1ovn-sb(5) Open vSwitch Manual ovn-sb(5)
2
6 ovn-sb - OVN_Southbound database schema
7 This database holds logical and physical configuration and state for
9 the Open Virtual Network (OVN) system to support virtual network ab‐
10 straction. For an introduction to OVN, please see ovn-architecture(7).
11 The OVN Southbound database sits at the center of the OVN architecture.
13 It is the one component that speaks both southbound directly to all the
14 hypervisors and gateways, via ovn-controller/ovn-controller-vtep, and
15 northbound to the Cloud Management System, via ovn-northd:
16 Database Structure
18 The OVN Southbound database contains classes of data with different
19 properties, as described in the sections below.
20 Physical network
22 Physical network tables contain information about the chassis nodes in
24 the system. This contains all the information necessary to wire the
25 overlay, such as IP addresses, supported tunnel types, and security
26 keys.
27 The amount of physical network data is small (O(n) in the number of
29 chassis) and it changes infrequently, so it can be replicated to every
30 chassis.
31 The Chassis and Encap tables are the physical network tables.
33 Logical Network
35 Logical network tables contain the topology of logical switches and
37 routers, ACLs, firewall rules, and everything needed to describe how
38 packets traverse a logical network, represented as logical datapath
39 flows (see Logical Datapath Flows, below).
40 Logical network data may be large (O(n) in the number of logical ports,
42 ACL rules, etc.). Thus, to improve scaling, each chassis should receive
43 only data related to logical networks in which that chassis partici‐
44 pates.
45 The logical network data is ultimately controlled by the cloud manage‐
47 ment system (CMS) running northbound of OVN. That CMS determines the
48 entire OVN logical configuration and therefore the logical network data
49 at any given time is a deterministic function of the CMS’s configura‐
50 tion, although that happens indirectly via the OVN_Northbound database
51 and ovn-northd.
52 Logical network data is likely to change more quickly than physical
54 network data. This is especially true in a container environment where
55 containers are created and destroyed (and therefore added to and
56 deleted from logical switches) quickly.
57 The Logical_Flow, Multicast_Group, Address_Group, DHCP_Options,
59 DHCPv6_Options, and DNS tables contain logical network data.
60 Logical-physical bindings
62 These tables link logical and physical components. They show the cur‐
64 rent placement of logical components (such as VMs and VIFs) onto chas‐
65 sis, and map logical entities to the values that represent them in tun‐
66 nel encapsulations.
67 These tables change frequently, at least every time a VM powers up or
69 down or migrates, and especially quickly in a container environment.
70 The amount of data per VM (or VIF) is small.
71 Each chassis is authoritative about the VMs and VIFs that it hosts at
73 any given time and can efficiently flood that state to a central loca‐
74 tion, so the consistency needs are minimal.
75 The Port_Binding and Datapath_Binding tables contain binding data.
77 MAC bindings
79 The MAC_Binding table tracks the bindings from IP addresses to Ethernet
81 addresses that are dynamically discovered using ARP (for IPv4) and
82 neighbor discovery (for IPv6). Usually, IP-to-MAC bindings for virtual
83 machines are statically populated into the Port_Binding table, so
84 MAC_Binding is primarily used to discover bindings on physical net‐
85 works.
86 Common Columns
88 Some tables contain a special column named external_ids. This column
89 has the same form and purpose each place that it appears, so we de‐
90 scribe it here to save space later.
91 external_ids: map of string-string pairs
93 Key-value pairs for use by the software that manages the
94 OVN Southbound database rather than by ovn-con‐
95 troller/ovn-controller-vtep. In particular, ovn-northd
96 can use key-value pairs in this column to relate entities
97 in the southbound database to higher-level entities (such
98 as entities in the OVN Northbound database). Individual
99 key-value pairs in this column may be documented in some
100 cases to aid in understanding and troubleshooting, but
101 the reader should not mistake such documentation as com‐
102 prehensive.
103
105 The following list summarizes the purpose of each of the tables in the
106 OVN_Southbound database. Each table is described in more detail on a
107 later page.
108 Table Purpose
110 SB_Global Southbound configuration
111 Chassis Physical Network Hypervisor and Gateway Information
112 Chassis_Private
113 Chassis Private
114 Encap Encapsulation Types
115 Address_Set
116 Address Sets
117 Port_Group
118 Port Groups
119 Logical_Flow
120 Logical Network Flows
121 Logical_DP_Group
122 Logical Datapath Groups
123 Multicast_Group
124 Logical Port Multicast Groups
125 Meter Meter entry
126 Meter_Band
127 Band for meter entries
128 Datapath_Binding
129 Physical-Logical Datapath Bindings
130 Port_Binding
131 Physical-Logical Port Bindings
132 MAC_Binding
133 IP to MAC bindings
134 DHCP_Options
135 DHCP Options supported by native OVN DHCP
136 DHCPv6_Options
137 DHCPv6 Options supported by native OVN DHCPv6
138 Connection
139 OVSDB client connections.
140 SSL SSL configuration.
141 DNS Native DNS resolution
142 RBAC_Role RBAC_Role configuration.
143 RBAC_Permission
144 RBAC_Permission configuration.
145 Gateway_Chassis
146 Gateway_Chassis configuration.
147 HA_Chassis
148 HA_Chassis configuration.
149 HA_Chassis_Group
150 HA_Chassis_Group configuration.
151 Controller_Event
152 Controller Event table
153 IP_Multicast
154 IP_Multicast configuration.
155 IGMP_Group
156 IGMP_Group configuration.
157 Service_Monitor
158 Service_Monitor configuration.
159 Load_Balancer
160 Load_Balancer configuration.
161 BFD BFD configuration.
162 FDB Port to MAC bindings
163
165 Southbound configuration for an OVN system. This table must have ex‐
166 actly one row.
167 Summary:
169 Status:
170 nb_cfg integer
171 Common Columns:
172 external_ids map of string-string pairs
173 options map of string-string pairs
174 Common options:
175 options map of string-string pairs
176 Options for configuring BFD:
177 options : bfd-min-rx optional string
178 options : bfd-decay-min-rx
179 optional string
180 options : bfd-min-tx optional string
181 options : bfd-mult optional string
182 Connection Options:
183 connections set of Connections
184 ssl optional SSL
185 Security Configurations:
186 ipsec boolean
187 Details:
189 Status:
190 This column allow a client to track the overall configuration state of
192 the system.
193 nb_cfg: integer
195 Sequence number for the configuration. When a CMS or ovn-nbctl
196 updates the northbound database, it increments the nb_cfg column
197 in the NB_Global table in the northbound database. In turn, when
198 ovn-northd updates the southbound database to bring it up to
199 date with these changes, it updates this column to the same
200 value.
201 Common Columns:
203 external_ids: map of string-string pairs
205 See External IDs at the beginning of this document.
206 options: map of string-string pairs
208 Common options:
210 options: map of string-string pairs
212 This column provides general key/value settings. The supported
213 options are described individually below.
214 Options for configuring BFD:
216 These options apply when ovn-controller configures BFD on tunnels in‐
218 terfaces.
219 options : bfd-min-rx: optional string
221 BFD option min-rx value to use when configuring BFD on tunnel
222 interfaces.
223 options : bfd-decay-min-rx: optional string
225 BFD option decay-min-rx value to use when configuring BFD on
226 tunnel interfaces.
227 options : bfd-min-tx: optional string
229 BFD option min-tx value to use when configuring BFD on tunnel
230 interfaces.
231 options : bfd-mult: optional string
233 BFD option mult value to use when configuring BFD on tunnel in‐
234 terfaces.
235 Connection Options:
237 connections: set of Connections
239 Database clients to which the Open vSwitch database server
240 should connect or on which it should listen, along with options
241 for how these connections should be configured. See the Connec‐
242 tion table for more information.
243 ssl: optional SSL
245 Global SSL configuration.
246 Security Configurations:
248 ipsec: boolean
250 Tunnel encryption configuration. If this column is set to be
251 true, all OVN tunnels will be encrypted with IPsec.
252
254 Each row in this table represents a hypervisor or gateway (a chassis)
255 in the physical network. Each chassis, via ovn-controller/ovn-con‐
256 troller-vtep, adds and updates its own row, and keeps a copy of the re‐
257 maining rows to determine how to reach other hypervisors.
258 When a chassis shuts down gracefully, it should remove its own row.
260 (This is not critical because resources hosted on the chassis are
261 equally unreachable regardless of whether the row is present.) If a
262 chassis shuts down permanently without removing its row, some kind of
263 manual or automatic cleanup is eventually needed; we can devise a
264 process for that as necessary.
265 Summary:
267 name string (must be unique within table)
268 hostname string
269 nb_cfg integer
270 other_config : ovn-bridge-mappings
271 optional string
272 other_config : datapath-type optional string
273 other_config : iface-types optional string
274 other_config : ovn-cms-options
275 optional string
276 other_config : is-interconn optional string
277 other_config : is-remote optional string
278 transport_zones set of strings
279 other_config : ovn-chassis-mac-mappings
280 optional string
281 other_config : port-up-notif optional string
282 Common Columns:
283 external_ids map of string-string pairs
284 Encapsulation Configuration:
285 encaps set of 1 or more Encaps
286 Gateway Configuration:
287 vtep_logical_switches set of strings
288 Details:
290 name: string (must be unique within table)
291 OVN does not prescribe a particular format for chassis names.
292 ovn-controller populates this column using external_ids:system-
293 id in the Open_vSwitch database’s Open_vSwitch table. ovn-con‐
294 troller-vtep populates this column with name in the hard‐
295 ware_vtep database’s Physical_Switch table.
296 hostname: string
298 The hostname of the chassis, if applicable. ovn-controller will
299 populate this column with the hostname of the host it is running
300 on. ovn-controller-vtep will leave this column empty.
301 nb_cfg: integer
303 Deprecated. This column is replaced by the nb_cfg column of the
304 Chassis_Private table.
305 other_config : ovn-bridge-mappings: optional string
307 ovn-controller populates this key with the set of bridge map‐
308 pings it has been configured to use. Other applications should
309 treat this key as read-only. See ovn-controller(8) for more in‐
310 formation.
311 other_config : datapath-type: optional string
313 ovn-controller populates this key with the datapath type config‐
314 ured in the datapath_type column of the Open_vSwitch database’s
315 Bridge table. Other applications should treat this key as read-
316 only. See ovn-controller(8) for more information.
317 other_config : iface-types: optional string
319 ovn-controller populates this key with the interface types con‐
320 figured in the iface_types column of the Open_vSwitch database’s
321 Open_vSwitch table. Other applications should treat this key as
322 read-only. See ovn-controller(8) for more information.
323 other_config : ovn-cms-options: optional string
325 ovn-controller populates this key with the set of options con‐
326 figured in the external_ids:ovn-cms-options column of the
327 Open_vSwitch database’s Open_vSwitch table. See ovn-con‐
328 troller(8) for more information.
329 other_config : is-interconn: optional string
331 ovn-controller populates this key with the setting configured in
332 the external_ids:ovn-is-interconn column of the Open_vSwitch
333 database’s Open_vSwitch table. If set to true, the chassis is
334 used as an interconnection gateway. See ovn-controller(8) for
335 more information.
336 other_config : is-remote: optional string
338 ovn-ic set this key to true for remote interconnection gateway
339 chassises learned from the interconnection southbound database.
340 See ovn-ic(8) for more information.
341 transport_zones: set of strings
343 ovn-controller populates this key with the transport zones con‐
344 figured in the external_ids:ovn-transport-zones column of the
345 Open_vSwitch database’s Open_vSwitch table. See ovn-con‐
346 troller(8) for more information.
347 other_config : ovn-chassis-mac-mappings: optional string
349 ovn-controller populates this key with the set of options con‐
350 figured in the external_ids:ovn-chassis-mac-mappings column of
351 the Open_vSwitch database’s Open_vSwitch table. See ovn-con‐
352 troller(8) for more information.
353 other_config : port-up-notif: optional string
355 ovn-controller populates this key with true when it supports
356 Port_Binding.up.
357 Common Columns:
359 The overall purpose of these columns is described under Common Columns
361 at the beginning of this document.
362 external_ids: map of string-string pairs
364 Encapsulation Configuration:
366 OVN uses encapsulation to transmit logical dataplane packets between
368 chassis.
369 encaps: set of 1 or more Encaps
371 Points to supported encapsulation configurations to transmit
372 logical dataplane packets to this chassis. Each entry is a Encap
373 record that describes the configuration.
374 Gateway Configuration:
376 A gateway is a chassis that forwards traffic between the OVN-managed
378 part of a logical network and a physical VLAN, extending a tunnel-based
379 logical network into a physical network. Gateways are typically dedi‐
380 cated nodes that do not host VMs and will be controlled by ovn-con‐
381 troller-vtep.
382 vtep_logical_switches: set of strings
384 Stores all VTEP logical switch names connected by this gateway
385 chassis. The Port_Binding table entry with options:vtep-physi‐
386 cal-switch equal Chassis name, and options:vtep-logical-switch
387 value in Chassis vtep_logical_switches, will be associated with
388 this Chassis.
389
391 Each row in this table maintains per chassis private data that are ac‐
392 cessed only by the owning chassis (write only) and ovn-northd, not by
393 any other chassis. These data are stored in this separate table instead
394 of the Chassis table for performance considerations: the rows in this
395 table can be conditionally monitored by chassises so that each chassis
396 only get update notifications for its own row, to avoid unnecessary
397 chassis private data update flooding in a large scale deployment.
398 Summary:
400 name string (must be unique within table)
401 chassis optional weak reference to Chassis
402 nb_cfg integer
403 nb_cfg_timestamp integer
404 Common Columns:
405 external_ids map of string-string pairs
406 Details:
408 name: string (must be unique within table)
409 The name of the chassis that owns these chassis-private data.
410 chassis: optional weak reference to Chassis
412 The reference to Chassis table for the chassis that owns these
413 chassis-private data.
414 nb_cfg: integer
416 Sequence number for the configuration. When ovn-controller up‐
417 dates the configuration of a chassis from the contents of the
418 southbound database, it copies nb_cfg from the SB_Global table
419 into this column.
420 nb_cfg_timestamp: integer
422 The timestamp when ovn-controller finishes processing the change
423 corresponding to nb_cfg.
424 Common Columns:
426 The overall purpose of these columns is described under Common Columns
428 at the beginning of this document.
429 external_ids: map of string-string pairs
431
433 The encaps column in the Chassis table refers to rows in this table to
434 identify how OVN may transmit logical dataplane packets to this chas‐
435 sis. Each chassis, via ovn-controller(8) or ovn-controller-vtep(8),
436 adds and updates its own rows and keeps a copy of the remaining rows to
437 determine how to reach other chassis.
438 Summary:
440 type string, one of geneve, stt, or vxlan
441 options map of string-string pairs
442 options : csum optional string, either true or false
443 options : dst_port optional string, containing an integer
444 ip string
445 chassis_name string
446 Details:
448 type: string, one of geneve, stt, or vxlan
449 The encapsulation to use to transmit packets to this chassis.
450 Hypervisors must use either geneve or stt. Gateways may use
451 vxlan, geneve, or stt.
452 options: map of string-string pairs
454 Options for configuring the encapsulation, which may be type
455 specific.
456 options : csum: optional string, either true or false
458 csum indicates whether this chassis can transmit and receive
459 packets that include checksums with reasonable performance. It
460 hints to senders transmitting data to this chassis that they
461 should use checksums to protect OVN metadata. ovn-controller
462 populates this key with the value defined in external_ids:ovn-
463 encap-csum column of the Open_vSwitch database’s Open_vSwitch
464 table. Other applications should treat this key as read-only.
465 See ovn-controller(8) for more information.
466 In terms of performance, checksumming actually significantly in‐
468 creases throughput in most common cases when running on Linux
469 based hosts without NICs supporting encapsulation hardware off‐
470 load (around 60% for bulk traffic). The reason is that generally
471 all NICs are capable of offloading transmitted and received
472 TCP/UDP checksums (viewed as ordinary data packets and not as
473 tunnels). The benefit comes on the receive side where the vali‐
474 dated outer checksum can be used to additionally validate an in‐
475 ner checksum (such as TCP), which in turn allows aggregation of
476 packets to be more efficiently handled by the rest of the stack.
477 Not all devices see such a benefit. The most notable exception
479 is hardware VTEPs. These devices are designed to not buffer en‐
480 tire packets in their switching engines and are therefore unable
481 to efficiently compute or validate full packet checksums. In ad‐
482 dition certain versions of the Linux kernel are not able to
483 fully take advantage of encapsulation NIC offloads in the pres‐
484 ence of checksums. (This is actually a pretty narrow corner case
485 though: earlier versions of Linux don’t support encapsulation
486 offloads at all and later versions support both offloads and
487 checksums well.)
488 csum defaults to false for hardware VTEPs and true for all other
490 cases.
491 This option applies to geneve and vxlan encapsulations.
493 options : dst_port: optional string, containing an integer
495 If set, overrides the UDP (for geneve and vxlan) or TCP (for
496 stt) destination port.
497 ip: string
499 The IPv4 address of the encapsulation tunnel endpoint.
500 chassis_name: string
502 The name of the chassis that created this encap.
503
505 This table contains address sets synced from the Address_Set table in
506 the OVN_Northbound database and address sets generated from the
507 Port_Group table in the OVN_Northbound database.
508 See the documentation for the Address_Set table and Port_Group table in
510 the OVN_Northbound database for details.
511 Summary:
513 name string (must be unique within table)
514 addresses set of strings
515 Details:
517 name: string (must be unique within table)
518 addresses: set of strings
520
522 This table contains names for the logical switch ports in the
523 OVN_Northbound database that belongs to the same group that is defined
524 in Port_Group in the OVN_Northbound database.
525 Summary:
527 name string (must be unique within table)
528 ports set of strings
529 Details:
531 name: string (must be unique within table)
532 ports: set of strings
534
536 Each row in this table represents one logical flow. ovn-northd popu‐
537 lates this table with logical flows that implement the L2 and L3
538 topologies specified in the OVN_Northbound database. Each hypervisor,
539 via ovn-controller, translates the logical flows into OpenFlow flows
540 specific to its hypervisor and installs them into Open vSwitch.
541 Logical flows are expressed in an OVN-specific format, described here.
543 A logical datapath flow is much like an OpenFlow flow, except that the
544 flows are written in terms of logical ports and logical datapaths in‐
545 stead of physical ports and physical datapaths. Translation between
546 logical and physical flows helps to ensure isolation between logical
547 datapaths. (The logical flow abstraction also allows the OVN central‐
548 ized components to do less work, since they do not have to separately
549 compute and push out physical flows to each chassis.)
550 The default action when no flow matches is to drop packets.
552 Architectural Logical Life Cycle of a Packet
554 This following description focuses on the life cycle of a packet
556 through a logical datapath, ignoring physical details of the implemen‐
557 tation. Please refer to Architectural Physical Life Cycle of a Packet
558 in ovn-architecture(7) for the physical information.
559 The description here is written as if OVN itself executes these steps,
561 but in fact OVN (that is, ovn-controller) programs Open vSwitch, via
562 OpenFlow and OVSDB, to execute them on its behalf.
563 At a high level, OVN passes each packet through the logical datapath’s
565 logical ingress pipeline, which may output the packet to one or more
566 logical port or logical multicast groups. For each such logical output
567 port, OVN passes the packet through the datapath’s logical egress pipe‐
568 line, which may either drop the packet or deliver it to the destina‐
569 tion. Between the two pipelines, outputs to logical multicast groups
570 are expanded into logical ports, so that the egress pipeline only pro‐
571 cesses a single logical output port at a time. Between the two pipe‐
572 lines is also where, when necessary, OVN encapsulates a packet in a
573 tunnel (or tunnels) to transmit to remote hypervisors.
574 In more detail, to start, OVN searches the Logical_Flow table for a row
576 with correct logical_datapath or a logical_dp_group, a pipeline of
577 ingress, a table_id of 0, and a match that is true for the packet. If
578 none is found, OVN drops the packet. If OVN finds more than one, it
579 chooses the match with the highest priority. Then OVN executes each of
580 the actions specified in the row’s actions column, in the order speci‐
581 fied. Some actions, such as those to modify packet headers, require no
582 further details. The next and output actions are special.
583 The next action causes the above process to be repeated recursively,
585 except that OVN searches for table_id of 1 instead of 0. Similarly, any
586 next action in a row found in that table would cause a further search
587 for a table_id of 2, and so on. When recursive processing completes,
588 flow control returns to the action following next.
589 The output action also introduces recursion. Its effect depends on the
591 current value of the outport field. Suppose outport designates a logi‐
592 cal port. First, OVN compares inport to outport; if they are equal, it
593 treats the output as a no-op by default. In the common case, where they
594 are different, the packet enters the egress pipeline. This transition
595 to the egress pipeline discards register data, e.g. reg0 ... reg9 and
596 connection tracking state, to achieve uniform behavior regardless of
597 whether the egress pipeline is on a different hypervisor (because reg‐
598 isters aren’t preserve across tunnel encapsulation).
599 To execute the egress pipeline, OVN again searches the Logical_Flow ta‐
601 ble for a row with correct logical_datapath or a logical_dp_group, a
602 table_id of 0, a match that is true for the packet, but now looking for
603 a pipeline of egress. If no matching row is found, the output becomes a
604 no-op. Otherwise, OVN executes the actions for the matching flow (which
605 is chosen from multiple, if necessary, as already described).
606 In the egress pipeline, the next action acts as already described, ex‐
608 cept that it, of course, searches for egress flows. The output action,
609 however, now directly outputs the packet to the output port (which is
610 now fixed, because outport is read-only within the egress pipeline).
611 The description earlier assumed that outport referred to a logical
613 port. If it instead designates a logical multicast group, then the de‐
614 scription above still applies, with the addition of fan-out from the
615 logical multicast group to each logical port in the group. For each
616 member of the group, OVN executes the logical pipeline as described,
617 with the logical output port replaced by the group member.
618 Pipeline Stages
620 ovn-northd populates the Logical_Flow table with the logical flows de‐
622 scribed in detail in ovn-northd(8).
623 Summary:
625 logical_datapath optional Datapath_Binding
626 logical_dp_group optional Logical_DP_Group
627 pipeline string, either egress or ingress
628 table_id integer, in range 0 to 32
629 priority integer, in range 0 to 65,535
630 match string
631 actions string
632 tags map of string-string pairs
633 controller_meter optional string
634 external_ids : stage-name optional string
635 external_ids : stage-hint optional string, containing an uuid
636 external_ids : source optional string
637 Common Columns:
638 external_ids map of string-string pairs
639 Details:
641 logical_datapath: optional Datapath_Binding
642 The logical datapath to which the logical flow belongs.
643 logical_dp_group: optional Logical_DP_Group
645 The group of logical datapaths to which the logical flow be‐
646 longs. This means that the same logical flow belongs to all
647 datapaths in a group.
648 pipeline: string, either egress or ingress
650 The primary flows used for deciding on a packet’s destination
651 are the ingress flows. The egress flows implement ACLs. See Log‐
652 ical Life Cycle of a Packet, above, for details.
653 table_id: integer, in range 0 to 32
655 The stage in the logical pipeline, analogous to an OpenFlow ta‐
656 ble number.
657 priority: integer, in range 0 to 65,535
659 The flow’s priority. Flows with numerically higher priority take
660 precedence over those with lower. If two logical datapath flows
661 with the same priority both match, then the one actually applied
662 to the packet is undefined.
663 match: string
665 A matching expression. OVN provides a superset of OpenFlow
666 matching capabilities, using a syntax similar to Boolean expres‐
667 sions in a programming language.
668 The most important components of match expression are compar‐
670 isons between symbols and constants, e.g. ip4.dst ==
671 192.168.0.1, ip.proto == 6, arp.op == 1, eth.type == 0x800. The
672 logical AND operator && and logical OR operator || can combine
673 comparisons into a larger expression.
674 Matching expressions also support parentheses for grouping, the
676 logical NOT prefix operator !, and literals 0 and 1 to express
677 ``false’’ or ``true,’’ respectively. The latter is useful by it‐
678 self as a catch-all expression that matches every packet.
679 Match expressions also support a kind of function syntax. The
681 following functions are supported:
682 is_chassis_resident(lport)
684 Evaluates to true on a chassis on which logical port
685 lport (a quoted string) resides, and to false elsewhere.
686 This function was introduced in OVN 2.7.
687 Symbols
689 Type. Symbols have integer or string type. Integer symbols have
691 a width in bits.
692 Kinds. There are three kinds of symbols:
694 • Fields. A field symbol represents a packet header or
696 metadata field. For example, a field named vlan.tci might
697 represent the VLAN TCI field in a packet.
698 A field symbol can have integer or string type. Integer
700 fields can be nominal or ordinal (see Level of Measure‐
701 ment, below).
702 • Subfields. A subfield represents a subset of bits from a
704 larger field. For example, a field vlan.vid might be de‐
705 fined as an alias for vlan.tci[0..11]. Subfields are pro‐
706 vided for syntactic convenience, because it is always
707 possible to instead refer to a subset of bits from a
708 field directly.
709 Only ordinal fields (see Level of Measurement, below) may
711 have subfields. Subfields are always ordinal.
712 • Predicates. A predicate is shorthand for a Boolean ex‐
714 pression. Predicates may be used much like 1-bit fields.
715 For example, ip4 might expand to eth.type == 0x800. Pred‐
716 icates are provided for syntactic convenience, because it
717 is always possible to instead specify the underlying ex‐
718 pression directly.
719 A predicate whose expansion refers to any nominal field
721 or predicate (see Level of Measurement, below) is nomi‐
722 nal; other predicates have Boolean level of measurement.
723 Level of Measurement. See
725 http://en.wikipedia.org/wiki/Level_of_measurement for the sta‐
726 tistical concept on which this classification is based. There
727 are three levels:
728 • Ordinal. In statistics, ordinal values can be ordered on
730 a scale. OVN considers a field (or subfield) to be ordi‐
731 nal if its bits can be examined individually. This is
732 true for the OpenFlow fields that OpenFlow or Open
733 vSwitch makes ``maskable.’’
734 Any use of a ordinal field may specify a single bit or a
736 range of bits, e.g. vlan.tci[13..15] refers to the PCP
737 field within the VLAN TCI, and eth.dst[40] refers to the
738 multicast bit in the Ethernet destination address.
739 OVN supports all the usual arithmetic relations (==, !=,
741 <, <=, >, and >=) on ordinal fields and their subfields,
742 because OVN can implement these in OpenFlow and Open
743 vSwitch as collections of bitwise tests.
744 • Nominal. In statistics, nominal values cannot be usefully
746 compared except for equality. This is true of OpenFlow
747 port numbers, Ethernet types, and IP protocols are exam‐
748 ples: all of these are just identifiers assigned arbi‐
749 trarily with no deeper meaning. In OpenFlow and Open
750 vSwitch, bits in these fields generally aren’t individu‐
751 ally addressable.
752 OVN only supports arithmetic tests for equality on nomi‐
754 nal fields, because OpenFlow and Open vSwitch provide no
755 way for a flow to efficiently implement other comparisons
756 on them. (A test for inequality can be sort of built out
757 of two flows with different priorities, but OVN matching
758 expressions always generate flows with a single prior‐
759 ity.)
760 String fields are always nominal.
762 • Boolean. A nominal field that has only two values, 0 and
764 1, is somewhat exceptional, since it is easy to support
765 both equality and inequality tests on such a field: ei‐
766 ther one can be implemented as a test for 0 or 1.
767 Only predicates (see above) have a Boolean level of mea‐
769 surement.
770 This isn’t a standard level of measurement.
772 Prerequisites. Any symbol can have prerequisites, which are ad‐
774 ditional condition implied by the use of the symbol. For exam‐
775 ple, For example, icmp4.type symbol might have prerequisite
776 icmp4, which would cause an expression icmp4.type == 0 to be in‐
777 terpreted as icmp4.type == 0 && icmp4, which would in turn ex‐
778 pand to icmp4.type == 0 && eth.type == 0x800 && ip4.proto == 1
779 (assuming icmp4 is a predicate defined as suggested under Types
780 above).
781 Relational operators
783 All of the standard relational operators ==, !=, <, <=, >, and
785 >= are supported. Nominal fields support only == and !=, and
786 only in a positive sense when outer ! are taken into account,
787 e.g. given string field inport, inport == "eth0" and !(inport !=
788 "eth0") are acceptable, but not inport != "eth0".
789 The implementation of == (or != when it is negated), is more ef‐
791 ficient than that of the other relational operators.
792 Constants
794 Integer constants may be expressed in decimal, hexadecimal pre‐
796 fixed by 0x, or as dotted-quad IPv4 addresses, IPv6 addresses in
797 their standard forms, or Ethernet addresses as colon-separated
798 hex digits. A constant in any of these forms may be followed by
799 a slash and a second constant (the mask) in the same form, to
800 form a masked constant. IPv4 and IPv6 masks may be given as in‐
801 tegers, to express CIDR prefixes.
802 String constants have the same syntax as quoted strings in JSON
804 (thus, they are Unicode strings).
805 Some operators support sets of constants written inside curly
807 braces { ... }. Commas between elements of a set, and after the
808 last elements, are optional. With ==, ``field == { constant1,
809 constant2, ... }’’ is syntactic sugar for ``field == constant1
810 || field == constant2 || .... Similarly, ``field != { constant1,
811 constant2, ... }’’ is equivalent to ``field != constant1 &&
812 field != constant2 && ...’’.
813 You may refer to a set of IPv4, IPv6, or MAC addresses stored in
815 the Address_Set table by its name. An Address_Set with a name of
816 set1 can be referred to as $set1.
817 You may refer to a group of logical switch ports stored in the
819 Port_Group table by its name. An Port_Group with a name of
820 port_group1 can be referred to as @port_group1.
821 Additionally, you may refer to the set of addresses belonging to
823 a group of logical switch ports stored in the Port_Group table
824 by its name followed by a suffix ’_ip4’/’_ip6’. The IPv4 address
825 set of a Port_Group with a name of port_group1 can be referred
826 to as $port_group1_ip4, and the IPv6 address set of the same
827 Port_Group can be referred to as $port_group1_ip6
828 Miscellaneous
830 Comparisons may name the symbol or the constant first, e.g.
832 tcp.src == 80 and 80 == tcp.src are both acceptable.
833 Tests for a range may be expressed using a syntax like 1024 <=
835 tcp.src <= 49151, which is equivalent to 1024 <= tcp.src &&
836 tcp.src <= 49151.
837 For a one-bit field or predicate, a mention of its name is
839 equivalent to symobl == 1, e.g. vlan.present is equivalent to
840 vlan.present == 1. The same is true for one-bit subfields, e.g.
841 vlan.tci[12]. There is no technical limitation to implementing
842 the same for ordinal fields of all widths, but the implementa‐
843 tion is expensive enough that the syntax parser requires writing
844 an explicit comparison against zero to make mistakes less
845 likely, e.g. in tcp.src != 0 the comparison against 0 is re‐
846 quired.
847 Operator precedence is as shown below, from highest to lowest.
849 There are two exceptions where parentheses are required even
850 though the table would suggest that they are not: && and || re‐
851 quire parentheses when used together, and ! requires parentheses
852 when applied to a relational expression. Thus, in (eth.type ==
853 0x800 || eth.type == 0x86dd) && ip.proto == 6 or !(arp.op == 1),
854 the parentheses are mandatory.
855 • ()
857 • == != < <= > >=
859 • !
861 • && ||
863 Comments may be introduced by //, which extends to the next new-
865 line. Comments within a line may be bracketed by /* and */. Mul‐
866 tiline comments are not supported.
867 Symbols
869 Most of the symbols below have integer type. Only inport and
871 outport have string type. inport names a logical port. Thus, its
872 value is a logical_port name from the Port_Binding table. out‐
873 port may name a logical port, as inport, or a logical multicast
874 group defined in the Multicast_Group table. For both symbols,
875 only names within the flow’s logical datapath may be used.
876 The regX symbols are 32-bit integers. The xxregX symbols are
878 128-bit integers, which overlay four of the 32-bit registers:
879 xxreg0 overlays reg0 through reg3, with reg0 supplying the most-
880 significant bits of xxreg0 and reg3 the least-significant.
881 xxreg1 similarly overlays reg4 through reg7.
882 • reg0...reg9
884 • xxreg0 xxreg1
886 • inport outport
888 • flags.loopback
890 • pkt.mark
892 • eth.src eth.dst eth.type
894 • vlan.tci vlan.vid vlan.pcp vlan.present
896 • ip.proto ip.dscp ip.ecn ip.ttl ip.frag
898 • ip4.src ip4.dst
900 • ip6.src ip6.dst ip6.label
902 • arp.op arp.spa arp.tpa arp.sha arp.tha
904 • tcp.src tcp.dst tcp.flags
906 • udp.src udp.dst
908 • sctp.src sctp.dst
910 • icmp4.type icmp4.code
912 • icmp6.type icmp6.code
914 • nd.target nd.sll nd.tll
916 • ct_mark ct_label
918 • ct_state, which has several Boolean subfields. The
920 ct_next action initializes the following subfields:
921 • ct.trk: Always set to true by ct_next to indicate
923 that connection tracking has taken place. All
924 other ct subfields have ct.trk as a prerequisite.
925 • ct.new: True for a new flow
927 • ct.est: True for an established flow
929 • ct.rel: True for a related flow
931 • ct.rpl: True for a reply flow
933 • ct.inv: True for a connection entry in a bad state
935 The ct_dnat, ct_snat, and ct_lb actions initialize the
937 following subfields:
938 • ct.dnat: True for a packet whose destination IP
940 address has been changed.
941 • ct.snat: True for a packet whose source IP address
943 has been changed.
944 The following predicates are supported:
946 • eth.bcast expands to eth.dst == ff:ff:ff:ff:ff:ff
948 • eth.mcast expands to eth.dst[40]
950 • vlan.present expands to vlan.tci[12]
952 • ip4 expands to eth.type == 0x800
954 • ip4.src_mcast expands to ip4.src[28..31] == 0xe
956 • ip4.mcast expands to ip4.dst[28..31] == 0xe
958 • ip6 expands to eth.type == 0x86dd
960 • ip expands to ip4 || ip6
962 • icmp4 expands to ip4 && ip.proto == 1
964 • icmp6 expands to ip6 && ip.proto == 58
966 • icmp expands to icmp4 || icmp6
968 • ip.is_frag expands to ip.frag[0]
970 • ip.later_frag expands to ip.frag[1]
972 • ip.first_frag expands to ip.is_frag && !ip.later_frag
974 • arp expands to eth.type == 0x806
976 • nd expands to icmp6.type == {135, 136} && icmp6.code == 0
978 && ip.ttl == 255
979 • nd_ns expands to icmp6.type == 135 && icmp6.code == 0 &&
981 ip.ttl == 255
982 • nd_na expands to icmp6.type == 136 && icmp6.code == 0 &&
984 ip.ttl == 255
985 • nd_rs expands to icmp6.type == 133 && icmp6.code == 0 &&
987 ip.ttl == 255
988 • nd_ra expands to icmp6.type == 134 && icmp6.code == 0 &&
990 ip.ttl == 255
991 • tcp expands to ip.proto == 6
993 • udp expands to ip.proto == 17
995 • sctp expands to ip.proto == 132
997 actions: string
999 Logical datapath actions, to be executed when the logical flow
1000 represented by this row is the highest-priority match.
1001 Actions share lexical syntax with the match column. An empty set
1003 of actions (or one that contains just white space or comments),
1004 or a set of actions that consists of just drop;, causes the
1005 matched packets to be dropped. Otherwise, the column should con‐
1006 tain a sequence of actions, each terminated by a semicolon.
1007 The following actions are defined:
1009 output;
1011 In the ingress pipeline, this action executes the egress
1012 pipeline as a subroutine. If outport names a logical
1013 port, the egress pipeline executes once; if it is a mul‐
1014 ticast group, the egress pipeline runs once for each log‐
1015 ical port in the group.
1016 In the egress pipeline, this action performs the actual
1018 output to the outport logical port. (In the egress pipe‐
1019 line, outport never names a multicast group.)
1020 By default, output to the input port is implicitly
1022 dropped, that is, output becomes a no-op if outport ==
1023 inport. Occasionally it may be useful to override this
1024 behavior, e.g. to send an ARP reply to an ARP request; to
1025 do so, use flags.loopback = 1 to allow the packet to
1026 "hair-pin" back to the input port.
1027 next;
1029 next(table);
1030 next(pipeline=pipeline, table=table);
1031 Executes the given logical datapath table in pipeline as a
1032 subroutine. The default table is just after the current
1033 one. If pipeline is specified, it may be ingress or egress;
1034 the default pipeline is the one currently executing. Ac‐
1035 tions in the both ingress and egress pipeline can use next
1036 to jump across the other pipeline. Actions in the ingress
1037 pipeline should use next to jump into the specific table of
1038 egress pipeline only if it is certain that the packets are
1039 local and not tunnelled and wants to skip certain stages in
1040 the packet processing.
1041 field = constant;
1043 Sets data or metadata field field to constant value con‐
1044 stant, e.g. outport = "vif0"; to set the logical output
1045 port. To set only a subset of bits in a field, specify a
1046 subfield for field or a masked constant, e.g. one may use
1047 vlan.pcp[2] = 1; or vlan.pcp = 4/4; to set the most signif‐
1048 icant bit of the VLAN PCP.
1049 Assigning to a field with prerequisites implicitly adds
1051 those prerequisites to match; thus, for example, a flow
1052 that sets tcp.dst applies only to TCP flows, regardless of
1053 whether its match mentions any TCP field.
1054 Not all fields are modifiable (e.g. eth.type and ip.proto
1056 are read-only), and not all modifiable fields may be par‐
1057 tially modified (e.g. ip.ttl must assigned as a whole). The
1058 outport field is modifiable in the ingress pipeline but not
1059 in the egress pipeline.
1060 ovn_field = constant;
1062 Sets OVN field ovn_field to constant value constant.
1063 OVN supports setting the values of certain fields which are
1065 not yet supported in OpenFlow to set or modify them.
1066 Below are the supported OVN fields:
1068 • icmp4.frag_mtu icmp6.frag_mtu
1070 This field sets the low-order 16 bits of the
1072 ICMP{4,6} header field that is labelled "unused" in
1073 the ICMP specification as defined in the RFC 1191
1074 with the value specified in constant.
1075 Eg. icmp4.frag_mtu = 1500;
1077 field1 = field2;
1079 Sets data or metadata field field1 to the value of data or
1080 metadata field field2, e.g. reg0 = ip4.src; copies ip4.src
1081 into reg0. To modify only a subset of a field’s bits, spec‐
1082 ify a subfield for field1 or field2 or both, e.g. vlan.pcp
1083 = reg0[0..2]; copies the least-significant bits of reg0
1084 into the VLAN PCP.
1085 field1 and field2 must be the same type, either both string
1087 or both integer fields. If they are both integer fields,
1088 they must have the same width.
1089 If field1 or field2 has prerequisites, they are added im‐
1091 plicitly to match. It is possible to write an assignment
1092 with contradictory prerequisites, such as ip4.src =
1093 ip6.src[0..31];, but the contradiction means that a logical
1094 flow with such an assignment will never be matched.
1095 field1 <-> field2;
1097 Similar to field1 = field2; except that the two values are
1098 exchanged instead of copied. Both field1 and field2 must
1099 modifiable.
1100 ip.ttl--;
1102 Decrements the IPv4 or IPv6 TTL. If this would make the TTL
1103 zero or negative, then processing of the packet halts; no
1104 further actions are processed. (To properly handle such
1105 cases, a higher-priority flow should match on ip.ttl == {0,
1106 1};.)
1107 Prerequisite: ip
1109 ct_next;
1111 Apply connection tracking to the flow, initializing
1112 ct_state for matching in later tables. Automatically moves
1113 on to the next table, as if followed by next.
1114 As a side effect, IP fragments will be reassembled for
1116 matching. If a fragmented packet is output, then it will be
1117 sent with any overlapping fragments squashed. The connec‐
1118 tion tracking state is scoped by the logical port when the
1119 action is used in a flow for a logical switch, so overlap‐
1120 ping addresses may be used. To allow traffic related to the
1121 matched flow, execute ct_commit . Connection tracking state
1122 is scoped by the logical topology when the action is used
1123 in a flow for a router.
1124 It is possible to have actions follow ct_next, but they
1126 will not have access to any of its side-effects and is not
1127 generally useful.
1128 ct_commit { };
1130 ct_commit { ct_mark=value[/mask]; };
1131 ct_commit { ct_label=value[/mask]; };
1132 ct_commit { ct_mark=value[/mask]; ct_label=value[/mask]; };
1133 Commit the flow to the connection tracking entry associated
1134 with it by a previous call to ct_next. When
1135 ct_mark=value[/mask] and/or ct_label=value[/mask] are sup‐
1136 plied, ct_mark and/or ct_label will be set to the values
1137 indicated by value[/mask] on the connection tracking entry.
1138 ct_mark is a 32-bit field. ct_label is a 128-bit field. The
1139 value[/mask] should be specified in hex string if more than
1140 64bits are to be used. Registers and other named fields can
1141 be used for value. ct_mark and ct_label may be sub-ad‐
1142 dressed in order to have specific bits set.
1143 Note that if you want processing to continue in the next
1145 table, you must execute the next action after ct_commit.
1146 You may also leave out next which will commit connection
1147 tracking state, and then drop the packet. This could be
1148 useful for setting ct_mark on a connection tracking entry
1149 before dropping a packet, for example.
1150 ct_dnat;
1152 ct_dnat(IP);
1153 ct_dnat sends the packet through the DNAT zone in connec‐
1154 tion tracking table to unDNAT any packet that was DNATed in
1155 the opposite direction. The packet is then automatically
1156 sent to to the next tables as if followed by next; action.
1157 The next tables will see the changes in the packet caused
1158 by the connection tracker.
1159 ct_dnat(IP) sends the packet through the DNAT zone to
1161 change the destination IP address of the packet to the one
1162 provided inside the parentheses and commits the connection.
1163 The packet is then automatically sent to the next tables as
1164 if followed by next; action. The next tables will see the
1165 changes in the packet caused by the connection tracker.
1166 ct_snat;
1168 ct_snat(IP);
1169 ct_snat sends the packet through the SNAT zone to unSNAT
1170 any packet that was SNATed in the opposite direction. The
1171 packet is automatically sent to the next tables as if fol‐
1172 lowed by the next; action. The next tables will see the
1173 changes in the packet caused by the connection tracker.
1174 ct_snat(IP) sends the packet through the SNAT zone to
1176 change the source IP address of the packet to the one pro‐
1177 vided inside the parenthesis and commits the connection.
1178 The packet is then automatically sent to the next tables as
1179 if followed by next; action. The next tables will see the
1180 changes in the packet caused by the connection tracker.
1181 ct_clear;
1183 Clears connection tracking state.
1184 clone { action; ... };
1186 Makes a copy of the packet being processed and executes
1187 each action on the copy. Actions following the clone ac‐
1188 tion, if any, apply to the original, unmodified packet.
1189 This can be used as a way to ``save and restore’’ the
1190 packet around a set of actions that may modify it and
1191 should not persist.
1192 arp { action; ... };
1194 Temporarily replaces the IPv4 packet being processed by an
1195 ARP packet and executes each nested action on the ARP
1196 packet. Actions following the arp action, if any, apply to
1197 the original, unmodified packet.
1198 The ARP packet that this action operates on is initialized
1200 based on the IPv4 packet being processed, as follows. These
1201 are default values that the nested actions will probably
1202 want to change:
1203 • eth.src unchanged
1205 • eth.dst unchanged
1207 • eth.type = 0x0806
1209 • arp.op = 1 (ARP request)
1211 • arp.sha copied from eth.src
1213 • arp.spa copied from ip4.src
1215 • arp.tha = 00:00:00:00:00:00
1217 • arp.tpa copied from ip4.dst
1219 The ARP packet has the same VLAN header, if any, as the IP
1221 packet it replaces.
1222 Prerequisite: ip4
1224 get_arp(P, A);
1226 Parameters: logical port string field P, 32-bit IP address
1227 field A.
1228 Looks up A in P’s mac binding table. If an entry is found,
1230 stores its Ethernet address in eth.dst, otherwise stores
1231 00:00:00:00:00:00 in eth.dst.
1232 Example: get_arp(outport, ip4.dst);
1234 put_arp(P, A, E);
1236 Parameters: logical port string field P, 32-bit IP address
1237 field A, 48-bit Ethernet address field E.
1238 Adds or updates the entry for IP address A in logical port
1240 P’s mac binding table, setting its Ethernet address to E.
1241 Example: put_arp(inport, arp.spa, arp.sha);
1243 R = lookup_arp(P, A, M);
1245 Parameters: logical port string field P, 32-bit IP address
1246 field A, 48-bit MAC address field M.
1247 Result: stored to a 1-bit subfield R.
1249 Looks up A and M in P’s mac binding table. If an entry is
1251 found, stores 1 in the 1-bit subfield R, else 0.
1252 Example: reg0[0] = lookup_arp(inport, arp.spa, arp.sha);
1254 R = lookup_arp_ip(P, A);
1256 Parameters: logical port string field P, 32-bit IP address
1257 field A.
1258 Result: stored to a 1-bit subfield R.
1260 Looks up A in P’s mac binding table. If an entry is found,
1262 stores 1 in the 1-bit subfield R, else 0.
1263 Example: reg0[0] = lookup_arp_ip(inport, arp.spa);
1265 P = get_fdb(A);
1267 Parameters:48-bit MAC address field A.
1268 Looks up A in fdb table. If an entry is found, stores the
1270 logical port key to the out parameter P.
1271 Example: outport = get_fdb(eth.src);
1273 put_fdb(P, A);
1275 Parameters: logical port string field P, 48-bit MAC address
1276 field A.
1277 Adds or updates the entry for Ethernet address A in fdb ta‐
1279 ble, setting its logical port key to P.
1280 Example: put_fdb(inport, arp.spa);
1282 R = lookup_fdb(P, A);
1284 Parameters: 48-bit MAC address field M, logical port string
1285 field P.
1286 Result: stored to a 1-bit subfield R.
1288 Looks up A in fdb table. If an entry is found and the the
1290 logical port key is P, P, stores 1 in the 1-bit subfield R,
1291 else 0.
1292 Example: reg0[0] = lookup_fdb(inport, eth.src);
1294 nd_ns { action; ... };
1296 Temporarily replaces the IPv6 packet being processed by an
1297 IPv6 Neighbor Solicitation packet and executes each nested
1298 action on the IPv6 NS packet. Actions following the nd_ns
1299 action, if any, apply to the original, unmodified packet.
1300 The IPv6 NS packet that this action operates on is initial‐
1302 ized based on the IPv6 packet being processed, as follows.
1303 These are default values that the nested actions will prob‐
1304 ably want to change:
1305 • eth.src unchanged
1307 • eth.dst set to IPv6 multicast MAC address
1309 • eth.type = 0x86dd
1311 • ip6.src copied from ip6.src
1313 • ip6.dst set to IPv6 Solicited-Node multicast address
1315 • icmp6.type = 135 (Neighbor Solicitation)
1317 • nd.target copied from ip6.dst
1319 The IPv6 NS packet has the same VLAN header, if any, as the
1321 IP packet it replaces.
1322 Prerequisite: ip6
1324 nd_na { action; ... };
1326 Temporarily replaces the IPv6 neighbor solicitation packet
1327 being processed by an IPv6 neighbor advertisement (NA)
1328 packet and executes each nested action on the NA packet.
1329 Actions following the nd_na action, if any, apply to the
1330 original, unmodified packet.
1331 The NA packet that this action operates on is initialized
1333 based on the IPv6 packet being processed, as follows. These
1334 are default values that the nested actions will probably
1335 want to change:
1336 • eth.dst exchanged with eth.src
1338 • eth.type = 0x86dd
1340 • ip6.dst copied from ip6.src
1342 • ip6.src copied from nd.target
1344 • icmp6.type = 136 (Neighbor Advertisement)
1346 • nd.target unchanged
1348 • nd.sll = 00:00:00:00:00:00
1350 • nd.tll copied from eth.dst
1352 The ND packet has the same VLAN header, if any, as the IPv6
1354 packet it replaces.
1355 Prerequisite: nd_ns
1357 nd_na_router { action; ... };
1359 Temporarily replaces the IPv6 neighbor solicitation packet
1360 being processed by an IPv6 neighbor advertisement (NA)
1361 packet, sets ND_NSO_ROUTER in the RSO flags and executes
1362 each nested action on the NA packet. Actions following the
1363 nd_na_router action, if any, apply to the original, unmodi‐
1364 fied packet.
1365 The NA packet that this action operates on is initialized
1367 based on the IPv6 packet being processed, as follows. These
1368 are default values that the nested actions will probably
1369 want to change:
1370 • eth.dst exchanged with eth.src
1372 • eth.type = 0x86dd
1374 • ip6.dst copied from ip6.src
1376 • ip6.src copied from nd.target
1378 • icmp6.type = 136 (Neighbor Advertisement)
1380 • nd.target unchanged
1382 • nd.sll = 00:00:00:00:00:00
1384 • nd.tll copied from eth.dst
1386 The ND packet has the same VLAN header, if any, as the IPv6
1388 packet it replaces.
1389 Prerequisite: nd_ns
1391 get_nd(P, A);
1393 Parameters: logical port string field P, 128-bit IPv6 ad‐
1394 dress field A.
1395 Looks up A in P’s mac binding table. If an entry is found,
1397 stores its Ethernet address in eth.dst, otherwise stores
1398 00:00:00:00:00:00 in eth.dst.
1399 Example: get_nd(outport, ip6.dst);
1401 put_nd(P, A, E);
1403 Parameters: logical port string field P, 128-bit IPv6 ad‐
1404 dress field A, 48-bit Ethernet address field E.
1405 Adds or updates the entry for IPv6 address A in logical
1407 port P’s mac binding table, setting its Ethernet address to
1408 E.
1409 Example: put_nd(inport, nd.target, nd.tll);
1411 R = lookup_nd(P, A, M);
1413 Parameters: logical port string field P, 128-bit IP address
1414 field A, 48-bit MAC address field M.
1415 Result: stored to a 1-bit subfield R.
1417 Looks up A and M in P’s mac binding table. If an entry is
1419 found, stores 1 in the 1-bit subfield R, else 0.
1420 Example: reg0[0] = lookup_nd(inport, ip6.src, eth.src);
1422 R = lookup_nd_ip(P, A);
1424 Parameters: logical port string field P, 128-bit IP address
1425 field A.
1426 Result: stored to a 1-bit subfield R.
1428 Looks up A in P’s mac binding table. If an entry is found,
1430 stores 1 in the 1-bit subfield R, else 0.
1431 Example: reg0[0] = lookup_nd_ip(inport, ip6.src);
1433 R = put_dhcp_opts(D1 = V1, D2 = V2, ..., Dn = Vn);
1435 Parameters: one or more DHCP option/value pairs, which must
1436 include an offerip option (with code 0).
1437 Result: stored to a 1-bit subfield R.
1439 Valid only in the ingress pipeline.
1441 When this action is applied to a DHCP request packet
1443 (DHCPDISCOVER or DHCPREQUEST), it changes the packet into a
1444 DHCP reply (DHCPOFFER or DHCPACK, respectively), replaces
1445 the options by those specified as parameters, and stores 1
1446 in R.
1447 When this action is applied to a non-DHCP packet or a DHCP
1449 packet that is not DHCPDISCOVER or DHCPREQUEST, it leaves
1450 the packet unchanged and stores 0 in R.
1451 The contents of the DHCP_Option table control the DHCP op‐
1453 tion names and values that this action supports.
1454 Example: reg0[0] = put_dhcp_opts(offerip = 10.0.0.2, router
1456 = 10.0.0.1, netmask = 255.255.255.0, dns_server = {8.8.8.8,
1457 7.7.7.7});
1458 R = put_dhcpv6_opts(D1 = V1, D2 = V2, ..., Dn = Vn);
1460 Parameters: one or more DHCPv6 option/value pairs.
1461 Result: stored to a 1-bit subfield R.
1463 Valid only in the ingress pipeline.
1465 When this action is applied to a DHCPv6 request packet, it
1467 changes the packet into a DHCPv6 reply, replaces the op‐
1468 tions by those specified as parameters, and stores 1 in R.
1469 When this action is applied to a non-DHCPv6 packet or an
1471 invalid DHCPv6 request packet , it leaves the packet un‐
1472 changed and stores 0 in R.
1473 The contents of the DHCPv6_Options table control the DHCPv6
1475 option names and values that this action supports.
1476 Example: reg0[3] = put_dhcpv6_opts(ia_addr = aef0::4,
1478 server_id = 00:00:00:00:10:02,
1479 dns_server={ae70::1,ae70::2});
1480 set_queue(queue_number);
1482 Parameters: Queue number queue_number, in the range 0 to
1483 61440.
1484 This is a logical equivalent of the OpenFlow set_queue ac‐
1486 tion. It affects packets that egress a hypervisor through a
1487 physical interface. For nonzero queue_number, it configures
1488 packet queuing to match the settings configured for the
1489 Port_Binding with options:qdisc_queue_id matching
1490 queue_number. When queue_number is zero, it resets queuing
1491 to the default strategy.
1492 Example: set_queue(10);
1494 ct_lb;
1496 ct_lb(ip[:port]...);
1497 With one or more arguments, ct_lb commits the packet to the
1498 connection tracking table and DNATs the packet’s destina‐
1499 tion IP address (and port) to the IP address or addresses
1500 (and optional ports) specified in the string. If multiple
1501 comma-separated IP addresses are specified, each is given
1502 equal weight for picking the DNAT address. Processing auto‐
1503 matically moves on to the next table, as if next; were
1504 specified, and later tables act on the packet as modified
1505 by the connection tracker. Connection tracking state is
1506 scoped by the logical port when the action is used in a
1507 flow for a logical switch, so overlapping addresses may be
1508 used. Connection tracking state is scoped by the logical
1509 topology when the action is used in a flow for a router.
1510 Without arguments, ct_lb sends the packet to the connection
1512 tracking table to NAT the packets. If the packet is part of
1513 an established connection that was previously committed to
1514 the connection tracker via ct_lb(...), it will automati‐
1515 cally get DNATed to the same IP address as the first packet
1516 in that connection.
1517 R = dns_lookup();
1519 Parameters: No parameters.
1520 Result: stored to a 1-bit subfield R.
1522 Valid only in the ingress pipeline.
1524 When this action is applied to a valid DNS request (a UDP
1526 packet typically directed to port 53), it attempts to re‐
1527 solve the query using the contents of the DNS table. If it
1528 is successful, it changes the packet into a DNS reply and
1529 stores 1 in R. If the action is applied to a non-DNS
1530 packet, an invalid DNS request packet, or a valid DNS re‐
1531 quest for which the DNS table does not supply an answer, it
1532 leaves the packet unchanged and stores 0 in R.
1533 Regardless of success, the action does not make any of the
1535 changes to the flow that are necessary to direct the packet
1536 back to the requester. The logical pipeline can implement
1537 this behavior with matches and actions in later tables.
1538 Example: reg0[3] = dns_lookup();
1540 Prerequisite: udp
1542 R = put_nd_ra_opts(D1 = V1, D2 = V2, ..., Dn = Vn);
1544 Parameters: The following IPv6 ND Router Advertisement op‐
1545 tion/value pairs as defined in RFC 4861.
1546 • addr_mode
1548 Mandatory parameter which specifies the address mode
1550 flag to be set in the RA flag options field. The
1551 value of this option is a string and the following
1552 values can be defined - "slaac", "dhcpv6_stateful"
1553 and "dhcpv6_stateless".
1554 • slla
1556 Mandatory parameter which specifies the link-layer
1558 address of the interface from which the Router Ad‐
1559 vertisement is sent.
1560 • mtu
1562 Optional parameter which specifies the MTU.
1564 • prefix
1566 Optional parameter which should be specified if the
1568 addr_mode is "slaac" or "dhcpv6_stateless". The
1569 value should be an IPv6 prefix which will be used
1570 for stateless IPv6 address configuration. This op‐
1571 tion can be defined multiple times.
1572 Result: stored to a 1-bit subfield R.
1574 Valid only in the ingress pipeline.
1576 When this action is applied to an IPv6 Router solicitation
1578 request packet, it changes the packet into an IPv6 Router
1579 Advertisement reply and adds the options specified in the
1580 parameters, and stores 1 in R.
1581 When this action is applied to a non-IPv6 Router solicita‐
1583 tion packet or an invalid IPv6 request packet , it leaves
1584 the packet unchanged and stores 0 in R.
1585 Example: reg0[3] = put_nd_ra_opts(addr_mode = "slaac", slla
1587 = 00:00:00:00:10:02, prefix = aef0::/64, mtu = 1450);
1588 set_meter(rate);
1590 set_meter(rate, burst);
1591 Parameters: rate limit int field rate in kbps, burst rate
1592 limits int field burst in kbps.
1593 This action sets the rate limit for a flow.
1595 Example: set_meter(100, 1000);
1597 R = check_pkt_larger(L)
1599 Parameters: packet length L to check for in bytes.
1600 Result: stored to a 1-bit subfield R.
1602 This is a logical equivalent of the OpenFlow
1604 check_pkt_larger action. If the packet is larger than the
1605 length specified in L, it stores 1 in the subfield R.
1606 Example: reg0[6] = check_pkt_larger(1000);
1608 log(key=value, ...);
1610 Causes ovn-controller to log the packet on the chassis
1611 that processes it. Packet logging currently uses the same
1612 logging mechanism as other Open vSwitch and OVN messages,
1613 which means that whether and where log messages appear
1614 depends on the local logging configuration that can be
1615 configured with ovs-appctl, etc.
1616 The log action takes zero or more of the following key-
1618 value pair arguments that control what is logged:
1619 name=string
1621 An optional name for the ACL. The string is cur‐
1622 rently limited to 64 bytes.
1623 severity=level
1625 Indicates the severity of the event. The level is
1626 one of following (from more to less serious):
1627 alert, warning, notice, info, or debug. If a
1628 severity is not provided, the default is info.
1629 verdict=value
1631 The verdict for packets matching the flow. The
1632 value must be one of allow, deny, or reject.
1633 meter=string
1635 An optional rate-limiting meter to be applied to
1636 the logs. The string should reference a name entry
1637 from the Meter table. The only meter action that
1638 is appropriate is drop.
1639 fwd_group(liveness=bool, childports=port, ...);
1641 Parameters: optional liveness, either true or false, de‐
1642 faulting to false; childports, a comma-delimited list of
1643 strings denoting logical ports to load balance across.
1644 Load balance traffic to one or more child ports in a log‐
1646 ical switch. ovn-controller translates the fwd_group into
1647 an OpenFlow group with one bucket for each child port. If
1648 liveness=true is specified, it also integrates the bucket
1649 selection with BFD status on the tunnel interface corre‐
1650 sponding to child port.
1651 Example: fwd_group(liveness=true, childports="p1", "p2");
1653 icmp4 { action; ... };
1655 icmp4_error { action; ... };
1656 Temporarily replaces the IPv4 packet being processed by an
1657 ICMPv4 packet and executes each nested action on the ICMPv4
1658 packet. Actions following these actions, if any, apply to
1659 the original, unmodified packet.
1660 The ICMPv4 packet that these actions operates on is ini‐
1662 tialized based on the IPv4 packet being processed, as fol‐
1663 lows. These are default values that the nested actions will
1664 probably want to change. Ethernet and IPv4 fields not
1665 listed here are not changed:
1666 • ip.proto = 1 (ICMPv4)
1668 • ip.frag = 0 (not a fragment)
1670 • ip.ttl = 255
1672 • icmp4.type = 3 (destination unreachable)
1674 • icmp4.code = 1 (host unreachable)
1676 icmp4_error action is expected to be used to generate an
1678 ICMPv4 packet in response to an error in original IP
1679 packet. When this action generates the ICMPv4 packet, it
1680 also copies the original IP datagram following the ICMPv4
1681 header as per RFC 1122: 3.2.2.
1682 Prerequisite: ip4
1684 icmp6 { action; ... };
1686 icmp6_error { action; ... };
1687 Temporarily replaces the IPv6 packet being processed by an
1688 ICMPv6 packet and executes each nested action on the ICMPv6
1689 packet. Actions following the icmp6 action, if any, apply
1690 to the original, unmodified packet.
1691 The ICMPv6 packet that this action operates on is initial‐
1693 ized based on the IPv6 packet being processed, as follows.
1694 These are default values that the nested actions will prob‐
1695 ably want to change. Ethernet and IPv6 fields not listed
1696 here are not changed:
1697 • ip.proto = 58 (ICMPv6)
1699 • ip.ttl = 255
1701 • icmp6.type = 1 (destination unreachable)
1703 • icmp6.code = 1 (administratively prohibited)
1705 icmp6_error action is expected to be used to generate an
1707 ICMPv6 packet in response to an error in original IPv6
1708 packet.
1709 Prerequisite: ip6
1711 tcp_reset;
1713 This action transforms the current TCP packet according to
1714 the following pseudocode:
1715 if (tcp.ack) {
1717 tcp.seq = tcp.ack;
1718 } else {
1719 tcp.ack = tcp.seq + length(tcp.payload);
1720 tcp.seq = 0;
1721 }
1722 tcp.flags = RST;
1723 Then, the action drops all TCP options and payload data,
1725 and updates the TCP checksum. IP ttl is set to 255.
1726 Prerequisite: tcp
1728 reject { action; ... };
1730 If the original packet is IPv4 or IPv6 TCP packet, it re‐
1731 places it with IPv4 or IPv6 TCP RST packet and executes the
1732 inner actions. Otherwise it replaces it with an ICMPv4 or
1733 ICMPv6 packet and executes the inner actions.
1734 The inner actions should not attempt to swap eth source
1736 with eth destination and IP source with IP destination as
1737 this action implicitly does that.
1738 trigger_event;
1740 This action is used to allow ovs-vswitchd to report CMS re‐
1741 lated events writing them in Controller_Event table. It is
1742 possible to associate a meter to a each event in order to
1743 not overload pinctrl thread under heavy load; each meter is
1744 identified though a defined naming convention. Supported
1745 events:
1746 • empty_lb_backends. This event is raised if a re‐
1748 ceived packet is destined for a load balancer VIP
1749 that has no configured backend destinations. For
1750 this event, the event info includes the load bal‐
1751 ancer VIP, the load balancer UUID, and the transport
1752 protocol. Associated meter: event-elb
1753 igmp;
1755 This action sends the packet to ovn-controller for multi‐
1756 cast snooping.
1757 Prerequisite: igmp
1759 bind_vport(V, P);
1761 Parameters: logical port string field V of type virtual,
1762 logical port string field P.
1763 Binds the virtual logical port V and sets the chassis col‐
1765 umn and virtual_parent of the table Port_Binding. vir‐
1766 tual_parent is set to P.
1767 handle_svc_check(P);
1769 Parameters: logical port string field P.
1770 Handles the service monitor reply received from the VIF of
1772 the logical port P. ovn-controller periodically sends out
1773 the service monitor packets for the services configured in
1774 the Service_Monitor table and this action updates the sta‐
1775 tus of those services.
1776 Example: handle_svc_check(inport);
1778 handle_dhcpv6_reply;
1780 Handle DHCPv6 prefix delegation advertisements/replies from
1781 a IPv6 delegation server. ovn-controller will add an entry
1782 ipv6_ra_pd_list in the options table for each prefix re‐
1783 ceived from the delegation server
1784 R = select(N1[=W1], N2[=W2], ...);
1786 Parameters: Integer N1, N2..., with optional weight W1, W2,
1787 ...
1788 Result: stored to a logical field or subfield R.
1790 Select from a list of integers N1, N2..., each within the
1792 range 0 ~ 65535, and store the selected one in the field R.
1793 There must be 2 or more integers listed, each with an op‐
1794 tional weight, which is an integer within the range 1 ~
1795 65535. If weight is not specified, it defaults to 100. The
1796 selection method is based on the 5-tuple hash of packet
1797 header.
1798 Processing automatically moves on to the next table, as if
1800 next; were specified. The select action must be put as the
1801 last action of the logical flow when there are multiple ac‐
1802 tions (actions put after select will not take effect).
1803 Example: reg8[16..31] = select(1=20, 2=30, 3=50);
1805 handle_dhcpv6_reply;
1807 This action is used to parse DHCPv6 replies from IPv6 Dele‐
1808 gation Router and managed IPv6 Prefix delegation state ma‐
1809 chine
1810 R = chk_lb_hairpin();
1812 This action checks if the packet under consideration was
1813 destined to a load balancer VIP and it is hairpinned, i.e.,
1814 after load balancing the destination IP matches the source
1815 IP. If it is so, then the 1-bit destination register R is
1816 set to 1.
1817 R = chk_lb_hairpin_reply();
1819 This action checks if the packet under consideration is
1820 from one of the backend IP of a load balancer VIP and the
1821 destination IP is the load balancer VIP. If it is so, then
1822 the 1-bit destination register R is set to 1.
1823 R = ct_snat_to_vip;
1825 This action sends the packet through the SNAT zone to
1826 change the source IP address of the packet to the load bal‐
1827 ancer VIP if the original destination IP was load balancer
1828 VIP and commits the connection. This action applies suc‐
1829 cessfully only for the hairpinned traffic i.e if the action
1830 chk_lb_hairpin returned success. This action doesn’t take
1831 any arguments and it determines the SNAT IP internally. The
1832 packet is not automatically sent to the next table. The
1833 caller has to execute the next; action explicitly after
1834 this action to advance the packet to the next stage.
1835 tags: map of string-string pairs
1837 Key-value pairs that provide additional information to help ovn-
1838 controller processing the logical flow. Below are the tags used
1839 by ovn-controller.
1840 in_out_port
1842 In the logical flow’s "match" column, if a logical port P
1843 is compared with "inport" and the logical flow is on a
1844 logical switch ingress pipeline, or if P is compared with
1845 "outport" and the logical flow is on a logical switch
1846 egress pipeline, and the expression is combined with
1847 other expressions (if any) using the operator &&, then
1848 the port P should be added as the value in this tag. If
1849 there are multiple logical ports meeting this criteria,
1850 one of them can be added. ovn-controller uses this infor‐
1851 mation to skip parsing flows that are not needed on the
1852 chassis. Failing to add the tag will affect efficiency,
1853 while adding wrong value will affect correctness.
1854 controller_meter: optional string
1856 The name of the meter in table Meter to be used for all packets
1857 that the logical flow might send to ovn-controller.
1858 external_ids : stage-name: optional string
1860 Human-readable name for this flow’s stage in the pipeline.
1861 external_ids : stage-hint: optional string, containing an uuid
1863 UUID of a OVN_Northbound record that caused this logical flow to
1864 be created. Currently used only for attribute of logical flows
1865 to northbound ACL records.
1866 external_ids : source: optional string
1868 Source file and line number of the code that added this flow to
1869 the pipeline.
1870 Common Columns:
1872 The overall purpose of these columns is described under Common Columns
1874 at the beginning of this document.
1875 external_ids: map of string-string pairs
1877
1879 Each row in this table represents a group of logical datapaths refer‐
1880 enced by the logical_dp_group column in the Logical_Flow table.
1881 Summary:
1883 datapaths set of weak reference to Datapath_Bind‐
1884 ings
1885 Details:
1887 datapaths: set of weak reference to Datapath_Bindings
1888 List of Datapath_Binding entries.
1889
1891 The rows in this table define multicast groups of logical ports. Multi‐
1892 cast groups allow a single packet transmitted over a tunnel to a hyper‐
1893 visor to be delivered to multiple VMs on that hypervisor, which uses
1894 bandwidth more efficiently.
1895 Each row in this table defines a logical multicast group numbered tun‐
1897 nel_key within datapath, whose logical ports are listed in the ports
1898 column.
1899 Summary:
1901 datapath Datapath_Binding
1902 tunnel_key integer, in range 32,768 to 65,535
1903 name string
1904 ports set of weak reference to Port_Bindings
1905 Details:
1907 datapath: Datapath_Binding
1908 The logical datapath in which the multicast group resides.
1909 tunnel_key: integer, in range 32,768 to 65,535
1911 The value used to designate this logical egress port in tunnel
1912 encapsulations. An index forces the key to be unique within the
1913 datapath. The unusual range ensures that multicast group IDs do
1914 not overlap with logical port IDs.
1915 name: string
1917 The logical multicast group’s name. An index forces the name to
1918 be unique within the datapath. Logical flows in the ingress
1919 pipeline may output to the group just as for individual logical
1920 ports, by assigning the group’s name to outport and executing an
1921 output action.
1922 Multicast group names and logical port names share a single
1924 namespace and thus should not overlap (but the database schema
1925 cannot enforce this). To try to avoid conflicts, ovn-northd uses
1926 names that begin with _MC_.
1927 ports: set of weak reference to Port_Bindings
1929 The logical ports included in the multicast group. All of these
1930 ports must be in the datapath logical datapath (but the database
1931 schema cannot enforce this).
1932
1934 Each row in this table represents a meter that can be used for QoS or
1935 rate-limiting.
1936 Summary:
1938 name string (must be unique within table)
1939 unit string, either kbps or pktps
1940 bands set of 1 or more Meter_Bands
1941 Details:
1943 name: string (must be unique within table)
1944 A name for this meter.
1945 Names that begin with "__" (two underscores) are reserved for
1947 OVN internal use and should not be added manually.
1948 unit: string, either kbps or pktps
1950 The unit for rate and burst_rate parameters in the bands entry.
1951 kbps specifies kilobits per second, and pktps specifies packets
1952 per second.
1953 bands: set of 1 or more Meter_Bands
1955 The bands associated with this meter. Each band specifies a rate
1956 above which the band is to take the action action. If multiple
1957 bands’ rates are exceeded, then the band with the highest rate
1958 among the exceeded bands is selected.
1959
1961 Each row in this table represents a meter band which specifies the rate
1962 above which the configured action should be applied. These bands are
1963 referenced by the bands column in the Meter table.
1964 Summary:
1966 action string, must be drop
1967 rate integer, in range 1 to 4,294,967,295
1968 burst_size integer, in range 0 to 4,294,967,295
1969 Details:
1971 action: string, must be drop
1972 The action to execute when this band matches. The only supported
1973 action is drop.
1974 rate: integer, in range 1 to 4,294,967,295
1976 The rate limit for this band, in kilobits per second or bits per
1977 second, depending on whether the parent Meter entry’s unit col‐
1978 umn specified kbps or pktps.
1979 burst_size: integer, in range 0 to 4,294,967,295
1981 The maximum burst allowed for the band in kilobits or packets,
1982 depending on whether kbps or pktps was selected in the parent
1983 Meter entry’s unit column. If the size is zero, the switch is
1984 free to select some reasonable value depending on its configura‐
1985 tion.
1986
1988 Each row in this table represents a logical datapath, which implements
1989 a logical pipeline among the ports in the Port_Binding table associated
1990 with it. In practice, the pipeline in a given logical datapath imple‐
1991 ments either a logical switch or a logical router.
1992 The main purpose of a row in this table is provide a physical binding
1994 for a logical datapath. A logical datapath does not have a physical lo‐
1995 cation, so its physical binding information is limited: just tun‐
1996 nel_key. The rest of the data in this table does not affect packet for‐
1997 warding.
1998 Summary:
2000 tunnel_key integer, in range 1 to 16,777,215 (must
2001 be unique within table)
2002 load_balancers set of uuids
2003 OVN_Northbound Relationship:
2004 external_ids : logical-switch
2005 optional string, containing an uuid
2006 external_ids : logical-router
2007 optional string, containing an uuid
2008 external_ids : interconn-ts
2009 optional string
2010 Naming:
2011 external_ids : name optional string
2012 external_ids : name2 optional string
2013 Common Columns:
2014 external_ids map of string-string pairs
2015 Details:
2017 tunnel_key: integer, in range 1 to 16,777,215 (must be unique within
2018 table)
2019 The tunnel key value to which the logical datapath is bound. The
2020 Tunnel Encapsulation section in ovn-architecture(7) describes
2021 how tunnel keys are constructed for each supported encapsula‐
2022 tion.
2023 load_balancers: set of uuids
2025 Not used anymore; kept for backwards compatibility of the
2026 schema.
2027 OVN_Northbound Relationship:
2029 Each row in Datapath_Binding is associated with some logical datapath.
2031 ovn-northd uses these keys to track the association of a logical data‐
2032 path with concepts in the OVN_Northbound database.
2033 external_ids : logical-switch: optional string, containing an uuid
2035 For a logical datapath that represents a logical switch,
2036 ovn-northd stores in this key the UUID of the corresponding Log‐
2037 ical_Switch row in the OVN_Northbound database.
2038 external_ids : logical-router: optional string, containing an uuid
2040 For a logical datapath that represents a logical router,
2041 ovn-northd stores in this key the UUID of the corresponding Log‐
2042 ical_Router row in the OVN_Northbound database.
2043 external_ids : interconn-ts: optional string
2045 For a logical datapath that represents a logical switch that
2046 represents a transit switch for interconnection, ovn-northd
2047 stores in this key the value of the same interconn-ts key of the
2048 external_ids column of the corresponding Logical_Switch row in
2049 the OVN_Northbound database.
2050 Naming:
2052 ovn-northd copies these from the name fields in the OVN_Northbound
2054 database, either from name and external_ids:neutron:router_name in the
2055 Logical_Router table or from name and external_ids:neutron:network_name
2056 in the Logical_Switch table.
2057 external_ids : name: optional string
2059 A name for the logical datapath.
2060 external_ids : name2: optional string
2062 Another name for the logical datapath.
2063 Common Columns:
2065 The overall purpose of these columns is described under Common Columns
2067 at the beginning of this document.
2068 external_ids: map of string-string pairs
2070
2072 Each row in this table binds a logical port to a realization. For most
2073 logical ports, this means binding to some physical location, for exam‐
2074 ple by binding a logical port to a VIF that belongs to a VM running on
2075 a particular hypervisor. Other logical ports, such as logical patch
2076 ports, can be realized without a specific physical location, but their
2077 bindings are still expressed through rows in this table.
2078 For every Logical_Switch_Port record in OVN_Northbound database,
2080 ovn-northd creates a record in this table. ovn-northd populates and
2081 maintains every column except the chassis and virtual_parent columns,
2082 which it leaves empty in new records.
2083 ovn-controller/ovn-controller-vtep populates the chassis column for the
2085 records that identify the logical ports that are located on its hyper‐
2086 visor/gateway, which ovn-controller/ovn-controller-vtep in turn finds
2087 out by monitoring the local hypervisor’s Open_vSwitch database, which
2088 identifies logical ports via the conventions described in Integra‐
2089 tionGuide.rst. (The exceptions are for Port_Binding records with type
2090 of l3gateway, whose locations are identified by ovn-northd via the op‐
2091 tions:l3gateway-chassis column in this table. ovn-controller is still
2092 responsible to populate the chassis column.)
2093 ovn-controller also populates the virtual_parent column of records
2095 whose type is virtual.
2096 When a chassis shuts down gracefully, it should clean up the chassis
2098 column that it previously had populated. (This is not critical because
2099 resources hosted on the chassis are equally unreachable regardless of
2100 whether their rows are present.) To handle the case where a VM is shut
2101 down abruptly on one chassis, then brought up again on a different one,
2102 ovn-controller/ovn-controller-vtep must overwrite the chassis column
2103 with new information.
2104 Summary:
2106 Core Features:
2107 datapath Datapath_Binding
2108 logical_port string (must be unique within table)
2109 encap optional weak reference to Encap
2110 chassis optional weak reference to Chassis
2111 gateway_chassis set of Gateway_Chassises
2112 ha_chassis_group optional HA_Chassis_Group
2113 up optional boolean
2114 tunnel_key integer, in range 1 to 32,767
2115 mac set of strings
2116 type string
2117 Patch Options:
2118 options : peer optional string
2119 nat_addresses set of strings
2120 L3 Gateway Options:
2121 options : peer optional string
2122 options : l3gateway-chassis
2123 optional string
2124 nat_addresses set of strings
2125 Localnet Options:
2126 options : network_name optional string
2127 tag optional integer, in range 1 to 4,095
2128 L2 Gateway Options:
2129 options : network_name optional string
2130 options : l2gateway-chassis
2131 optional string
2132 tag optional integer, in range 1 to 4,095
2133 VTEP Options:
2134 options : vtep-physical-switch
2135 optional string
2136 options : vtep-logical-switch
2137 optional string
2138 VMI (or VIF) Options:
2139 options : requested-chassis
2140 optional string
2141 options : iface-id-ver optional string
2142 options : qos_max_rate optional string
2143 options : qos_burst optional string
2144 options : qdisc_queue_id optional string, containing an integer,
2145 in range 1 to 61,440
2146 Distributed Gateway Port Options:
2147 options : chassis-redirect-port
2148 optional string
2149 Chassis Redirect Options:
2150 options : distributed-port optional string
2151 options : redirect-type optional string
2152 options : always-redirect optional string
2153 Nested Containers:
2154 parent_port optional string
2155 tag optional integer, in range 1 to 4,095
2156 Virtual ports:
2157 virtual_parent optional string
2158 Naming:
2159 external_ids : name optional string
2160 Common Columns:
2161 external_ids map of string-string pairs
2162 Details:
2164 Core Features:
2165 datapath: Datapath_Binding
2167 The logical datapath to which the logical port belongs.
2168 logical_port: string (must be unique within table)
2170 A logical port. For a logical switch port, this is taken from
2171 name in the OVN_Northbound database’s Logical_Switch_Port table.
2172 For a logical router port, this is taken from name in the
2173 OVN_Northbound database’s Logical_Router_port table. (This means
2174 that logical switch ports and router port names must not share
2175 names in an OVN deployment.) OVN does not prescribe a particular
2176 format for the logical port ID.
2177 encap: optional weak reference to Encap
2179 Points to supported encapsulation configurations to transmit
2180 logical dataplane packets to this chassis. Each entry is a Encap
2181 record that describes the configuration.
2182 chassis: optional weak reference to Chassis
2184 The meaning of this column depends on the value of the type col‐
2185 umn. This is the meaning for each type
2186 (empty string)
2188 The physical location of the logical port. To success‐
2189 fully identify a chassis, this column must be a Chassis
2190 record. This is populated by ovn-controller.
2191 vtep The physical location of the hardware_vtep gateway. To
2193 successfully identify a chassis, this column must be a
2194 Chassis record. This is populated by ovn-controller-vtep.
2195 localnet
2197 Always empty. A localnet port is realized on every chas‐
2198 sis that has connectivity to the corresponding physical
2199 network.
2200 localport
2202 Always empty. A localport port is present on every chas‐
2203 sis.
2204 l3gateway
2206 The physical location of the L3 gateway. To successfully
2207 identify a chassis, this column must be a Chassis record.
2208 This is populated by ovn-controller based on the value of
2209 the options:l3gateway-chassis column in this table.
2210 l2gateway
2212 The physical location of this L2 gateway. To successfully
2213 identify a chassis, this column must be a Chassis record.
2214 This is populated by ovn-controller based on the value of
2215 the options:l2gateway-chassis column in this table.
2216 gateway_chassis: set of Gateway_Chassises
2218 A list of Gateway_Chassis.
2219 This should only be populated for ports with type set to chas‐
2221 sisredirect. This column defines the list of chassis used as
2222 gateways where traffic will be redirected through.
2223 ha_chassis_group: optional HA_Chassis_Group
2225 This should only be populated for ports with type set to chas‐
2226 sisredirect. This column defines the HA chassis group with a
2227 list of HA chassis used as gateways where traffic will be redi‐
2228 rected through.
2229 up: optional boolean
2231 This is set to true whenever all OVS flows required by this
2232 Port_Binding have been installed. This is populated by ovn-con‐
2233 troller.
2234 tunnel_key: integer, in range 1 to 32,767
2236 A number that represents the logical port in the key (e.g. STT
2237 key or Geneve TLV) field carried within tunnel protocol packets.
2238 The tunnel ID must be unique within the scope of a logical data‐
2240 path.
2241 mac: set of strings
2243 This column is a misnomer as it may contain MAC addresses and IP
2244 addresses. It is copied from the addresses column in the Logi‐
2245 cal_Switch_Port table in the Northbound database. It follows the
2246 same format as that column.
2247 type: string
2249 A type for this logical port. Logical ports can be used to model
2250 other types of connectivity into an OVN logical switch. The fol‐
2251 lowing types are defined:
2252 (empty string)
2254 VM (or VIF) interface.
2255 patch One of a pair of logical ports that act as if connected
2257 by a patch cable. Useful for connecting two logical data‐
2258 paths, e.g. to connect a logical router to a logical
2259 switch or to another logical router.
2260 l3gateway
2262 One of a pair of logical ports that act as if connected
2263 by a patch cable across multiple chassis. Useful for con‐
2264 necting a logical switch with a Gateway router (which is
2265 only resident on a particular chassis).
2266 localnet
2268 A connection to a locally accessible network from
2269 ovn-controller instances that have a corresponding bridge
2270 mapping. A logical switch can have multiple localnet
2271 ports attached. This type is used to model direct connec‐
2272 tivity to existing networks. In this case, each chassis
2273 should have a mapping for one of the physical networks
2274 only. Note: nothing said above implies that a chassis
2275 cannot be plugged to multiple physical networks as long
2276 as they belong to different switches.
2277 localport
2279 A connection to a local VIF. Traffic that arrives on a
2280 localport is never forwarded over a tunnel to another
2281 chassis. These ports are present on every chassis and
2282 have the same address in all of them. This is used to
2283 model connectivity to local services that run on every
2284 hypervisor.
2285 l2gateway
2287 An L2 connection to a physical network. The chassis this
2288 Port_Binding is bound to will serve as an L2 gateway to
2289 the network named by options:network_name.
2290 vtep A port to a logical switch on a VTEP gateway chassis. In
2292 order to get this port correctly recognized by the OVN
2293 controller, the options:vtep-physical-switch and op‐
2294 tions:vtep-logical-switch must also be defined.
2295 chassisredirect
2297 A logical port that represents a particular instance,
2298 bound to a specific chassis, of an otherwise distributed
2299 parent port (e.g. of type patch). A chassisredirect port
2300 should never be used as an inport. When an ingress pipe‐
2301 line sets the outport, it may set the value to a logical
2302 port of type chassisredirect. This will cause the packet
2303 to be directed to a specific chassis to carry out the
2304 egress pipeline. At the beginning of the egress pipeline,
2305 the outport will be reset to the value of the distributed
2306 port.
2307 virtual
2309 Represents a logical port with an virtual ip. This vir‐
2310 tual ip can be configured on a logical port (which is
2311 refered as virtual parent).
2312 Patch Options:
2314 These options apply to logical ports with type of patch.
2316 options : peer: optional string
2318 The logical_port in the Port_Binding record for the other side
2319 of the patch. The named logical_port must specify this logi‐
2320 cal_port in its own peer option. That is, the two patch logical
2321 ports must have reversed logical_port and peer values.
2322 nat_addresses: set of strings
2324 MAC address followed by a list of SNAT and DNAT external IP ad‐
2325 dresses, followed by is_chassis_resident("lport"), where lport
2326 is the name of a logical port on the same chassis where the cor‐
2327 responding NAT rules are applied. This is used to send gratu‐
2328 itous ARPs for SNAT and DNAT external IP addresses via localnet,
2329 from the chassis where lport resides. Example: 80:fa:5b:06:72:b7
2330 158.36.44.22 158.36.44.24 is_chassis_resident("foo1"). This
2331 would result in generation of gratuitous ARPs for IP addresses
2332 158.36.44.22 and 158.36.44.24 with a MAC address of
2333 80:fa:5b:06:72:b7 from the chassis where the logical port "foo1"
2334 resides.
2335 L3 Gateway Options:
2337 These options apply to logical ports with type of l3gateway.
2339 options : peer: optional string
2341 The logical_port in the Port_Binding record for the other side
2342 of the ’l3gateway’ port. The named logical_port must specify
2343 this logical_port in its own peer option. That is, the two
2344 ’l3gateway’ logical ports must have reversed logical_port and
2345 peer values.
2346 options : l3gateway-chassis: optional string
2348 The chassis in which the port resides.
2349 nat_addresses: set of strings
2351 MAC address of the l3gateway port followed by a list of SNAT and
2352 DNAT external IP addresses. This is used to send gratuitous ARPs
2353 for SNAT and DNAT external IP addresses via localnet. Example:
2354 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24. This would result
2355 in generation of gratuitous ARPs for IP addresses 158.36.44.22
2356 and 158.36.44.24 with a MAC address of 80:fa:5b:06:72:b7. This
2357 is used in OVS version 2.8 and later versions.
2358 Localnet Options:
2360 These options apply to logical ports with type of localnet.
2362 options : network_name: optional string
2364 Required. ovn-controller uses the configuration entry
2365 ovn-bridge-mappings to determine how to connect to this network.
2366 ovn-bridge-mappings is a list of network names mapped to a local
2367 OVS bridge that provides access to that network. An example of
2368 configuring ovn-bridge-mappings would be: .IP
2369 $ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1
2370 When a logical switch has a localnet port attached, every chas‐
2372 sis that may have a local vif attached to that logical switch
2373 must have a bridge mapping configured to reach that localnet.
2374 Traffic that arrives on a localnet port is never forwarded over
2375 a tunnel to another chassis. If there are multiple localnet
2376 ports in a logical switch, each chassis should only have a sin‐
2377 gle bridge mapping for one of the physical networks. Note: In
2378 case of multiple localnet ports, to provide interconnectivity
2379 between all VIFs located on different chassis with different
2380 fabric connectivity, the fabric should implement some form of
2381 routing between the segments.
2382 tag: optional integer, in range 1 to 4,095
2384 If set, indicates that the port represents a connection to a
2385 specific VLAN on a locally accessible network. The VLAN ID is
2386 used to match incoming traffic and is also added to outgoing
2387 traffic.
2388 L2 Gateway Options:
2390 These options apply to logical ports with type of l2gateway.
2392 options : network_name: optional string
2394 Required. ovn-controller uses the configuration entry
2395 ovn-bridge-mappings to determine how to connect to this network.
2396 ovn-bridge-mappings is a list of network names mapped to a local
2397 OVS bridge that provides access to that network. An example of
2398 configuring ovn-bridge-mappings would be: .IP
2399 $ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1
2400 When a logical switch has a l2gateway port attached, the chassis
2402 that the l2gateway port is bound to must have a bridge mapping
2403 configured to reach the network identified by network_name.
2404 options : l2gateway-chassis: optional string
2406 Required. The chassis in which the port resides.
2407 tag: optional integer, in range 1 to 4,095
2409 If set, indicates that the gateway is connected to a specific
2410 VLAN on the physical network. The VLAN ID is used to match in‐
2411 coming traffic and is also added to outgoing traffic.
2412 VTEP Options:
2414 These options apply to logical ports with type of vtep.
2416 options : vtep-physical-switch: optional string
2418 Required. The name of the VTEP gateway.
2419 options : vtep-logical-switch: optional string
2421 Required. A logical switch name connected by the VTEP gateway.
2422 Must be set when type is vtep.
2423 VMI (or VIF) Options:
2425 These options apply to logical ports with type having (empty string)
2427 options : requested-chassis: optional string
2429 If set, identifies a specific chassis (by name or hostname) that
2430 is allowed to bind this port. Using this option will prevent
2431 thrashing between two chassis trying to bind the same port dur‐
2432 ing a live migration. It can also prevent similar thrashing due
2433 to a mis-configuration, if a port is accidentally created on
2434 more than one chassis.
2435 options : iface-id-ver: optional string
2437 If set, this port will be bound by ovn-controller only if this
2438 same key and value is configured in the external_ids column in
2439 the Open_vSwitch database’s Interface table.
2440 options : qos_max_rate: optional string
2442 If set, indicates the maximum rate for data sent from this in‐
2443 terface, in bit/s. The traffic will be shaped according to this
2444 limit.
2445 options : qos_burst: optional string
2447 If set, indicates the maximum burst size for data sent from this
2448 interface, in bits.
2449 options : qdisc_queue_id: optional string, containing an integer, in
2451 range 1 to 61,440
2452 Indicates the queue number on the physical device. This is same
2453 as the queue_id used in OpenFlow in struct ofp_action_enqueue.
2454 Distributed Gateway Port Options:
2456 These options apply to the distributed parent ports of logical ports
2458 with type of chasssisredirect.
2459 options : chassis-redirect-port: optional string
2461 The name of the chassis redirect port derived from this port if
2462 this port is a distributed parent of a chassis redirect port.
2463 Chassis Redirect Options:
2465 These options apply to logical ports with type of chassisredirect.
2467 options : distributed-port: optional string
2469 The name of the distributed port for which this chassisredirect
2470 port represents a particular instance.
2471 options : redirect-type: optional string
2473 The value is copied from the column options in the OVN_North‐
2474 bound database’s Logical_Router_Port table for the distributed
2475 parent of this port.
2476 options : always-redirect: optional string
2478 A boolean option that is set to true if the distributed parent
2479 of this chassis redirect port does not need distributed process‐
2480 ing.
2481 Nested Containers:
2483 These columns support containers nested within a VM. Specifically, they
2485 are used when type is empty and logical_port identifies the interface
2486 of a container spawned inside a VM. They are empty for containers or
2487 VMs that run directly on a hypervisor.
2488 parent_port: optional string
2490 This is taken from parent_name in the OVN_Northbound database’s
2491 Logical_Switch_Port table.
2492 tag: optional integer, in range 1 to 4,095
2494 Identifies the VLAN tag in the network traffic associated with
2495 that container’s network interface.
2496 This column is used for a different purpose when type is local‐
2498 net (see Localnet Options, above) or l2gateway (see L2 Gateway
2499 Options, above).
2500 Virtual ports:
2502 virtual_parent: optional string
2504 This column is set by ovn-controller with one of the value from
2505 the options:virtual-parents in the OVN_Northbound database’s
2506 Logical_Switch_Port table when the OVN action bind_vport is exe‐
2507 cuted. ovn-controller also sets the chassis column when it exe‐
2508 cutes this action with its chassis id.
2509 ovn-controller sets this column only if the type is "virtual".
2511 Naming:
2513 external_ids : name: optional string
2515 For a logical switch port, ovn-northd copies this from exter‐
2516 nal_ids:neutron:port_name in the Logical_Switch_Port table in
2517 the OVN_Northbound database, if it is a nonempty string.
2518 For a logical switch port, ovn-northd does not currently set
2520 this key.
2521 Common Columns:
2523 external_ids: map of string-string pairs
2525 See External IDs at the beginning of this document.
2526 The ovn-northd program populates this column with all entries
2528 into the external_ids column of the Logical_Switch_Port table of
2529 the OVN_Northbound database.
2530
2532 Each row in this table specifies a binding from an IP address to an
2533 Ethernet address that has been discovered through ARP (for IPv4) or
2534 neighbor discovery (for IPv6). This table is primarily used to discover
2535 bindings on physical networks, because IP-to-MAC bindings for virtual
2536 machines are usually populated statically into the Port_Binding table.
2537 This table expresses a functional relationship: MAC_Binding(logi‐
2539 cal_port, ip) = mac.
2540 In outline, the lifetime of a logical router’s MAC binding looks like
2542 this:
2543 1. On hypervisor 1, a logical router determines that a packet
2545 should be forwarded to IP address A on one of its router
2546 ports. It uses its logical flow table to determine that A
2547 lacks a static IP-to-MAC binding and the get_arp action to
2548 determine that it lacks a dynamic IP-to-MAC binding.
2549 2. Using an OVN logical arp action, the logical router gener‐
2551 ates and sends a broadcast ARP request to the router port.
2552 It drops the IP packet.
2553 3. The logical switch attached to the router port delivers the
2555 ARP request to all of its ports. (It might make sense to de‐
2556 liver it only to ports that have no static IP-to-MAC bind‐
2557 ings, but this could also be surprising behavior.)
2558 4. A host or VM on hypervisor 2 (which might be the same as hy‐
2560 pervisor 1) attached to the logical switch owns the IP ad‐
2561 dress in question. It composes an ARP reply and unicasts it
2562 to the logical router port’s Ethernet address.
2563 5. The logical switch delivers the ARP reply to the logical
2565 router port.
2566 6. The logical router flow table executes a put_arp action. To
2568 record the IP-to-MAC binding, ovn-controller adds a row to
2569 the MAC_Binding table.
2570 7. On hypervisor 1, ovn-controller receives the updated
2572 MAC_Binding table from the OVN southbound database. The next
2573 packet destined to A through the logical router is sent di‐
2574 rectly to the bound Ethernet address.
2575 Summary:
2577 logical_port string
2578 ip string
2579 mac string
2580 datapath Datapath_Binding
2581 Details:
2583 logical_port: string
2584 The logical port on which the binding was discovered.
2585 ip: string
2587 The bound IP address.
2588 mac: string
2590 The Ethernet address to which the IP is bound.
2591 datapath: Datapath_Binding
2593 The logical datapath to which the logical port belongs.
2594
2596 Each row in this table stores the DHCP Options supported by native OVN
2597 DHCP. ovn-northd populates this table with the supported DHCP options.
2598 ovn-controller looks up this table to get the DHCP codes of the DHCP
2599 options defined in the "put_dhcp_opts" action. Please refer to the RFC
2600 2132 "https://tools.ietf.org/html/rfc2132" for the possible list of
2601 DHCP options that can be defined here.
2602 Summary:
2604 name string
2605 code integer, in range 0 to 254
2606 type string, one of bool, domains, host_id,
2607 ipv4, static_routes, str, uint16, uint32,
2608 or uint8
2609 Details:
2611 name: string
2612 Name of the DHCP option.
2613 Example. name="router"
2615 code: integer, in range 0 to 254
2617 DHCP option code for the DHCP option as defined in the RFC 2132.
2618 Example. code=3
2620 type: string, one of bool, domains, host_id, ipv4, static_routes, str,
2622 uint16, uint32, or uint8
2623 Data type of the DHCP option code.
2624 value: bool
2626 This indicates that the value of the DHCP option is a
2627 bool.
2628 Example. "name=ip_forward_enable", "code=19",
2630 "type=bool".
2631 put_dhcp_opts(..., ip_forward_enable = 1,...)
2633 value: uint8
2635 This indicates that the value of the DHCP option is an
2636 unsigned int8 (8 bits)
2637 Example. "name=default_ttl", "code=23", "type=uint8".
2639 put_dhcp_opts(..., default_ttl = 50,...)
2641 value: uint16
2643 This indicates that the value of the DHCP option is an
2644 unsigned int16 (16 bits).
2645 Example. "name=mtu", "code=26", "type=uint16".
2647 put_dhcp_opts(..., mtu = 1450,...)
2649 value: uint32
2651 This indicates that the value of the DHCP option is an
2652 unsigned int32 (32 bits).
2653 Example. "name=lease_time", "code=51", "type=uint32".
2655 put_dhcp_opts(..., lease_time = 86400,...)
2657 value: ipv4
2659 This indicates that the value of the DHCP option is an
2660 IPv4 address or addresses.
2661 Example. "name=router", "code=3", "type=ipv4".
2663 put_dhcp_opts(..., router = 10.0.0.1,...)
2665 Example. "name=dns_server", "code=6", "type=ipv4".
2667 put_dhcp_opts(..., dns_server = {8.8.8.8 7.7.7.7},...)
2669 value: static_routes
2671 This indicates that the value of the DHCP option contains
2672 a pair of IPv4 route and next hop addresses.
2673 Example. "name=classless_static_route", "code=121",
2675 "type=static_routes".
2676 put_dhcp_opts(..., classless_static_route =
2678 {30.0.0.0/24,10.0.0.4,0.0.0.0/0,10.0.0.1}...)
2679 value: str
2681 This indicates that the value of the DHCP option is a
2682 string.
2683 Example. "name=host_name", "code=12", "type=str".
2685 value: host_id
2687 This indicates that the value of the DHCP option is a
2688 host_id. It can either be a host_name or an IP address.
2689 Example. "name=tftp_server", "code=66", "type=host_id".
2691 value: domains
2693 This indicates that the value of the DHCP option is a do‐
2694 main name or a comma separated list of domain names.
2695 Example. "name=domain_search_list", "code=119", "type=do‐
2697 mains".
2698
2700 Each row in this table stores the DHCPv6 Options supported by native
2701 OVN DHCPv6. ovn-northd populates this table with the supported DHCPv6
2702 options. ovn-controller looks up this table to get the DHCPv6 codes of
2703 the DHCPv6 options defined in the put_dhcpv6_opts action. Please refer
2704 to RFC 3315 and RFC 3646 for the list of DHCPv6 options that can be de‐
2705 fined here.
2706 Summary:
2708 name string
2709 code integer, in range 0 to 254
2710 type string, one of ipv6, mac, or str
2711 Details:
2713 name: string
2714 Name of the DHCPv6 option.
2715 Example. name="ia_addr"
2717 code: integer, in range 0 to 254
2719 DHCPv6 option code for the DHCPv6 option as defined in the ap‐
2720 propriate RFC.
2721 Example. code=3
2723 type: string, one of ipv6, mac, or str
2725 Data type of the DHCPv6 option code.
2726 value: ipv6
2728 This indicates that the value of the DHCPv6 option is an
2729 IPv6 address(es).
2730 Example. "name=ia_addr", "code=5", "type=ipv6".
2732 put_dhcpv6_opts(..., ia_addr = ae70::4,...)
2734 value: str
2736 This indicates that the value of the DHCPv6 option is a
2737 string.
2738 Example. "name=domain_search", "code=24", "type=str".
2740 put_dhcpv6_opts(..., domain_search = ovn.domain,...)
2742 value: mac
2744 This indicates that the value of the DHCPv6 option is a
2745 MAC address.
2746 Example. "name=server_id", "code=2", "type=mac".
2748 put_dhcpv6_opts(..., server_id = 01:02:03:04L05:06,...)
2750
2752 Configuration for a database connection to an Open vSwitch database
2753 (OVSDB) client.
2754 This table primarily configures the Open vSwitch database server
2756 (ovsdb-server).
2757 The Open vSwitch database server can initiate and maintain active con‐
2759 nections to remote clients. It can also listen for database connec‐
2760 tions.
2761 Summary:
2763 Core Features:
2764 target string (must be unique within table)
2765 read_only boolean
2766 role string
2767 Client Failure Detection and Handling:
2768 max_backoff optional integer, at least 1,000
2769 inactivity_probe optional integer
2770 Status:
2771 is_connected boolean
2772 status : last_error optional string
2773 status : state optional string, one of ACTIVE, BACKOFF,
2774 CONNECTING, IDLE, or VOID
2775 status : sec_since_connect optional string, containing an integer,
2776 at least 0
2777 status : sec_since_disconnect
2778 optional string, containing an integer,
2779 at least 0
2780 status : locks_held optional string
2781 status : locks_waiting optional string
2782 status : locks_lost optional string
2783 status : n_connections optional string, containing an integer,
2784 at least 2
2785 status : bound_port optional string, containing an integer
2786 Common Columns:
2787 external_ids map of string-string pairs
2788 other_config map of string-string pairs
2789 Details:
2791 Core Features:
2792 target: string (must be unique within table)
2794 Connection methods for clients.
2795 The following connection methods are currently supported:
2797 ssl:host[:port]
2799 The specified SSL port on the given host, which can ei‐
2800 ther be a DNS name (if built with unbound library) or an
2801 IP address. A valid SSL configuration must be provided
2802 when this form is used, this configuration can be speci‐
2803 fied via command-line options or the SSL table.
2804 If port is not specified, it defaults to 6640.
2806 SSL support is an optional feature that is not always
2808 built as part of Open vSwitch.
2809 tcp:host[:port]
2811 The specified TCP port on the given host, which can ei‐
2812 ther be a DNS name (if built with unbound library) or an
2813 IP address (IPv4 or IPv6). If host is an IPv6 address,
2814 wrap it in square brackets, e.g. tcp:[::1]:6640.
2815 If port is not specified, it defaults to 6640.
2817 pssl:[port][:host]
2819 Listens for SSL connections on the specified TCP port.
2820 Specify 0 for port to have the kernel automatically
2821 choose an available port. If host, which can either be a
2822 DNS name (if built with unbound library) or an IP ad‐
2823 dress, is specified, then connections are restricted to
2824 the resolved or specified local IP address (either IPv4
2825 or IPv6 address). If host is an IPv6 address, wrap in
2826 square brackets, e.g. pssl:6640:[::1]. If host is not
2827 specified then it listens only on IPv4 (but not IPv6) ad‐
2828 dresses. A valid SSL configuration must be provided when
2829 this form is used, this can be specified either via com‐
2830 mand-line options or the SSL table.
2831 If port is not specified, it defaults to 6640.
2833 SSL support is an optional feature that is not always
2835 built as part of Open vSwitch.
2836 ptcp:[port][:host]
2838 Listens for connections on the specified TCP port. Spec‐
2839 ify 0 for port to have the kernel automatically choose an
2840 available port. If host, which can either be a DNS name
2841 (if built with unbound library) or an IP address, is
2842 specified, then connections are restricted to the re‐
2843 solved or specified local IP address (either IPv4 or IPv6
2844 address). If host is an IPv6 address, wrap it in square
2845 brackets, e.g. ptcp:6640:[::1]. If host is not specified
2846 then it listens only on IPv4 addresses.
2847 If port is not specified, it defaults to 6640.
2849 When multiple clients are configured, the target values must be
2851 unique. Duplicate target values yield unspecified results.
2852 read_only: boolean
2854 true to restrict these connections to read-only transactions,
2855 false to allow them to modify the database.
2856 role: string
2858 String containing role name for this connection entry.
2859 Client Failure Detection and Handling:
2861 max_backoff: optional integer, at least 1,000
2863 Maximum number of milliseconds to wait between connection at‐
2864 tempts. Default is implementation-specific.
2865 inactivity_probe: optional integer
2867 Maximum number of milliseconds of idle time on connection to the
2868 client before sending an inactivity probe message. If Open
2869 vSwitch does not communicate with the client for the specified
2870 number of seconds, it will send a probe. If a response is not
2871 received for the same additional amount of time, Open vSwitch
2872 assumes the connection has been broken and attempts to recon‐
2873 nect. Default is implementation-specific. A value of 0 disables
2874 inactivity probes.
2875 Status:
2877 Key-value pair of is_connected is always updated. Other key-value pairs
2879 in the status columns may be updated depends on the target type.
2880 When target specifies a connection method that listens for inbound con‐
2882 nections (e.g. ptcp: or punix:), both n_connections and is_connected
2883 may also be updated while the remaining key-value pairs are omitted.
2884 On the other hand, when target specifies an outbound connection, all
2886 key-value pairs may be updated, except the above-mentioned two key-
2887 value pairs associated with inbound connection targets. They are omit‐
2888 ted.
2889 is_connected: boolean
2891 true if currently connected to this client, false otherwise.
2892 status : last_error: optional string
2894 A human-readable description of the last error on the connection
2895 to the manager; i.e. strerror(errno). This key will exist only
2896 if an error has occurred.
2897 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
2899 IDLE, or VOID
2900 The state of the connection to the manager:
2901 VOID Connection is disabled.
2903 BACKOFF
2905 Attempting to reconnect at an increasing period.
2906 CONNECTING
2908 Attempting to connect.
2909 ACTIVE Connected, remote host responsive.
2911 IDLE Connection is idle. Waiting for response to keep-alive.
2913 These values may change in the future. They are provided only
2915 for human consumption.
2916 status : sec_since_connect: optional string, containing an integer, at
2918 least 0
2919 The amount of time since this client last successfully connected
2920 to the database (in seconds). Value is empty if client has never
2921 successfully been connected.
2922 status : sec_since_disconnect: optional string, containing an integer,
2924 at least 0
2925 The amount of time since this client last disconnected from the
2926 database (in seconds). Value is empty if client has never dis‐
2927 connected.
2928 status : locks_held: optional string
2930 Space-separated list of the names of OVSDB locks that the con‐
2931 nection holds. Omitted if the connection does not hold any
2932 locks.
2933 status : locks_waiting: optional string
2935 Space-separated list of the names of OVSDB locks that the con‐
2936 nection is currently waiting to acquire. Omitted if the connec‐
2937 tion is not waiting for any locks.
2938 status : locks_lost: optional string
2940 Space-separated list of the names of OVSDB locks that the con‐
2941 nection has had stolen by another OVSDB client. Omitted if no
2942 locks have been stolen from this connection.
2943 status : n_connections: optional string, containing an integer, at
2945 least 2
2946 When target specifies a connection method that listens for in‐
2947 bound connections (e.g. ptcp: or pssl:) and more than one con‐
2948 nection is actually active, the value is the number of active
2949 connections. Otherwise, this key-value pair is omitted.
2950 status : bound_port: optional string, containing an integer
2952 When target is ptcp: or pssl:, this is the TCP port on which the
2953 OVSDB server is listening. (This is particularly useful when
2954 target specifies a port of 0, allowing the kernel to choose any
2955 available port.)
2956 Common Columns:
2958 The overall purpose of these columns is described under Common Columns
2960 at the beginning of this document.
2961 external_ids: map of string-string pairs
2963 other_config: map of string-string pairs
2965
2967 SSL configuration for ovn-sb database access.
2968 Summary:
2970 private_key string
2971 certificate string
2972 ca_cert string
2973 bootstrap_ca_cert boolean
2974 ssl_protocols string
2975 ssl_ciphers string
2976 Common Columns:
2977 external_ids map of string-string pairs
2978 Details:
2980 private_key: string
2981 Name of a PEM file containing the private key used as the
2982 switch’s identity for SSL connections to the controller.
2983 certificate: string
2985 Name of a PEM file containing a certificate, signed by the cer‐
2986 tificate authority (CA) used by the controller and manager, that
2987 certifies the switch’s private key, identifying a trustworthy
2988 switch.
2989 ca_cert: string
2991 Name of a PEM file containing the CA certificate used to verify
2992 that the switch is connected to a trustworthy controller.
2993 bootstrap_ca_cert: boolean
2995 If set to true, then Open vSwitch will attempt to obtain the CA
2996 certificate from the controller on its first SSL connection and
2997 save it to the named PEM file. If it is successful, it will im‐
2998 mediately drop the connection and reconnect, and from then on
2999 all SSL connections must be authenticated by a certificate
3000 signed by the CA certificate thus obtained. This option exposes
3001 the SSL connection to a man-in-the-middle attack obtaining the
3002 initial CA certificate. It may still be useful for bootstrap‐
3003 ping.
3004 ssl_protocols: string
3006 List of SSL protocols to be enabled for SSL connections. The de‐
3007 fault when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.
3008 ssl_ciphers: string
3010 List of ciphers (in OpenSSL cipher string format) to be sup‐
3011 ported for SSL connections. The default when this option is
3012 omitted is HIGH:!aNULL:!MD5.
3013 Common Columns:
3015 The overall purpose of these columns is described under Common Columns
3017 at the beginning of this document.
3018 external_ids: map of string-string pairs
3020
3022 Each row in this table stores the DNS records. The OVN action
3023 dns_lookup uses this table for DNS resolution.
3024 Summary:
3026 records map of string-string pairs
3027 datapaths set of 1 or more Datapath_Bindings
3028 Common Columns:
3029 external_ids map of string-string pairs
3030 Details:
3032 records: map of string-string pairs
3033 Key-value pair of DNS records with DNS query name as the key and
3034 a string of IP address(es) separated by comma or space as the
3035 value. ovn-northd stores the DNS query name in all lowercase in
3036 order to facilitate case-insensitive lookups.
3037 Example: "vm1.ovn.org" = "10.0.0.4 aef0::4"
3039 datapaths: set of 1 or more Datapath_Bindings
3041 The DNS records defined in the column records will be applied
3042 only to the DNS queries originating from the datapaths defined
3043 in this column.
3044 Common Columns:
3046 external_ids: map of string-string pairs
3048 See External IDs at the beginning of this document.
3049
3051 Role table for role-based access controls.
3052 Summary:
3054 name string
3055 permissions map of string-weak reference to RBAC_Per‐
3056 mission pairs
3057 Details:
3059 name: string
3060 The role name, corresponding to the role column in the Connec‐
3061 tion table.
3062 permissions: map of string-weak reference to RBAC_Permission pairs
3064 A mapping of table names to rows in the RBAC_Permission table.
3065
3067 Permissions table for role-based access controls.
3068 Summary:
3070 table string
3071 authorization set of strings
3072 insert_delete boolean
3073 update set of strings
3074 Details:
3076 table: string
3077 Name of table to which this row applies.
3078 authorization: set of strings
3080 Set of strings identifying columns and column:key pairs to be
3081 compared with client ID. At least one match is required in order
3082 to be authorized. A zero-length string is treated as a special
3083 value indicating all clients should be considered authorized.
3084 insert_delete: boolean
3086 When "true", row insertions and authorized row deletions are
3087 permitted.
3088 update: set of strings
3090 Set of strings identifying columns and column:key pairs that au‐
3091 thorized clients are allowed to modify.
3092
3094 Association of Port_Binding rows of type chassisredirect to a Chassis.
3095 The traffic going out through a specific chassisredirect port will be
3096 redirected to a chassis, or a set of them in high availability configu‐
3097 rations.
3098 Summary:
3100 name string (must be unique within table)
3101 chassis optional weak reference to Chassis
3102 priority integer, in range 0 to 32,767
3103 options map of string-string pairs
3104 Common Columns:
3105 external_ids map of string-string pairs
3106 Details:
3108 name: string (must be unique within table)
3109 Name of the Gateway_Chassis.
3110 A suggested, but not required naming convention is
3112 ${port_name}_${chassis_name}.
3113 chassis: optional weak reference to Chassis
3115 The Chassis to which we send the traffic.
3116 priority: integer, in range 0 to 32,767
3118 This is the priority the specific Chassis among all Gate‐
3119 way_Chassis belonging to the same Port_Binding.
3120 options: map of string-string pairs
3122 Reserved for future use.
3123 Common Columns:
3125 The overall purpose of these columns is described under Common Columns
3127 at the beginning of this document.
3128 external_ids: map of string-string pairs
3130
3132 Summary:
3133 chassis optional weak reference to Chassis
3134 priority integer, in range 0 to 32,767
3135 Common Columns:
3136 external_ids map of string-string pairs
3137 Details:
3139 chassis: optional weak reference to Chassis
3140 The Chassis which provides the HA functionality.
3141 priority: integer, in range 0 to 32,767
3143 Priority of the HA chassis. Chassis with highest priority will
3144 be the master in the HA chassis group.
3145 Common Columns:
3147 external_ids: map of string-string pairs
3149 See External IDs at the beginning of this document.
3150
3152 Table representing a group of chassis which can provide High availabil‐
3153 ity services. Each chassis in the group is represented by the table
3154 HA_Chassis. The HA chassis with highest priority will be the master of
3155 this group. If the master chassis failover is detected, the HA chassis
3156 with the next higher priority takes over the responsibility of provid‐
3157 ing the HA. If ha_chassis_group column of the table Port_Binding refer‐
3158 ences this table, then this HA chassis group provides the gateway func‐
3159 tionality and redirects the gateway traffic to the master of this
3160 group.
3161 Summary:
3163 name string (must be unique within table)
3164 ha_chassis set of HA_Chassises
3165 ref_chassis set of weak reference to Chassis
3166 Common Columns:
3167 external_ids map of string-string pairs
3168 Details:
3170 name: string (must be unique within table)
3171 Name of the HA_Chassis_Group. Name should be unique.
3172 ha_chassis: set of HA_Chassises
3174 A list of HA_Chassis which belongs to this group.
3175 ref_chassis: set of weak reference to Chassis
3177 The set of Chassis that reference this HA chassis group. To de‐
3178 termine the correct Chassis, find the chassisredirect type
3179 Port_Binding that references this HA_Chassis_Group. This
3180 Port_Binding is derived from some particular logical router.
3181 Starting from that LR, find the set of all logical switches and
3182 routers connected to it, directly or indirectly, across router
3183 ports that link one LRP to another or to a LSP. For each LSP in
3184 these logical switches, find the corresponding Port_Binding and
3185 add its bound Chassis (if any) to ref_chassis.
3186 Common Columns:
3188 external_ids: map of string-string pairs
3190 See External IDs at the beginning of this document.
3191
3193 Database table used by ovn-controller to report CMS related events.
3194 Please note there is no guarantee a given event is written exactly once
3195 in the db. It is CMS responsibility to squash duplicated lines or to
3196 filter out duplicated events
3197 Summary:
3199 event_type string, must be empty_lb_backends
3200 event_info map of string-string pairs
3201 chassis optional weak reference to Chassis
3202 seq_num integer
3203 Details:
3205 event_type: string, must be empty_lb_backends
3206 Event type occurred
3207 event_info: map of string-string pairs
3209 Key-value pairs used to specify event info to the CMS. Possible
3210 values are:
3211 • vip: VIP reported for the empty_lb_backends event
3213 • protocol: Transport protocol reported for the
3215 empty_lb_backends event
3216 • load_balancer: UUID of the load balancer reported for the
3218 empty_lb_backends event
3219 chassis: optional weak reference to Chassis
3221 This column is a Chassis record to identify the chassis that has
3222 managed a given event.
3223 seq_num: integer
3225 Event sequence number. Global counter for controller generated
3226 events. It can be used by the CMS to detect possible duplication
3227 of the same event.
3228
3230 IP Multicast configuration options. For now only applicable to IGMP.
3231 Summary:
3233 datapath weak reference to Datapath_Binding (must
3234 be unique within table)
3235 enabled optional boolean
3236 querier optional boolean
3237 table_size optional integer
3238 idle_timeout optional integer
3239 query_interval optional integer
3240 seq_no integer
3241 Querier configuration options:
3242 eth_src string
3243 ip4_src string
3244 ip6_src string
3245 query_max_resp optional integer
3246 Details:
3248 datapath: weak reference to Datapath_Binding (must be unique within ta‐
3249 ble)
3250 Datapath_Binding entry for which these configuration options are
3251 defined.
3252 enabled: optional boolean
3254 Enables/disables multicast snooping. Default: disabled.
3255 querier: optional boolean
3257 Enables/disables multicast querying. If enabled then multicast
3258 querying is enabled by default.
3259 table_size: optional integer
3261 Limits the number of multicast groups that can be learned. De‐
3262 fault: 2048 groups per datapath.
3263 idle_timeout: optional integer
3265 Configures the idle timeout (in seconds) for IP multicast groups
3266 if multicast snooping is enabled. Default: 300 seconds.
3267 query_interval: optional integer
3269 Configures the interval (in seconds) for sending multicast
3270 queries if snooping and querier are enabled. Default: idle_time‐
3271 out/2 seconds.
3272 seq_no: integer
3274 ovn-controller reads this value and flushes all learned multi‐
3275 cast groups when it detects that seq_no was changed.
3276 Querier configuration options:
3278 The ovn-controller process that runs on OVN hypervisor nodes uses the
3280 following columns to determine field values in IGMP/MLD queries that it
3281 originates:
3282 eth_src: string
3284 Source Ethernet address.
3285 ip4_src: string
3287 Source IPv4 address.
3288 ip6_src: string
3290 Source IPv6 address.
3291 query_max_resp: optional integer
3293 Value (in seconds) to be used as "max-response" field in multi‐
3294 cast queries. Default: 1 second.
3295
3297 Contains learned IGMP groups indexed by address/datapath/chassis.
3298 Summary:
3300 address string
3301 datapath optional weak reference to Datapath_Bind‐
3302 ing
3303 chassis optional weak reference to Chassis
3304 ports set of weak reference to Port_Bindings
3305 Details:
3307 address: string
3308 Destination IPv4 address for the IGMP group.
3309 datapath: optional weak reference to Datapath_Binding
3311 Datapath to which this IGMP group belongs.
3312 chassis: optional weak reference to Chassis
3314 Chassis to which this IGMP group belongs.
3315 ports: set of weak reference to Port_Bindings
3317 The destination port bindings for this IGMP group.
3318
3320 Each row in this table configures monitoring a service for its live‐
3321 ness. The service can be an IPv4 TCP or UDP service. ovn-controller pe‐
3322 riodically sends out service monitor packets and updates the status of
3323 the service. Service monitoring for IPv6 services is not supported.
3324 ovn-northd uses this feature to implement the load balancer health
3326 check feature offered to the CMS through the northbound database.
3327 Summary:
3329 Configuration:
3330 ip string
3331 protocol optional string, either tcp or udp
3332 port integer, in range 0 to 65,535
3333 logical_port string
3334 src_mac string
3335 src_ip string
3336 options : interval optional string, containing an integer
3337 options : timeout optional string, containing an integer
3338 options : success_count optional string, containing an integer
3339 options : failure_count optional string, containing an integer
3340 Status Reporting:
3341 status optional string, one of error, offline,
3342 or online
3343 Common Columns:
3344 external_ids map of string-string pairs
3345 Details:
3347 Configuration:
3348 ovn-northd sets these columns and values to configure the service moni‐
3350 tor.
3351 ip: string
3353 IP of the service to be monitored. Only IPv4 is supported.
3354 protocol: optional string, either tcp or udp
3356 The protocol of the service.
3357 port: integer, in range 0 to 65,535
3359 The TCP or UDP port of the service.
3360 logical_port: string
3362 The VIF of the logical port on which the service is running. The
3363 ovn-controller that binds this logical_port monitors the service
3364 by sending periodic monitor packets.
3365 src_mac: string
3367 Source Ethernet address to use in the service monitor packet.
3368 src_ip: string
3370 Source IPv4 address to use in the service monitor packet.
3371 options : interval: optional string, containing an integer
3373 The interval, in seconds, between service monitor checks.
3374 options : timeout: optional string, containing an integer
3376 The time, in seconds, after which the service monitor check
3377 times out.
3378 options : success_count: optional string, containing an integer
3380 The number of successful checks after which the service is con‐
3381 sidered online.
3382 options : failure_count: optional string, containing an integer
3384 The number of failure checks after which the service is consid‐
3385 ered offline.
3386 Status Reporting:
3388 The ovn-controller on the chassis that hosts the logical_port updates
3390 this column to report the service’s status.
3391 status: optional string, one of error, offline, or online
3393 For TCP service, ovn-controller sends a SYN to the service and
3394 expects an ACK response to consider the service to be online.
3395 For UDP service, ovn-controller sends a UDP packet to the ser‐
3397 vice and doesn’t expect any reply. If it receives an ICMP reply,
3398 then it considers the service to be offline.
3399 Common Columns:
3401 external_ids: map of string-string pairs
3403 See External IDs at the beginning of this document.
3404
3406 Each row represents a load balancer.
3407 Summary:
3409 name string
3410 vips map of string-string pairs
3411 protocol optional string, one of sctp, tcp, or udp
3412 datapaths set of Datapath_Bindings
3413 Load_Balancer options:
3414 options : hairpin_snat_ip optional string
3415 options : hairpin_orig_tuple
3416 optional string, either true or false
3417 Common Columns:
3418 external_ids map of string-string pairs
3419 Details:
3421 name: string
3422 A name for the load balancer. This name has no special meaning
3423 or purpose other than to provide convenience for human interac‐
3424 tion with the ovn-nb database.
3425 vips: map of string-string pairs
3427 A map of virtual IP addresses (and an optional port number with
3428 : as a separator) associated with this load balancer and their
3429 corresponding endpoint IP addresses (and optional port numbers
3430 with : as separators) separated by commas.
3431 protocol: optional string, one of sctp, tcp, or udp
3433 Valid protocols are tcp, udp, or sctp. This column is useful
3434 when a port number is provided as part of the vips column. If
3435 this column is empty and a port number is provided as part of
3436 vips column, OVN assumes the protocol to be tcp.
3437 datapaths: set of Datapath_Bindings
3439 Datapaths to which this load balancer applies to.
3440 Load_Balancer options:
3442 options : hairpin_snat_ip: optional string
3444 IP to be used as source IP for packets that have been hair-
3445 pinned after load balancing. This value is automatically popu‐
3446 lated by ovn-northd.
3447 options : hairpin_orig_tuple: optional string, either true or false
3449 This value is automatically set to true by ovn-northd when orig‐
3450 inal destination IP and transport port of the load balanced
3451 packets are stored in registers reg1, reg2, xxreg1.
3452 Common Columns:
3454 external_ids: map of string-string pairs
3456 See External IDs at the beginning of this document.
3457
3459 Contains BFD parameter for ovn-controller bfd configuration.
3460 Summary:
3462 Configuration:
3463 src_port integer, in range 49,152 to 65,535
3464 disc integer
3465 logical_port string
3466 dst_ip string
3467 min_tx integer
3468 min_rx integer
3469 detect_mult integer
3470 options map of string-string pairs
3471 external_ids map of string-string pairs
3472 Status Reporting:
3473 status string, one of admin_down, down, init, or
3474 up
3475 Details:
3477 Configuration:
3478 src_port: integer, in range 49,152 to 65,535
3480 udp source port used in bfd control packets. The source port
3481 MUST be in the range 49152 through 65535 (RFC5881 section 4).
3482 disc: integer
3484 A unique, nonzero discriminator value generated by the transmit‐
3485 ting system, used to demultiplex multiple BFD sessions between
3486 the same pair of systems.
3487 logical_port: string
3489 OVN logical port when BFD engine is running.
3490 dst_ip: string
3492 BFD peer IP address.
3493 min_tx: integer
3495 This is the minimum interval, in milliseconds, that the local
3496 system would like to use when transmitting BFD Control packets,
3497 less any jitter applied. The value zero is reserved.
3498 min_rx: integer
3500 This is the minimum interval, in milliseconds, between received
3501 BFD Control packets that this system is capable of supporting,
3502 less any jitter applied by the sender. If this value is zero,
3503 the transmitting system does not want the remote system to send
3504 any periodic BFD Control packets.
3505 detect_mult: integer
3507 Detection time multiplier. The negotiated transmit interval,
3508 multiplied by this value, provides the Detection Time for the
3509 receiving system in Asynchronous mode.
3510 options: map of string-string pairs
3512 Reserved for future use.
3513 external_ids: map of string-string pairs
3515 See External IDs at the beginning of this document.
3516 Status Reporting:
3518 status: string, one of admin_down, down, init, or up
3520 BFD port logical states. Possible values are:
3521 • admin_down
3523 • down
3525 • init
3527 • up
3529
3531 This table is primarily used to learn the MACs observed on a VIF which
3532 belongs to a Logical_Switch_Port record in OVN_Northbound whose port
3533 security is disabled and ’unknown’ address set. If port security is
3534 disabled on a Logical_Switch_Port record, OVN should allow traffic with
3535 any source mac from the VIF. This table will be used to deliver a
3536 packet to the VIF, If a packet’s eth.dst is learnt.
3537 Summary:
3539 mac string
3540 dp_key integer, in range 1 to 16,777,215
3541 port_key integer, in range 1 to 16,777,215
3542 Details:
3544 mac: string
3545 The learnt mac address.
3546 dp_key: integer, in range 1 to 16,777,215
3548 The key of the datapath on which this FDB was learnt.
3549 port_key: integer, in range 1 to 16,777,215
3551 The key of the port binding on which this FDB was learnt.
3552Open vSwitch 21.09.0 DB Schema 20.20.0 ovn-sb(5)