destination IP
1514 address (and port number) of a packet leaving a container or a
1515 VM matches the virtual IP address (and port number) provided
1516 here as a key, then OVN will statefully replace the destination
1517 IP address with one of the provided IP addresses (and port number)
1518 in this map as a value. IPv4 and IPv6 addresses are supported
1519 for load balancing; however a VIP of one address family may not
1520 be mapped to a destination IP address of a different family. If
1521 specifying an IPv6 address with a port, the address portion must
1522 be enclosed in square brackets. Examples for keys are
1523 "192.168.1.4" and "[fd0f::1]:8800". Examples for value are
1524 "10.0.0.1, 10.0.0.2" and "20.0.0.10:8800, 20.0.0.11:8800".
1525
1526 When the Load_Balancer is added to the logical_switch, the VIP
1527 has to be in a different subnet than the one used for the logi‐
1528 cal_switch. Since VIP is in a different subnet, you should con‐
1529 nect your logical switch to either an OVN logical router or a
1530 real router (this is because the client can now send a packet
1531 with VIP as the destination IP address and router’s mac address
1532 as the destination MAC address).
1533
1534 protocol: optional string, one of sctp, tcp, or udp
1535 Valid protocols are tcp, udp, or sctp. This column is useful
1536 when a port number is provided as part of the vips column. If
1537 this column is empty and a port number is provided as part of
1538 vips column, OVN assumes the protocol to be tcp.
1539
1540 Health Checks:
1541
1542 OVN supports health checks for load balancer endpoints, for IPv4 load
1543 balancers only. When health checks are enabled, the load balancer uses
1544 only healthy endpoints.
1545
1546 Suppose that vips contains a key-value pair
1547 10.0.0.10:80=10.0.0.4:8080,20.0.0.4:8080. To enable health checks for
1548 this virtual’s endpoints, add two key-value pairs to ip_port_mappings,
1549 with keys 10.0.0.4 and 20.0.0.4, and add to health_check a reference to
1550 a Load_Balancer_Health_Check row whose vip is set to 10.0.0.10.
1551
1552 health_check: set of Load_Balancer_Health_Checks
1553 Load balancer health checks associated with this load balancer.
1554
1555 ip_port_mappings: map of string-string pairs
1556 Maps from endpoint IP to a colon-separated pair of logical port
1557 name and source IP, e.g. port_name:source_ip. Health checks are
1558 sent to this port with the specified source IP.
1559
1560 For example, in the example above, IP to port mappings might be
1561 defined as 10.0.0.4=sw0-p1:10.0.0.2 and
1562 20.0.0.4=sw1-p1:20.0.0.2, if the values given were suitable
1563 ports and IP addresses.
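
A CMS-side consistency check for the vips, ip_port_mappings and health_check columns described above, as an added example that is not part of OVN. The names parse_endpoint, effective_protocol and audit_load_balancer are hypothetical, and matching a health check row to a vips key by the address part of the key is an assumption that follows the 10.0.0.10 example above.

```python
import ipaddress


def parse_endpoint(text):
    """Split 'IP', 'IPv4:port' or '[IPv6]:port' into (address, port or None)."""
    text = text.strip()
    port = None
    if text.startswith("["):
        host, closed, rest = text[1:].partition("]")
        if not closed or (rest and not rest.startswith(":")):
            raise ValueError("malformed bracketed address: %r" % text)
        addr = ipaddress.IPv6Address(host)
        port = rest[1:] if rest else None
    elif text.count(":") == 1:
        host, port = text.split(":")
        addr = ipaddress.IPv4Address(host)
    else:
        # No brackets and not 'IPv4:port': the whole string is the address.
        addr = ipaddress.ip_address(text)
    if port is not None:
        port = int(port)              # ValueError on an empty or non-numeric port
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in %r" % text)
    return addr, port


def effective_protocol(vips, protocol=None):
    """Protocol OVN assumes: tcp when a port is given and protocol is empty."""
    if protocol:
        return protocol
    return "tcp" if any(parse_endpoint(k)[1] for k in vips) else None


def audit_load_balancer(vips, ip_port_mappings=None, health_check_vips=()):
    """Return a list of findings for one Load_Balancer row (empty if clean)."""
    findings = []
    mappings = ip_port_mappings or {}
    # Assumption: compare health check vips by address part only.
    checked = {parse_endpoint(v)[0] for v in health_check_vips}
    for key, value in vips.items():
        vip, _ = parse_endpoint(key)
        backends = [parse_endpoint(b)[0] for b in value.split(",") if b.strip()]
        for b in backends:
            if b.version != vip.version:
                findings.append("%s: backend %s is a different address family"
                                % (key, b))
        if vip not in checked:
            continue
        if vip.version != 4:
            findings.append("%s: health checks are IPv4 only" % key)
            continue
        for b in backends:
            mapping = mappings.get(str(b))
            if mapping is None:
                findings.append("%s: no ip_port_mappings entry for %s" % (key, b))
                continue
            port_name, sep, source_ip = mapping.rpartition(":")
            try:
                ipaddress.IPv4Address(source_ip)
                well_formed = bool(sep and port_name)
            except ValueError:
                well_formed = False
            if not well_formed:
                findings.append("%s: mapping for %s is not port_name:source_ip"
                                % (key, b))
    return findings


# Values taken from the Health Checks example above.
VIPS = {"10.0.0.10:80": "10.0.0.4:8080,20.0.0.4:8080"}
MAPPINGS = {"10.0.0.4": "sw0-p1:10.0.0.2", "20.0.0.4": "sw1-p1:20.0.0.2"}

if __name__ == "__main__":
    print(audit_load_balancer(VIPS, MAPPINGS, ["10.0.0.10"]))
    print(audit_load_balancer(VIPS, {"10.0.0.4": "sw0-p1:10.0.0.2"}, ["10.0.0.10"]))
    # Without brackets the port is read as part of the IPv6 address.
    print(parse_endpoint("fd0f::1:8800"), parse_endpoint("[fd0f::1]:8800"))
```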
1564
1565 selection_fields: set of strings, one of eth_dst, eth_src, ip_dst,
1566 ip_src, tp_dst, or tp_src
1567 OVN native load balancers are supported using the OpenFlow
1568 groups of type select. OVS supports two selection methods:
1569 dp_hash and hash (with optional fields specified) in selecting
1570 the buckets of a group. Please see the OVS documentation (man
1571 ovs-ofctl) for more details on the selection methods. Each end‐
1572 point IP (and port if set) is mapped to a bucket in the group
1573 flow.
1574
1575 CMS can choose the hash selection method by setting the selec‐
1576 tion fields in this column. ovs-vswitchd uses the specified
1577 fields in generating the hash.
1578
1579 dp_hash selection method uses the assistance of datapath to cal‐
1580 culate the hash and it is expected to be faster than hash selec‐
1581 tion method. So CMS should take this into consideration before
1582 using the hash method. Please consult the OVS documentation and
1583 OVS sources for the implementation details.
1584
1585 Common Columns:
1586
1587 external_ids: map of string-string pairs
1588 See External IDs at the beginning of this document.
1589
1590 Load_Balancer options:
1591
1592 options : reject: optional string, either true or false
1593 If the load balancer is created with --reject option and it has
1594 no active backends, a TCP reset segment (for tcp) or an ICMP
1595 port unreachable packet (for all other kinds of traffic) will be
1596 sent whenever an incoming packet is received for this load-bal‐
1597 ancer. Please note using --reject option will disable empty_lb
1598 SB controller event for this load balancer.
1599
1600 options : hairpin_snat_ip: optional string
1601 IP to be used as source IP for packets that have been hair-
1602 pinned after load balancing. The default behavior when the op‐
1603 tion is not set is to use the load balancer VIP as source IP.
1604 This option may have exactly one IPv4 and/or one IPv6 address on
1605 it, separated by a space character.
1606
1607 options : skip_snat: optional string
1608 If the load balancing rule is configured with skip_snat option,
1609 the option lb_force_snat_ip configured for the logical router
1610 that references this load balancer will not be applied for this
1611 load balancer.
1612
1613 options : add_route: optional string
1614 If set to true, then neighbor routers will have logical flows
1615 added that will allow for routing to the VIP IP. It also will
1616 have ARP resolution logical flows added. By setting this option,
1617 it means there is no reason to create a Logi‐
1618 cal_Router_Static_Route from neighbor routers to this NAT ad‐
1619 dress. It also means that no ARP request is required for neigh‐
1620 bor routers to learn the IP-MAC mapping for this VIP IP. For
1621 more information about what flows are added for IP routes,
1622 please see the ovn-northd manpage section on IP Routing.
1623
1624 Load_Balancer_Group TABLE
1625 Each row represents a logical grouping of load balancers. It is up to
1626 the CMS to decide the criteria on which load balancers are grouped
1627 together. To simplify configuration and to optimize its processing, load
1628 balancers that must be associated to the same set of logical switches
1629 and/or logical routers should be grouped together.
1630
1631 Summary:
1632 name string (must be unique within table)
1633 load_balancer set of weak reference to Load_Balancers
1634
1635 Details:
1636 name: string (must be unique within table)
1637 A name for the load balancer group. This name has no special
1638 meaning or purpose other than to provide convenience for human
1639 interaction with the ovn-nb database.
1640
1641 load_balancer: set of weak reference to Load_Balancers
1642 A set of load balancers.
1643
1644 Load_Balancer_Health_Check TABLE
1645 Each row represents one load balancer health check. Health checks are
1646 supported for IPv4 load balancers only.
1647
1648 Summary:
1649 vip string
1650 Health check options:
1651 options : interval optional string, containing an integer
1652 options : timeout optional string, containing an integer
1653 options : success_count optional string, containing an integer
1654 options : failure_count optional string, containing an integer
1655 Common Columns:
1656 external_ids map of string-string pairs
1657
1658 Details:
1659 vip: string
1660 vip whose endpoints should be monitored for health check.
1661
1662 Health check options:
1663
1664 options : interval: optional string, containing an integer
1665 The interval, in seconds, between health checks.
1666
1667 options : timeout: optional string, containing an integer
1668 The time, in seconds, after which a health check times out.
1669
1670 options : success_count: optional string, containing an integer
1671 The number of successful checks after which the endpoint is con‐
1672 sidered online.
1673
1674 options : failure_count: optional string, containing an integer
1675 The number of failure checks after which the endpoint is consid‐
1676 ered offline.
1677
1678 Common Columns:
1679
1680 external_ids: map of string-string pairs
1681 See External IDs at the beginning of this document.
1682
1683 ACL TABLE
1684 Each row in this table represents one ACL rule for a logical switch or
1685 a port group that points to it through its acls column. The action col‐
1686 umn for the highest-priority matching row in this table determines a
1687 packet’s treatment. If no row matches, packets are allowed by default.
1688 (Default-deny treatment is possible: add a rule with priority 0, 1 as
1689 match, and deny as action.)
1690
1691 Summary:
1692 label integer, in range 0 to 4,294,967,295
1693 priority integer, in range 0 to 32,767
1694 direction string, either from-lport or to-lport
1695 match string
1696 action string, one of allow-related, al‐
1697 low-stateless, allow, drop, or reject
1698 Logging:
1699 log boolean
1700 name optional string, at most 63 characters
1701 long
1702 severity optional string, one of alert, debug,
1703 info, notice, or warning
1704 meter optional string
1705 Common Columns:
1706 external_ids map of string-string pairs
1707
1708 Details:
1709 label: integer, in range 0 to 4,294,967,295
1710 Associates an identifier with the ACL. The same value will be
1711 written to corresponding connection tracker entry. The value
1712 should be a valid 32-bit unsigned integer. This value can help
1713 in debugging from connection tracker side. For example, through
1714 this "label" we can backtrack to the ACL rule which is causing a
1715 "leaked" connection. Connection tracker entries are created only
1716 for allowed connections so the label is valid only for allow and
1717 allow-related actions.
1718
1719 priority: integer, in range 0 to 32,767
1720 The ACL rule’s priority. Rules with numerically higher priority
1721 take precedence over those with lower. If two ACL rules with the
1722 same priority both match, then the one actually applied to a
1723 packet is undefined.
1724
1725 Return traffic from an allow-related flow is always allowed and
1726 cannot be changed through an ACL.
1727
1728 allow-stateless flows always take precedence before stateful
1729 ACLs, regardless of their priority. (Both allow and allow-re‐
1730 lated ACLs can be stateful.)
1731
1732 direction: string, either from-lport or to-lport
1733 Direction of the traffic to which this rule should apply:
1734
1735 • from-lport: Used to implement filters on traffic arriving
1736 from a logical port. These rules are applied to the logi‐
1737 cal switch’s ingress pipeline.
1738
1739 • to-lport: Used to implement filters on traffic forwarded
1740 to a logical port. These rules are applied to the logical
1741 switch’s egress pipeline.
1742
1743 match: string
1744 The packets that the ACL should match, in the same expression
1745 language used for the match column in the OVN Southbound data‐
1746 base’s Logical_Flow table. The outport logical port is only
1747 available in the to-lport direction (the inport is available in
1748 both directions).
1749
1750 By default all traffic is allowed. When writing a more restric‐
1751 tive policy, it is important to remember to allow flows such as
1752 ARP and IPv6 neighbor discovery packets.
1753
1754 Note that you cannot create an ACL matching on a port with
1755 type=router or type=localnet.
1756
1757 action: string, one of allow-related, allow-stateless, allow, drop, or
1758 reject
1759 The action to take when the ACL rule matches:
1760
1761 • allow-stateless: Always forward the packet in stateless
1762 manner, omitting connection tracking mechanism, regard‐
1763 less of other rules defined for the switch. May require
1764 defining additional rules for inbound replies. For exam‐
1765 ple, if you define a rule to allow outgoing TCP traffic
1766 directed to an IP address, then you probably also want to
1767 define another rule to allow incoming TCP traffic coming
1768 from this same IP address.
1769
1770 • allow: Forward the packet. It will also send the packets
1771 through connection tracking when allow-related rules ex‐
1772 ist on the logical switch. Otherwise, it’s equivalent to
1773 allow-stateless.
1774
1775 • allow-related: Forward the packet and related traffic
1776 (e.g. inbound replies to an outbound connection).
1777
1778 • drop: Silently drop the packet.
1779
1780 • reject: Drop the packet, replying with a RST for TCP or
1781 ICMPv4/ICMPv6 unreachable message for other
1782 IPv4/IPv6-based protocols.
1783
1784 Logging:
1785
1786 These columns control whether and how OVN logs packets that match an
1787 ACL.
1788
1789 log: boolean
1790 If set to true, packets that match the ACL will trigger a log
1791 message on the transport node or nodes that perform ACL process‐
1792 ing. Logging may be combined with any action.
1793
1794 If set to false, the remaining columns in this group have no
1795 significance.
1796
1797 name: optional string, at most 63 characters long
1798 This name, if it is provided, is included in log records. It
1799 provides the administrator and the cloud management system a way
1800 to associate a log record with a particular ACL.
1801
1802 severity: optional string, one of alert, debug, info, notice, or warn‐
1803 ing
1804 The severity of the ACL. The severity levels match those of sys‐
1805 log, in decreasing level of severity: alert, warning, notice,
1806 info, or debug. When the column is empty, the default is info.
1807
1808 meter: optional string
1809 The name of a meter to rate-limit log messages for the ACL. The
1810 string must match the name column of a row in the Meter table.
1811 By default, log messages are not rate-limited. In order to en‐
1812 sure that the same Meter rate limits multiple ACL logs sepa‐
1813 rately, set the fair column.
1814
1815 Common Columns:
1816
1817 external_ids: map of string-string pairs
1818 See External IDs at the beginning of this document.
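
The ACL rules above (default allow, undefined result for same-priority matches, labels only meaningful on allow and allow-related, unmetered logging, allow-stateless precedence) can be checked mechanically before rows are committed. The following audit is an added example, not part of the OVN manual or code base; the row dicts, the finding codes and the sample data are constructed, and the same-priority and ARP/ND checks are heuristics because they do not evaluate match expressions.

```python
import re
from collections import defaultdict

ACTIONS = {"allow", "allow-related", "allow-stateless", "drop", "reject"}
DIRECTIONS = {"from-lport", "to-lport"}
SEVERITIES = {"alert", "warning", "notice", "info", "debug"}
ARP_ND = re.compile(r"\b(arp|nd|nd_ns|nd_na)\b")  # heuristic symbol search


def audit_acls(acls):
    """Return (rule, code, detail) findings for the ACL rows of one switch.

    Each row is a dict keyed by the ACL table's column names. `rule` is the
    row's name column, "#<index>" for unnamed rows, or "*" for findings that
    concern the whole rule set.
    """
    findings = []
    slots = defaultdict(list)          # (direction, priority) -> [(rule, action)]
    allow_matches = defaultdict(list)  # direction -> match strings of allow* rows
    default_deny = set()               # directions with a priority-0 catch-all

    for index, acl in enumerate(acls):
        rule = acl.get("name") or "#%d" % index
        action, direction = acl.get("action"), acl.get("direction")
        priority, match = acl.get("priority"), acl.get("match", "")

        if action not in ACTIONS or direction not in DIRECTIONS:
            findings.append((rule, "BAD_ENUM", "action or direction not in schema"))
            continue
        if not isinstance(priority, int) or not 0 <= priority <= 32767:
            findings.append((rule, "BAD_PRIORITY", "priority must be 0..32767"))
            continue
        if len(acl.get("name") or "") > 63:
            findings.append((rule, "NAME_TOO_LONG", "name is limited to 63 characters"))
        if acl.get("label", 0) and action not in ("allow", "allow-related"):
            findings.append((rule, "LABEL_UNUSED", "label only reaches conntrack on allow actions"))
        if action == "allow-stateless":
            findings.append((rule, "STATELESS", "precedes stateful ACLs regardless of priority"))
        if acl.get("log"):
            if (acl.get("severity") or "info") not in SEVERITIES:
                findings.append((rule, "BAD_SEVERITY", "severity not in schema"))
            if not acl.get("meter"):
                findings.append((rule, "LOG_UNMETERED", "log messages are not rate-limited"))
        # The denying actions in the action column are drop and reject.
        if priority == 0 and match.strip() == "1" and action in ("drop", "reject"):
            default_deny.add(direction)
        if action.startswith("allow"):
            allow_matches[direction].append(match)
        slots[(direction, priority)].append((rule, action))

    # Same priority, different outcome: if both rows match a packet, the rule
    # that is applied is undefined, so every such pair needs a human look.
    for (direction, priority), rows in sorted(slots.items()):
        if len({action for _, action in rows}) > 1:
            for rule, _ in rows:
                findings.append((rule, "SAME_PRIORITY", "%s priority %d has mixed actions"
                                 % (direction, priority)))

    for direction in sorted(DIRECTIONS):
        if direction not in default_deny:
            findings.append(("*", "DEFAULT_ALLOW", "%s: unmatched packets are allowed" % direction))
        elif not any(ARP_ND.search(m) for m in allow_matches[direction]):
            findings.append(("*", "NO_ARP_ND", "%s: default deny without an ARP/ND allow" % direction))
    return findings


# Constructed sample rows for one logical switch.
SAMPLE_ACLS = [
    {"name": "web-in", "priority": 1000, "direction": "to-lport",
     "match": 'outport == "web1" && tcp.dst == 443',
     "action": "allow-related", "log": False, "label": 7},
    {"name": "web-block", "priority": 1000, "direction": "to-lport",
     "match": 'outport == "web1" && ip4.src == 203.0.113.0/24',
     "action": "drop", "log": True, "severity": "warning", "label": 9},
    {"name": "dns-fast", "priority": 10, "direction": "from-lport",
     "match": "udp.dst == 53", "action": "allow-stateless", "log": False},
    {"name": "deny-all-in", "priority": 0, "direction": "to-lport",
     "match": "1", "action": "drop", "log": True, "severity": "info",
     "meter": "acl-log"},
]

if __name__ == "__main__":
    for finding in audit_acls(SAMPLE_ACLS):
        print("%-12s %-14s %s" % finding)
```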
1819
1820 Logical_Router TABLE
1821 Each row represents one L3 logical router.
1822
1823 Summary:
1824 ports set of Logical_Router_Ports
1825 static_routes set of Logical_Router_Static_Routes
1826 policies set of Logical_Router_Policys
1827 enabled optional boolean
1828 nat set of NATs
1829 load_balancer set of weak reference to Load_Balancers
1830 load_balancer_group set of Load_Balancer_Groups
1831 Naming:
1832 name string
1833 external_ids : neutron:router_name
1834 optional string
1835 copp optional weak reference to Copp
1836 Options:
1837 options : chassis optional string
1838 options : dnat_force_snat_ip
1839 optional string
1840 options : lb_force_snat_ip optional string
1841 options : mcast_relay optional string, either true or false
1842 options : dynamic_neigh_routers
1843 optional string, either true or false
1844 options : always_learn_from_arp_request
1845 optional string, either true or false
1846 options : requested-tnl-key
1847 optional string, containing an integer,
1848 in range 1 to 16,777,215
1849 options : snat-ct-zone optional string, containing an integer,
1850 in range 0 to 65,535
1851 Common Columns:
1852 external_ids map of string-string pairs
1853
1854 Details:
1855 ports: set of Logical_Router_Ports
1856 The router’s ports.
1857
1858 static_routes: set of Logical_Router_Static_Routes
1859 Zero or more static routes for the router.
1860
1861 policies: set of Logical_Router_Policys
1862 Zero or more routing policies for the router.
1863
1864 enabled: optional boolean
1865 This column is used to administratively set router state. If
1866 this column is empty or is set to true, the router is enabled.
1867 If this column is set to false, the router is disabled. A dis‐
1868 abled router has all ingress and egress traffic dropped.
1869
1870 nat: set of NATs
1871 One or more NAT rules for the router. NAT rules only work on
1872 Gateway routers, and on distributed routers with one and only
1873 one distributed gateway port.
1874
1875 load_balancer: set of weak reference to Load_Balancers
1876 Set of load balancers associated to this logical router. Load
1877 balancer rules only work on the Gateway routers or routers with
1878 one and only one distributed gateway port.
1879
1880 load_balancer_group: set of Load_Balancer_Groups
1881 Set of load balancer groups associated to this logical router.
1882
1883 Naming:
1884
1885 These columns provide names for the logical router. From OVN’s perspec‐
1886 tive, these names have no special meaning or purpose other than to pro‐
1887 vide convenience for human interaction with the northbound database.
1888 There is no requirement for the name to be unique. (For a unique iden‐
1889 tifier for a logical router, use its row UUID.)
1890
1891 (Originally, name was intended to serve the purpose of a human-friendly
1892 name, but the Neutron integration used it to uniquely identify its own
1893 router object, in the format neutron-uuid. Later on, Neutron started
1894 propagating the friendly name of a router as external_ids:neu‐
1895 tron:router_name. Perhaps this can be cleaned up someday.)
1896
1897 name: string
1898 A name for the logical router.
1899
1900 external_ids : neutron:router_name: optional string
1901 Another name for the logical router.
1902
1903 copp: optional weak reference to Copp
1904 The control plane protection policy from table Copp used for me‐
1905 tering packets sent to ovn-controller from logical ports of this
1906 router.
1907
1908 Options:
1909
1910 Additional options for the logical router.
1911
1912 options : chassis: optional string
1913 If set, indicates that the logical router in question is a Gate‐
1914 way router (which is centralized) and resides in the set chas‐
1915 sis. The same value is also used by ovn-controller to uniquely
1916 identify the chassis in the OVN deployment and comes from exter‐
1917 nal_ids:system-id in the Open_vSwitch table of Open_vSwitch
1918 database.
1919
1920 The Gateway router can only be connected to a distributed router
1921 via a switch if SNAT and DNAT are to be configured in the Gate‐
1922 way router.
1923
1924 options : dnat_force_snat_ip: optional string
1925 If set, indicates a set of IP addresses to use to force SNAT a
1926 packet that has already been DNATed in the gateway router. When
1927 multiple gateway routers are configured, a packet can potentially
1928 enter any of the gateway routers, get DNATted and eventually
1929 reach the logical switch port. For the return traffic to go
1930 back to the same gateway router (for unDNATing), the packet
1931 needs a SNAT in the first place. This can be achieved by setting
1932 the above option with a gateway specific set of IP addresses.
1933 This option may have exactly one IPv4 and/or one IPv6 address on
1934 it, separated by a space.
1935
1936 options : lb_force_snat_ip: optional string
1937 If set, this option can take two possible types of values: either
1938 a set of IP addresses or the string value router_ip.
1939
1940 If a set of IP addresses is configured, they are used to force
1941 SNAT a packet that has already been load-balanced in the
1942 gateway router. When multiple gateway routers are configured, a
1943 packet can potentially enter any of the gateway routers, get
1944 DNATted as part of the load-balancing and eventually reach the
1945 logical switch port. For the return traffic to go back to the
1946 same gateway router (for unDNATing), the packet needs a SNAT in
1947 the first place. This can be achieved by setting the above op‐
1948 tion with a gateway specific set of IP addresses. This option
1949 may have exactly one IPv4 and/or one IPv6 address on it, sepa‐
1950 rated by a space character.
1951
1952 If it is configured with the value router_ip, then the load bal‐
1953 anced packet is SNATed with the IP of router port (attached to
1954 the gateway router) selected as the destination after taking the
1955 routing decision.
1956
1957 options : mcast_relay: optional string, either true or false
1958 Enables/disables IP multicast relay between logical switches
1959 connected to the logical router. Default: False.
1960
1961 options : dynamic_neigh_routers: optional string, either true or false
1962 If set to true, the router will resolve neighbor routers’ MAC
1963 addresses only by dynamic ARP/ND, instead of prepopulating
1964 static mappings for all neighbor routers in the ARP/ND Resolu‐
1965 tion stage. This reduces number of flows, but requires ARP/ND
1966 messages to resolve the IP-MAC bindings when needed. It is false
1967 by default. It is recommended to set to true when a large number
1968 of logical routers are connected to the same logical switch but
1969 most of them never need to send traffic between each other. By
1970 default, ovn-northd does not create mappings to NAT and load
1971 balancer addresses. However, for NAT and load balancer addresses
1972 that have the add_route option added, ovn-northd will create
1973 logical flows that map NAT and load balancer IP addresses to the
1974 appropriate MAC address. Setting dynamic_neigh_routers to true
1975 will prevent the automatic creation of these logical flows.
1976
1977 options : always_learn_from_arp_request: optional string, either true
1978 or false
1979 This option controls the behavior when handling IPv4 ARP re‐
1980 quests or IPv6 ND-NS packets - whether a dynamic neighbor (MAC
1981 binding) entry is added/updated.
1982
1983 true - Always learn the MAC-IP binding, and add/update the MAC
1984 binding entry.
1985
1986 false - If there is a MAC binding for that IP and the MAC is
1987 different, or, if TPA of ARP request belongs to any router port
1988 on this router, then update/add that MAC-IP binding. Otherwise,
1989 don’t update/add entries.
1990
1991 It is true by default. It is recommended to set to false when a
1992 large number of logical routers are connected to the same logi‐
1993 cal switch but most of them never need to send traffic between
1994 each other, to reduce the size of the MAC binding table.
1995
1996 options : requested-tnl-key: optional string, containing an integer, in
1997 range 1 to 16,777,215
1998 Configures the datapath tunnel key for the logical router. This
1999 is not needed because ovn-northd will assign a unique key for
2000 each datapath by itself. However, if it is configured,
2001 ovn-northd honors the configured value.
2002
2003 options : snat-ct-zone: optional string, containing an integer, in
2004 range 0 to 65,535
2005 Use the requested conntrack zone for SNAT with this router. This
2006 can be useful if egress traffic from the host running OVN comes
2007 from both OVN and other sources. This way, OVN and the other
2008 sources can make use of the same conntrack zone.
2009
2010 Common Columns:
2011
2012 external_ids: map of string-string pairs
2013 See External IDs at the beginning of this document.
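
The Logical_Router options are all stored as strings, so the value constraints listed above (true/false strings, integer ranges, one IPv4 and/or one IPv6 address, the router_ip keyword) are worth checking on the CMS side before a write. The following validator is an added example, not part of the OVN manual or code base; it reads the address constraint strictly as plain addresses without a prefix length, treats any key not documented in this section as a finding, and its sample map is constructed.

```python
import ipaddress

BOOL_KEYS = {"mcast_relay", "dynamic_neigh_routers",
             "always_learn_from_arp_request"}
INT_RANGES = {"requested-tnl-key": (1, 16777215), "snat-ct-zone": (0, 65535)}
SNAT_KEYS = {"dnat_force_snat_ip", "lb_force_snat_ip"}


def check_snat_ips(value):
    """Return None if value is one IPv4 and/or one IPv6 address, else a reason."""
    parts = value.split(" ")
    if not 1 <= len(parts) <= 2:
        return "expected one or two space-separated addresses"
    seen = set()
    for part in parts:
        try:
            version = ipaddress.ip_address(part).version
        except ValueError:
            return "not an IP address: %r" % part
        if version in seen:
            return "more than one IPv%d address" % version
        seen.add(version)
    return None


def validate_router_options(options):
    """Return {key: reason} for every option value that violates the schema text."""
    errors = {}
    for key, value in options.items():
        if key == "lb_force_snat_ip" and value == "router_ip":
            reason = None                      # keyword form, no address needed
        elif key in SNAT_KEYS:
            reason = check_snat_ips(value)
        elif key in BOOL_KEYS:
            reason = None if value in ("true", "false") else "must be the string true or false"
        elif key in INT_RANGES:
            low, high = INT_RANGES[key]
            ok = value.isascii() and value.isdigit() and low <= int(value) <= high
            reason = None if ok else "must be an integer in %d..%d" % (low, high)
        elif key == "chassis":
            reason = None                      # free-form chassis name
        else:
            reason = "option not documented in this section"
        if reason:
            errors[key] = reason
    return errors


# Constructed sample: three bad values and one mistyped key.
SAMPLE_OPTIONS = {
    "chassis": "gw-1",
    "lb_force_snat_ip": "router_ip",
    "dnat_force_snat_ip": "192.0.2.10 192.0.2.11",
    "snat-ct-zone": "70000",
    "mcast_relay": "True",
    "requested-tnl-key": "42",
    "snat_ct_zone": "5",
}

if __name__ == "__main__":
    for key, reason in sorted(validate_router_options(SAMPLE_OPTIONS).items()):
        print("%s: %s" % (key, reason))
```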
2014
2015 QoS TABLE
2016 Each row in this table represents one QoS rule for a logical switch
2017 that points to it through its qos_rules column. Two types of QoS are
2018 supported: DSCP marking and metering. A match with the highest-priority
2019 will have QoS applied to it. If the action column is specified, then
2020 matching packets will have DSCP marking applied. If the bandwidth
2021 column is specified, then matching packets will have metering applied.
2022 action and bandwidth are not exclusive, so both marking and metering can
2023 be defined for the same QoS entry. If no row matches, packets will not
2024 have any QoS applied.
2025
2026 Summary:
2027 priority integer, in range 0 to 32,767
2028 direction string, either from-lport or to-lport
2029 match string
2030 action map of string-integer pairs, key must be
2031 dscp, value in range 0 to 63
2032 bandwidth map of string-integer pairs, key either
2033 burst or rate, value in range 1 to
2034 4,294,967,295
2035 external_ids map of string-string pairs
2036
2037 Details:
2038 priority: integer, in range 0 to 32,767
2039 The QoS rule’s priority. Rules with numerically higher priority
2040 take precedence over those with lower. If two QoS rules with the
2041 same priority both match, then the one actually applied to a
2042 packet is undefined.
2043
2044 direction: string, either from-lport or to-lport
2045 The value of this field is similar to the direction column in the OVN
2046 Northbound database’s ACL table.
2047
2048 match: string
2049 The packets that the QoS rules should match, in the same expres‐
2050 sion language used for the match column in the OVN Southbound
2051 database’s Logical_Flow table. The outport logical port is only
2052 available in the to-lport direction (the inport is available in
2053 both directions).
2054
2055 action: map of string-integer pairs, key must be dscp, value in range 0
2056 to 63
2057 When specified, matching flows will have DSCP marking applied.
2058
2059 • dscp: The value of this action should be in the range of
2060 0 to 63 (inclusive).
2061
2062 bandwidth: map of string-integer pairs, key either burst or rate, value
2063 in range 1 to 4,294,967,295
2064 When specified, matching packets will have bandwidth metering
2065 applied. Traffic over the limit will be dropped.
2066
2067 • rate: The value of rate limit in kbps.
2068
2069 • burst: The value of burst rate limit in kilobits. This is
2070 optional and requires rate to be specified.
2071
2072 external_ids: map of string-string pairs
2073 See External IDs at the beginning of this document.
2074
2075 Meter TABLE
2076 Each row in this table represents a meter that can be used for QoS or
2077 rate-limiting.
2078
2079 Summary:
2080 name string (must be unique within table)
2081 unit string, either kbps or pktps
2082 bands set of 1 or more Meter_Bands
2083 fair optional boolean
2084 external_ids map of string-string pairs
2085
2086 Details:
2087 name: string (must be unique within table)
2088 A name for this meter.
2089
2090 Names that begin with "__" (two underscores) are reserved for
2091 OVN internal use and should not be added manually.
2092
2093 unit: string, either kbps or pktps
2094 The unit for rate and burst_size parameters in the bands entry.
2095 kbps specifies kilobits per second, and pktps specifies packets
2096 per second.
2097
2098 bands: set of 1 or more Meter_Bands
2099 The bands associated with this meter. Each band specifies a rate
2100 above which the band is to take the action action. If multiple
2101 bands’ rates are exceeded, then the band with the highest rate
2102 among the exceeded bands is selected.
2103
2104 fair: optional boolean
2105 This column is used to further describe the desired behavior of
2106 the meter when there are multiple references to it. If this col‐
2107 umn is empty or is set to false, the rate will be shared across
2108 all rows that refer to the same Meter name. Conversely, when
2109 this column is set to true, each user of the same Meter will be
2110 rate-limited on its own.
2111
2112 external_ids: map of string-string pairs
2113 See External IDs at the beginning of this document.
2114
2115 Meter_Band TABLE
2116 Each row in this table represents a meter band which specifies the rate
2117 above which the configured action should be applied. These bands are
2118 referenced by the bands column in the Meter table.
2119
2120 Summary:
2121 action string, must be drop
2122 rate integer, in range 1 to 4,294,967,295
2123 burst_size integer, in range 0 to 4,294,967,295
2124 external_ids map of string-string pairs
2125
2126 Details:
2127 action: string, must be drop
2128 The action to execute when this band matches. The only supported
2129 action is drop.
2130
2131 rate: integer, in range 1 to 4,294,967,295
2132 The rate limit for this band, in kilobits per second or packets
2133 per second, depending on whether the parent Meter entry’s unit
2134 column specified kbps or pktps.
2135
2136 burst_size: integer, in range 0 to 4,294,967,295
2137 The maximum burst allowed for the band in kilobits or packets,
2138 depending on whether kbps or pktps was selected in the parent
2139 Meter entry’s unit column. If the size is zero, the switch is
2140 free to select some reasonable value depending on its configura‐
2141 tion.
2142
2143 external_ids: map of string-string pairs
2144 See External IDs at the beginning of this document.
2145
2146 Logical_Router_Port TABLE
2147 A port within an L3 logical router.
2148
2149 Exactly one Logical_Router row must reference a given logical router
2150 port.
2151
2152 Summary:
2153 name string (must be unique within table)
2154 networks set of 1 or more strings
2155 mac string
2156 enabled optional boolean
2157 Distributed Gateway Ports:
2158 ha_chassis_group optional HA_Chassis_Group
2159 gateway_chassis set of Gateway_Chassises
2160 Options for Physical VLAN MTU Issues:
2161 options : reside-on-redirect-chassis
2162 optional string, either true or false
2163 options : redirect-type optional string, either bridged or over‐
2164 lay
2165 ipv6_prefix set of strings
2166 ipv6_ra_configs:
2167 ipv6_ra_configs : address_mode
2168 optional string
2169 ipv6_ra_configs : router_preference
2170 optional string
2171 ipv6_ra_configs : route_info
2172 optional string
2173 ipv6_ra_configs : mtu optional string
2174 ipv6_ra_configs : send_periodic
2175 optional string
2176 ipv6_ra_configs : max_interval
2177 optional string
2178 ipv6_ra_configs : min_interval
2179 optional string
2180 ipv6_ra_configs : rdnss optional string
2181 ipv6_ra_configs : dnssl optional string
2182 Options:
2183 options : mcast_flood optional string, either true or false
2184 options : requested-tnl-key
2185 optional string, containing an integer,
2186 in range 1 to 32,767
2187 options : prefix_delegation
2188 optional string, either true or false
2189 options : prefix optional string, either true or false
2190 Attachment:
2191 peer optional string
2192 Common Columns:
2193 external_ids map of string-string pairs
2194
2195 Details:
2196 name: string (must be unique within table)
2197 A name for the logical router port.
2198
2199 In addition to providing convenience for human interaction with
2200 the northbound database, this column is used as reference by its
2201 patch port in Logical_Switch_Port or another logical router port
2202 in Logical_Router_Port.
2203
2204 A logical router port may not have the same name as a logical
2205 switch port, but the database schema cannot enforce this.
2206
2207 networks: set of 1 or more strings
2208 The IP addresses and netmasks of the router. For example,
2209 192.168.0.1/24 indicates that the router’s IP address is
2210 192.168.0.1 and that packets destined to 192.168.0.x should be
2211 routed to this port.
2212
2213 A logical router port always adds a link-local IPv6 address
2214 (fe80::/64) automatically generated from the interface’s MAC ad‐
2215 dress using the modified EUI-64 format.
2216
2217 mac: string
2218 The Ethernet address that belongs to this router port.
2219
2220 enabled: optional boolean
2221 This column is used to administratively set port state. If this
2222 column is empty or is set to true, the port is enabled. If this
2223 column is set to false, the port is disabled. A disabled port
2224 has all ingress and egress traffic dropped.
2225
2226 Distributed Gateway Ports:
2227
2228 Gateways, as documented under Gateways in the OVN architecture guide,
2229 provide limited connectivity between logical networks and physical
2230 ones. OVN supports multiple kinds of gateways. The Logical_Router_Port
2231 table can be used in two different ways to configure distributed gateway
2232 ports, which are one kind of gateway. These two forms of configuration
2233 exist for historical reasons. Both of them produce the same kind of OVN
2234 southbound records and the same behavior in practice.
2235
2236 If either of these is set, this logical router port represents a
2237 distributed gateway port that connects this router to a logical switch
2238 with a localnet port or a connection to another OVN deployment.
2239
2240 Also mentioned in the OVN architecture guide, distributed gateway ports
2241 can also be used for scalability reasons in deployments where logical
2242 switches are dedicated to chassises rather than distributed.
2243
2244 The preferred way to configure a gateway is ha_chassis_group, but gate‐
2245 way_chassis is also supported for backward compatibility. Only one of
2246 these should be set at a time on a given LRP, since they configure the
2247 same features.
2248
2249 Even when a gateway is configured, the logical router port still effec‐
2250 tively resides on each chassis. However, due to the implications of the
2251 use of L2 learning in the physical network, as well as the need to sup‐
2252 port advanced features such as one-to-many NAT (aka IP masquerading), a
2253 subset of the logical router processing is handled in a centralized
2254 manner on the gateway chassis.
2255
2256 There can be more than one distributed gateway port configured on each
2257 logical router, each connecting to different L2 segments. However,
2258 features such as NAT and load-balancer are not supported on logical
2259 routers with more than one distributed gateway port.
2260
2261 Each distributed gateway port may have more than one gateway
2262 chassis. When more than one gateway chassis is specified, OVN only
2263 uses one at a time. OVN can rely on OVS BFD implementation to monitor
2264 gateway connectivity, preferring the highest-priority gateway that is
2265 online. Priorities are specified in the priority column of Gate‐
2266 way_Chassis or HA_Chassis.
2267
2268 ovn-northd programs the external_mac rules specified in the LRP’s LR
2269 into the peer logical switch’s destination lookup on the chassis where
2270 the logical_port resides. In addition, the logical router’s MAC address
2271 is automatically programmed in the peer logical switch’s destination
2272 lookup flow on the gateway chassis. If it is desired to generate
2273 gratuitous ARPs for NAT addresses, then set the peer LSP’s
2274 options:nat-addresses to router.
2275
2276 OVN 20.03 and earlier supported a third way to configure distributed
2277 gateway ports using options:redirect-chassis to specify the gateway
2278 chassis. This method is no longer supported. Any remaining users should
2279 switch to one of the newer methods instead. A gateway_chassis may be
2280 easily configured from the command line, e.g. ovn-nbctl lrp-set-gate‐
2281 way-chassis lrp chassis.
2282
2283 ha_chassis_group: optional HA_Chassis_Group
2284 Designates an HA_Chassis_Group to provide gateway high avail‐
2285 ability.
2286
2287 gateway_chassis: set of Gateway_Chassises
2288 Designates one or more Gateway_Chassis for the logical router
2289 port.
2290
2291 Options for Physical VLAN MTU Issues:
2292
2293 MTU issues arise in mixing tunnels with logical networks that are
2294 bridged to a physical VLAN. For an explanation of the MTU issues, see
2295 Physical VLAN MTU Issues in the OVN architecture document. The follow‐
2296 ing options, which are alternatives, provide solutions. Both of them
2297 cause packets to be sent over localnet instead of tunnels, but they
2298 differ in whether some or all packets are sent this way. The most prom‐
2299 inent tradeoff between these options is that reside-on-redirect-chassis
2300 is easier to configure and that redirect-type performs better for east-
2301 west traffic.
2302
2303 options : reside-on-redirect-chassis: optional string, either true or
2304 false
2305 If set to true, this option forces all traffic across the logi‐
2306 cal router port to pass through the gateway chassis using a hop
2307 across a localnet port. This changes behavior in two ways:
2308
2309 • Without this option, east-west traffic passes directly
2310 between source and destination chassis (or even within a
2311 single chassis, for co-located VMs). With this option,
2312 all east-west traffic passes through the gateway chassis.
2313
2314 • Without this option, traffic between the gateway chassis
2315 and other chassis is encapsulated in tunnels. With this
2316 option, traffic passes over a localnet interface.
2317
2318 This option may usefully be set only on logical router ports
2319 that connect a distributed logical router to a logical switch
2320 with VIFs. It should not be set on a distributed gateway port.
2321
2322 OVN honors this option only if the logical router has one and
2323 only one distributed gateway port and if the LRP’s peer switch
2324 has a localnet port.
2325
2326 options : redirect-type: optional string, either bridged or overlay
2327 If set to bridged on a distributed gateway port, this option
2328 causes OVN to redirect packets to the gateway chassis over a lo‐
2329 calnet port instead of a tunnel. The relevant chassis must share
2330 a localnet port.
2331
2332 This feature requires the administrator or the CMS to configure
2333 each participating chassis with a unique Ethernet address for
2334 the logical router by setting ovn-chassis-mac-mappings in the
2335 Open vSwitch database, for use by ovn-controller.
2336
2337 Setting this option to overlay or leaving it unset has no ef‐
2338 fect. This option may usefully be set only on a distributed
2339 gateway port when there is one and only one distributed gateway
2340 port on the logical router. It is otherwise ignored.
2341
2342 ipv6_prefix: set of strings
2343 This column contains the IPv6 prefix obtained from the prefix
2344 delegation router according to RFC 3633.
2345
2346 ipv6_ra_configs:
2347
2348 This column defines the IPv6 ND RA address mode and ND MTU Option to be
2349 included by ovn-controller when it replies to the IPv6 Router solicita‐
2350 tion requests.
2351
2352 ipv6_ra_configs : address_mode: optional string
2353 The address mode to be used for IPv6 address configuration. The
2354 supported values are:
2355
2356 • slaac: Address configuration using Router Advertisement
2357 (RA) packet. The IPv6 prefixes defined in the Logi‐
2358 cal_Router_Port table’s networks column will be included
2359 in the RA’s ICMPv6 option - Prefix information.
2360
2361 • dhcpv6_stateful: Address configuration using DHCPv6.
2362
2363 • dhcpv6_stateless: Address configuration using Router Ad‐
2364 vertisement (RA) packet. Other IPv6 options are provided
2365 by DHCPv6.
2366
2367 ipv6_ra_configs : router_preference: optional string
2368 Default Router Preference (PRF) indicates whether to prefer this
2369 router over other default routers (RFC 4191). Possible values
2370 are:
2371
2372 • HIGH: mapped to 0x01 in RA PRF field
2373
2374 • MEDIUM: mapped to 0x00 in RA PRF field
2375
2376 • LOW: mapped to 0x11 in RA PRF field
2377
2378 ipv6_ra_configs : route_info: optional string
2379 Route Info configures the Route Info Option sent in Router
2380 Advertisements according to RFC 4191. Route Info is a comma-separated
2381 string where each field provides the PRF and prefix for a
2382 given route (e.g. HIGH-aef1::11/48,LOW-aef2::11/96). Possible PRF
2383 values are:
2384
2385 • HIGH: mapped to 0x01 in RA PRF field
2386
2387 • MEDIUM: mapped to 0x00 in RA PRF field
2388
2389 • LOW: mapped to 0x11 in RA PRF field
2390
2391 ipv6_ra_configs : mtu: optional string
2392 The recommended MTU for the link. The default is 0, which means
2393 no MTU Option is included in the RA packets that ovn-controller
2394 sends in reply. Per RFC 2460, the mtu value should be no less than
2395 1280, so any mtu value less than 1280 is treated as no
2396 MTU Option.
2397
2398 ipv6_ra_configs : send_periodic: optional string
2399 If set to true, then this router interface will send router ad‐
2400 vertisements periodically. The default is false.
2401
2402 ipv6_ra_configs : max_interval: optional string
2403 The maximum number of seconds to wait between sending periodic
2404 router advertisements. This option has no effect if ipv6_ra_con‐
2405 figs:send_periodic is false. The default is 600.
2406
2407 ipv6_ra_configs : min_interval: optional string
2408 The minimum number of seconds to wait between sending periodic
2409 router advertisements. This option has no effect if ipv6_ra_con‐
2410 figs:send_periodic is false. The default is one-third of
2411 ipv6_ra_configs:max_interval, i.e. 200 seconds if that key is
2412 unset.
2413
2414 ipv6_ra_configs : rdnss: optional string
2415 IPv6 address of RDNSS server announced in RA packets. At the mo‐
2416 ment OVN supports just one RDNSS server.
2417
2418 ipv6_ra_configs : dnssl: optional string
2419 DNS Search List announced in RA packets. Multiple DNS Search
2420 List entries must be comma-separated (e.g. "a.b.c, d.e.f").
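
The following check of one ipv6_ra_configs map applies the rules stated in the column descriptions above. It is an added example, not code from OVN or from this manual. The function names and the sample map are constructed, and integer division for the default min_interval is an assumption.

```python
import ipaddress

PRF_VALUES = {"HIGH", "MEDIUM", "LOW"}
ADDRESS_MODES = {"slaac", "dhcpv6_stateful", "dhcpv6_stateless"}

# Constructed sample: values are strings, as in the OVSDB map.
SAMPLE_RA_CONFIGS = {
    "address_mode": "slaac",
    "mtu": "1000",
    "max_interval": "900",
    "rdnss": "aef0::11,aef0::12",
    "dnssl": "a.b.c, d.e.f",
    "route_info": "HIGH-aef1::11/48,LOW-aef2::11/96",
}


def parse_route_info(value):
    """Parse route_info ("PRF-prefix,PRF-prefix") into (PRF, IPv6Network) pairs."""
    routes = []
    for field in value.split(","):
        prf, sep, prefix = field.strip().partition("-")
        if not sep or prf not in PRF_VALUES:
            raise ValueError(f"route_info field {field!r}: PRF must be HIGH, MEDIUM or LOW")
        # strict=False: the manual's own example (aef1::11/48) has host bits set.
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != 6:
            raise ValueError(f"route_info field {field!r}: prefix is not IPv6")
        routes.append((prf, net))
    return routes


def _int(cfg, key, default, problems):
    """Read an integer-valued string key, recording a problem if it is malformed."""
    try:
        return int(cfg.get(key, default))
    except ValueError:
        problems.append(f"{key} is not an integer")
        return int(default)


def check_ra_configs(cfg):
    """Return (effective settings, problems) for one ipv6_ra_configs map."""
    problems, eff = [], {}

    mode = cfg.get("address_mode")
    if mode is not None and mode not in ADDRESS_MODES:
        problems.append(f"address_mode {mode!r} is not a supported value")
    pref = cfg.get("router_preference")
    if pref is not None and pref not in PRF_VALUES:
        problems.append(f"router_preference {pref!r} is not HIGH, MEDIUM or LOW")

    # mtu defaults to 0; any value below 1280 means no MTU Option is sent.
    mtu = _int(cfg, "mtu", "0", problems)
    eff["mtu_option"] = mtu if mtu >= 1280 else None
    if 0 < mtu < 1280:
        problems.append(f"mtu {mtu} is below 1280: no MTU Option will be sent")

    eff["send_periodic"] = cfg.get("send_periodic", "false") == "true"
    eff["max_interval"] = _int(cfg, "max_interval", "600", problems)
    # Default min_interval is one-third of max_interval (rounding down is an assumption).
    eff["min_interval"] = _int(cfg, "min_interval", str(eff["max_interval"] // 3), problems)
    if not eff["send_periodic"]:
        for key in ("max_interval", "min_interval"):
            if key in cfg:
                problems.append(f"{key} has no effect: send_periodic is false")

    # Only one RDNSS server is supported, so a list is rejected.
    eff["rdnss"] = None
    if "rdnss" in cfg:
        try:
            eff["rdnss"] = ipaddress.IPv6Address(cfg["rdnss"].strip())
        except ValueError:
            problems.append("rdnss must be a single IPv6 address")

    eff["dnssl"] = [d.strip() for d in cfg.get("dnssl", "").split(",") if d.strip()]

    eff["route_info"] = []
    if "route_info" in cfg:
        try:
            eff["route_info"] = parse_route_info(cfg["route_info"])
        except ValueError as exc:
            problems.append(str(exc))
    return eff, problems


if __name__ == "__main__":
    settings, issues = check_ra_configs(SAMPLE_RA_CONFIGS)
    print(settings)
    for issue in issues:
        print("problem:", issue)
```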
2421
2422 Options:
2423
2424 Additional options for the logical router port.
2425
2426 options : mcast_flood: optional string, either true or false
2427 If set to true, multicast traffic (including reports) is
2428 unconditionally forwarded to the specific port.
2429
2430 This option applies when the port is part of a logical router
2431 which has options:mcast_relay set to true.
2432
2433 options : requested-tnl-key: optional string, containing an integer, in
2434 range 1 to 32,767
2435 Configures the port binding tunnel key for the port. Usually
2436 this is not needed because ovn-northd will assign a unique key
2437 for each port by itself. However, if it is configured,
2438 ovn-northd honors the configured value.
2439
2440 options : prefix_delegation: optional string, either true or false
2441 If set to true, enable IPv6 prefix delegation state machine on
2442 this logical router port (RFC3633). IPv6 prefix delegation is
2443 available just on a gateway router or on a gateway router port.
2444
2445 options : prefix: optional string, either true or false
2446 If set to true, this interface will receive an IPv6 prefix
2447 according to RFC3633.
2448
2449 Attachment:
2450
2451 A given router port serves one of two purposes:
2452
2453 • To attach a logical switch to a logical router. A logical
2454 router port of this type is referenced by exactly one
2455 Logical_Switch_Port of type router. The value of name is
2456 set as router-port in column options of Logi‐
2457 cal_Switch_Port. In this case peer column is empty.
2458
2459 • To connect one logical router to another. This requires a
2460 pair of logical router ports, each connected to a differ‐
2461 ent router. Each router port in the pair specifies the
2462 other in its peer column. No Logical_Switch refers to the
2463 router port.
2464
2465 peer: optional string
2466 For a router port used to connect two logical routers, this
2467 identifies the other router port in the pair by name.
2468
2469 For a router port attached to a logical switch, this column is
2470 empty.
2471
2472 Common Columns:
2473
2474 external_ids: map of string-string pairs
2475 See External IDs at the beginning of this document.
2476
2478 Each record represents a static route.
2479
2480 When multiple routes match a packet, the longest-prefix match is cho‐
2481 sen. For a given prefix length, a dst-ip route is preferred over a
2482 src-ip route.
2483
2484 When there are ECMP routes, i.e. multiple routes with same prefix and
2485 policy, one of them will be selected based on the 5-tuple hashing of
2486 the packet header.
2487
2488 Summary:
2489 ip_prefix string
2490 policy optional string, either dst-ip or src-ip
2491 nexthop string
2492 output_port optional string
2493 bfd optional weak reference to BFD
2494 external_ids : ic-learned-route
2495 optional string
2496 Common Columns:
2497 external_ids map of string-string pairs
2498 Common options:
2499 options map of string-string pairs
2500 options : ecmp_symmetric_reply
2501 optional string
2502
2503 Details:
2504 ip_prefix: string
2505 IP prefix of this route (e.g. 192.168.100.0/24).
2506
2507 policy: optional string, either dst-ip or src-ip
2508 If it is specified, this setting describes the policy used to
2509 make routing decisions. This setting must be one of the follow‐
2510 ing strings:
2511
2512 • src-ip: This policy sends the packet to the nexthop when
2513 the packet’s source IP address matches ip_prefix.
2514
2515 • dst-ip: This policy sends the packet to the nexthop when
2516 the packet’s destination IP address matches ip_prefix.
2517
2518 If not specified, the default is dst-ip.
2519
2520 nexthop: string
2521 Nexthop IP address for this route. Nexthop IP address should be
2522 the IP address of a connected router port or the IP address of a
2523 logical port or can be set to discard for dropping packets which
2524 match the given route.
2525
2526 output_port: optional string
2527 The name of the Logical_Router_Port via which the packet needs
2528 to be sent out. This is optional and when not specified, OVN
2529 will automatically figure this out based on the nexthop. When
2530 this is specified and there are multiple IP addresses on the
2531 router port and none of them are in the same subnet of nexthop,
2532 OVN chooses the first IP address as the one via which the nex‐
2533 thop is reachable.
2534
2535 bfd: optional weak reference to BFD
2536 Reference to the BFD row if the route has an associated BFD session.
2537
2538 external_ids : ic-learned-route: optional string
2539 ovn-ic populates this key if the route is learned from the
2540 global OVN_IC_Southbound database. In this case the value will
2541 be set to the uuid of the row in Route table of the
2542 OVN_IC_Southbound database.
2543
2544 Common Columns:
2545
2546 external_ids: map of string-string pairs
2547 See External IDs at the beginning of this document.
2548
2549 Common options:
2550
2551 options: map of string-string pairs
2552 This column provides general key/value settings. The supported
2553 options are described individually below.
2554
2555 options : ecmp_symmetric_reply: optional string
2556 If true, then new traffic that arrives over this route will have
2557 its reply traffic bypass ECMP route selection and will be sent
2558 out this route instead. Note that this option overrides any
2559 rules set in the Logical_Router_Policy table. This option only
2560 works on gateway routers (routers that have options:chassis
2561 set).
2562
2564 Each row in this table represents one routing policy for a logical
2565 router that points to it through its policies column. The action column
2566 for the highest-priority matching row in this table determines a
2567 packet’s treatment. If no row matches, packets are allowed by default.
2568 (Default-deny treatment is possible: add a rule with priority 0, 1 as
2569 match, and drop as action.)
2570
2571 Summary:
2572 priority integer, in range 0 to 32,767
2573 match string
2574 action string, one of allow, drop, or reroute
2575 nexthop optional string
2576 nexthops set of strings
2577 options : pkt_mark optional string
2578 Common Columns:
2579 external_ids map of string-string pairs
2580
2581 Details:
2582 priority: integer, in range 0 to 32,767
2583 The routing policy’s priority. Rules with numerically higher
2584 priority take precedence over those with lower. A rule is
2585 uniquely identified by the priority and match string.
2586
2587 match: string
2588 The packets that the routing policy should match, in the same
2589 expression language used for the match column in the OVN South‐
2590 bound database’s Logical_Flow table.
2591
2592 By default all traffic is allowed. When writing a more restric‐
2593 tive policy, it is important to remember to allow flows such as
2594 ARP and IPv6 neighbor discovery packets.
2595
2596 action: string, one of allow, drop, or reroute
2597 The action to take when the routing policy matches:
2598
2599 • allow: Forward the packet.
2600
2601 • drop: Silently drop the packet.
2602
2603 • reroute: Reroute packet to nexthop or nexthops.
2604
2605 nexthop: optional string
2606 Note: This column is deprecated in favor of nexthops.
2607
2608 Next-hop IP address for this route, which should be the IP ad‐
2609 dress of a connected router port or the IP address of a logical
2610 port.
2611
2612 nexthops: set of strings
2613 Next-hop ECMP IP addresses for this route. Each IP in the list
2614 should be the IP address of a connected router port or the IP
2615 address of a logical port.
2616
2617 One IP from the list is selected as next hop.
2618
2619 options : pkt_mark: optional string
2620 Marks the packet with the value specified when the router policy
2621 is applied. The CMS can inspect this packet mark and act on it
2622 if desired. This value is not preserved when the packet
2623 goes out on the wire.
2624
2625 Common Columns:
2626
2627 external_ids: map of string-string pairs
2628 See External IDs at the beginning of this document.
2629
2631 Each record represents a NAT rule.
2632
2633 Summary:
2634 type string, one of dnat, dnat_and_snat, or
2635 snat
2636 external_ip string
2637 external_mac optional string
2638 external_port_range string
2639 logical_ip string
2640 logical_port optional string
2641 allowed_ext_ips optional Address_Set
2642 exempted_ext_ips optional Address_Set
2643 options : stateless optional string
2644 options : add_route optional string
2645 Common Columns:
2646 external_ids map of string-string pairs
2647
2648 Details:
2649 type: string, one of dnat, dnat_and_snat, or snat
2650 Type of the NAT rule.
2651
2652 • When type is dnat, the externally visible IP address ex‐
2653 ternal_ip is DNATted to the IP address logical_ip in the
2654 logical space.
2655
2656 • When type is snat, IP packets whose source IP address
2657 either matches the IP address in logical_ip or is in the
2658 network provided by logical_ip are SNATed to the IP
2659 address in external_ip.
2660
2661 • When type is dnat_and_snat, the externally visible IP address
2662 external_ip is DNATted to the IP address logical_ip
2663 in the logical space. In addition, IP packets whose
2664 source IP address matches logical_ip are SNATed to
2665 the IP address in external_ip.
2666
2667 external_ip: string
2668 An IPv4 address.
2669
2670 external_mac: optional string
2671 A MAC address.
2672
2673 This is only used on the gateway port on distributed routers.
2674 This must be specified in order for the NAT rule to be processed
2675 in a distributed manner on all chassis. If this is not specified
2676 for a NAT rule on a distributed router, then this NAT rule will
2677 be processed in a centralized manner on the gateway port in‐
2678 stance on the gateway chassis.
2679
2680 This MAC address must be unique on the logical switch that the
2681 gateway port is attached to. If the MAC address used on the log‐
2682 ical_port is globally unique, then that MAC address can be spec‐
2683 ified as this external_mac.
2684
2685 external_port_range: string
2686 L4 source port range.
2687
2688 Range of ports from which a port number is picked to replace
2689 the source port of the packet being NATed. This is basically
2690 PAT (port address translation).
2691
2692 The value of the column is in the format port_lo-port_hi. For
2693 example: external_port_range : "1-30000"
2694
2695 Valid range of ports is 1-65535.
2696
2697 logical_ip: string
2698 An IPv4 network (e.g. 192.168.1.0/24) or an IPv4 address.
2699
2700 logical_port: optional string
2701 The name of the logical port where the logical_ip resides.
2702
2703 This is only used on distributed routers. This must be specified
2704 in order for the NAT rule to be processed in a distributed man‐
2705 ner on all chassis. If this is not specified for a NAT rule on a
2706 distributed router, then this NAT rule will be processed in a
2707 centralized manner on the gateway port instance on the gateway
2708 chassis.
2709
2710 allowed_ext_ips: optional Address_Set
2711 The Address Set of external IPs that the NAT rule applies
2712 to. For SNAT type NAT rules, this refers to destination
2713 addresses. For DNAT type NAT rules, this refers to source
2714 addresses.
2715
2716 This configuration overrides the default NAT behavior of applying
2717 a rule solely based on the internal IP. Without this configuration,
2718 NAT happens without considering the external IP (i.e.
2719 dest/source for snat/dnat type rule). With this configuration,
2720 the NAT rule is applied ONLY if the external IP is in the input
2721 Address Set.
2722
2723 exempted_ext_ips: optional Address_Set
2724 The Address Set of external IPs that the NAT rule does NOT
2725 apply to. For SNAT type NAT rules, this refers to destination
2726 addresses. For DNAT type NAT rules, this refers to source
2727 addresses.
2728
2729 This configuration overrides the default NAT behavior of applying
2730 a rule solely based on the internal IP. Without this configuration,
2731 NAT happens without considering the external IP (i.e.
2732 dest/source for snat/dnat type rule). With this configuration,
2733 the NAT rule is NOT applied if the external IP is in the input
2734 Address Set.
2735
2736 If there are NAT rules in a logical router with overlapping IP
2737 prefixes (including /32), then usage of exempted_ext_ips should
2738 be avoided in the following scenario. a. SNAT rule (let us say
2739 RULE1) with logical_ip PREFIX/MASK (let us say 50.0.0.0/24). b.
2740 SNAT rule (let us say RULE2) with logical_ip PREFIX/MASK+1 (let
2741 us say 50.0.0.0/25). c. Now, if exempted_ext_ips is associated
2742 with RULE2, then a logical ip which matches both 50.0.0.0/24 and
2743 50.0.0.0/25 may get the RULE2 applied to it instead of RULE1.
2744
2745 allowed_ext_ips and exempted_ext_ips are mutually exclusive to
2746 each other. If both Address Sets are set for a rule, then the
2747 NAT rule is not considered.
2748
2749 options : stateless: optional string
2750 Indicates if a dnat_and_snat rule should lead to connection
2751 tracking state or not.
2752
2753 options : add_route: optional string
2754 If set to true, then neighbor routers will have logical flows
2755 added that will allow for routing to the NAT address. ARP
2756 resolution logical flows will also be added. Setting this
2757 option means there is no reason to create a
2758 Logical_Router_Static_Route from neighbor routers to this NAT
2759 address. It also means that no ARP request is required for neighbor
2760 routers to learn the IP-MAC mapping for this NAT address.
2761 This option only applies to NATs of type dnat and dnat_and_snat.
2762 For more information about what flows are added for IP routes,
2763 please see the ovn-northd manpage section on IP Routing.
2764
2765 Common Columns:
2766
2767 external_ids: map of string-string pairs
2768 See External IDs at the beginning of this document.
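
The NAT column descriptions above contain several conditions under which a rule is silently ignored, handled centrally, or applied unexpectedly. The following audit of NAT rows is an added example, not code from OVN or from this manual. The row dictionaries, the "name" label and the finding codes are constructed for illustration.

```python
import ipaddress

# Constructed sample rows; "name" is a hypothetical label, not a schema column.
SAMPLE_NAT_RULES = [
    {"name": "RULE1", "type": "snat", "logical_ip": "50.0.0.0/24",
     "external_ip": "172.16.0.1"},
    {"name": "RULE2", "type": "snat", "logical_ip": "50.0.0.0/25",
     "external_ip": "172.16.0.2", "exempted_ext_ips": "as_exempt"},
    {"name": "RULE3", "type": "dnat_and_snat", "logical_ip": "10.0.0.5",
     "external_ip": "172.16.0.5", "external_mac": "0a:00:00:00:00:05"},
    {"name": "RULE4", "type": "dnat", "logical_ip": "10.0.0.6",
     "external_ip": "172.16.0.6", "allowed_ext_ips": "as_allow",
     "exempted_ext_ips": "as_exempt", "external_port_range": "0-70000"},
    {"name": "RULE5", "type": "snat", "logical_ip": "60.0.0.0/24",
     "external_ip": "172.16.0.7", "external_port_range": "1-30000"},
]


def parse_port_range(value):
    """Parse external_port_range ("port_lo-port_hi"); valid ports are 1-65535."""
    lo_s, sep, hi_s = value.partition("-")
    if not sep or not lo_s.isdigit() or not hi_s.isdigit():
        raise ValueError(f"{value!r} is not in port_lo-port_hi format")
    lo, hi = int(lo_s), int(hi_s)
    # Requiring port_lo <= port_hi is an assumption drawn from the names.
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"{value!r} is outside 1-65535")
    return lo, hi


def audit_nat_rules(rules):
    """Return a list of (rule name, finding code) for the given NAT rows."""
    findings = []
    for rule in rules:
        name = rule["name"]

        # Both Address Sets set: the NAT rule is not considered at all.
        if rule.get("allowed_ext_ips") and rule.get("exempted_ext_ips"):
            findings.append((name, "both-ext-ip-sets"))

        # external_mac and logical_port must each be present for distributed
        # processing; with only one of them the rule is handled centrally
        # on the gateway chassis.
        if bool(rule.get("external_mac")) != bool(rule.get("logical_port")):
            findings.append((name, "one-of-mac-port"))

        if rule.get("external_port_range"):
            try:
                parse_port_range(rule["external_port_range"])
            except ValueError:
                findings.append((name, "bad-port-range"))

        # The RULE1/RULE2 scenario: exempted_ext_ips on an SNAT rule whose
        # logical_ip is a more specific prefix inside another SNAT rule.
        if rule["type"] == "snat" and rule.get("exempted_ext_ips"):
            net = ipaddress.ip_network(rule["logical_ip"], strict=False)
            for other in rules:
                if other is rule or other["type"] != "snat":
                    continue
                wider = ipaddress.ip_network(other["logical_ip"], strict=False)
                if (net.version == wider.version
                        and net.prefixlen > wider.prefixlen
                        and net.subnet_of(wider)):
                    findings.append((name, "exempted-overlaps-" + other["name"]))
    return findings


if __name__ == "__main__":
    for rule_name, code in audit_nat_rules(SAMPLE_NAT_RULES):
        print(rule_name, code)
```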
2769
2771 OVN implements native DHCPv4 support which caters to the common use
2772 case of providing an IPv4 address to a booting instance by providing
2773 stateless replies to DHCPv4 requests based on statically configured ad‐
2774 dress mappings. To do this it allows a short list of DHCPv4 options to
2775 be configured and applied at each compute host running ovn-controller.
2776
2777 OVN also implements native DHCPv6 support which provides stateless
2778 replies to DHCPv6 requests.
2779
2780 Summary:
2781 cidr string
2782 DHCPv4 options:
2783 Mandatory DHCPv4 options:
2784 options : server_id optional string
2785 options : server_mac optional string
2786 options : lease_time optional string, containing an integer,
2787 in range 0 to 4,294,967,295
2788 IPv4 DHCP Options:
2789 options : router optional string
2790 options : netmask optional string
2791 options : dns_server optional string
2792 options : log_server optional string
2793 options : lpr_server optional string
2794 options : swap_server optional string
2795 options : policy_filter optional string
2796 options : router_solicitation
2797 optional string
2798 options : nis_server optional string
2799 options : ntp_server optional string
2800 options : netbios_name_server
2801 optional string
2802 options : classless_static_route
2803 optional string
2804 options : ms_classless_static_route
2805 optional string
2806 Boolean DHCP Options:
2807 options : ip_forward_enable
2808 optional string, either 0 or 1
2809 options : router_discovery
2810 optional string, either 0 or 1
2811 options : ethernet_encap optional string, either 0 or 1
2812 Integer DHCP Options:
2813 options : default_ttl optional string, containing an integer,
2814 in range 0 to 255
2815 options : tcp_ttl optional string, containing an integer,
2816 in range 0 to 255
2817 options : mtu optional string, containing an integer,
2818 in range 68 to 65,535
2819 options : T1 optional string, containing an integer,
2820 in range 68 to 4,294,967,295
2821 options : T2 optional string, containing an integer,
2822 in range 68 to 4,294,967,295
2823 options : arp_cache_timeout
2824 optional string, containing an integer,
2825 in range 0 to 255
2826 options : tcp_keepalive_interval
2827 optional string, containing an integer,
2828 in range 0 to 255
2829 options : netbios_node_type
2830 optional string, containing an integer,
2831 in range 0 to 255
2832 String DHCP Options:
2833 options : wpad optional string
2834 options : bootfile_name optional string
2835 options : path_prefix optional string
2836 options : tftp_server_address
2837 optional string
2838 options : hostname optional string
2839 options : domain_name optional string
2840 options : bootfile_name_alt
2841 optional string
2842 options : broadcast_address
2843 optional string
2844 DHCP Options of type host_id:
2845 options : tftp_server optional string
2846 DHCP Options of type domains:
2847 options : domain_search_list
2848 optional string
2849 DHCPv6 options:
2850 Mandatory DHCPv6 options:
2851 options : server_id optional string
2852 IPv6 DHCPv6 options:
2853 options : dns_server optional string
2854 String DHCPv6 options:
2855 options : domain_search optional string
2856 options : dhcpv6_stateless
2857 optional string
2858 Common Columns:
2859 external_ids map of string-string pairs
2860
2861 Details:
2862 cidr: string
2863 The DHCPv4/DHCPv6 options will be included if the logical port
2864 has its IP address in this cidr.
2865
2866 DHCPv4 options:
2867
2868 The CMS should define the set of DHCPv4 options as key/value pairs in
2869 the options column of this table. For ovn-controller to include these
2870 DHCPv4 options, the dhcpv4_options of Logical_Switch_Port should refer
2871 to an entry in this table.
2872
2873 Mandatory DHCPv4 options:
2874
2875 The following options must be defined.
2876
2877 options : server_id: optional string
2878 The IP address for the DHCP server to use. This should be in the
2879 subnet of the offered IP. This is also included in the DHCP of‐
2880 fer as option 54, ``server identifier.’’
2881
2882 options : server_mac: optional string
2883 The Ethernet address for the DHCP server to use.
2884
2885 options : lease_time: optional string, containing an integer, in range
2886 0 to 4,294,967,295
2887 The offered lease time in seconds.
2888
2889 The DHCPv4 option code for this option is 51.
2890
2891 IPv4 DHCP Options:
2892
2893 Below are the supported DHCPv4 options whose values are an IPv4 ad‐
2894 dress, e.g. 192.168.1.1. Some options accept multiple IPv4 addresses
2895 enclosed within curly braces, e.g. {192.168.1.2, 192.168.1.3}. Please
2896 refer to RFC 2132 for more details on DHCPv4 options and their codes.
2897
2898 options : router: optional string
2899 The IP address of a gateway for the client to use. This should
2900 be in the subnet of the offered IP. The DHCPv4 option code for
2901 this option is 3.
2902
2903 options : netmask: optional string
2904 The DHCPv4 option code for this option is 1.
2905
2906 options : dns_server: optional string
2907 The DHCPv4 option code for this option is 6.
2908
2909 options : log_server: optional string
2910 The DHCPv4 option code for this option is 7.
2911
2912 options : lpr_server: optional string
2913 The DHCPv4 option code for this option is 9.
2914
2915 options : swap_server: optional string
2916 The DHCPv4 option code for this option is 16.
2917
2918 options : policy_filter: optional string
2919 The DHCPv4 option code for this option is 21.
2920
2921 options : router_solicitation: optional string
2922 The DHCPv4 option code for this option is 32.
2923
2924 options : nis_server: optional string
2925 The DHCPv4 option code for this option is 41.
2926
2927 options : ntp_server: optional string
2928 The DHCPv4 option code for this option is 42.
2929
2930 options : netbios_name_server: optional string
2931 The DHCPv4 option code for this option is 44.
2932
2933 options : classless_static_route: optional string
2934 The DHCPv4 option code for this option is 121.
2935
2936 This option can contain one or more static routes, each of which
2937 consists of a destination descriptor and the IP address of the
2938 router that should be used to reach that destination. Please see
2939 RFC 3442 for more details.
2940
2941 Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
2942
2943 options : ms_classless_static_route: optional string
2944 The DHCPv4 option code for this option is 249. This option is
2945 similar to classless_static_route supported by Microsoft Windows
2946 DHCPv4 clients.
2947
2948 Boolean DHCP Options:
2949
2950 These options accept a Boolean value, expressed as 0 for false or 1 for
2951 true.
2952
2953 options : ip_forward_enable: optional string, either 0 or 1
2954 The DHCPv4 option code for this option is 19.
2955
2956 options : router_discovery: optional string, either 0 or 1
2957 The DHCPv4 option code for this option is 31.
2958
2959 options : ethernet_encap: optional string, either 0 or 1
2960 The DHCPv4 option code for this option is 36.
2961
2962 Integer DHCP Options:
2963
2964 These options accept a nonnegative integer value.
2965
2966 options : default_ttl: optional string, containing an integer, in range
2967 0 to 255
2968 The DHCPv4 option code for this option is 23.
2969
2970 options : tcp_ttl: optional string, containing an integer, in range 0
2971 to 255
2972 The DHCPv4 option code for this option is 37.
2973
2974 options : mtu: optional string, containing an integer, in range 68 to
2975 65,535
2976 The DHCPv4 option code for this option is 26.
2977
2978 options : T1: optional string, containing an integer, in range 68 to
2979 4,294,967,295
2980 This specifies the time interval from address assignment until
2981 the client begins trying to renew its address. The DHCPv4 option
2982 code for this option is 58.
2983
2984 options : T2: optional string, containing an integer, in range 68 to
2985 4,294,967,295
2986 This specifies the time interval from address assignment until
2987 the client begins trying to rebind its address. The DHCPv4 op‐
2988 tion code for this option is 59.
2989
2990 options : arp_cache_timeout: optional string, containing an integer, in
2991 range 0 to 255
2992 The DHCPv4 option code for this option is 35. This option speci‐
2993 fies the timeout in seconds for ARP cache entries.
2994
2995 options : tcp_keepalive_interval: optional string, containing an inte‐
2996 ger, in range 0 to 255
2997 The DHCPv4 option code for this option is 38. This option speci‐
2998 fies the interval that the client TCP should wait before sending
2999 a keepalive message on a TCP connection.
3000
3001 options : netbios_node_type: optional string, containing an integer, in
3002 range 0 to 255
3003 The DHCPv4 option code for this option is 46.
3004
3005 String DHCP Options:
3006
3007 These options accept a string value.
3008
3009 options : wpad: optional string
3010 The DHCPv4 option code for this option is 252. This option is
3011 used as part of web proxy auto discovery to provide a URL for a
3012 web proxy.
3013
3014 options : bootfile_name: optional string
3015 The DHCPv4 option code for this option is 67. This option is
3016 used to identify a bootfile.
3017
3018 options : path_prefix: optional string
3019 The DHCPv4 option code for this option is 210. In PXELINUX’ case
3020 this option is used to set a common path prefix, instead of de‐
3021 riving it from the bootfile name.
3022
3023 options : tftp_server_address: optional string
3024 The DHCPv4 option code for this option is 150. The option contains
3025 one or more IPv4 addresses that the client MAY use. This
3026 option is Cisco proprietary; the IEEE standard that matches
3027 this requirement is option 66 (tftp_server).
3028
3029 options : hostname: optional string
3030 The DHCPv4 option code for this option is 12. If set, indicates
3031 the DHCPv4 option "Hostname". Alternatively, this option can be
3032 configured in the options:hostname column in table
3033 Logical_Switch_Port. If conflicting Hostname option values are set
3034 in both the Logical_Switch_Port and DHCP_Options tables,
3035 Logical_Switch_Port takes precedence.
3036
3037 options : domain_name: optional string
3038 The DHCPv4 option code for this option is 15. This option specifies
3039 the domain name that the client should use when resolving
3040 hostnames via the Domain Name System.
3041
3042 options : bootfile_name_alt: optional string
3043 "bootfile_name_alt" option is used to support iPXE. When both
3044 "bootfile_name" and "bootfile_name_alt" are provided by the CMS,
3045 "bootfile_name" will be used for option 67 if the DHCP request
3046 contains the etherboot option (175), otherwise "bootfile_name_alt"
3047 will be used.
3048
3049 options : broadcast_address: optional string
3050 The DHCPv4 option code for this option is 28. This option speci‐
3051 fies the IP address used as a broadcast address.
3052
3053 DHCP Options of type host_id:
3054
3055 These options accept either an IPv4 address or a string value.
3056
3057 options : tftp_server: optional string
3058 The DHCPv4 option code for this option is 66.
3059
3060 DHCP Options of type domains:
3061
3062 These options accept a string value that is a comma-separated list of
3063 domain names. The domain names are encoded based on RFC 1035.
3064
3065 options : domain_search_list: optional string
3066 The DHCPv4 option code for this option is 119.
3067
3068 DHCPv6 options:
3069
3070 OVN also implements native DHCPv6 support. The CMS should define the
3071 set of DHCPv6 options as key/value pairs. The defined DHCPv6 options
3072 will be included in the DHCPv6 response to the DHCPv6 Solicit/Re‐
3073 quest/Confirm packet from the logical ports having the IPv6 addresses
3074 in the cidr.
3075
3076 Mandatory DHCPv6 options:
3077
3078 The following options must be defined.
3079
3080 options : server_id: optional string
3081 The Ethernet address for the DHCP server to use. This is also
3082 included in the DHCPv6 reply as option 2, ``Server Identifier’’
3083 to carry a DUID identifying a server between a client and a
3084 server. ovn-controller defines DUID based on Link-layer Address
3085 [DUID-LL].
3086
3087 IPv6 DHCPv6 options:
3088
3089 Below are the supported DHCPv6 options whose values are an IPv6 ad‐
3090 dress, e.g. aef0::4. Some options accept multiple IPv6 addresses en‐
3091 closed within curly braces, e.g. {aef0::4, aef0::5}. Please refer to
3092 RFC 3315 for more details on DHCPv6 options and their codes.
3093
3094 options : dns_server: optional string
3095 The DHCPv6 option code for this option is 23. This option speci‐
3096 fies the DNS servers that the VM should use.
3097
3098 String DHCPv6 options:
3099
3100 These options accept string values.
3101
3102 options : domain_search: optional string
3103 The DHCPv6 option code for this option is 24. This option speci‐
3104 fies the domain search list the client should use to resolve
3105 hostnames with DNS.
3106
3107 Example: "ovn.org".
3108
3109 options : dhcpv6_stateless: optional string
3110 This option specifies that OVN native DHCPv6 works in stateless
3111 mode, which means OVN native DHCPv6 will not offer IPv6 addresses
3112 for VM/VIF ports, but only reply with other configuration,
3113 such as DNS and domain search list. When this option is set
3114 to the string value "true", the VM/VIF configures its IPv6 addresses
3115 statelessly. The default value for this option is false.
3116
3117 Common Columns:
3118
3119 external_ids: map of string-string pairs
3120 See External IDs at the beginning of this document.
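
The DHCPv4 option descriptions above give mandatory keys, value ranges and formats that a CMS can check before writing a DHCP_Options row. The following validator is an added example, not code from OVN or from this manual. The function names, finding codes and sample row are constructed, and accepting a brace-enclosed list for every IPv4-valued option is an assumption.

```python
import ipaddress
import re

MANDATORY = ("server_id", "server_mac", "lease_time")
BOOLEAN_OPTS = {"ip_forward_enable", "router_discovery", "ethernet_encap"}
INT_RANGES = {
    "lease_time": (0, 4294967295), "default_ttl": (0, 255), "tcp_ttl": (0, 255),
    "mtu": (68, 65535), "T1": (68, 4294967295), "T2": (68, 4294967295),
    "arp_cache_timeout": (0, 255), "tcp_keepalive_interval": (0, 255),
    "netbios_node_type": (0, 255),
}
IPV4_OPTS = {
    "server_id", "router", "netmask", "dns_server", "log_server", "lpr_server",
    "swap_server", "policy_filter", "router_solicitation", "nis_server",
    "ntp_server", "netbios_name_server",
}
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")

# Constructed sample row: a cidr plus an options map of strings.
SAMPLE_CIDR = "10.0.0.0/24"
SAMPLE_OPTIONS = {
    "server_id": "10.0.1.1",            # outside the cidr
    "server_mac": "c0:ff:ee:00:00:01",
    "router": "10.0.0.1",               # lease_time is missing on purpose
    "mtu": "60",                        # below the documented minimum of 68
    "ip_forward_enable": "true",        # Boolean options take 0 or 1
    "dns_server": "{192.168.1.2, 192.168.1.3}",
    "classless_static_route": "{30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}",
}


def _items(value):
    """Split a single value or a {a, b, ...} list into stripped items."""
    value = value.strip()
    if value.startswith("{") and value.endswith("}"):
        value = value[1:-1]
    return [item.strip() for item in value.split(",")]


def parse_classless_static_route(value):
    """Parse option 121 into (destination network, router address) pairs."""
    items = _items(value)
    if len(items) % 2:
        raise ValueError("expected destination,router pairs")
    return [(ipaddress.IPv4Network(items[i], strict=False),
             ipaddress.IPv4Address(items[i + 1]))
            for i in range(0, len(items), 2)]


def validate_dhcpv4(cidr, options):
    """Return a list of (option, finding code) for one DHCPv4 options map."""
    subnet = ipaddress.IPv4Network(cidr, strict=False)
    problems = [(key, "missing") for key in MANDATORY if key not in options]
    for key, value in options.items():
        try:
            if key in INT_RANGES:
                lo, hi = INT_RANGES[key]
                if not lo <= int(value) <= hi:
                    problems.append((key, "out-of-range"))
            elif key in BOOLEAN_OPTS:
                if value not in ("0", "1"):
                    problems.append((key, "not-0-or-1"))
            elif key == "server_mac":
                if not MAC_RE.match(value):
                    problems.append((key, "not-a-mac"))
            elif key == "classless_static_route":
                parse_classless_static_route(value)
            elif key in IPV4_OPTS:
                addrs = [ipaddress.IPv4Address(a) for a in _items(value)]
                # server_id and router should be in the subnet of the offered IP.
                if key in ("server_id", "router") and any(a not in subnet for a in addrs):
                    problems.append((key, "outside-cidr"))
        except ValueError:
            problems.append((key, "malformed"))
    return problems


if __name__ == "__main__":
    for option, code in validate_dhcpv4(SAMPLE_CIDR, SAMPLE_OPTIONS):
        print(option, code)
```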
3121
Connection TABLE
       Configuration for a database connection to an Open vSwitch database
       (OVSDB) client.

       This table primarily configures the Open vSwitch database server
       (ovsdb-server).

       The Open vSwitch database server can initiate and maintain active
       connections to remote clients. It can also listen for database
       connections.

   Summary:
       Core Features:
         target                     string (must be unique within table)
       Client Failure Detection and Handling:
         max_backoff                optional integer, at least 1,000
         inactivity_probe           optional integer
       Status:
         is_connected               boolean
         status : last_error        optional string
         status : state             optional string, one of ACTIVE, BACKOFF,
                                    CONNECTING, IDLE, or VOID
         status : sec_since_connect optional string, containing an integer,
                                    at least 0
         status : sec_since_disconnect
                                    optional string, containing an integer,
                                    at least 0
         status : locks_held        optional string
         status : locks_waiting     optional string
         status : locks_lost        optional string
         status : n_connections     optional string, containing an integer,
                                    at least 2
         status : bound_port        optional string, containing an integer
       Common Columns:
         external_ids               map of string-string pairs
         other_config               map of string-string pairs

   Details:
     Core Features:

       target: string (must be unique within table)
              Connection methods for clients.

              The following connection methods are currently supported:

              ssl:host[:port]
                     The specified SSL port on the given host, which can
                     either be a DNS name (if built with unbound library)
                     or an IP address. A valid SSL configuration must be
                     provided when this form is used; this configuration
                     can be specified via command-line options or the SSL
                     table.

                     If port is not specified, it defaults to 6640.

                     SSL support is an optional feature that is not always
                     built as part of Open vSwitch.

              tcp:host[:port]
                     The specified TCP port on the given host, which can
                     either be a DNS name (if built with unbound library)
                     or an IP address. If host is an IPv6 address, wrap it
                     in square brackets, e.g. tcp:[::1]:6640.

                     If port is not specified, it defaults to 6640.

              pssl:[port][:host]
                     Listens for SSL connections on the specified TCP port.
                     Specify 0 for port to have the kernel automatically
                     choose an available port. If host, which can either be
                     a DNS name (if built with unbound library) or an IP
                     address, is specified, then connections are restricted
                     to the resolved or specified local IP address (either
                     IPv4 or IPv6 address). If host is an IPv6 address, wrap
                     it in square brackets, e.g. pssl:6640:[::1]. If host is
                     not specified then it listens only on IPv4 (but not
                     IPv6) addresses. A valid SSL configuration must be
                     provided when this form is used; this can be specified
                     either via command-line options or the SSL table.

                     If port is not specified, it defaults to 6640.

                     SSL support is an optional feature that is not always
                     built as part of Open vSwitch.

              ptcp:[port][:host]
                     Listens for connections on the specified TCP port.
                     Specify 0 for port to have the kernel automatically
                     choose an available port. If host, which can either be
                     a DNS name (if built with unbound library) or an IP
                     address, is specified, then connections are restricted
                     to the resolved or specified local IP address (either
                     IPv4 or IPv6 address). If host is an IPv6 address, wrap
                     it in square brackets, e.g. ptcp:6640:[::1]. If host is
                     not specified then it listens only on IPv4 addresses.

                     If port is not specified, it defaults to 6640.

              When multiple clients are configured, the target values must
              be unique. Duplicate target values yield unspecified results.

     Client Failure Detection and Handling:

       max_backoff: optional integer, at least 1,000
              Maximum number of milliseconds to wait between connection
              attempts. Default is implementation-specific.

       inactivity_probe: optional integer
              Maximum number of milliseconds of idle time on connection to
              the client before sending an inactivity probe message. If Open
              vSwitch does not communicate with the client for the specified
              amount of time, it will send a probe. If a response is not
              received for the same additional amount of time, Open vSwitch
              assumes the connection has been broken and attempts to
              reconnect. Default is implementation-specific. A value of 0
              disables inactivity probes.

     Status:

       The value of is_connected is always updated. Other key-value pairs
       in the status columns may be updated, depending on the target type.

       When target specifies a connection method that listens for inbound
       connections (e.g. ptcp: or punix:), both n_connections and
       is_connected may also be updated while the remaining key-value pairs
       are omitted.

       On the other hand, when target specifies an outbound connection, all
       key-value pairs may be updated, except the above-mentioned two
       key-value pairs associated with inbound connection targets. They are
       omitted.

       is_connected: boolean
              true if currently connected to this client, false otherwise.

       status : last_error: optional string
              A human-readable description of the last error on the
              connection to the manager; i.e. strerror(errno). This key will
              exist only if an error has occurred.

       status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
       IDLE, or VOID
              The state of the connection to the manager:

              VOID   Connection is disabled.

              BACKOFF
                     Attempting to reconnect at an increasing period.

              CONNECTING
                     Attempting to connect.

              ACTIVE Connected, remote host responsive.

              IDLE   Connection is idle. Waiting for response to keep-alive.

              These values may change in the future. They are provided only
              for human consumption.

       status : sec_since_connect: optional string, containing an integer,
       at least 0
              The amount of time since this client last successfully
              connected to the database (in seconds). Value is empty if
              client has never successfully been connected.

       status : sec_since_disconnect: optional string, containing an
       integer, at least 0
              The amount of time since this client last disconnected from
              the database (in seconds). Value is empty if client has never
              disconnected.

       status : locks_held: optional string
              Space-separated list of the names of OVSDB locks that the
              connection holds. Omitted if the connection does not hold any
              locks.

       status : locks_waiting: optional string
              Space-separated list of the names of OVSDB locks that the
              connection is currently waiting to acquire. Omitted if the
              connection is not waiting for any locks.

       status : locks_lost: optional string
              Space-separated list of the names of OVSDB locks that the
              connection has had stolen by another OVSDB client. Omitted if
              no locks have been stolen from this connection.

       status : n_connections: optional string, containing an integer, at
       least 2
              When target specifies a connection method that listens for
              inbound connections (e.g. ptcp: or pssl:) and more than one
              connection is actually active, the value is the number of
              active connections. Otherwise, this key-value pair is omitted.

       status : bound_port: optional string, containing an integer
              When target is ptcp: or pssl:, this is the TCP port on which
              the OVSDB server is listening. (This is particularly useful
              when target specifies a port of 0, allowing the kernel to
              choose any available port.)

     Common Columns:

       The overall purpose of these columns is described under Common
       Columns at the beginning of this document.

       external_ids: map of string-string pairs

       other_config: map of string-string pairs

DNS TABLE
       Each row in this table stores the DNS records. The Logical_Switch
       table’s dns_records references these records.

   Summary:
       records                     map of string-string pairs
       external_ids                map of string-string pairs

   Details:
       records: map of string-string pairs
              Key-value pairs of DNS records, with the DNS query name as the
              key and the value a string of IP address(es) separated by
              comma or space. For PTR requests, the key can be Reverse IPv4
              address.in-addr.arpa and the value the DNS domain name. For
              IPv6 addresses, the key has to be Reverse IPv6
              address.ip6.arpa.

              Example: "vm1.ovn.org" = "10.0.0.4 aef0::4"

              Example: "4.0.0.10.in-addr.arpa" = "vm1.ovn.org"

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

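The records format described above, as an added example that is not part of the OVN documentation or code base: it builds the forward and PTR entries for a host from its addresses and checks an existing map for values that are not IP addresses and for PTR entries that no forward entry backs up. The function names and the second sample map in the test are constructed for this illustration; the first sample reuses the page's own example values.

```python
import ipaddress

PTR_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")


def build_records(hosts):
    """hosts: {name: [ip, ...]} -> records map with forward and PTR entries."""
    records = {}
    for name, addrs in hosts.items():
        ips = [ipaddress.ip_address(a) for a in addrs]  # raises on malformed input
        records[name] = " ".join(str(ip) for ip in ips)
        for ip in ips:
            # reverse_pointer yields the reversed-address key for IPv4 and IPv6
            records[ip.reverse_pointer] = name
    return records


def check_records(records):
    """Return a list of problems found in an existing records map."""
    problems = []
    forward = {}  # address -> name, collected from the forward entries
    for key, value in records.items():
        if key.endswith(PTR_SUFFIXES):
            continue
        # Values are IP addresses separated by comma or space.
        for token in value.replace(",", " ").split():
            try:
                forward[ipaddress.ip_address(token)] = key
            except ValueError:
                problems.append(f"{key}: {token!r} is not an IP address")
    by_ptr = {ip.reverse_pointer: name for ip, name in forward.items()}
    for key, value in records.items():
        if key.endswith(PTR_SUFFIXES) and by_ptr.get(key) != value:
            problems.append(f"{key}: PTR name {value!r} has no matching "
                            "forward entry")
    return problems


# The example values from the records description above.
EXAMPLE = build_records({"vm1.ovn.org": ["10.0.0.4", "aef0::4"]})
```
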
SSL TABLE
       SSL configuration for ovn-nb database access.

   Summary:
       private_key                 string
       certificate                 string
       ca_cert                     string
       bootstrap_ca_cert           boolean
       ssl_protocols               string
       ssl_ciphers                 string
       Common Columns:
         external_ids              map of string-string pairs

   Details:
       private_key: string
              Name of a PEM file containing the private key used as the
              switch’s identity for SSL connections to the controller.

       certificate: string
              Name of a PEM file containing a certificate, signed by the
              certificate authority (CA) used by the controller and manager,
              that certifies the switch’s private key, identifying a
              trustworthy switch.

       ca_cert: string
              Name of a PEM file containing the CA certificate used to
              verify that the switch is connected to a trustworthy
              controller.

       bootstrap_ca_cert: boolean
              If set to true, then Open vSwitch will attempt to obtain the
              CA certificate from the controller on its first SSL connection
              and save it to the named PEM file. If it is successful, it
              will immediately drop the connection and reconnect, and from
              then on all SSL connections must be authenticated by a
              certificate signed by the CA certificate thus obtained. This
              option exposes the SSL connection to a man-in-the-middle
              attack obtaining the initial CA certificate. It may still be
              useful for bootstrapping.

       ssl_protocols: string
              List of SSL protocols to be enabled for SSL connections. The
              default when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.

       ssl_ciphers: string
              List of ciphers (in OpenSSL cipher string format) to be
              supported for SSL connections. The default when this option is
              omitted is HIGH:!aNULL:!MD5.

     Common Columns:

       The overall purpose of these columns is described under Common
       Columns at the beginning of this document.

       external_ids: map of string-string pairs

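A configuration review of one SSL table row, as an added example that is not part of the OVN documentation or code base. It assumes the row has been read into a dict keyed by column name, treats TLSv1 and TLSv1.1 as deprecated per RFC 8996, and inspects the cipher string token by token rather than expanding it the way OpenSSL does. The function name, finding texts, file paths and sample rows are constructed for this illustration.

```python
import re

DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"  # default stated for ssl_protocols
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"          # default stated for ssl_ciphers
DEPRECATED = {"TLSv1", "TLSv1.1"}             # deprecated by RFC 8996
WEAK_TOKENS = {"aNULL", "eNULL", "NULL", "LOW", "EXPORT", "MD5", "RC4"}


def audit_ssl_row(row):
    """Return findings for one SSL table row given as {column: value}."""
    findings = []
    for column in ("private_key", "certificate", "ca_cert"):
        if not row.get(column):
            findings.append(f"{column} is empty")
    if row.get("bootstrap_ca_cert"):
        findings.append("bootstrap_ca_cert is true: the first connection "
                        "accepts an unauthenticated CA certificate")
    # An omitted or empty column falls back to the documented default.
    protocols = row.get("ssl_protocols") or DEFAULT_PROTOCOLS
    enabled = {p.strip() for p in protocols.split(",") if p.strip()}
    for proto in sorted(enabled & DEPRECATED):
        findings.append(f"{proto} is enabled")
    ciphers = row.get("ssl_ciphers") or DEFAULT_CIPHERS
    tokens = [t for t in re.split(r"[:, ]+", ciphers) if t]
    for token in tokens:
        if token in WEAK_TOKENS:  # present without a "!" or "-" prefix
            findings.append(f"cipher string enables {token}")
    if "!aNULL" not in tokens:
        findings.append("cipher string does not exclude aNULL")
    return findings


# Constructed sample rows; the file paths are placeholders.
HARDENED_ROW = {"private_key": "/path/to/privkey.pem",
                "certificate": "/path/to/cert.pem",
                "ca_cert": "/path/to/cacert.pem",
                "bootstrap_ca_cert": False,
                "ssl_protocols": "TLSv1.2",
                "ssl_ciphers": "HIGH:!aNULL:!MD5"}
BOOTSTRAP_ROW = dict(HARDENED_ROW, bootstrap_ca_cert=True,
                     ssl_protocols="", ssl_ciphers="HIGH:MD5")
```

A row that leaves ssl_protocols unset is reported for TLSv1 and TLSv1.1, because the documented default enables both.
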
Gateway_Chassis TABLE
       Association of a chassis to a logical router port. The traffic going
       out through a specific router port will be redirected to a chassis,
       or a set of them in high availability configurations.

   Summary:
       name                        string (must be unique within table)
       chassis_name                string
       priority                    integer, in range 0 to 32,767
       options                     map of string-string pairs
       Common Columns:
         external_ids              map of string-string pairs

   Details:
       name: string (must be unique within table)
              Name of the Gateway_Chassis.

              A suggested, but not required, naming convention is
              ${port_name}_${chassis_name}.

       chassis_name: string
              Name of the chassis that we want to redirect traffic through
              for the associated logical router port. The value must match
              the name column of the Chassis table in the OVN_Southbound
              database.

       priority: integer, in range 0 to 32,767
              This is the priority of a chassis among all Gateway_Chassis
              belonging to the same logical router port.

       options: map of string-string pairs
              Reserved for future use.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

HA_Chassis_Group TABLE
       Table representing a group of chassis which can provide high
       availability services. Each chassis in the group is represented by
       the table HA_Chassis. The HA chassis with the highest priority will
       be the master of this group. If a failover of the master chassis is
       detected, the HA chassis with the next highest priority takes over
       the responsibility of providing the HA. If a distributed gateway
       router port references a row in this table, then the master HA
       chassis in this group provides the gateway functionality.

   Summary:
       name                        string (must be unique within table)
       ha_chassis                  set of HA_Chassises
       Common Columns:
         external_ids              map of string-string pairs

   Details:
       name: string (must be unique within table)
              Name of the HA_Chassis_Group. Name should be unique.

       ha_chassis: set of HA_Chassises
              A list of HA chassis which belong to this group.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

HA_Chassis TABLE
   Summary:
       chassis_name                string
       priority                    integer, in range 0 to 32,767
       Common Columns:
         external_ids              map of string-string pairs

   Details:
       chassis_name: string
              Name of the chassis which is part of the HA chassis group. The
              value must match the name column of the Chassis table in the
              OVN_Southbound database.

       priority: integer, in range 0 to 32,767
              Priority of the chassis. Chassis with highest priority will be
              the master.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

BFD TABLE
       Contains BFD parameters for ovn-controller BFD configuration. The
       OVN BFD implementation is used to provide detection of failures in
       the path between adjacent forwarding engines, including the OVN
       interfaces. OVN BFD provides link status info to OVN northd in order
       to update logical flows according to the status of BFD endpoints. In
       the current implementation OVN BFD is used to check next-hop status
       for ECMP routes. Please note that the BFD table refers to the OVN
       BFD implementation and not to the legacy OVS one.

   Summary:
       Configuration:
         logical_port              string
         dst_ip                    string
         min_tx                    optional integer, at least 1
         min_rx                    optional integer
         detect_mult               optional integer, at least 1
         options                   map of string-string pairs
         external_ids              map of string-string pairs
       Status Reporting:
         status                    optional string, one of admin_down, down,
                                   init, or up

   Details:
     Configuration:

       ovn-northd reads configuration from these columns.

       logical_port: string
              OVN logical port where the BFD engine is running.

       dst_ip: string
              BFD peer IP address.

       min_tx: optional integer, at least 1
              This is the minimum interval, in milliseconds, that the local
              system would like to use when transmitting BFD Control
              packets, less any jitter applied. The value zero is reserved.
              Default value is 1000 ms.

       min_rx: optional integer
              This is the minimum interval, in milliseconds, between
              received BFD Control packets that this system is capable of
              supporting, less any jitter applied by the sender. If this
              value is zero, the transmitting system does not want the
              remote system to send any periodic BFD Control packets.

       detect_mult: optional integer, at least 1
              Detection time multiplier. The negotiated transmit interval,
              multiplied by this value, provides the Detection Time for the
              receiving system in Asynchronous mode. Default value is 5.

       options: map of string-string pairs
              Reserved for future use.

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

     Status Reporting:

       ovn-northd writes BFD status into these columns.

       status: optional string, one of admin_down, down, init, or up
              BFD port logical states. Possible values are:

              •      admin_down

              •      down

              •      init

              •      up

Open vSwitch 21.09.0            DB Schema 5.33.1                    ovn-nb(5)