1ovn-sb(5)                     Open vSwitch Manual                    ovn-sb(5)
2
3
4

NAME

6       ovn-sb - OVN_Southbound database schema
7
8       This  database  holds  logical and physical configuration and state for
9       the Open Virtual Network (OVN) system to support  virtual  network  ab‐
10       straction. For an introduction to OVN, please see ovn-architecture(7).
11
12       The OVN Southbound database sits at the center of the OVN architecture.
13       It is the one component that speaks both southbound directly to all the
14       hypervisors  and  gateways, via ovn-controller/ovn-controller-vtep, and
15       northbound to the Cloud Management System, via ovn-northd:
16
17   Database Structure
18       The OVN Southbound database contains classes  of  data  with  different
19       properties, as described in the sections below.
20
21     Physical network
22
23       Physical  network tables contain information about the chassis nodes in
24       the system. This contains all the information  necessary  to  wire  the
25       overlay,  such  as  IP  addresses, supported tunnel types, and security
26       keys.
27
28       The amount of physical network data is small (O(n)  in  the  number  of
29       chassis)  and it changes infrequently, so it can be replicated to every
30       chassis.
31
32       The Chassis and Encap tables are the physical network tables.
33
34     Logical Network
35
36       Logical network tables contain the topology  of  logical  switches  and
37       routers,  ACLs,  firewall  rules, and everything needed to describe how
38       packets traverse a logical network,  represented  as  logical  datapath
39       flows (see Logical Datapath Flows, below).
40
41       Logical network data may be large (O(n) in the number of logical ports,
42       ACL rules, etc.). Thus, to improve scaling, each chassis should receive
43       only  data  related  to logical networks in which that chassis partici‐
44       pates.
45
46       The logical network data is ultimately controlled by the cloud  manage‐
47       ment  system  (CMS)  running northbound of OVN. That CMS determines the
48       entire OVN logical configuration and therefore the logical network data
49       at  any  given time is a deterministic function of the CMS’s configura‐
50       tion, although that happens indirectly via the OVN_Northbound  database
51       and ovn-northd.
52
53       Logical  network  data  is  likely to change more quickly than physical
54       network data. This is especially true in a container environment  where
55       containers  are  created  and  destroyed  (and  therefore  added to and
56       deleted from logical switches) quickly.
57
58       The   Logical_Flow,   Multicast_Group,   Address_Group,   DHCP_Options,
59       DHCPv6_Options, and DNS tables contain logical network data.
60
61     Logical-physical bindings
62
63       These  tables  link logical and physical components. They show the cur‐
64       rent placement of logical components (such as VMs and VIFs) onto  chas‐
65       sis, and map logical entities to the values that represent them in tun‐
66       nel encapsulations.
67
68       These tables change frequently, at least every time a VM powers  up  or
69       down  or  migrates,  and especially quickly in a container environment.
70       The amount of data per VM (or VIF) is small.
71
72       Each chassis is authoritative about the VMs and VIFs that it  hosts  at
73       any  given time and can efficiently flood that state to a central loca‐
74       tion, so the consistency needs are minimal.
75
76       The Port_Binding and Datapath_Binding tables contain binding data.
77
78     MAC bindings
79
80       The MAC_Binding table tracks the bindings from IP addresses to Ethernet
81       addresses  that  are  dynamically  discovered  using ARP (for IPv4) and
82       neighbor discovery (for IPv6). Usually, IP-to-MAC bindings for  virtual
83       machines  are  statically  populated  into  the  Port_Binding table, so
84       MAC_Binding is primarily used to discover  bindings  on  physical  net‐
85       works.
86
87   Common Columns
88       Some  tables  contain  a special column named external_ids. This column
89       has the same form and purpose each place that it  appears,  so  we  de‐
90       scribe it here to save space later.
91
92              external_ids: map of string-string pairs
93                     Key-value  pairs for use by the software that manages the
94                     OVN  Southbound  database   rather   than   by   ovn-con‐
95                     troller/ovn-controller-vtep.  In  particular,  ovn-northd
96                     can use key-value pairs in this column to relate entities
97                     in the southbound database to higher-level entities (such
98                     as entities in the OVN Northbound  database).  Individual
99                     key-value  pairs in this column may be documented in some
100                     cases to aid in understanding  and  troubleshooting,  but
101                     the  reader should not mistake such documentation as com‐
102                     prehensive.
103

TABLE SUMMARY

105       The following list summarizes the purpose of each of the tables in  the
106       OVN_Southbound  database.   Each table is described in more detail on a
107       later page.
108
109       Table     Purpose
110       SB_Global Southbound configuration
111       Chassis   Physical Network Hypervisor and Gateway Information
112       Chassis_Private
113                 Chassis Private
114       Encap     Encapsulation Types
115       Address_Set
116                 Address Sets
117       Port_Group
118                 Port Groups
119       Logical_Flow
120                 Logical Network Flows
121       Logical_DP_Group
122                 Logical Datapath Groups
123       Multicast_Group
124                 Logical Port Multicast Groups
125       Meter     Meter entry
126       Meter_Band
127                 Band for meter entries
128       Datapath_Binding
129                 Physical-Logical Datapath Bindings
130       Port_Binding
131                 Physical-Logical Port Bindings
132       MAC_Binding
133                 IP to MAC bindings
134       DHCP_Options
135                 DHCP Options supported by native OVN DHCP
136       DHCPv6_Options
137                 DHCPv6 Options supported by native OVN DHCPv6
138       Connection
139                 OVSDB client connections.
140       SSL       SSL configuration.
141       DNS       Native DNS resolution
142       RBAC_Role RBAC_Role configuration.
143       RBAC_Permission
144                 RBAC_Permission configuration.
145       Gateway_Chassis
146                 Gateway_Chassis configuration.
147       HA_Chassis
148                 HA_Chassis configuration.
149       HA_Chassis_Group
150                 HA_Chassis_Group configuration.
151       Controller_Event
152                 Controller Event table
153       IP_Multicast
154                 IP_Multicast configuration.
155       IGMP_Group
156                 IGMP_Group configuration.
157       Service_Monitor
158                 Service_Monitor configuration.
159       Load_Balancer
160                 Load_Balancer configuration.
161       BFD       BFD configuration.
162       FDB       Port to MAC bindings
163

SB_Global TABLE

165       Southbound configuration for an OVN system. This table  must  have  ex‐
166       actly one row.
167
168   Summary:
169       Status:
170         nb_cfg                      integer
171       Common Columns:
172         external_ids                map of string-string pairs
173         options                     map of string-string pairs
174       Common options:
175         options                     map of string-string pairs
176         Options for configuring BFD:
177            options : bfd-min-rx     optional string
178            options : bfd-decay-min-rx
179                                     optional string
180            options : bfd-min-tx     optional string
181            options : bfd-mult       optional string
182       Connection Options:
183         connections                 set of Connections
184         ssl                         optional SSL
185       Security Configurations:
186         ipsec                       boolean
187
188   Details:
189     Status:
190
191       This  column allow a client to track the overall configuration state of
192       the system.
193
194       nb_cfg: integer
195              Sequence number for the configuration. When a CMS  or  ovn-nbctl
196              updates the northbound database, it increments the nb_cfg column
197              in the NB_Global table in the northbound database. In turn, when
198              ovn-northd  updates  the  southbound  database to bring it up to
199              date with these changes, it updates  this  column  to  the  same
200              value.
201
202     Common Columns:
203
204       external_ids: map of string-string pairs
205              See External IDs at the beginning of this document.
206
207       options: map of string-string pairs
208
209     Common options:
210
211       options: map of string-string pairs
212              This  column  provides general key/value settings. The supported
213              options are described individually below.
214
215     Options for configuring BFD:
216
217       These options apply when ovn-controller configures BFD on  tunnels  in‐
218       terfaces.
219
220       options : bfd-min-rx: optional string
221              BFD  option  min-rx  value to use when configuring BFD on tunnel
222              interfaces.
223
224       options : bfd-decay-min-rx: optional string
225              BFD option decay-min-rx value to use  when  configuring  BFD  on
226              tunnel interfaces.
227
228       options : bfd-min-tx: optional string
229              BFD  option  min-tx  value to use when configuring BFD on tunnel
230              interfaces.
231
232       options : bfd-mult: optional string
233              BFD option mult value to use when configuring BFD on tunnel  in‐
234              terfaces.
235
236     Connection Options:
237
238       connections: set of Connections
239              Database  clients  to  which  the  Open  vSwitch database server
240              should connect or on which it should listen, along with  options
241              for  how these connections should be configured. See the Connec‐
242              tion table for more information.
243
244       ssl: optional SSL
245              Global SSL configuration.
246
247     Security Configurations:
248
249       ipsec: boolean
250              Tunnel encryption configuration. If this column  is  set  to  be
251              true, all OVN tunnels will be encrypted with IPsec.
252

Chassis TABLE

254       Each  row  in this table represents a hypervisor or gateway (a chassis)
255       in the physical  network.  Each  chassis,  via  ovn-controller/ovn-con‐
256       troller-vtep, adds and updates its own row, and keeps a copy of the re‐
257       maining rows to determine how to reach other hypervisors.
258
259       When a chassis shuts down gracefully, it should  remove  its  own  row.
260       (This  is  not  critical  because  resources  hosted on the chassis are
261       equally unreachable regardless of whether the row  is  present.)  If  a
262       chassis  shuts  down permanently without removing its row, some kind of
263       manual or automatic cleanup is  eventually  needed;  we  can  devise  a
264       process for that as necessary.
265
266   Summary:
267       name                          string (must be unique within table)
268       hostname                      string
269       nb_cfg                        integer
270       other_config : ovn-bridge-mappings
271                                     optional string
272       other_config : datapath-type  optional string
273       other_config : iface-types    optional string
274       other_config : ovn-cms-options
275                                     optional string
276       other_config : is-interconn   optional string
277       other_config : is-remote      optional string
278       transport_zones               set of strings
279       other_config : ovn-chassis-mac-mappings
280                                     optional string
281       other_config : port-up-notif  optional string
282       Common Columns:
283         external_ids                map of string-string pairs
284       Encapsulation Configuration:
285         encaps                      set of 1 or more Encaps
286       Gateway Configuration:
287         vtep_logical_switches       set of strings
288
289   Details:
290       name: string (must be unique within table)
291              OVN  does  not  prescribe a particular format for chassis names.
292              ovn-controller populates this column using  external_ids:system-
293              id  in  the Open_vSwitch database’s Open_vSwitch table. ovn-con‐
294              troller-vtep populates  this  column  with  name  in  the  hard‐
295              ware_vtep database’s Physical_Switch table.
296
297       hostname: string
298              The  hostname of the chassis, if applicable. ovn-controller will
299              populate this column with the hostname of the host it is running
300              on. ovn-controller-vtep will leave this column empty.
301
302       nb_cfg: integer
303              Deprecated.  This column is replaced by the nb_cfg column of the
304              Chassis_Private table.
305
306       other_config : ovn-bridge-mappings: optional string
307              ovn-controller populates this key with the set  of  bridge  map‐
308              pings  it  has been configured to use. Other applications should
309              treat this key as read-only. See ovn-controller(8) for more  in‐
310              formation.
311
312       other_config : datapath-type: optional string
313              ovn-controller populates this key with the datapath type config‐
314              ured in the datapath_type column of the Open_vSwitch  database’s
315              Bridge  table. Other applications should treat this key as read-
316              only. See ovn-controller(8) for more information.
317
318       other_config : iface-types: optional string
319              ovn-controller populates this key with the interface types  con‐
320              figured in the iface_types column of the Open_vSwitch database’s
321              Open_vSwitch table. Other applications should treat this key  as
322              read-only. See ovn-controller(8) for more information.
323
324       other_config : ovn-cms-options: optional string
325              ovn-controller  populates  this key with the set of options con‐
326              figured  in  the  external_ids:ovn-cms-options  column  of   the
327              Open_vSwitch   database’s   Open_vSwitch   table.  See  ovn-con‐
328              troller(8) for more information.
329
330       other_config : is-interconn: optional string
331              ovn-controller populates this key with the setting configured in
332              the  external_ids:ovn-is-interconn  column  of  the Open_vSwitch
333              database’s Open_vSwitch table. If set to true,  the  chassis  is
334              used  as  an  interconnection gateway. See ovn-controller(8) for
335              more information.
336
337       other_config : is-remote: optional string
338              ovn-ic set this key to true for remote  interconnection  gateway
339              chassises  learned from the interconnection southbound database.
340              See ovn-ic(8) for more information.
341
342       transport_zones: set of strings
343              ovn-controller populates this key with the transport zones  con‐
344              figured  in  the  external_ids:ovn-transport-zones column of the
345              Open_vSwitch  database’s  Open_vSwitch   table.   See   ovn-con‐
346              troller(8) for more information.
347
348       other_config : ovn-chassis-mac-mappings: optional string
349              ovn-controller  populates  this key with the set of options con‐
350              figured in the external_ids:ovn-chassis-mac-mappings  column  of
351              the  Open_vSwitch  database’s  Open_vSwitch  table. See ovn-con‐
352              troller(8) for more information.
353
354       other_config : port-up-notif: optional string
355              ovn-controller populates this key with  true  when  it  supports
356              Port_Binding.up.
357
358     Common Columns:
359
360       The  overall purpose of these columns is described under Common Columns
361       at the beginning of this document.
362
363       external_ids: map of string-string pairs
364
365     Encapsulation Configuration:
366
367       OVN uses encapsulation to transmit logical  dataplane  packets  between
368       chassis.
369
370       encaps: set of 1 or more Encaps
371              Points  to  supported  encapsulation  configurations to transmit
372              logical dataplane packets to this chassis. Each entry is a Encap
373              record that describes the configuration.
374
375     Gateway Configuration:
376
377       A  gateway  is  a chassis that forwards traffic between the OVN-managed
378       part of a logical network and a physical VLAN, extending a tunnel-based
379       logical  network  into a physical network. Gateways are typically dedi‐
380       cated nodes that do not host VMs and will  be  controlled  by  ovn-con‐
381       troller-vtep.
382
383       vtep_logical_switches: set of strings
384              Stores  all  VTEP logical switch names connected by this gateway
385              chassis. The Port_Binding table entry  with  options:vtep-physi‐
386              cal-switch  equal  Chassis name, and options:vtep-logical-switch
387              value in Chassis vtep_logical_switches, will be associated  with
388              this Chassis.
389

Chassis_Private TABLE

391       Each  row in this table maintains per chassis private data that are ac‐
392       cessed only by the owning chassis (write only) and ovn-northd,  not  by
393       any other chassis. These data are stored in this separate table instead
394       of the Chassis table for performance considerations: the rows  in  this
395       table  can be conditionally monitored by chassises so that each chassis
396       only get update notifications for its own  row,  to  avoid  unnecessary
397       chassis private data update flooding in a large scale deployment.
398
399   Summary:
400       name                          string (must be unique within table)
401       chassis                       optional weak reference to Chassis
402       nb_cfg                        integer
403       nb_cfg_timestamp              integer
404       Common Columns:
405         external_ids                map of string-string pairs
406
407   Details:
408       name: string (must be unique within table)
409              The name of the chassis that owns these chassis-private data.
410
411       chassis: optional weak reference to Chassis
412              The  reference  to Chassis table for the chassis that owns these
413              chassis-private data.
414
415       nb_cfg: integer
416              Sequence number for the configuration. When  ovn-controller  up‐
417              dates  the  configuration  of a chassis from the contents of the
418              southbound database, it copies nb_cfg from the  SB_Global  table
419              into this column.
420
421       nb_cfg_timestamp: integer
422              The timestamp when ovn-controller finishes processing the change
423              corresponding to nb_cfg.
424
425     Common Columns:
426
427       The overall purpose of these columns is described under Common  Columns
428       at the beginning of this document.
429
430       external_ids: map of string-string pairs
431

Encap TABLE

433       The  encaps column in the Chassis table refers to rows in this table to
434       identify how OVN may transmit logical dataplane packets to  this  chas‐
435       sis.  Each  chassis,  via  ovn-controller(8) or ovn-controller-vtep(8),
436       adds and updates its own rows and keeps a copy of the remaining rows to
437       determine how to reach other chassis.
438
439   Summary:
440       type                          string, one of geneve, stt, or vxlan
441       options                       map of string-string pairs
442       options : csum                optional string, either true or false
443       options : dst_port            optional string, containing an integer
444       ip                            string
445       chassis_name                  string
446
447   Details:
448       type: string, one of geneve, stt, or vxlan
449              The  encapsulation  to  use to transmit packets to this chassis.
450              Hypervisors must use either geneve  or  stt.  Gateways  may  use
451              vxlan, geneve, or stt.
452
453       options: map of string-string pairs
454              Options  for  configuring  the  encapsulation, which may be type
455              specific.
456
457       options : csum: optional string, either true or false
458              csum indicates whether this chassis  can  transmit  and  receive
459              packets  that  include checksums with reasonable performance. It
460              hints to senders transmitting data to  this  chassis  that  they
461              should  use  checksums  to  protect OVN metadata. ovn-controller
462              populates this key with the value defined  in  external_ids:ovn-
463              encap-csum  column  of  the Open_vSwitch database’s Open_vSwitch
464              table. Other applications should treat this  key  as  read-only.
465              See ovn-controller(8) for more information.
466
467              In terms of performance, checksumming actually significantly in‐
468              creases throughput in most common cases when  running  on  Linux
469              based  hosts without NICs supporting encapsulation hardware off‐
470              load (around 60% for bulk traffic). The reason is that generally
471              all  NICs  are  capable  of  offloading transmitted and received
472              TCP/UDP checksums (viewed as ordinary data packets  and  not  as
473              tunnels).  The benefit comes on the receive side where the vali‐
474              dated outer checksum can be used to additionally validate an in‐
475              ner  checksum (such as TCP), which in turn allows aggregation of
476              packets to be more efficiently handled by the rest of the stack.
477
478              Not all devices see such a benefit. The most  notable  exception
479              is  hardware VTEPs. These devices are designed to not buffer en‐
480              tire packets in their switching engines and are therefore unable
481              to efficiently compute or validate full packet checksums. In ad‐
482              dition certain versions of the Linux  kernel  are  not  able  to
483              fully  take advantage of encapsulation NIC offloads in the pres‐
484              ence of checksums. (This is actually a pretty narrow corner case
485              though:  earlier  versions  of Linux don’t support encapsulation
486              offloads at all and later versions  support  both  offloads  and
487              checksums well.)
488
489              csum defaults to false for hardware VTEPs and true for all other
490              cases.
491
492              This option applies to geneve and vxlan encapsulations.
493
494       options : dst_port: optional string, containing an integer
495              If set, overrides the UDP (for geneve and  vxlan)  or  TCP  (for
496              stt) destination port.
497
498       ip: string
499              The IPv4 address of the encapsulation tunnel endpoint.
500
501       chassis_name: string
502              The name of the chassis that created this encap.
503

Address_Set TABLE

505       This  table  contains address sets synced from the Address_Set table in
506       the  OVN_Northbound  database  and  address  sets  generated  from  the
507       Port_Group table in the OVN_Northbound database.
508
509       See the documentation for the Address_Set table and Port_Group table in
510       the OVN_Northbound database for details.
511
512   Summary:
513       name                          string (must be unique within table)
514       addresses                     set of strings
515
516   Details:
517       name: string (must be unique within table)
518
519       addresses: set of strings
520

Port_Group TABLE

522       This  table  contains  names  for  the  logical  switch  ports  in  the
523       OVN_Northbound  database that belongs to the same group that is defined
524       in Port_Group in the OVN_Northbound database.
525
526   Summary:
527       name                          string (must be unique within table)
528       ports                         set of strings
529
530   Details:
531       name: string (must be unique within table)
532
533       ports: set of strings
534

Logical_Flow TABLE

536       Each row in this table represents one logical  flow.  ovn-northd  popu‐
537       lates  this  table  with  logical  flows  that  implement the L2 and L3
538       topologies specified in the OVN_Northbound database.  Each  hypervisor,
539       via  ovn-controller,  translates  the logical flows into OpenFlow flows
540       specific to its hypervisor and installs them into Open vSwitch.
541
542       Logical flows are expressed in an OVN-specific format, described  here.
543       A  logical datapath flow is much like an OpenFlow flow, except that the
544       flows are written in terms of logical ports and logical  datapaths  in‐
545       stead  of  physical  ports  and physical datapaths. Translation between
546       logical and physical flows helps to ensure  isolation  between  logical
547       datapaths.  (The  logical flow abstraction also allows the OVN central‐
548       ized components to do less work, since they do not have  to  separately
549       compute and push out physical flows to each chassis.)
550
551       The default action when no flow matches is to drop packets.
552
553       Architectural Logical Life Cycle of a Packet
554
555       This  following  description  focuses  on  the  life  cycle of a packet
556       through a logical datapath, ignoring physical details of the  implemen‐
557       tation.  Please  refer to Architectural Physical Life Cycle of a Packet
558       in ovn-architecture(7) for the physical information.
559
560       The description here is written as if OVN itself executes these  steps,
561       but  in  fact  OVN (that is, ovn-controller) programs Open vSwitch, via
562       OpenFlow and OVSDB, to execute them on its behalf.
563
564       At a high level, OVN passes each packet through the logical  datapath’s
565       logical  ingress  pipeline,  which may output the packet to one or more
566       logical port or logical multicast groups. For each such logical  output
567       port, OVN passes the packet through the datapath’s logical egress pipe‐
568       line, which may either drop the packet or deliver it  to  the  destina‐
569       tion.  Between  the  two pipelines, outputs to logical multicast groups
570       are expanded into logical ports, so that the egress pipeline only  pro‐
571       cesses  a  single  logical output port at a time. Between the two pipe‐
572       lines is also where, when necessary, OVN encapsulates  a  packet  in  a
573       tunnel (or tunnels) to transmit to remote hypervisors.
574
575       In more detail, to start, OVN searches the Logical_Flow table for a row
576       with correct logical_datapath or  a  logical_dp_group,  a  pipeline  of
577       ingress,  a  table_id of 0, and a match that is true for the packet. If
578       none is found, OVN drops the packet. If OVN finds  more  than  one,  it
579       chooses  the match with the highest priority. Then OVN executes each of
580       the actions specified in the row’s actions column, in the order  speci‐
581       fied.  Some actions, such as those to modify packet headers, require no
582       further details. The next and output actions are special.
583
584       The next action causes the above process to  be  repeated  recursively,
585       except that OVN searches for table_id of 1 instead of 0. Similarly, any
586       next action in a row found in that table would cause a  further  search
587       for  a  table_id  of 2, and so on. When recursive processing completes,
588       flow control returns to the action following next.
589
590       The output action also introduces recursion. Its effect depends on  the
591       current  value of the outport field. Suppose outport designates a logi‐
592       cal port. First, OVN compares inport to outport; if they are equal,  it
593       treats the output as a no-op by default. In the common case, where they
594       are different, the packet enters the egress pipeline.  This  transition
595       to  the  egress pipeline discards register data, e.g. reg0 ... reg9 and
596       connection tracking state, to achieve uniform  behavior  regardless  of
597       whether  the egress pipeline is on a different hypervisor (because reg‐
598       isters aren’t preserve across tunnel encapsulation).
599
600       To execute the egress pipeline, OVN again searches the Logical_Flow ta‐
601       ble  for  a  row with correct logical_datapath or a logical_dp_group, a
602       table_id of 0, a match that is true for the packet, but now looking for
603       a pipeline of egress. If no matching row is found, the output becomes a
604       no-op. Otherwise, OVN executes the actions for the matching flow (which
605       is chosen from multiple, if necessary, as already described).
606
607       In  the egress pipeline, the next action acts as already described, ex‐
608       cept that it, of course, searches for egress flows. The output  action,
609       however,  now  directly outputs the packet to the output port (which is
610       now fixed, because outport is read-only within the egress pipeline).
611
612       The description earlier assumed that  outport  referred  to  a  logical
613       port.  If it instead designates a logical multicast group, then the de‐
614       scription above still applies, with the addition of  fan-out  from  the
615       logical  multicast  group  to  each logical port in the group. For each
616       member of the group, OVN executes the logical  pipeline  as  described,
617       with the logical output port replaced by the group member.
618
619       Pipeline Stages
620
621       ovn-northd  populates the Logical_Flow table with the logical flows de‐
622       scribed in detail in ovn-northd(8).
623
624   Summary:
625       logical_datapath              optional Datapath_Binding
626       logical_dp_group              optional Logical_DP_Group
627       pipeline                      string, either egress or ingress
628       table_id                      integer, in range 0 to 32
629       priority                      integer, in range 0 to 65,535
630       match                         string
631       actions                       string
632       tags                          map of string-string pairs
633       controller_meter              optional string
634       external_ids : stage-name     optional string
635       external_ids : stage-hint     optional string, containing an uuid
636       external_ids : source         optional string
637       Common Columns:
638         external_ids                map of string-string pairs
639
640   Details:
641       logical_datapath: optional Datapath_Binding
642              The logical datapath to which the logical flow belongs.
643
644       logical_dp_group: optional Logical_DP_Group
645              The group of logical datapaths to which  the  logical  flow  be‐
646              longs.  This  means  that  the  same logical flow belongs to all
647              datapaths in a group.
648
649       pipeline: string, either egress or ingress
650              The primary flows used for deciding on  a  packet’s  destination
651              are the ingress flows. The egress flows implement ACLs. See Log‐
652              ical Life Cycle of a Packet, above, for details.
653
654       table_id: integer, in range 0 to 32
655              The stage in the logical pipeline, analogous to an OpenFlow  ta‐
656              ble number.
657
658       priority: integer, in range 0 to 65,535
659              The flow’s priority. Flows with numerically higher priority take
660              precedence over those with lower. If two logical datapath  flows
661              with the same priority both match, then the one actually applied
662              to the packet is undefined.
663
664       match: string
665              A matching expression.  OVN  provides  a  superset  of  OpenFlow
666              matching capabilities, using a syntax similar to Boolean expres‐
667              sions in a programming language.
668
669              The most important components of match  expression  are  compar‐
670              isons   between   symbols   and   constants,   e.g.  ip4.dst  ==
671              192.168.0.1, ip.proto == 6, arp.op == 1, eth.type == 0x800.  The
672              logical  AND  operator && and logical OR operator || can combine
673              comparisons into a larger expression.
674
675              Matching expressions also support parentheses for grouping,  the
676              logical  NOT  prefix operator !, and literals 0 and 1 to express
677              ``false’’ or ``true,’’ respectively. The latter is useful by it‐
678              self as a catch-all expression that matches every packet.
679
680              Match  expressions  also  support a kind of function syntax. The
681              following functions are supported:
682
683              is_chassis_resident(lport)
684                     Evaluates to true on a  chassis  on  which  logical  port
685                     lport  (a quoted string) resides, and to false elsewhere.
686                     This function was introduced in OVN 2.7.
687
688              Symbols
689
690              Type. Symbols have integer or string type. Integer symbols  have
691              a width in bits.
692
693              Kinds. There are three kinds of symbols:
694
695Fields.  A  field  symbol  represents  a packet header or
696                     metadata field. For example, a field named vlan.tci might
697                     represent the VLAN TCI field in a packet.
698
699                     A  field  symbol can have integer or string type. Integer
700                     fields can be nominal or ordinal (see Level  of  Measure‐
701                     ment, below).
702
703Subfields.  A subfield represents a subset of bits from a
704                     larger field. For example, a field vlan.vid might be  de‐
705                     fined as an alias for vlan.tci[0..11]. Subfields are pro‐
706                     vided for syntactic convenience,  because  it  is  always
707                     possible  to  instead  refer  to  a subset of bits from a
708                     field directly.
709
710                     Only ordinal fields (see Level of Measurement, below) may
711                     have subfields. Subfields are always ordinal.
712
713Predicates.  A  predicate  is shorthand for a Boolean ex‐
714                     pression. Predicates may be used much like 1-bit  fields.
715                     For example, ip4 might expand to eth.type == 0x800. Pred‐
716                     icates are provided for syntactic convenience, because it
717                     is  always possible to instead specify the underlying ex‐
718                     pression directly.
719
720                     A predicate whose expansion refers to any  nominal  field
721                     or  predicate  (see Level of Measurement, below) is nomi‐
722                     nal; other predicates have Boolean level of measurement.
723
724              Level              of              Measurement.              See
725              http://en.wikipedia.org/wiki/Level_of_measurement  for  the sta‐
726              tistical concept on which this classification  is  based.  There
727              are three levels:
728
729Ordinal.  In statistics, ordinal values can be ordered on
730                     a scale. OVN considers a field (or subfield) to be  ordi‐
731                     nal  if  its  bits  can be examined individually. This is
732                     true for  the  OpenFlow  fields  that  OpenFlow  or  Open
733                     vSwitch makes ``maskable.’’
734
735                     Any  use of a ordinal field may specify a single bit or a
736                     range of bits, e.g. vlan.tci[13..15] refers  to  the  PCP
737                     field  within the VLAN TCI, and eth.dst[40] refers to the
738                     multicast bit in the Ethernet destination address.
739
740                     OVN supports all the usual arithmetic relations (==,  !=,
741                     <,  <=, >, and >=) on ordinal fields and their subfields,
742                     because OVN can implement  these  in  OpenFlow  and  Open
743                     vSwitch as collections of bitwise tests.
744
745Nominal. In statistics, nominal values cannot be usefully
746                     compared except for equality. This is  true  of  OpenFlow
747                     port  numbers, Ethernet types, and IP protocols are exam‐
748                     ples: all of these are just  identifiers  assigned  arbi‐
749                     trarily  with  no  deeper  meaning.  In OpenFlow and Open
750                     vSwitch, bits in these fields generally aren’t  individu‐
751                     ally addressable.
752
753                     OVN  only supports arithmetic tests for equality on nomi‐
754                     nal fields, because OpenFlow and Open vSwitch provide  no
755                     way for a flow to efficiently implement other comparisons
756                     on them. (A test for inequality can be sort of built  out
757                     of  two flows with different priorities, but OVN matching
758                     expressions always generate flows with  a  single  prior‐
759                     ity.)
760
761                     String fields are always nominal.
762
763Boolean.  A nominal field that has only two values, 0 and
764                     1, is somewhat exceptional, since it is easy  to  support
765                     both  equality  and inequality tests on such a field: ei‐
766                     ther one can be implemented as a test for 0 or 1.
767
768                     Only predicates (see above) have a Boolean level of  mea‐
769                     surement.
770
771                     This isn’t a standard level of measurement.
772
773              Prerequisites.  Any symbol can have prerequisites, which are ad‐
774              ditional condition implied by the use of the symbol.  For  exam‐
775              ple,  For  example,  icmp4.type  symbol  might have prerequisite
776              icmp4, which would cause an expression icmp4.type == 0 to be in‐
777              terpreted  as  icmp4.type == 0 && icmp4, which would in turn ex‐
778              pand to icmp4.type == 0 && eth.type == 0x800 && ip4.proto  ==  1
779              (assuming  icmp4 is a predicate defined as suggested under Types
780              above).
781
782              Relational operators
783
784              All of the standard relational operators ==, !=, <, <=,  >,  and
785              >=  are  supported.  Nominal  fields support only == and !=, and
786              only in a positive sense when outer ! are  taken  into  account,
787              e.g. given string field inport, inport == "eth0" and !(inport !=
788              "eth0") are acceptable, but not inport != "eth0".
789
790              The implementation of == (or != when it is negated), is more ef‐
791              ficient than that of the other relational operators.
792
793              Constants
794
795              Integer  constants may be expressed in decimal, hexadecimal pre‐
796              fixed by 0x, or as dotted-quad IPv4 addresses, IPv6 addresses in
797              their  standard  forms, or Ethernet addresses as colon-separated
798              hex digits. A constant in any of these forms may be followed  by
799              a  slash  and  a second constant (the mask) in the same form, to
800              form a masked constant. IPv4 and IPv6 masks may be given as  in‐
801              tegers, to express CIDR prefixes.
802
803              String  constants have the same syntax as quoted strings in JSON
804              (thus, they are Unicode strings).
805
806              Some operators support sets of constants  written  inside  curly
807              braces  { ... }. Commas between elements of a set, and after the
808              last elements, are optional. With ==, ``field  ==  {  constant1,
809              constant2,  ...  }’’ is syntactic sugar for ``field == constant1
810              || field == constant2 || .... Similarly, ``field != { constant1,
811              constant2,  ...  }’’  is  equivalent  to ``field != constant1 &&
812              field != constant2 && ...’’.
813
814              You may refer to a set of IPv4, IPv6, or MAC addresses stored in
815              the Address_Set table by its name. An Address_Set with a name of
816              set1 can be referred to as $set1.
817
818              You may refer to a group of logical switch ports stored  in  the
819              Port_Group  table  by  its  name.  An  Port_Group with a name of
820              port_group1 can be referred to as @port_group1.
821
822              Additionally, you may refer to the set of addresses belonging to
823              a  group  of logical switch ports stored in the Port_Group table
824              by its name followed by a suffix ’_ip4’/’_ip6’. The IPv4 address
825              set  of  a Port_Group with a name of port_group1 can be referred
826              to as $port_group1_ip4, and the IPv6 address  set  of  the  same
827              Port_Group can be referred to as $port_group1_ip6
828
829              Miscellaneous
830
831              Comparisons  may  name  the  symbol  or the constant first, e.g.
832              tcp.src == 80 and 80 == tcp.src are both acceptable.
833
834              Tests for a range may be expressed using a syntax like  1024  <=
835              tcp.src  <=  49151,  which  is  equivalent to 1024 <= tcp.src &&
836              tcp.src <= 49151.
837
838              For a one-bit field or predicate,  a  mention  of  its  name  is
839              equivalent  to  symobl  == 1, e.g. vlan.present is equivalent to
840              vlan.present == 1. The same is true for one-bit subfields,  e.g.
841              vlan.tci[12].  There  is no technical limitation to implementing
842              the same for ordinal fields of all widths, but  the  implementa‐
843              tion is expensive enough that the syntax parser requires writing
844              an explicit  comparison  against  zero  to  make  mistakes  less
845              likely,  e.g.  in  tcp.src  != 0 the comparison against 0 is re‐
846              quired.
847
848              Operator precedence is as shown below, from highest  to  lowest.
849              There  are  two  exceptions  where parentheses are required even
850              though the table would suggest that they are not: && and ||  re‐
851              quire parentheses when used together, and ! requires parentheses
852              when applied to a relational expression. Thus, in  (eth.type  ==
853              0x800 || eth.type == 0x86dd) && ip.proto == 6 or !(arp.op == 1),
854              the parentheses are mandatory.
855
856()
857
858==   !=   <   <=   >   >=
859
860!
861
862&&   ||
863
864              Comments may be introduced by //, which extends to the next new-
865              line. Comments within a line may be bracketed by /* and */. Mul‐
866              tiline comments are not supported.
867
868              Symbols
869
870              Most of the symbols below have integer  type.  Only  inport  and
871              outport have string type. inport names a logical port. Thus, its
872              value is a logical_port name from the Port_Binding  table.  out‐
873              port  may name a logical port, as inport, or a logical multicast
874              group defined in the Multicast_Group table.  For  both  symbols,
875              only names within the flow’s logical datapath may be used.
876
877              The  regX  symbols  are  32-bit integers. The xxregX symbols are
878              128-bit integers, which overlay four of  the  32-bit  registers:
879              xxreg0 overlays reg0 through reg3, with reg0 supplying the most-
880              significant bits  of  xxreg0  and  reg3  the  least-significant.
881              xxreg1 similarly overlays reg4 through reg7.
882
883reg0...reg9
884
885xxreg0 xxreg1
886
887inport outport
888
889flags.loopback
890
891pkt.mark
892
893eth.src eth.dst eth.type
894
895vlan.tci vlan.vid vlan.pcp vlan.present
896
897ip.proto ip.dscp ip.ecn ip.ttl ip.frag
898
899ip4.src ip4.dst
900
901ip6.src ip6.dst ip6.label
902
903arp.op arp.spa arp.tpa arp.sha arp.tha
904
905tcp.src tcp.dst tcp.flags
906
907udp.src udp.dst
908
909sctp.src sctp.dst
910
911icmp4.type icmp4.code
912
913icmp6.type icmp6.code
914
915nd.target nd.sll nd.tll
916
917ct_mark ct_label
918
919ct_state,   which  has  several  Boolean  subfields.  The
920                     ct_next action initializes the following subfields:
921
922ct.trk: Always set to true by ct_next to  indicate
923                            that  connection  tracking  has  taken  place. All
924                            other ct subfields have ct.trk as a prerequisite.
925
926ct.new: True for a new flow
927
928ct.est: True for an established flow
929
930ct.rel: True for a related flow
931
932ct.rpl: True for a reply flow
933
934ct.inv: True for a connection entry in a bad state
935
936                     The ct_dnat, ct_snat, and ct_lb  actions  initialize  the
937                     following subfields:
938
939ct.dnat:  True  for  a packet whose destination IP
940                            address has been changed.
941
942ct.snat: True for a packet whose source IP address
943                            has been changed.
944
945              The following predicates are supported:
946
947eth.bcast expands to eth.dst == ff:ff:ff:ff:ff:ff
948
949eth.mcast expands to eth.dst[40]
950
951vlan.present expands to vlan.tci[12]
952
953ip4 expands to eth.type == 0x800
954
955ip4.src_mcast expands to ip4.src[28..31] == 0xe
956
957ip4.mcast expands to ip4.dst[28..31] == 0xe
958
959ip6 expands to eth.type == 0x86dd
960
961ip expands to ip4 || ip6
962
963icmp4 expands to ip4 && ip.proto == 1
964
965icmp6 expands to ip6 && ip.proto == 58
966
967icmp expands to icmp4 || icmp6
968
969ip.is_frag expands to ip.frag[0]
970
971ip.later_frag expands to ip.frag[1]
972
973ip.first_frag expands to ip.is_frag && !ip.later_frag
974
975arp expands to eth.type == 0x806
976
977nd expands to icmp6.type == {135, 136} && icmp6.code == 0
978                     && ip.ttl == 255
979
980nd_ns expands to icmp6.type == 135 && icmp6.code == 0  &&
981                     ip.ttl == 255
982
983nd_na  expands to icmp6.type == 136 && icmp6.code == 0 &&
984                     ip.ttl == 255
985
986nd_rs expands to icmp6.type == 133 && icmp6.code == 0  &&
987                     ip.ttl == 255
988
989nd_ra  expands to icmp6.type == 134 && icmp6.code == 0 &&
990                     ip.ttl == 255
991
992tcp expands to ip.proto == 6
993
994udp expands to ip.proto == 17
995
996sctp expands to ip.proto == 132
997
998       actions: string
999              Logical datapath actions, to be executed when the  logical  flow
1000              represented by this row is the highest-priority match.
1001
1002              Actions share lexical syntax with the match column. An empty set
1003              of actions (or one that contains just white space or  comments),
1004              or  a  set  of  actions  that consists of just drop;, causes the
1005              matched packets to be dropped. Otherwise, the column should con‐
1006              tain a sequence of actions, each terminated by a semicolon.
1007
1008              The following actions are defined:
1009
1010              output;
1011                     In  the ingress pipeline, this action executes the egress
1012                     pipeline as a subroutine.  If  outport  names  a  logical
1013                     port,  the egress pipeline executes once; if it is a mul‐
1014                     ticast group, the egress pipeline runs once for each log‐
1015                     ical port in the group.
1016
1017                     In  the  egress pipeline, this action performs the actual
1018                     output to the outport logical port. (In the egress  pipe‐
1019                     line, outport never names a multicast group.)
1020
1021                     By  default,  output  to  the  input  port  is implicitly
1022                     dropped, that is, output becomes a no-op  if  outport  ==
1023                     inport.  Occasionally  it  may be useful to override this
1024                     behavior, e.g. to send an ARP reply to an ARP request; to
1025                     do  so,  use  flags.loopback  =  1 to allow the packet to
1026                     "hair-pin" back to the input port.
1027
1028              next;
1029              next(table);
1030              next(pipeline=pipeline, table=table);
1031                   Executes the given logical datapath table in pipeline as  a
1032                   subroutine.  The  default  table  is just after the current
1033                   one. If pipeline is specified, it may be ingress or egress;
1034                   the  default  pipeline  is the one currently executing. Ac‐
1035                   tions in the both ingress and egress pipeline can use  next
1036                   to  jump  across the other pipeline. Actions in the ingress
1037                   pipeline should use next to jump into the specific table of
1038                   egress  pipeline only if it is certain that the packets are
1039                   local and not tunnelled and wants to skip certain stages in
1040                   the packet processing.
1041
1042              field = constant;
1043                   Sets  data  or  metadata field field to constant value con‐
1044                   stant, e.g. outport = "vif0"; to  set  the  logical  output
1045                   port.  To  set  only a subset of bits in a field, specify a
1046                   subfield for field or a masked constant, e.g. one  may  use
1047                   vlan.pcp[2] = 1; or vlan.pcp = 4/4; to set the most signif‐
1048                   icant bit of the VLAN PCP.
1049
1050                   Assigning to a field  with  prerequisites  implicitly  adds
1051                   those  prerequisites  to  match;  thus, for example, a flow
1052                   that sets tcp.dst applies only to TCP flows, regardless  of
1053                   whether its match mentions any TCP field.
1054
1055                   Not  all  fields are modifiable (e.g. eth.type and ip.proto
1056                   are read-only), and not all modifiable fields may  be  par‐
1057                   tially modified (e.g. ip.ttl must assigned as a whole). The
1058                   outport field is modifiable in the ingress pipeline but not
1059                   in the egress pipeline.
1060
1061              ovn_field = constant;
1062                   Sets OVN field ovn_field to constant value constant.
1063
1064                   OVN supports setting the values of certain fields which are
1065                   not yet supported in OpenFlow to set or modify them.
1066
1067                   Below are the supported OVN fields:
1068
1069icmp4.frag_mtu icmp6.frag_mtu
1070
1071                          This  field  sets  the  low-order  16  bits  of  the
1072                          ICMP{4,6}  header field that is labelled "unused" in
1073                          the ICMP specification as defined in  the  RFC  1191
1074                          with the value specified in constant.
1075
1076                          Eg. icmp4.frag_mtu = 1500;
1077
1078              field1 = field2;
1079                   Sets  data or metadata field field1 to the value of data or
1080                   metadata field field2, e.g. reg0 = ip4.src; copies  ip4.src
1081                   into reg0. To modify only a subset of a field’s bits, spec‐
1082                   ify a subfield for field1 or field2 or both, e.g.  vlan.pcp
1083                   =  reg0[0..2];  copies  the  least-significant bits of reg0
1084                   into the VLAN PCP.
1085
1086                   field1 and field2 must be the same type, either both string
1087                   or  both  integer  fields. If they are both integer fields,
1088                   they must have the same width.
1089
1090                   If field1 or field2 has prerequisites, they are  added  im‐
1091                   plicitly  to  match.  It is possible to write an assignment
1092                   with  contradictory  prerequisites,  such  as   ip4.src   =
1093                   ip6.src[0..31];, but the contradiction means that a logical
1094                   flow with such an assignment will never be matched.
1095
1096              field1 <-> field2;
1097                   Similar to field1 = field2; except that the two values  are
1098                   exchanged  instead  of  copied. Both field1 and field2 must
1099                   modifiable.
1100
1101              ip.ttl--;
1102                   Decrements the IPv4 or IPv6 TTL. If this would make the TTL
1103                   zero  or  negative, then processing of the packet halts; no
1104                   further actions are processed.  (To  properly  handle  such
1105                   cases, a higher-priority flow should match on ip.ttl == {0,
1106                   1};.)
1107
1108                   Prerequisite: ip
1109
1110              ct_next;
1111                   Apply  connection  tracking  to  the   flow,   initializing
1112                   ct_state  for matching in later tables. Automatically moves
1113                   on to the next table, as if followed by next.
1114
1115                   As a side effect, IP  fragments  will  be  reassembled  for
1116                   matching. If a fragmented packet is output, then it will be
1117                   sent with any overlapping fragments squashed.  The  connec‐
1118                   tion  tracking state is scoped by the logical port when the
1119                   action is used in a flow for a logical switch, so  overlap‐
1120                   ping addresses may be used. To allow traffic related to the
1121                   matched flow, execute ct_commit . Connection tracking state
1122                   is  scoped  by the logical topology when the action is used
1123                   in a flow for a router.
1124
1125                   It is possible to have actions  follow  ct_next,  but  they
1126                   will  not have access to any of its side-effects and is not
1127                   generally useful.
1128
1129              ct_commit { };
1130              ct_commit { ct_mark=value[/mask]; };
1131              ct_commit { ct_label=value[/mask]; };
1132              ct_commit { ct_mark=value[/mask]; ct_label=value[/mask]; };
1133                   Commit the flow to the connection tracking entry associated
1134                   with   it   by   a   previous   call   to   ct_next.   When
1135                   ct_mark=value[/mask] and/or ct_label=value[/mask] are  sup‐
1136                   plied,  ct_mark  and/or  ct_label will be set to the values
1137                   indicated by value[/mask] on the connection tracking entry.
1138                   ct_mark is a 32-bit field. ct_label is a 128-bit field. The
1139                   value[/mask] should be specified in hex string if more than
1140                   64bits are to be used. Registers and other named fields can
1141                   be used for value. ct_mark  and  ct_label  may  be  sub-ad‐
1142                   dressed in order to have specific bits set.
1143
1144                   Note  that  if  you want processing to continue in the next
1145                   table, you must execute the next  action  after  ct_commit.
1146                   You  may  also  leave out next which will commit connection
1147                   tracking state, and then drop the  packet.  This  could  be
1148                   useful  for  setting ct_mark on a connection tracking entry
1149                   before dropping a packet, for example.
1150
1151              ct_dnat;
1152              ct_dnat(IP);
1153                   ct_dnat sends the packet through the DNAT zone  in  connec‐
1154                   tion tracking table to unDNAT any packet that was DNATed in
1155                   the opposite direction. The packet  is  then  automatically
1156                   sent  to to the next tables as if followed by next; action.
1157                   The next tables will see the changes in the  packet  caused
1158                   by the connection tracker.
1159
1160                   ct_dnat(IP)  sends  the  packet  through  the  DNAT zone to
1161                   change the destination IP address of the packet to the  one
1162                   provided inside the parentheses and commits the connection.
1163                   The packet is then automatically sent to the next tables as
1164                   if  followed  by next; action. The next tables will see the
1165                   changes in the packet caused by the connection tracker.
1166
1167              ct_snat;
1168              ct_snat(IP);
1169                   ct_snat sends the packet through the SNAT  zone  to  unSNAT
1170                   any  packet  that was SNATed in the opposite direction. The
1171                   packet is automatically sent to the next tables as if  fol‐
1172                   lowed  by  the  next;  action. The next tables will see the
1173                   changes in the packet caused by the connection tracker.
1174
1175                   ct_snat(IP) sends the  packet  through  the  SNAT  zone  to
1176                   change  the source IP address of the packet to the one pro‐
1177                   vided inside the parenthesis and  commits  the  connection.
1178                   The packet is then automatically sent to the next tables as
1179                   if followed by next; action. The next tables will  see  the
1180                   changes in the packet caused by the connection tracker.
1181
1182              ct_clear;
1183                   Clears connection tracking state.
1184
1185              clone { action; ... };
1186                   Makes  a  copy  of  the packet being processed and executes
1187                   each action on the copy. Actions following  the  clone  ac‐
1188                   tion,  if  any,  apply  to the original, unmodified packet.
1189                   This can be used as a  way  to  ``save  and  restore’’  the
1190                   packet  around  a  set  of  actions  that may modify it and
1191                   should not persist.
1192
1193              arp { action; ... };
1194                   Temporarily replaces the IPv4 packet being processed by  an
1195                   ARP  packet  and  executes  each  nested  action on the ARP
1196                   packet. Actions following the arp action, if any, apply  to
1197                   the original, unmodified packet.
1198
1199                   The  ARP packet that this action operates on is initialized
1200                   based on the IPv4 packet being processed, as follows. These
1201                   are  default  values  that the nested actions will probably
1202                   want to change:
1203
1204eth.src unchanged
1205
1206eth.dst unchanged
1207
1208eth.type = 0x0806
1209
1210arp.op = 1 (ARP request)
1211
1212arp.sha copied from eth.src
1213
1214arp.spa copied from ip4.src
1215
1216arp.tha = 00:00:00:00:00:00
1217
1218arp.tpa copied from ip4.dst
1219
1220                   The ARP packet has the same VLAN header, if any, as the  IP
1221                   packet it replaces.
1222
1223                   Prerequisite: ip4
1224
1225              get_arp(P, A);
1226                   Parameters:  logical port string field P, 32-bit IP address
1227                   field A.
1228
1229                   Looks up A in P’s mac binding table. If an entry is  found,
1230                   stores  its  Ethernet  address in eth.dst, otherwise stores
1231                   00:00:00:00:00:00 in eth.dst.
1232
1233                   Example: get_arp(outport, ip4.dst);
1234
1235              put_arp(P, A, E);
1236                   Parameters: logical port string field P, 32-bit IP  address
1237                   field A, 48-bit Ethernet address field E.
1238
1239                   Adds  or updates the entry for IP address A in logical port
1240                   P’s mac binding table, setting its Ethernet address to E.
1241
1242                   Example: put_arp(inport, arp.spa, arp.sha);
1243
1244              R = lookup_arp(P, A, M);
1245                   Parameters: logical port string field P, 32-bit IP  address
1246                   field A, 48-bit MAC address field M.
1247
1248                   Result: stored to a 1-bit subfield R.
1249
1250                   Looks  up  A and M in P’s mac binding table. If an entry is
1251                   found, stores 1 in the 1-bit subfield R, else 0.
1252
1253                   Example: reg0[0] = lookup_arp(inport, arp.spa, arp.sha);
1254
1255              R = lookup_arp_ip(P, A);
1256                   Parameters: logical port string field P, 32-bit IP  address
1257                   field A.
1258
1259                   Result: stored to a 1-bit subfield R.
1260
1261                   Looks  up A in P’s mac binding table. If an entry is found,
1262                   stores 1 in the 1-bit subfield R, else 0.
1263
1264                   Example: reg0[0] = lookup_arp_ip(inport, arp.spa);
1265
1266              P = get_fdb(A);
1267                   Parameters:48-bit MAC address field A.
1268
1269                   Looks up A in fdb table. If an entry is found,  stores  the
1270                   logical port key to the out parameter P.
1271
1272                   Example: outport = get_fdb(eth.src);
1273
1274              put_fdb(P, A);
1275                   Parameters: logical port string field P, 48-bit MAC address
1276                   field A.
1277
1278                   Adds or updates the entry for Ethernet address A in fdb ta‐
1279                   ble, setting its logical port key to P.
1280
1281                   Example: put_fdb(inport, arp.spa);
1282
1283              R = lookup_fdb(P, A);
1284                   Parameters: 48-bit MAC address field M, logical port string
1285                   field P.
1286
1287                   Result: stored to a 1-bit subfield R.
1288
1289                   Looks up A in fdb table. If an entry is found and  the  the
1290                   logical port key is P, P, stores 1 in the 1-bit subfield R,
1291                   else 0.
1292
1293                   Example: reg0[0] = lookup_fdb(inport, eth.src);
1294
1295              nd_ns { action; ... };
1296                   Temporarily replaces the IPv6 packet being processed by  an
1297                   IPv6  Neighbor Solicitation packet and executes each nested
1298                   action on the IPv6 NS packet. Actions following  the  nd_ns
1299                   action, if any, apply to the original, unmodified packet.
1300
1301                   The IPv6 NS packet that this action operates on is initial‐
1302                   ized based on the IPv6 packet being processed, as  follows.
1303                   These are default values that the nested actions will prob‐
1304                   ably want to change:
1305
1306eth.src unchanged
1307
1308eth.dst set to IPv6 multicast MAC address
1309
1310eth.type = 0x86dd
1311
1312ip6.src copied from ip6.src
1313
1314ip6.dst set to IPv6 Solicited-Node multicast address
1315
1316icmp6.type = 135 (Neighbor Solicitation)
1317
1318nd.target copied from ip6.dst
1319
1320                   The IPv6 NS packet has the same VLAN header, if any, as the
1321                   IP packet it replaces.
1322
1323                   Prerequisite: ip6
1324
1325              nd_na { action; ... };
1326                   Temporarily  replaces the IPv6 neighbor solicitation packet
1327                   being processed by  an  IPv6  neighbor  advertisement  (NA)
1328                   packet  and  executes  each nested action on the NA packet.
1329                   Actions following the nd_na action, if any,  apply  to  the
1330                   original, unmodified packet.
1331
1332                   The  NA  packet that this action operates on is initialized
1333                   based on the IPv6 packet being processed, as follows. These
1334                   are  default  values  that the nested actions will probably
1335                   want to change:
1336
1337eth.dst exchanged with eth.src
1338
1339eth.type = 0x86dd
1340
1341ip6.dst copied from ip6.src
1342
1343ip6.src copied from nd.target
1344
1345icmp6.type = 136 (Neighbor Advertisement)
1346
1347nd.target unchanged
1348
1349nd.sll = 00:00:00:00:00:00
1350
1351nd.tll copied from eth.dst
1352
1353                   The ND packet has the same VLAN header, if any, as the IPv6
1354                   packet it replaces.
1355
1356                   Prerequisite: nd_ns
1357
1358              nd_na_router { action; ... };
1359                   Temporarily  replaces the IPv6 neighbor solicitation packet
1360                   being processed by  an  IPv6  neighbor  advertisement  (NA)
1361                   packet,  sets  ND_NSO_ROUTER  in the RSO flags and executes
1362                   each nested action on the NA packet. Actions following  the
1363                   nd_na_router action, if any, apply to the original, unmodi‐
1364                   fied packet.
1365
1366                   The NA packet that this action operates on  is  initialized
1367                   based on the IPv6 packet being processed, as follows. These
1368                   are default values that the nested  actions  will  probably
1369                   want to change:
1370
1371eth.dst exchanged with eth.src
1372
1373eth.type = 0x86dd
1374
1375ip6.dst copied from ip6.src
1376
1377ip6.src copied from nd.target
1378
1379icmp6.type = 136 (Neighbor Advertisement)
1380
1381nd.target unchanged
1382
1383nd.sll = 00:00:00:00:00:00
1384
1385nd.tll copied from eth.dst
1386
1387                   The ND packet has the same VLAN header, if any, as the IPv6
1388                   packet it replaces.
1389
1390                   Prerequisite: nd_ns
1391
1392              get_nd(P, A);
1393                   Parameters: logical port string field P, 128-bit  IPv6  ad‐
1394                   dress field A.
1395
1396                   Looks  up A in P’s mac binding table. If an entry is found,
1397                   stores its Ethernet address in  eth.dst,  otherwise  stores
1398                   00:00:00:00:00:00 in eth.dst.
1399
1400                   Example: get_nd(outport, ip6.dst);
1401
1402              put_nd(P, A, E);
1403                   Parameters:  logical  port string field P, 128-bit IPv6 ad‐
1404                   dress field A, 48-bit Ethernet address field E.
1405
1406                   Adds or updates the entry for IPv6  address  A  in  logical
1407                   port P’s mac binding table, setting its Ethernet address to
1408                   E.
1409
1410                   Example: put_nd(inport, nd.target, nd.tll);
1411
1412              R = lookup_nd(P, A, M);
1413                   Parameters: logical port string field P, 128-bit IP address
1414                   field A, 48-bit MAC address field M.
1415
1416                   Result: stored to a 1-bit subfield R.
1417
1418                   Looks  up  A and M in P’s mac binding table. If an entry is
1419                   found, stores 1 in the 1-bit subfield R, else 0.
1420
1421                   Example: reg0[0] = lookup_nd(inport, ip6.src, eth.src);
1422
1423              R = lookup_nd_ip(P, A);
1424                   Parameters: logical port string field P, 128-bit IP address
1425                   field A.
1426
1427                   Result: stored to a 1-bit subfield R.
1428
1429                   Looks  up A in P’s mac binding table. If an entry is found,
1430                   stores 1 in the 1-bit subfield R, else 0.
1431
1432                   Example: reg0[0] = lookup_nd_ip(inport, ip6.src);
1433
1434              R = put_dhcp_opts(D1 = V1, D2 = V2, ..., Dn = Vn);
1435                   Parameters: one or more DHCP option/value pairs, which must
1436                   include an offerip option (with code 0).
1437
1438                   Result: stored to a 1-bit subfield R.
1439
1440                   Valid only in the ingress pipeline.
1441
1442                   When  this  action  is  applied  to  a  DHCP request packet
1443                   (DHCPDISCOVER or DHCPREQUEST), it changes the packet into a
1444                   DHCP  reply  (DHCPOFFER or DHCPACK, respectively), replaces
1445                   the options by those specified as parameters, and stores  1
1446                   in R.
1447
1448                   When  this action is applied to a non-DHCP packet or a DHCP
1449                   packet that is not DHCPDISCOVER or DHCPREQUEST,  it  leaves
1450                   the packet unchanged and stores 0 in R.
1451
1452                   The  contents of the DHCP_Option table control the DHCP op‐
1453                   tion names and values that this action supports.
1454
1455                   Example: reg0[0] = put_dhcp_opts(offerip = 10.0.0.2, router
1456                   = 10.0.0.1, netmask = 255.255.255.0, dns_server = {8.8.8.8,
1457                   7.7.7.7});
1458
1459              R = put_dhcpv6_opts(D1 = V1, D2 = V2, ..., Dn = Vn);
1460                   Parameters: one or more DHCPv6 option/value pairs.
1461
1462                   Result: stored to a 1-bit subfield R.
1463
1464                   Valid only in the ingress pipeline.
1465
1466                   When this action is applied to a DHCPv6 request packet,  it
1467                   changes  the  packet  into a DHCPv6 reply, replaces the op‐
1468                   tions by those specified as parameters, and stores 1 in R.
1469
1470                   When this action is applied to a non-DHCPv6  packet  or  an
1471                   invalid  DHCPv6  request  packet , it leaves the packet un‐
1472                   changed and stores 0 in R.
1473
1474                   The contents of the DHCPv6_Options table control the DHCPv6
1475                   option names and values that this action supports.
1476
1477                   Example:   reg0[3]  =  put_dhcpv6_opts(ia_addr  =  aef0::4,
1478                   server_id               =                00:00:00:00:10:02,
1479                   dns_server={ae70::1,ae70::2});
1480
1481              set_queue(queue_number);
1482                   Parameters:  Queue  number  queue_number, in the range 0 to
1483                   61440.
1484
1485                   This is a logical equivalent of the OpenFlow set_queue  ac‐
1486                   tion. It affects packets that egress a hypervisor through a
1487                   physical interface. For nonzero queue_number, it configures
1488                   packet  queuing  to  match  the settings configured for the
1489                   Port_Binding    with    options:qdisc_queue_id     matching
1490                   queue_number.  When queue_number is zero, it resets queuing
1491                   to the default strategy.
1492
1493                   Example: set_queue(10);
1494
1495              ct_lb;
1496              ct_lb(ip[:port]...);
1497                   With one or more arguments, ct_lb commits the packet to the
1498                   connection  tracking  table and DNATs the packet’s destina‐
1499                   tion IP address (and port) to the IP address  or  addresses
1500                   (and  optional  ports) specified in the string. If multiple
1501                   comma-separated IP addresses are specified, each  is  given
1502                   equal weight for picking the DNAT address. Processing auto‐
1503                   matically moves on to the next  table,  as  if  next;  were
1504                   specified,  and  later tables act on the packet as modified
1505                   by the connection tracker.  Connection  tracking  state  is
1506                   scoped  by  the  logical  port when the action is used in a
1507                   flow for a logical switch, so overlapping addresses may  be
1508                   used.  Connection  tracking  state is scoped by the logical
1509                   topology when the action is used in a flow for a router.
1510
1511                   Without arguments, ct_lb sends the packet to the connection
1512                   tracking table to NAT the packets. If the packet is part of
1513                   an established connection that was previously committed  to
1514                   the  connection  tracker  via ct_lb(...), it will automati‐
1515                   cally get DNATed to the same IP address as the first packet
1516                   in that connection.
1517
1518              R = dns_lookup();
1519                   Parameters: No parameters.
1520
1521                   Result: stored to a 1-bit subfield R.
1522
1523                   Valid only in the ingress pipeline.
1524
1525                   When  this  action is applied to a valid DNS request (a UDP
1526                   packet typically directed to port 53), it attempts  to  re‐
1527                   solve  the query using the contents of the DNS table. If it
1528                   is successful, it changes the packet into a DNS  reply  and
1529                   stores  1  in  R.  If  the  action  is applied to a non-DNS
1530                   packet, an invalid DNS request packet, or a valid  DNS  re‐
1531                   quest for which the DNS table does not supply an answer, it
1532                   leaves the packet unchanged and stores 0 in R.
1533
1534                   Regardless of success, the action does not make any of  the
1535                   changes to the flow that are necessary to direct the packet
1536                   back to the requester. The logical pipeline  can  implement
1537                   this behavior with matches and actions in later tables.
1538
1539                   Example: reg0[3] = dns_lookup();
1540
1541                   Prerequisite: udp
1542
1543              R = put_nd_ra_opts(D1 = V1, D2 = V2, ..., Dn = Vn);
1544                   Parameters:  The following IPv6 ND Router Advertisement op‐
1545                   tion/value pairs as defined in RFC 4861.
1546
1547addr_mode
1548
1549                          Mandatory parameter which specifies the address mode
1550                          flag  to  be  set  in the RA flag options field. The
1551                          value of this option is a string and  the  following
1552                          values  can  be defined - "slaac", "dhcpv6_stateful"
1553                          and "dhcpv6_stateless".
1554
1555slla
1556
1557                          Mandatory parameter which specifies  the  link-layer
1558                          address  of  the interface from which the Router Ad‐
1559                          vertisement is sent.
1560
1561mtu
1562
1563                          Optional parameter which specifies the MTU.
1564
1565prefix
1566
1567                          Optional parameter which should be specified if  the
1568                          addr_mode  is  "slaac"  or  "dhcpv6_stateless".  The
1569                          value should be an IPv6 prefix which  will  be  used
1570                          for  stateless  IPv6 address configuration. This op‐
1571                          tion can be defined multiple times.
1572
1573                   Result: stored to a 1-bit subfield R.
1574
1575                   Valid only in the ingress pipeline.
1576
1577                   When this action is applied to an IPv6 Router  solicitation
1578                   request  packet,  it changes the packet into an IPv6 Router
1579                   Advertisement reply and adds the options specified  in  the
1580                   parameters, and stores 1 in R.
1581
1582                   When  this action is applied to a non-IPv6 Router solicita‐
1583                   tion packet or an invalid IPv6 request packet ,  it  leaves
1584                   the packet unchanged and stores 0 in R.
1585
1586                   Example: reg0[3] = put_nd_ra_opts(addr_mode = "slaac", slla
1587                   = 00:00:00:00:10:02, prefix = aef0::/64, mtu = 1450);
1588
1589              set_meter(rate);
1590              set_meter(rate, burst);
1591                   Parameters: rate limit int field rate in kbps,  burst  rate
1592                   limits int field burst in kbps.
1593
1594                   This action sets the rate limit for a flow.
1595
1596                   Example: set_meter(100, 1000);
1597
1598              R = check_pkt_larger(L)
1599                   Parameters: packet length L to check for in bytes.
1600
1601                   Result: stored to a 1-bit subfield R.
1602
1603                   This    is   a   logical   equivalent   of   the   OpenFlow
1604                   check_pkt_larger action. If the packet is larger  than  the
1605                   length specified in L, it stores 1 in the subfield R.
1606
1607                   Example: reg0[6] = check_pkt_larger(1000);
1608
1609              log(key=value, ...);
1610                     Causes  ovn-controller  to  log the packet on the chassis
1611                     that processes it. Packet logging currently uses the same
1612                     logging mechanism as other Open vSwitch and OVN messages,
1613                     which means that whether and where  log  messages  appear
1614                     depends  on  the  local logging configuration that can be
1615                     configured with ovs-appctl, etc.
1616
1617                     The log action takes zero or more of the  following  key-
1618                     value pair arguments that control what is logged:
1619
1620                     name=string
1621                            An  optional  name for the ACL. The string is cur‐
1622                            rently limited to 64 bytes.
1623
1624                     severity=level
1625                            Indicates the severity of the event. The level  is
1626                            one  of  following  (from  more  to less serious):
1627                            alert, warning,  notice,  info,  or  debug.  If  a
1628                            severity is not provided, the default is info.
1629
1630                     verdict=value
1631                            The  verdict  for  packets  matching the flow. The
1632                            value must be one of allow, deny, or reject.
1633
1634                     meter=string
1635                            An optional rate-limiting meter to be  applied  to
1636                            the logs. The string should reference a name entry
1637                            from the Meter table. The only meter  action  that
1638                            is appropriate is drop.
1639
1640              fwd_group(liveness=bool, childports=port, ...);
1641                     Parameters:  optional liveness, either true or false, de‐
1642                     faulting to false; childports, a comma-delimited list  of
1643                     strings denoting logical ports to load balance across.
1644
1645                     Load balance traffic to one or more child ports in a log‐
1646                     ical switch. ovn-controller translates the fwd_group into
1647                     an OpenFlow group with one bucket for each child port. If
1648                     liveness=true is specified, it also integrates the bucket
1649                     selection  with BFD status on the tunnel interface corre‐
1650                     sponding to child port.
1651
1652                     Example: fwd_group(liveness=true, childports="p1", "p2");
1653
1654              icmp4 { action; ... };
1655              icmp4_error { action; ... };
1656                   Temporarily replaces the IPv4 packet being processed by  an
1657                   ICMPv4 packet and executes each nested action on the ICMPv4
1658                   packet. Actions following these actions, if any,  apply  to
1659                   the original, unmodified packet.
1660
1661                   The  ICMPv4  packet  that these actions operates on is ini‐
1662                   tialized based on the IPv4 packet being processed, as  fol‐
1663                   lows. These are default values that the nested actions will
1664                   probably want to  change.  Ethernet  and  IPv4  fields  not
1665                   listed here are not changed:
1666
1667ip.proto = 1 (ICMPv4)
1668
1669ip.frag = 0 (not a fragment)
1670
1671ip.ttl = 255
1672
1673icmp4.type = 3 (destination unreachable)
1674
1675icmp4.code = 1 (host unreachable)
1676
1677                   icmp4_error  action  is  expected to be used to generate an
1678                   ICMPv4 packet in  response  to  an  error  in  original  IP
1679                   packet.  When  this  action generates the ICMPv4 packet, it
1680                   also copies the original IP datagram following  the  ICMPv4
1681                   header as per RFC 1122: 3.2.2.
1682
1683                   Prerequisite: ip4
1684
1685              icmp6 { action; ... };
1686              icmp6_error { action; ... };
1687                   Temporarily  replaces the IPv6 packet being processed by an
1688                   ICMPv6 packet and executes each nested action on the ICMPv6
1689                   packet.  Actions  following the icmp6 action, if any, apply
1690                   to the original, unmodified packet.
1691
1692                   The ICMPv6 packet that this action operates on is  initial‐
1693                   ized  based on the IPv6 packet being processed, as follows.
1694                   These are default values that the nested actions will prob‐
1695                   ably  want  to  change. Ethernet and IPv6 fields not listed
1696                   here are not changed:
1697
1698ip.proto = 58 (ICMPv6)
1699
1700ip.ttl = 255
1701
1702icmp6.type = 1 (destination unreachable)
1703
1704icmp6.code = 1 (administratively prohibited)
1705
1706                   icmp6_error action is expected to be used  to  generate  an
1707                   ICMPv6  packet  in  response  to  an error in original IPv6
1708                   packet.
1709
1710                   Prerequisite: ip6
1711
1712              tcp_reset;
1713                   This action transforms the current TCP packet according  to
1714                   the following pseudocode:
1715
1716                   if (tcp.ack) {
1717                           tcp.seq = tcp.ack;
1718                   } else {
1719                           tcp.ack = tcp.seq + length(tcp.payload);
1720                           tcp.seq = 0;
1721                   }
1722                   tcp.flags = RST;
1723
1724                   Then,  the  action  drops all TCP options and payload data,
1725                   and updates the TCP checksum. IP ttl is set to 255.
1726
1727                   Prerequisite: tcp
1728
1729              reject { action; ... };
1730                   If the original packet is IPv4 or IPv6 TCP packet,  it  re‐
1731                   places it with IPv4 or IPv6 TCP RST packet and executes the
1732                   inner actions. Otherwise it replaces it with an  ICMPv4  or
1733                   ICMPv6 packet and executes the inner actions.
1734
1735                   The  inner  actions  should  not attempt to swap eth source
1736                   with eth destination and IP source with IP  destination  as
1737                   this action implicitly does that.
1738
1739              trigger_event;
1740                   This action is used to allow ovs-vswitchd to report CMS re‐
1741                   lated events writing them in Controller_Event table. It  is
1742                   possible  to  associate a meter to a each event in order to
1743                   not overload pinctrl thread under heavy load; each meter is
1744                   identified  though  a  defined naming convention. Supported
1745                   events:
1746
1747empty_lb_backends. This event is  raised  if  a  re‐
1748                          ceived  packet  is  destined for a load balancer VIP
1749                          that has no  configured  backend  destinations.  For
1750                          this  event,  the  event info includes the load bal‐
1751                          ancer VIP, the load balancer UUID, and the transport
1752                          protocol. Associated meter: event-elb
1753
1754              igmp;
1755                   This  action  sends the packet to ovn-controller for multi‐
1756                   cast snooping.
1757
1758                   Prerequisite: igmp
1759
1760              bind_vport(V, P);
1761                   Parameters: logical port string field V  of  type  virtual,
1762                   logical port string field P.
1763
1764                   Binds  the virtual logical port V and sets the chassis col‐
1765                   umn and virtual_parent  of  the  table  Port_Binding.  vir‐
1766                   tual_parent is set to P.
1767
1768              handle_svc_check(P);
1769                   Parameters: logical port string field P.
1770
1771                   Handles  the service monitor reply received from the VIF of
1772                   the logical port P. ovn-controller periodically  sends  out
1773                   the  service monitor packets for the services configured in
1774                   the Service_Monitor table and this action updates the  sta‐
1775                   tus of those services.
1776
1777                   Example: handle_svc_check(inport);
1778
1779              handle_dhcpv6_reply;
1780                   Handle DHCPv6 prefix delegation advertisements/replies from
1781                   a IPv6 delegation server. ovn-controller will add an  entry
1782                   ipv6_ra_pd_list  in  the  options table for each prefix re‐
1783                   ceived from the delegation server
1784
1785              R = select(N1[=W1], N2[=W2], ...);
1786                   Parameters: Integer N1, N2..., with optional weight W1, W2,
1787                   ...
1788
1789                   Result: stored to a logical field or subfield R.
1790
1791                   Select  from  a list of integers N1, N2..., each within the
1792                   range 0 ~ 65535, and store the selected one in the field R.
1793                   There  must  be 2 or more integers listed, each with an op‐
1794                   tional weight, which is an integer within  the  range  1  ~
1795                   65535.  If weight is not specified, it defaults to 100. The
1796                   selection method is based on the  5-tuple  hash  of  packet
1797                   header.
1798
1799                   Processing  automatically moves on to the next table, as if
1800                   next; were specified. The select action must be put as  the
1801                   last action of the logical flow when there are multiple ac‐
1802                   tions (actions put after select will not take effect).
1803
1804                   Example: reg8[16..31] = select(1=20, 2=30, 3=50);
1805
1806              handle_dhcpv6_reply;
1807                   This action is used to parse DHCPv6 replies from IPv6 Dele‐
1808                   gation  Router and managed IPv6 Prefix delegation state ma‐
1809                   chine
1810
1811              R = chk_lb_hairpin();
1812                   This action checks if the packet  under  consideration  was
1813                   destined to a load balancer VIP and it is hairpinned, i.e.,
1814                   after load balancing the destination IP matches the  source
1815                   IP.  If  it is so, then the 1-bit destination register R is
1816                   set to 1.
1817
1818              R = chk_lb_hairpin_reply();
1819                   This action checks if the  packet  under  consideration  is
1820                   from  one  of the backend IP of a load balancer VIP and the
1821                   destination IP is the load balancer VIP. If it is so,  then
1822                   the 1-bit destination register R is set to 1.
1823
1824              R = ct_snat_to_vip;
1825                   This  action  sends  the  packet  through  the SNAT zone to
1826                   change the source IP address of the packet to the load bal‐
1827                   ancer  VIP if the original destination IP was load balancer
1828                   VIP and commits the connection. This  action  applies  suc‐
1829                   cessfully only for the hairpinned traffic i.e if the action
1830                   chk_lb_hairpin returned success. This action  doesn’t  take
1831                   any arguments and it determines the SNAT IP internally. The
1832                   packet is not automatically sent to  the  next  table.  The
1833                   caller  has  to  execute  the next; action explicitly after
1834                   this action to advance the packet to the next stage.
1835
1836       tags: map of string-string pairs
1837              Key-value pairs that provide additional information to help ovn-
1838              controller  processing the logical flow. Below are the tags used
1839              by ovn-controller.
1840
1841              in_out_port
1842                     In the logical flow’s "match" column, if a logical port P
1843                     is  compared  with  "inport" and the logical flow is on a
1844                     logical switch ingress pipeline, or if P is compared with
1845                     "outport"  and  the  logical  flow is on a logical switch
1846                     egress pipeline, and  the  expression  is  combined  with
1847                     other  expressions  (if  any) using the operator &&, then
1848                     the port P should be added as the value in this  tag.  If
1849                     there  are  multiple logical ports meeting this criteria,
1850                     one of them can be added. ovn-controller uses this infor‐
1851                     mation  to  skip parsing flows that are not needed on the
1852                     chassis. Failing to add the tag will  affect  efficiency,
1853                     while adding wrong value will affect correctness.
1854
1855       controller_meter: optional string
1856              The  name of the meter in table Meter to be used for all packets
1857              that the logical flow might send to ovn-controller.
1858
1859       external_ids : stage-name: optional string
1860              Human-readable name for this flow’s stage in the pipeline.
1861
1862       external_ids : stage-hint: optional string, containing an uuid
1863              UUID of a OVN_Northbound record that caused this logical flow to
1864              be  created.  Currently used only for attribute of logical flows
1865              to northbound ACL records.
1866
1867       external_ids : source: optional string
1868              Source file and line number of the code that added this flow  to
1869              the pipeline.
1870
1871     Common Columns:
1872
1873       The  overall purpose of these columns is described under Common Columns
1874       at the beginning of this document.
1875
1876       external_ids: map of string-string pairs
1877

Logical_DP_Group TABLE

1879       Each row in this table represents a group of logical  datapaths  refer‐
1880       enced by the logical_dp_group column in the Logical_Flow table.
1881
1882   Summary:
1883       datapaths                     set  of  weak reference to Datapath_Bind‐
1884                                     ings
1885
1886   Details:
1887       datapaths: set of weak reference to Datapath_Bindings
1888              List of Datapath_Binding entries.
1889

Multicast_Group TABLE

1891       The rows in this table define multicast groups of logical ports. Multi‐
1892       cast groups allow a single packet transmitted over a tunnel to a hyper‐
1893       visor to be delivered to multiple VMs on that  hypervisor,  which  uses
1894       bandwidth more efficiently.
1895
1896       Each  row in this table defines a logical multicast group numbered tun‐
1897       nel_key within datapath, whose logical ports are listed  in  the  ports
1898       column.
1899
1900   Summary:
1901       datapath                      Datapath_Binding
1902       tunnel_key                    integer, in range 32,768 to 65,535
1903       name                          string
1904       ports                         set of weak reference to Port_Bindings
1905
1906   Details:
1907       datapath: Datapath_Binding
1908              The logical datapath in which the multicast group resides.
1909
1910       tunnel_key: integer, in range 32,768 to 65,535
1911              The  value  used to designate this logical egress port in tunnel
1912              encapsulations. An index forces the key to be unique within  the
1913              datapath.  The unusual range ensures that multicast group IDs do
1914              not overlap with logical port IDs.
1915
1916       name: string
1917              The logical multicast group’s name. An index forces the name  to
1918              be  unique  within  the  datapath.  Logical flows in the ingress
1919              pipeline may output to the group just as for individual  logical
1920              ports, by assigning the group’s name to outport and executing an
1921              output action.
1922
1923              Multicast group names and logical  port  names  share  a  single
1924              namespace  and  thus should not overlap (but the database schema
1925              cannot enforce this). To try to avoid conflicts, ovn-northd uses
1926              names that begin with _MC_.
1927
1928       ports: set of weak reference to Port_Bindings
1929              The  logical ports included in the multicast group. All of these
1930              ports must be in the datapath logical datapath (but the database
1931              schema cannot enforce this).
1932

Meter TABLE

1934       Each  row  in this table represents a meter that can be used for QoS or
1935       rate-limiting.
1936
1937   Summary:
1938       name                          string (must be unique within table)
1939       unit                          string, either kbps or pktps
1940       bands                         set of 1 or more Meter_Bands
1941
1942   Details:
1943       name: string (must be unique within table)
1944              A name for this meter.
1945
1946              Names that begin with "__" (two underscores)  are  reserved  for
1947              OVN internal use and should not be added manually.
1948
1949       unit: string, either kbps or pktps
1950              The  unit for rate and burst_rate parameters in the bands entry.
1951              kbps specifies kilobits per second, and pktps specifies  packets
1952              per second.
1953
1954       bands: set of 1 or more Meter_Bands
1955              The bands associated with this meter. Each band specifies a rate
1956              above which the band is to take the action action.  If  multiple
1957              bands’  rates  are exceeded, then the band with the highest rate
1958              among the exceeded bands is selected.
1959

Meter_Band TABLE

1961       Each row in this table represents a meter band which specifies the rate
1962       above  which  the  configured action should be applied. These bands are
1963       referenced by the bands column in the Meter table.
1964
1965   Summary:
1966       action                        string, must be drop
1967       rate                          integer, in range 1 to 4,294,967,295
1968       burst_size                    integer, in range 0 to 4,294,967,295
1969
1970   Details:
1971       action: string, must be drop
1972              The action to execute when this band matches. The only supported
1973              action is drop.
1974
1975       rate: integer, in range 1 to 4,294,967,295
1976              The rate limit for this band, in kilobits per second or bits per
1977              second, depending on whether the parent Meter entry’s unit  col‐
1978              umn specified kbps or pktps.
1979
1980       burst_size: integer, in range 0 to 4,294,967,295
1981              The  maximum  burst allowed for the band in kilobits or packets,
1982              depending on whether kbps or pktps was selected  in  the  parent
1983              Meter  entry’s  unit  column. If the size is zero, the switch is
1984              free to select some reasonable value depending on its configura‐
1985              tion.
1986

Datapath_Binding TABLE

1988       Each  row in this table represents a logical datapath, which implements
1989       a logical pipeline among the ports in the Port_Binding table associated
1990       with  it.  In practice, the pipeline in a given logical datapath imple‐
1991       ments either a logical switch or a logical router.
1992
1993       The main purpose of a row in this table is provide a  physical  binding
1994       for a logical datapath. A logical datapath does not have a physical lo‐
1995       cation, so its physical  binding  information  is  limited:  just  tun‐
1996       nel_key. The rest of the data in this table does not affect packet for‐
1997       warding.
1998
1999   Summary:
2000       tunnel_key                    integer, in range 1 to  16,777,215  (must
2001                                     be unique within table)
2002       load_balancers                set of uuids
2003       OVN_Northbound Relationship:
2004         external_ids : logical-switch
2005                                     optional string, containing an uuid
2006         external_ids : logical-router
2007                                     optional string, containing an uuid
2008         external_ids : interconn-ts
2009                                     optional string
2010         Naming:
2011            external_ids : name      optional string
2012            external_ids : name2     optional string
2013       Common Columns:
2014         external_ids                map of string-string pairs
2015
2016   Details:
2017       tunnel_key:  integer,  in  range 1 to 16,777,215 (must be unique within
2018       table)
2019              The tunnel key value to which the logical datapath is bound. The
2020              Tunnel  Encapsulation  section  in ovn-architecture(7) describes
2021              how tunnel keys are constructed for  each  supported  encapsula‐
2022              tion.
2023
2024       load_balancers: set of uuids
2025              Not  used  anymore;  kept  for  backwards  compatibility  of the
2026              schema.
2027
2028     OVN_Northbound Relationship:
2029
2030       Each row in Datapath_Binding is associated with some logical  datapath.
2031       ovn-northd  uses these keys to track the association of a logical data‐
2032       path with concepts in the OVN_Northbound database.
2033
2034       external_ids : logical-switch: optional string, containing an uuid
2035              For  a  logical  datapath  that  represents  a  logical  switch,
2036              ovn-northd stores in this key the UUID of the corresponding Log‐
2037              ical_Switch row in the OVN_Northbound database.
2038
2039       external_ids : logical-router: optional string, containing an uuid
2040              For  a  logical  datapath  that  represents  a  logical  router,
2041              ovn-northd stores in this key the UUID of the corresponding Log‐
2042              ical_Router row in the OVN_Northbound database.
2043
2044       external_ids : interconn-ts: optional string
2045              For a logical datapath that represents  a  logical  switch  that
2046              represents  a  transit  switch  for  interconnection, ovn-northd
2047              stores in this key the value of the same interconn-ts key of the
2048              external_ids  column  of the corresponding Logical_Switch row in
2049              the OVN_Northbound database.
2050
2051     Naming:
2052
2053       ovn-northd copies these from the  name  fields  in  the  OVN_Northbound
2054       database,  either from name and external_ids:neutron:router_name in the
2055       Logical_Router table or from name and external_ids:neutron:network_name
2056       in the Logical_Switch table.
2057
2058       external_ids : name: optional string
2059              A name for the logical datapath.
2060
2061       external_ids : name2: optional string
2062              Another name for the logical datapath.
2063
2064     Common Columns:
2065
2066       The  overall purpose of these columns is described under Common Columns
2067       at the beginning of this document.
2068
2069       external_ids: map of string-string pairs
2070

Port_Binding TABLE

2072       Each row in this table binds a logical port to a realization. For  most
2073       logical  ports, this means binding to some physical location, for exam‐
2074       ple by binding a logical port to a VIF that belongs to a VM running  on
2075       a  particular  hypervisor.  Other  logical ports, such as logical patch
2076       ports, can be realized without a specific physical location, but  their
2077       bindings are still expressed through rows in this table.
2078
2079       For   every  Logical_Switch_Port  record  in  OVN_Northbound  database,
2080       ovn-northd creates a record in this  table.  ovn-northd  populates  and
2081       maintains  every  column except the chassis and virtual_parent columns,
2082       which it leaves empty in new records.
2083
2084       ovn-controller/ovn-controller-vtep populates the chassis column for the
2085       records  that identify the logical ports that are located on its hyper‐
2086       visor/gateway, which ovn-controller/ovn-controller-vtep in  turn  finds
2087       out  by  monitoring the local hypervisor’s Open_vSwitch database, which
2088       identifies logical ports via  the  conventions  described  in  Integra‐
2089       tionGuide.rst.  (The  exceptions are for Port_Binding records with type
2090       of l3gateway, whose locations are identified by ovn-northd via the  op‐
2091       tions:l3gateway-chassis  column  in this table. ovn-controller is still
2092       responsible to populate the chassis column.)
2093
2094       ovn-controller also populates  the  virtual_parent  column  of  records
2095       whose type is virtual.
2096
2097       When  a  chassis  shuts down gracefully, it should clean up the chassis
2098       column that it previously had populated. (This is not critical  because
2099       resources  hosted  on the chassis are equally unreachable regardless of
2100       whether their rows are present.) To handle the case where a VM is  shut
2101       down abruptly on one chassis, then brought up again on a different one,
2102       ovn-controller/ovn-controller-vtep must overwrite  the  chassis  column
2103       with new information.
2104
2105   Summary:
2106       Core Features:
2107         datapath                    Datapath_Binding
2108         logical_port                string (must be unique within table)
2109         encap                       optional weak reference to Encap
2110         chassis                     optional weak reference to Chassis
2111         gateway_chassis             set of Gateway_Chassises
2112         ha_chassis_group            optional HA_Chassis_Group
2113         up                          optional boolean
2114         tunnel_key                  integer, in range 1 to 32,767
2115         mac                         set of strings
2116         type                        string
2117       Patch Options:
2118         options : peer              optional string
2119         nat_addresses               set of strings
2120       L3 Gateway Options:
2121         options : peer              optional string
2122         options : l3gateway-chassis
2123                                     optional string
2124         nat_addresses               set of strings
2125       Localnet Options:
2126         options : network_name      optional string
2127         tag                         optional integer, in range 1 to 4,095
2128       L2 Gateway Options:
2129         options : network_name      optional string
2130         options : l2gateway-chassis
2131                                     optional string
2132         tag                         optional integer, in range 1 to 4,095
2133       VTEP Options:
2134         options : vtep-physical-switch
2135                                     optional string
2136         options : vtep-logical-switch
2137                                     optional string
2138       VMI (or VIF) Options:
2139         options : requested-chassis
2140                                     optional string
2141         options : iface-id-ver      optional string
2142         options : qos_max_rate      optional string
2143         options : qos_burst         optional string
2144         options : qdisc_queue_id    optional  string,  containing an integer,
2145                                     in range 1 to 61,440
2146       Distributed Gateway Port Options:
2147         options : chassis-redirect-port
2148                                     optional string
2149       Chassis Redirect Options:
2150         options : distributed-port  optional string
2151         options : redirect-type     optional string
2152         options : always-redirect   optional string
2153       Nested Containers:
2154         parent_port                 optional string
2155         tag                         optional integer, in range 1 to 4,095
2156       Virtual ports:
2157         virtual_parent              optional string
2158       Naming:
2159         external_ids : name         optional string
2160       Common Columns:
2161         external_ids                map of string-string pairs
2162
2163   Details:
2164     Core Features:
2165
2166       datapath: Datapath_Binding
2167              The logical datapath to which the logical port belongs.
2168
2169       logical_port: string (must be unique within table)
2170              A logical port. For a logical switch port, this  is  taken  from
2171              name in the OVN_Northbound database’s Logical_Switch_Port table.
2172              For a logical router port,  this  is  taken  from  name  in  the
2173              OVN_Northbound database’s Logical_Router_port table. (This means
2174              that logical switch ports and router port names must  not  share
2175              names in an OVN deployment.) OVN does not prescribe a particular
2176              format for the logical port ID.
2177
2178       encap: optional weak reference to Encap
2179              Points to supported  encapsulation  configurations  to  transmit
2180              logical dataplane packets to this chassis. Each entry is a Encap
2181              record that describes the configuration.
2182
2183       chassis: optional weak reference to Chassis
2184              The meaning of this column depends on the value of the type col‐
2185              umn. This is the meaning for each type
2186
2187              (empty string)
2188                     The  physical  location  of the logical port. To success‐
2189                     fully identify a chassis, this column must be  a  Chassis
2190                     record. This is populated by ovn-controller.
2191
2192              vtep   The  physical  location  of the hardware_vtep gateway. To
2193                     successfully identify a chassis, this column  must  be  a
2194                     Chassis record. This is populated by ovn-controller-vtep.
2195
2196              localnet
2197                     Always  empty. A localnet port is realized on every chas‐
2198                     sis that has connectivity to the  corresponding  physical
2199                     network.
2200
2201              localport
2202                     Always  empty. A localport port is present on every chas‐
2203                     sis.
2204
2205              l3gateway
2206                     The physical location of the L3 gateway. To  successfully
2207                     identify a chassis, this column must be a Chassis record.
2208                     This is populated by ovn-controller based on the value of
2209                     the options:l3gateway-chassis column in this table.
2210
2211              l2gateway
2212                     The physical location of this L2 gateway. To successfully
2213                     identify a chassis, this column must be a Chassis record.
2214                     This is populated by ovn-controller based on the value of
2215                     the options:l2gateway-chassis column in this table.
2216
2217       gateway_chassis: set of Gateway_Chassises
2218              A list of Gateway_Chassis.
2219
2220              This should only be populated for ports with type set  to  chas‐
2221              sisredirect.  This  column  defines  the list of chassis used as
2222              gateways where traffic will be redirected through.
2223
2224       ha_chassis_group: optional HA_Chassis_Group
2225              This should only be populated for ports with type set  to  chas‐
2226              sisredirect.  This  column  defines  the HA chassis group with a
2227              list of HA chassis used as gateways where traffic will be  redi‐
2228              rected through.
2229
2230       up: optional boolean
2231              This  is  set  to  true  whenever all OVS flows required by this
2232              Port_Binding have been installed. This is populated by  ovn-con‐
2233              troller.
2234
2235       tunnel_key: integer, in range 1 to 32,767
2236              A  number  that represents the logical port in the key (e.g. STT
2237              key or Geneve TLV) field carried within tunnel protocol packets.
2238
2239              The tunnel ID must be unique within the scope of a logical data‐
2240              path.
2241
2242       mac: set of strings
2243              This column is a misnomer as it may contain MAC addresses and IP
2244              addresses. It is copied from the addresses column in  the  Logi‐
2245              cal_Switch_Port table in the Northbound database. It follows the
2246              same format as that column.
2247
2248       type: string
2249              A type for this logical port. Logical ports can be used to model
2250              other types of connectivity into an OVN logical switch. The fol‐
2251              lowing types are defined:
2252
2253              (empty string)
2254                     VM (or VIF) interface.
2255
2256              patch  One of a pair of logical ports that act as  if  connected
2257                     by a patch cable. Useful for connecting two logical data‐
2258                     paths, e.g. to connect a  logical  router  to  a  logical
2259                     switch or to another logical router.
2260
2261              l3gateway
2262                     One  of  a pair of logical ports that act as if connected
2263                     by a patch cable across multiple chassis. Useful for con‐
2264                     necting  a logical switch with a Gateway router (which is
2265                     only resident on a particular chassis).
2266
2267              localnet
2268                     A  connection  to  a  locally  accessible  network   from
2269                     ovn-controller instances that have a corresponding bridge
2270                     mapping. A logical  switch  can  have  multiple  localnet
2271                     ports attached. This type is used to model direct connec‐
2272                     tivity to existing networks. In this case,  each  chassis
2273                     should  have  a  mapping for one of the physical networks
2274                     only. Note: nothing said above  implies  that  a  chassis
2275                     cannot  be  plugged to multiple physical networks as long
2276                     as they belong to different switches.
2277
2278              localport
2279                     A connection to a local VIF. Traffic that  arrives  on  a
2280                     localport  is  never  forwarded  over a tunnel to another
2281                     chassis. These ports are present  on  every  chassis  and
2282                     have  the  same  address  in all of them. This is used to
2283                     model connectivity to local services that  run  on  every
2284                     hypervisor.
2285
2286              l2gateway
2287                     An  L2 connection to a physical network. The chassis this
2288                     Port_Binding is bound to will serve as an L2  gateway  to
2289                     the network named by options:network_name.
2290
2291              vtep   A  port to a logical switch on a VTEP gateway chassis. In
2292                     order to get this port correctly recognized  by  the  OVN
2293                     controller,   the  options:vtep-physical-switch  and  op‐
2294                     tions:vtep-logical-switch must also be defined.
2295
2296              chassisredirect
2297                     A logical port that  represents  a  particular  instance,
2298                     bound  to a specific chassis, of an otherwise distributed
2299                     parent port (e.g. of type patch). A chassisredirect  port
2300                     should  never be used as an inport. When an ingress pipe‐
2301                     line sets the outport, it may set the value to a  logical
2302                     port  of type chassisredirect. This will cause the packet
2303                     to be directed to a specific chassis  to  carry  out  the
2304                     egress pipeline. At the beginning of the egress pipeline,
2305                     the outport will be reset to the value of the distributed
2306                     port.
2307
2308              virtual
2309                     Represents  a  logical port with an virtual ip. This vir‐
2310                     tual ip can be configured on a  logical  port  (which  is
2311                     refered as virtual parent).
2312
2313     Patch Options:
2314
2315       These options apply to logical ports with type of patch.
2316
2317       options : peer: optional string
2318              The  logical_port  in the Port_Binding record for the other side
2319              of the patch. The named logical_port  must  specify  this  logi‐
2320              cal_port  in its own peer option. That is, the two patch logical
2321              ports must have reversed logical_port and peer values.
2322
2323       nat_addresses: set of strings
2324              MAC address followed by a list of SNAT and DNAT external IP  ad‐
2325              dresses,  followed  by is_chassis_resident("lport"), where lport
2326              is the name of a logical port on the same chassis where the cor‐
2327              responding  NAT  rules  are applied. This is used to send gratu‐
2328              itous ARPs for SNAT and DNAT external IP addresses via localnet,
2329              from the chassis where lport resides. Example: 80:fa:5b:06:72:b7
2330              158.36.44.22  158.36.44.24   is_chassis_resident("foo1").   This
2331              would  result  in generation of gratuitous ARPs for IP addresses
2332              158.36.44.22  and   158.36.44.24   with   a   MAC   address   of
2333              80:fa:5b:06:72:b7 from the chassis where the logical port "foo1"
2334              resides.
2335
2336     L3 Gateway Options:
2337
2338       These options apply to logical ports with type of l3gateway.
2339
2340       options : peer: optional string
2341              The logical_port in the Port_Binding record for the  other  side
2342              of  the  ’l3gateway’  port.  The named logical_port must specify
2343              this logical_port in its own  peer  option.  That  is,  the  two
2344              ’l3gateway’  logical  ports  must have reversed logical_port and
2345              peer values.
2346
2347       options : l3gateway-chassis: optional string
2348              The chassis in which the port resides.
2349
2350       nat_addresses: set of strings
2351              MAC address of the l3gateway port followed by a list of SNAT and
2352              DNAT external IP addresses. This is used to send gratuitous ARPs
2353              for SNAT and DNAT external IP addresses via  localnet.  Example:
2354              80:fa:5b:06:72:b7  158.36.44.22  158.36.44.24. This would result
2355              in generation of gratuitous ARPs for IP  addresses  158.36.44.22
2356              and  158.36.44.24  with a MAC address of 80:fa:5b:06:72:b7. This
2357              is used in OVS version 2.8 and later versions.
2358
2359     Localnet Options:
2360
2361       These options apply to logical ports with type of localnet.
2362
2363       options : network_name: optional string
2364              Required.   ovn-controller   uses   the   configuration    entry
2365              ovn-bridge-mappings to determine how to connect to this network.
2366              ovn-bridge-mappings is a list of network names mapped to a local
2367              OVS  bridge  that provides access to that network. An example of
2368              configuring ovn-bridge-mappings would be: .IP
2369              $ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1
2370
2371              When a logical switch has a localnet port attached, every  chas‐
2372              sis  that  may  have a local vif attached to that logical switch
2373              must have a bridge mapping configured to  reach  that  localnet.
2374              Traffic  that arrives on a localnet port is never forwarded over
2375              a tunnel to another chassis.  If  there  are  multiple  localnet
2376              ports  in a logical switch, each chassis should only have a sin‐
2377              gle bridge mapping for one of the physical  networks.  Note:  In
2378              case  of  multiple  localnet ports, to provide interconnectivity
2379              between all VIFs located on  different  chassis  with  different
2380              fabric  connectivity,  the  fabric should implement some form of
2381              routing between the segments.
2382
2383       tag: optional integer, in range 1 to 4,095
2384              If set, indicates that the port represents  a  connection  to  a
2385              specific  VLAN  on  a locally accessible network. The VLAN ID is
2386              used to match incoming traffic and is  also  added  to  outgoing
2387              traffic.
2388
2389     L2 Gateway Options:
2390
2391       These options apply to logical ports with type of l2gateway.
2392
2393       options : network_name: optional string
2394              Required.    ovn-controller   uses   the   configuration   entry
2395              ovn-bridge-mappings to determine how to connect to this network.
2396              ovn-bridge-mappings is a list of network names mapped to a local
2397              OVS bridge that provides access to that network. An  example  of
2398              configuring ovn-bridge-mappings would be: .IP
2399              $ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1
2400
2401              When a logical switch has a l2gateway port attached, the chassis
2402              that the l2gateway port is bound to must have a  bridge  mapping
2403              configured to reach the network identified by network_name.
2404
2405       options : l2gateway-chassis: optional string
2406              Required. The chassis in which the port resides.
2407
2408       tag: optional integer, in range 1 to 4,095
2409              If  set,  indicates  that the gateway is connected to a specific
2410              VLAN on the physical network. The VLAN ID is used to  match  in‐
2411              coming traffic and is also added to outgoing traffic.
2412
2413     VTEP Options:
2414
2415       These options apply to logical ports with type of vtep.
2416
2417       options : vtep-physical-switch: optional string
2418              Required. The name of the VTEP gateway.
2419
2420       options : vtep-logical-switch: optional string
2421              Required.  A  logical switch name connected by the VTEP gateway.
2422              Must be set when type is vtep.
2423
2424     VMI (or VIF) Options:
2425
2426       These options apply to logical ports with type having (empty string)
2427
2428       options : requested-chassis: optional string
2429              If set, identifies a specific chassis (by name or hostname) that
2430              is  allowed  to  bind  this port. Using this option will prevent
2431              thrashing between two chassis trying to bind the same port  dur‐
2432              ing  a live migration. It can also prevent similar thrashing due
2433              to a mis-configuration, if a port  is  accidentally  created  on
2434              more than one chassis.
2435
2436       options : iface-id-ver: optional string
2437              If  set,  this port will be bound by ovn-controller only if this
2438              same key and value is configured in the external_ids  column  in
2439              the Open_vSwitch database’s Interface table.
2440
2441       options : qos_max_rate: optional string
2442              If  set,  indicates the maximum rate for data sent from this in‐
2443              terface, in bit/s. The traffic will be shaped according to  this
2444              limit.
2445
2446       options : qos_burst: optional string
2447              If set, indicates the maximum burst size for data sent from this
2448              interface, in bits.
2449
2450       options : qdisc_queue_id: optional string, containing  an  integer,  in
2451       range 1 to 61,440
2452              Indicates  the queue number on the physical device. This is same
2453              as the queue_id used in OpenFlow in struct ofp_action_enqueue.
2454
2455     Distributed Gateway Port Options:
2456
2457       These options apply to the distributed parent ports  of  logical  ports
2458       with type of chasssisredirect.
2459
2460       options : chassis-redirect-port: optional string
2461              The  name of the chassis redirect port derived from this port if
2462              this port is a distributed parent of a chassis redirect port.
2463
2464     Chassis Redirect Options:
2465
2466       These options apply to logical ports with type of chassisredirect.
2467
2468       options : distributed-port: optional string
2469              The name of the distributed port for which this  chassisredirect
2470              port represents a particular instance.
2471
2472       options : redirect-type: optional string
2473              The  value  is  copied from the column options in the OVN_North‐
2474              bound database’s Logical_Router_Port table for  the  distributed
2475              parent of this port.
2476
2477       options : always-redirect: optional string
2478              A  boolean  option that is set to true if the distributed parent
2479              of this chassis redirect port does not need distributed process‐
2480              ing.
2481
2482     Nested Containers:
2483
2484       These columns support containers nested within a VM. Specifically, they
2485       are used when type is empty and logical_port identifies  the  interface
2486       of  a  container  spawned inside a VM. They are empty for containers or
2487       VMs that run directly on a hypervisor.
2488
2489       parent_port: optional string
2490              This is taken from parent_name in the OVN_Northbound  database’s
2491              Logical_Switch_Port table.
2492
2493       tag: optional integer, in range 1 to 4,095
2494              Identifies  the  VLAN tag in the network traffic associated with
2495              that container’s network interface.
2496
2497              This column is used for a different purpose when type is  local‐
2498              net  (see  Localnet Options, above) or l2gateway (see L2 Gateway
2499              Options, above).
2500
2501     Virtual ports:
2502
2503       virtual_parent: optional string
2504              This column is set by ovn-controller with one of the value  from
2505              the  options:virtual-parents  in  the  OVN_Northbound database’s
2506              Logical_Switch_Port table when the OVN action bind_vport is exe‐
2507              cuted.  ovn-controller also sets the chassis column when it exe‐
2508              cutes this action with its chassis id.
2509
2510              ovn-controller sets this column only if the type is "virtual".
2511
2512     Naming:
2513
2514       external_ids : name: optional string
2515              For a logical switch port, ovn-northd copies  this  from  exter‐
2516              nal_ids:neutron:port_name  in  the  Logical_Switch_Port table in
2517              the OVN_Northbound database, if it is a nonempty string.
2518
2519              For a logical switch port, ovn-northd  does  not  currently  set
2520              this key.
2521
2522     Common Columns:
2523
2524       external_ids: map of string-string pairs
2525              See External IDs at the beginning of this document.
2526
2527              The  ovn-northd  program  populates this column with all entries
2528              into the external_ids column of the Logical_Switch_Port table of
2529              the OVN_Northbound database.
2530

MAC_Binding TABLE

2532       Each  row  in  this  table specifies a binding from an IP address to an
2533       Ethernet address that has been discovered through  ARP  (for  IPv4)  or
2534       neighbor discovery (for IPv6). This table is primarily used to discover
2535       bindings on physical networks, because IP-to-MAC bindings  for  virtual
2536       machines are usually populated statically into the Port_Binding table.
2537
2538       This  table  expresses  a  functional  relationship:  MAC_Binding(logi‐
2539       cal_port, ip) = mac.
2540
2541       In outline, the lifetime of a logical router’s MAC binding  looks  like
2542       this:
2543
2544              1.  On  hypervisor  1, a logical router determines that a packet
2545                  should be forwarded to IP address A on  one  of  its  router
2546                  ports.  It  uses  its logical flow table to determine that A
2547                  lacks a static IP-to-MAC binding and the get_arp  action  to
2548                  determine that it lacks a dynamic IP-to-MAC binding.
2549
2550              2.  Using  an  OVN logical arp action, the logical router gener‐
2551                  ates and sends a broadcast ARP request to the  router  port.
2552                  It drops the IP packet.
2553
2554              3.  The  logical switch attached to the router port delivers the
2555                  ARP request to all of its ports. (It might make sense to de‐
2556                  liver  it  only to ports that have no static IP-to-MAC bind‐
2557                  ings, but this could also be surprising behavior.)
2558
2559              4.  A host or VM on hypervisor 2 (which might be the same as hy‐
2560                  pervisor  1)  attached to the logical switch owns the IP ad‐
2561                  dress in question. It composes an ARP reply and unicasts  it
2562                  to the logical router port’s Ethernet address.
2563
2564              5.  The  logical  switch  delivers  the ARP reply to the logical
2565                  router port.
2566
2567              6.  The logical router flow table executes a put_arp action.  To
2568                  record  the  IP-to-MAC binding, ovn-controller adds a row to
2569                  the MAC_Binding table.
2570
2571              7.  On  hypervisor  1,  ovn-controller  receives   the   updated
2572                  MAC_Binding table from the OVN southbound database. The next
2573                  packet destined to A through the logical router is sent  di‐
2574                  rectly to the bound Ethernet address.
2575
2576   Summary:
2577       logical_port                  string
2578       ip                            string
2579       mac                           string
2580       datapath                      Datapath_Binding
2581
2582   Details:
2583       logical_port: string
2584              The logical port on which the binding was discovered.
2585
2586       ip: string
2587              The bound IP address.
2588
2589       mac: string
2590              The Ethernet address to which the IP is bound.
2591
2592       datapath: Datapath_Binding
2593              The logical datapath to which the logical port belongs.
2594

DHCP_Options TABLE

2596       Each  row in this table stores the DHCP Options supported by native OVN
2597       DHCP. ovn-northd populates this table with the supported DHCP  options.
2598       ovn-controller  looks  up  this table to get the DHCP codes of the DHCP
2599       options defined in the "put_dhcp_opts" action. Please refer to the  RFC
2600       2132  "https://tools.ietf.org/html/rfc2132"  for  the  possible list of
2601       DHCP options that can be defined here.
2602
2603   Summary:
2604       name                          string
2605       code                          integer, in range 0 to 254
2606       type                          string, one of  bool,  domains,  host_id,
2607                                     ipv4, static_routes, str, uint16, uint32,
2608                                     or uint8
2609
2610   Details:
2611       name: string
2612              Name of the DHCP option.
2613
2614              Example. name="router"
2615
2616       code: integer, in range 0 to 254
2617              DHCP option code for the DHCP option as defined in the RFC 2132.
2618
2619              Example. code=3
2620
2621       type: string, one of bool, domains, host_id, ipv4, static_routes,  str,
2622       uint16, uint32, or uint8
2623              Data type of the DHCP option code.
2624
2625              value: bool
2626                     This  indicates  that  the  value of the DHCP option is a
2627                     bool.
2628
2629                     Example.       "name=ip_forward_enable",       "code=19",
2630                     "type=bool".
2631
2632                     put_dhcp_opts(..., ip_forward_enable = 1,...)
2633
2634              value: uint8
2635                     This  indicates  that  the value of the DHCP option is an
2636                     unsigned int8 (8 bits)
2637
2638                     Example. "name=default_ttl", "code=23", "type=uint8".
2639
2640                     put_dhcp_opts(..., default_ttl = 50,...)
2641
2642              value: uint16
2643                     This indicates that the value of the DHCP  option  is  an
2644                     unsigned int16 (16 bits).
2645
2646                     Example. "name=mtu", "code=26", "type=uint16".
2647
2648                     put_dhcp_opts(..., mtu = 1450,...)
2649
2650              value: uint32
2651                     This  indicates  that  the value of the DHCP option is an
2652                     unsigned int32 (32 bits).
2653
2654                     Example. "name=lease_time", "code=51", "type=uint32".
2655
2656                     put_dhcp_opts(..., lease_time = 86400,...)
2657
2658              value: ipv4
2659                     This indicates that the value of the DHCP  option  is  an
2660                     IPv4 address or addresses.
2661
2662                     Example. "name=router", "code=3", "type=ipv4".
2663
2664                     put_dhcp_opts(..., router = 10.0.0.1,...)
2665
2666                     Example. "name=dns_server", "code=6", "type=ipv4".
2667
2668                     put_dhcp_opts(..., dns_server = {8.8.8.8 7.7.7.7},...)
2669
2670              value: static_routes
2671                     This indicates that the value of the DHCP option contains
2672                     a pair of IPv4 route and next hop addresses.
2673
2674                     Example.    "name=classless_static_route",    "code=121",
2675                     "type=static_routes".
2676
2677                     put_dhcp_opts(...,        classless_static_route        =
2678                     {30.0.0.0/24,10.0.0.4,0.0.0.0/0,10.0.0.1}...)
2679
2680              value: str
2681                     This indicates that the value of the  DHCP  option  is  a
2682                     string.
2683
2684                     Example. "name=host_name", "code=12", "type=str".
2685
2686              value: host_id
2687                     This  indicates  that  the  value of the DHCP option is a
2688                     host_id. It can either be a host_name or an IP address.
2689
2690                     Example. "name=tftp_server", "code=66", "type=host_id".
2691
2692              value: domains
2693                     This indicates that the value of the DHCP option is a do‐
2694                     main name or a comma separated list of domain names.
2695
2696                     Example. "name=domain_search_list", "code=119", "type=do‐
2697                     mains".
2698

DHCPv6_Options TABLE

2700       Each row in this table stores the DHCPv6 Options  supported  by  native
2701       OVN  DHCPv6.  ovn-northd populates this table with the supported DHCPv6
2702       options. ovn-controller looks up this table to get the DHCPv6 codes  of
2703       the  DHCPv6 options defined in the put_dhcpv6_opts action. Please refer
2704       to RFC 3315 and RFC 3646 for the list of DHCPv6 options that can be de‐
2705       fined here.
2706
2707   Summary:
2708       name                          string
2709       code                          integer, in range 0 to 254
2710       type                          string, one of ipv6, mac, or str
2711
2712   Details:
2713       name: string
2714              Name of the DHCPv6 option.
2715
2716              Example. name="ia_addr"
2717
2718       code: integer, in range 0 to 254
2719              DHCPv6  option  code for the DHCPv6 option as defined in the ap‐
2720              propriate RFC.
2721
2722              Example. code=3
2723
2724       type: string, one of ipv6, mac, or str
2725              Data type of the DHCPv6 option code.
2726
2727              value: ipv6
2728                     This indicates that the value of the DHCPv6 option is  an
2729                     IPv6 address(es).
2730
2731                     Example. "name=ia_addr", "code=5", "type=ipv6".
2732
2733                     put_dhcpv6_opts(..., ia_addr = ae70::4,...)
2734
2735              value: str
2736                     This  indicates  that the value of the DHCPv6 option is a
2737                     string.
2738
2739                     Example. "name=domain_search", "code=24", "type=str".
2740
2741                     put_dhcpv6_opts(..., domain_search = ovn.domain,...)
2742
2743              value: mac
2744                     This indicates that the value of the DHCPv6 option  is  a
2745                     MAC address.
2746
2747                     Example. "name=server_id", "code=2", "type=mac".
2748
2749                     put_dhcpv6_opts(..., server_id = 01:02:03:04L05:06,...)
2750

Connection TABLE

2752       Configuration  for  a  database  connection to an Open vSwitch database
2753       (OVSDB) client.
2754
2755       This table  primarily  configures  the  Open  vSwitch  database  server
2756       (ovsdb-server).
2757
2758       The  Open vSwitch database server can initiate and maintain active con‐
2759       nections to remote clients. It can also  listen  for  database  connec‐
2760       tions.
2761
2762   Summary:
2763       Core Features:
2764         target                      string (must be unique within table)
2765         read_only                   boolean
2766         role                        string
2767       Client Failure Detection and Handling:
2768         max_backoff                 optional integer, at least 1,000
2769         inactivity_probe            optional integer
2770       Status:
2771         is_connected                boolean
2772         status : last_error         optional string
2773         status : state              optional  string, one of ACTIVE, BACKOFF,
2774                                     CONNECTING, IDLE, or VOID
2775         status : sec_since_connect  optional string, containing  an  integer,
2776                                     at least 0
2777         status : sec_since_disconnect
2778                                     optional  string,  containing an integer,
2779                                     at least 0
2780         status : locks_held         optional string
2781         status : locks_waiting      optional string
2782         status : locks_lost         optional string
2783         status : n_connections      optional string, containing  an  integer,
2784                                     at least 2
2785         status : bound_port         optional string, containing an integer
2786       Common Columns:
2787         external_ids                map of string-string pairs
2788         other_config                map of string-string pairs
2789
2790   Details:
2791     Core Features:
2792
2793       target: string (must be unique within table)
2794              Connection methods for clients.
2795
2796              The following connection methods are currently supported:
2797
2798              ssl:host[:port]
2799                     The  specified  SSL port on the given host, which can ei‐
2800                     ther be a DNS name (if built with unbound library) or  an
2801                     IP  address.  A  valid SSL configuration must be provided
2802                     when this form is used, this configuration can be  speci‐
2803                     fied via command-line options or the SSL table.
2804
2805                     If port is not specified, it defaults to 6640.
2806
2807                     SSL  support  is  an  optional feature that is not always
2808                     built as part of Open vSwitch.
2809
2810              tcp:host[:port]
2811                     The specified TCP port on the given host, which  can  ei‐
2812                     ther  be a DNS name (if built with unbound library) or an
2813                     IP address (IPv4 or IPv6). If host is  an  IPv6  address,
2814                     wrap it in square brackets, e.g. tcp:[::1]:6640.
2815
2816                     If port is not specified, it defaults to 6640.
2817
2818              pssl:[port][:host]
2819                     Listens  for  SSL  connections on the specified TCP port.
2820                     Specify 0 for  port  to  have  the  kernel  automatically
2821                     choose  an available port. If host, which can either be a
2822                     DNS name (if built with unbound library)  or  an  IP  ad‐
2823                     dress,  is  specified, then connections are restricted to
2824                     the resolved or specified local IP address  (either  IPv4
2825                     or  IPv6  address).  If  host is an IPv6 address, wrap in
2826                     square brackets, e.g. pssl:6640:[::1].  If  host  is  not
2827                     specified then it listens only on IPv4 (but not IPv6) ad‐
2828                     dresses. A valid SSL configuration must be provided  when
2829                     this  form is used, this can be specified either via com‐
2830                     mand-line options or the SSL table.
2831
2832                     If port is not specified, it defaults to 6640.
2833
2834                     SSL support is an optional feature  that  is  not  always
2835                     built as part of Open vSwitch.
2836
2837              ptcp:[port][:host]
2838                     Listens  for connections on the specified TCP port. Spec‐
2839                     ify 0 for port to have the kernel automatically choose an
2840                     available  port.  If host, which can either be a DNS name
2841                     (if built with unbound library)  or  an  IP  address,  is
2842                     specified,  then  connections  are  restricted to the re‐
2843                     solved or specified local IP address (either IPv4 or IPv6
2844                     address).  If  host is an IPv6 address, wrap it in square
2845                     brackets, e.g. ptcp:6640:[::1]. If host is not  specified
2846                     then it listens only on IPv4 addresses.
2847
2848                     If port is not specified, it defaults to 6640.
2849
2850              When  multiple clients are configured, the target values must be
2851              unique. Duplicate target values yield unspecified results.
2852
2853       read_only: boolean
2854              true to restrict these connections  to  read-only  transactions,
2855              false to allow them to modify the database.
2856
2857       role: string
2858              String containing role name for this connection entry.
2859
2860     Client Failure Detection and Handling:
2861
2862       max_backoff: optional integer, at least 1,000
2863              Maximum  number  of  milliseconds to wait between connection at‐
2864              tempts. Default is implementation-specific.
2865
2866       inactivity_probe: optional integer
2867              Maximum number of milliseconds of idle time on connection to the
2868              client  before  sending  an  inactivity  probe  message. If Open
2869              vSwitch does not communicate with the client for  the  specified
2870              number  of  seconds,  it will send a probe. If a response is not
2871              received for the same additional amount of  time,  Open  vSwitch
2872              assumes  the  connection  has been broken and attempts to recon‐
2873              nect. Default is implementation-specific. A value of 0  disables
2874              inactivity probes.
2875
2876     Status:
2877
2878       Key-value pair of is_connected is always updated. Other key-value pairs
2879       in the status columns may be updated depends on the target type.
2880
2881       When target specifies a connection method that listens for inbound con‐
2882       nections  (e.g.  ptcp:  or punix:), both n_connections and is_connected
2883       may also be updated while the remaining key-value pairs are omitted.
2884
2885       On the other hand, when target specifies an  outbound  connection,  all
2886       key-value  pairs  may  be  updated, except the above-mentioned two key-
2887       value pairs associated with inbound connection targets. They are  omit‐
2888       ted.
2889
2890       is_connected: boolean
2891              true if currently connected to this client, false otherwise.
2892
2893       status : last_error: optional string
2894              A human-readable description of the last error on the connection
2895              to the manager; i.e. strerror(errno). This key will  exist  only
2896              if an error has occurred.
2897
2898       status  :  state:  optional string, one of ACTIVE, BACKOFF, CONNECTING,
2899       IDLE, or VOID
2900              The state of the connection to the manager:
2901
2902              VOID   Connection is disabled.
2903
2904              BACKOFF
2905                     Attempting to reconnect at an increasing period.
2906
2907              CONNECTING
2908                     Attempting to connect.
2909
2910              ACTIVE Connected, remote host responsive.
2911
2912              IDLE   Connection is idle. Waiting for response to keep-alive.
2913
2914              These values may change in the future. They  are  provided  only
2915              for human consumption.
2916
2917       status  : sec_since_connect: optional string, containing an integer, at
2918       least 0
2919              The amount of time since this client last successfully connected
2920              to the database (in seconds). Value is empty if client has never
2921              successfully been connected.
2922
2923       status : sec_since_disconnect: optional string, containing an  integer,
2924       at least 0
2925              The  amount of time since this client last disconnected from the
2926              database (in seconds). Value is empty if client has  never  dis‐
2927              connected.
2928
2929       status : locks_held: optional string
2930              Space-separated  list  of the names of OVSDB locks that the con‐
2931              nection holds. Omitted if  the  connection  does  not  hold  any
2932              locks.
2933
2934       status : locks_waiting: optional string
2935              Space-separated  list  of the names of OVSDB locks that the con‐
2936              nection is currently waiting to acquire. Omitted if the  connec‐
2937              tion is not waiting for any locks.
2938
2939       status : locks_lost: optional string
2940              Space-separated  list  of the names of OVSDB locks that the con‐
2941              nection has had stolen by another OVSDB client.  Omitted  if  no
2942              locks have been stolen from this connection.
2943
2944       status  :  n_connections:  optional  string,  containing an integer, at
2945       least 2
2946              When target specifies a connection method that listens  for  in‐
2947              bound  connections  (e.g. ptcp: or pssl:) and more than one con‐
2948              nection is actually active, the value is the  number  of  active
2949              connections. Otherwise, this key-value pair is omitted.
2950
2951       status : bound_port: optional string, containing an integer
2952              When target is ptcp: or pssl:, this is the TCP port on which the
2953              OVSDB server is listening. (This  is  particularly  useful  when
2954              target  specifies a port of 0, allowing the kernel to choose any
2955              available port.)
2956
2957     Common Columns:
2958
2959       The overall purpose of these columns is described under Common  Columns
2960       at the beginning of this document.
2961
2962       external_ids: map of string-string pairs
2963
2964       other_config: map of string-string pairs
2965

SSL TABLE

2967       SSL configuration for ovn-sb database access.
2968
2969   Summary:
2970       private_key                   string
2971       certificate                   string
2972       ca_cert                       string
2973       bootstrap_ca_cert             boolean
2974       ssl_protocols                 string
2975       ssl_ciphers                   string
2976       Common Columns:
2977         external_ids                map of string-string pairs
2978
2979   Details:
2980       private_key: string
2981              Name  of  a  PEM  file  containing  the  private key used as the
2982              switch’s identity for SSL connections to the controller.
2983
2984       certificate: string
2985              Name of a PEM file containing a certificate, signed by the  cer‐
2986              tificate authority (CA) used by the controller and manager, that
2987              certifies the switch’s private key,  identifying  a  trustworthy
2988              switch.
2989
2990       ca_cert: string
2991              Name  of a PEM file containing the CA certificate used to verify
2992              that the switch is connected to a trustworthy controller.
2993
2994       bootstrap_ca_cert: boolean
2995              If set to true, then Open vSwitch will attempt to obtain the  CA
2996              certificate  from the controller on its first SSL connection and
2997              save it to the named PEM file. If it is successful, it will  im‐
2998              mediately  drop  the  connection and reconnect, and from then on
2999              all SSL connections  must  be  authenticated  by  a  certificate
3000              signed  by the CA certificate thus obtained. This option exposes
3001              the SSL connection to a man-in-the-middle attack  obtaining  the
3002              initial  CA  certificate.  It may still be useful for bootstrap‐
3003              ping.
3004
3005       ssl_protocols: string
3006              List of SSL protocols to be enabled for SSL connections. The de‐
3007              fault when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.
3008
3009       ssl_ciphers: string
3010              List  of  ciphers  (in  OpenSSL cipher string format) to be sup‐
3011              ported for SSL connections. The  default  when  this  option  is
3012              omitted is HIGH:!aNULL:!MD5.
3013
3014     Common Columns:
3015
3016       The  overall purpose of these columns is described under Common Columns
3017       at the beginning of this document.
3018
3019       external_ids: map of string-string pairs
3020

DNS TABLE

3022       Each row  in  this  table  stores  the  DNS  records.  The  OVN  action
3023       dns_lookup uses this table for DNS resolution.
3024
3025   Summary:
3026       records                       map of string-string pairs
3027       datapaths                     set of 1 or more Datapath_Bindings
3028       Common Columns:
3029         external_ids                map of string-string pairs
3030
3031   Details:
3032       records: map of string-string pairs
3033              Key-value pair of DNS records with DNS query name as the key and
3034              a string of IP address(es) separated by comma or  space  as  the
3035              value.  ovn-northd stores the DNS query name in all lowercase in
3036              order to facilitate case-insensitive lookups.
3037
3038              Example:  "vm1.ovn.org" = "10.0.0.4 aef0::4"
3039
3040       datapaths: set of 1 or more Datapath_Bindings
3041              The DNS records defined in the column records  will  be  applied
3042              only  to  the DNS queries originating from the datapaths defined
3043              in this column.
3044
3045     Common Columns:
3046
3047       external_ids: map of string-string pairs
3048              See External IDs at the beginning of this document.
3049

RBAC_Role TABLE

3051       Role table for role-based access controls.
3052
3053   Summary:
3054       name                          string
3055       permissions                   map of string-weak reference to RBAC_Per‐
3056                                     mission pairs
3057
3058   Details:
3059       name: string
3060              The  role  name, corresponding to the role column in the Connec‐
3061              tion table.
3062
3063       permissions: map of string-weak reference to RBAC_Permission pairs
3064              A mapping of table names to rows in the RBAC_Permission table.
3065

RBAC_Permission TABLE

3067       Permissions table for role-based access controls.
3068
3069   Summary:
3070       table                         string
3071       authorization                 set of strings
3072       insert_delete                 boolean
3073       update                        set of strings
3074
3075   Details:
3076       table: string
3077              Name of table to which this row applies.
3078
3079       authorization: set of strings
3080              Set of strings identifying columns and column:key  pairs  to  be
3081              compared with client ID. At least one match is required in order
3082              to be authorized. A zero-length string is treated as  a  special
3083              value indicating all clients should be considered authorized.
3084
3085       insert_delete: boolean
3086              When  "true",  row  insertions  and authorized row deletions are
3087              permitted.
3088
3089       update: set of strings
3090              Set of strings identifying columns and column:key pairs that au‐
3091              thorized clients are allowed to modify.
3092

Gateway_Chassis TABLE

3094       Association  of Port_Binding rows of type chassisredirect to a Chassis.
3095       The traffic going out through a specific chassisredirect port  will  be
3096       redirected to a chassis, or a set of them in high availability configu‐
3097       rations.
3098
3099   Summary:
3100       name                          string (must be unique within table)
3101       chassis                       optional weak reference to Chassis
3102       priority                      integer, in range 0 to 32,767
3103       options                       map of string-string pairs
3104       Common Columns:
3105         external_ids                map of string-string pairs
3106
3107   Details:
3108       name: string (must be unique within table)
3109              Name of the Gateway_Chassis.
3110
3111              A   suggested,   but   not   required   naming   convention   is
3112              ${port_name}_${chassis_name}.
3113
3114       chassis: optional weak reference to Chassis
3115              The Chassis to which we send the traffic.
3116
3117       priority: integer, in range 0 to 32,767
3118              This  is  the  priority  the  specific  Chassis  among all Gate‐
3119              way_Chassis belonging to the same Port_Binding.
3120
3121       options: map of string-string pairs
3122              Reserved for future use.
3123
3124     Common Columns:
3125
3126       The overall purpose of these columns is described under Common  Columns
3127       at the beginning of this document.
3128
3129       external_ids: map of string-string pairs
3130

HA_Chassis TABLE

3132   Summary:
3133       chassis                       optional weak reference to Chassis
3134       priority                      integer, in range 0 to 32,767
3135       Common Columns:
3136         external_ids                map of string-string pairs
3137
3138   Details:
3139       chassis: optional weak reference to Chassis
3140              The Chassis which provides the HA functionality.
3141
3142       priority: integer, in range 0 to 32,767
3143              Priority  of  the HA chassis. Chassis with highest priority will
3144              be the master in the HA chassis group.
3145
3146     Common Columns:
3147
3148       external_ids: map of string-string pairs
3149              See External IDs at the beginning of this document.
3150

HA_Chassis_Group TABLE

3152       Table representing a group of chassis which can provide High availabil‐
3153       ity  services.  Each  chassis  in the group is represented by the table
3154       HA_Chassis. The HA chassis with highest priority will be the master  of
3155       this  group. If the master chassis failover is detected, the HA chassis
3156       with the next higher priority takes over the responsibility of  provid‐
3157       ing the HA. If ha_chassis_group column of the table Port_Binding refer‐
3158       ences this table, then this HA chassis group provides the gateway func‐
3159       tionality  and  redirects  the  gateway  traffic  to the master of this
3160       group.
3161
3162   Summary:
3163       name                          string (must be unique within table)
3164       ha_chassis                    set of HA_Chassises
3165       ref_chassis                   set of weak reference to Chassis
3166       Common Columns:
3167         external_ids                map of string-string pairs
3168
3169   Details:
3170       name: string (must be unique within table)
3171              Name of the HA_Chassis_Group. Name should be unique.
3172
3173       ha_chassis: set of HA_Chassises
3174              A list of HA_Chassis which belongs to this group.
3175
3176       ref_chassis: set of weak reference to Chassis
3177              The set of Chassis that reference this HA chassis group. To  de‐
3178              termine  the  correct  Chassis,  find  the  chassisredirect type
3179              Port_Binding  that  references   this   HA_Chassis_Group.   This
3180              Port_Binding  is  derived  from  some particular logical router.
3181              Starting from that LR, find the set of all logical switches  and
3182              routers  connected  to it, directly or indirectly, across router
3183              ports that link one LRP to another or to a LSP. For each LSP  in
3184              these  logical switches, find the corresponding Port_Binding and
3185              add its bound Chassis (if any) to ref_chassis.
3186
3187     Common Columns:
3188
3189       external_ids: map of string-string pairs
3190              See External IDs at the beginning of this document.
3191

Controller_Event TABLE

3193       Database table used by ovn-controller to  report  CMS  related  events.
3194       Please note there is no guarantee a given event is written exactly once
3195       in the db. It is CMS responsibility to squash duplicated  lines  or  to
3196       filter out duplicated events
3197
3198   Summary:
3199       event_type                    string, must be empty_lb_backends
3200       event_info                    map of string-string pairs
3201       chassis                       optional weak reference to Chassis
3202       seq_num                       integer
3203
3204   Details:
3205       event_type: string, must be empty_lb_backends
3206              Event type occurred
3207
3208       event_info: map of string-string pairs
3209              Key-value  pairs used to specify event info to the CMS. Possible
3210              values are:
3211
3212vip: VIP reported for the empty_lb_backends event
3213
3214protocol:   Transport   protocol   reported    for    the
3215                     empty_lb_backends event
3216
3217load_balancer: UUID of the load balancer reported for the
3218                     empty_lb_backends event
3219
3220       chassis: optional weak reference to Chassis
3221              This column is a Chassis record to identify the chassis that has
3222              managed a given event.
3223
3224       seq_num: integer
3225              Event  sequence  number. Global counter for controller generated
3226              events. It can be used by the CMS to detect possible duplication
3227              of the same event.
3228

IP_Multicast TABLE

3230       IP Multicast configuration options. For now only applicable to IGMP.
3231
3232   Summary:
3233       datapath                      weak  reference to Datapath_Binding (must
3234                                     be unique within table)
3235       enabled                       optional boolean
3236       querier                       optional boolean
3237       table_size                    optional integer
3238       idle_timeout                  optional integer
3239       query_interval                optional integer
3240       seq_no                        integer
3241       Querier configuration options:
3242         eth_src                     string
3243         ip4_src                     string
3244         ip6_src                     string
3245         query_max_resp              optional integer
3246
3247   Details:
3248       datapath: weak reference to Datapath_Binding (must be unique within ta‐
3249       ble)
3250              Datapath_Binding entry for which these configuration options are
3251              defined.
3252
3253       enabled: optional boolean
3254              Enables/disables multicast snooping. Default: disabled.
3255
3256       querier: optional boolean
3257              Enables/disables multicast querying. If enabled  then  multicast
3258              querying is enabled by default.
3259
3260       table_size: optional integer
3261              Limits  the  number of multicast groups that can be learned. De‐
3262              fault: 2048 groups per datapath.
3263
3264       idle_timeout: optional integer
3265              Configures the idle timeout (in seconds) for IP multicast groups
3266              if multicast snooping is enabled. Default: 300 seconds.
3267
3268       query_interval: optional integer
3269              Configures  the  interval  (in  seconds)  for  sending multicast
3270              queries if snooping and querier are enabled. Default: idle_time‐
3271              out/2 seconds.
3272
3273       seq_no: integer
3274              ovn-controller  reads  this value and flushes all learned multi‐
3275              cast groups when it detects that seq_no was changed.
3276
3277     Querier configuration options:
3278
3279       The ovn-controller process that runs on OVN hypervisor nodes  uses  the
3280       following columns to determine field values in IGMP/MLD queries that it
3281       originates:
3282
3283       eth_src: string
3284              Source Ethernet address.
3285
3286       ip4_src: string
3287              Source IPv4 address.
3288
3289       ip6_src: string
3290              Source IPv6 address.
3291
3292       query_max_resp: optional integer
3293              Value (in seconds) to be used as "max-response" field in  multi‐
3294              cast queries. Default: 1 second.
3295

IGMP_Group TABLE

3297       Contains learned IGMP groups indexed by address/datapath/chassis.
3298
3299   Summary:
3300       address                       string
3301       datapath                      optional weak reference to Datapath_Bind‐
3302                                     ing
3303       chassis                       optional weak reference to Chassis
3304       ports                         set of weak reference to Port_Bindings
3305
3306   Details:
3307       address: string
3308              Destination IPv4 address for the IGMP group.
3309
3310       datapath: optional weak reference to Datapath_Binding
3311              Datapath to which this IGMP group belongs.
3312
3313       chassis: optional weak reference to Chassis
3314              Chassis to which this IGMP group belongs.
3315
3316       ports: set of weak reference to Port_Bindings
3317              The destination port bindings for this IGMP group.
3318

Service_Monitor TABLE

3320       Each row in this table configures monitoring a service  for  its  live‐
3321       ness. The service can be an IPv4 TCP or UDP service. ovn-controller pe‐
3322       riodically sends out service monitor packets and updates the status  of
3323       the service. Service monitoring for IPv6 services is not supported.
3324
3325       ovn-northd  uses  this  feature  to  implement the load balancer health
3326       check feature offered to the CMS through the northbound database.
3327
3328   Summary:
3329       Configuration:
3330         ip                          string
3331         protocol                    optional string, either tcp or udp
3332         port                        integer, in range 0 to 65,535
3333         logical_port                string
3334         src_mac                     string
3335         src_ip                      string
3336         options : interval          optional string, containing an integer
3337         options : timeout           optional string, containing an integer
3338         options : success_count     optional string, containing an integer
3339         options : failure_count     optional string, containing an integer
3340       Status Reporting:
3341         status                      optional string, one of  error,  offline,
3342                                     or online
3343       Common Columns:
3344         external_ids                map of string-string pairs
3345
3346   Details:
3347     Configuration:
3348
3349       ovn-northd sets these columns and values to configure the service moni‐
3350       tor.
3351
3352       ip: string
3353              IP of the service to be monitored. Only IPv4 is supported.
3354
3355       protocol: optional string, either tcp or udp
3356              The protocol of the service.
3357
3358       port: integer, in range 0 to 65,535
3359              The TCP or UDP port of the service.
3360
3361       logical_port: string
3362              The VIF of the logical port on which the service is running. The
3363              ovn-controller that binds this logical_port monitors the service
3364              by sending periodic monitor packets.
3365
3366       src_mac: string
3367              Source Ethernet address to use in the service monitor packet.
3368
3369       src_ip: string
3370              Source IPv4 address to use in the service monitor packet.
3371
3372       options : interval: optional string, containing an integer
3373              The interval, in seconds, between service monitor checks.
3374
3375       options : timeout: optional string, containing an integer
3376              The time, in seconds, after  which  the  service  monitor  check
3377              times out.
3378
3379       options : success_count: optional string, containing an integer
3380              The  number of successful checks after which the service is con‐
3381              sidered online.
3382
3383       options : failure_count: optional string, containing an integer
3384              The number of failure checks after which the service is  consid‐
3385              ered offline.
3386
3387     Status Reporting:
3388
3389       The  ovn-controller  on the chassis that hosts the logical_port updates
3390       this column to report the service’s status.
3391
3392       status: optional string, one of error, offline, or online
3393              For TCP service, ovn-controller sends a SYN to the  service  and
3394              expects an ACK response to consider the service to be online.
3395
3396              For  UDP  service, ovn-controller sends a UDP packet to the ser‐
3397              vice and doesn’t expect any reply. If it receives an ICMP reply,
3398              then it considers the service to be offline.
3399
3400     Common Columns:
3401
3402       external_ids: map of string-string pairs
3403              See External IDs at the beginning of this document.
3404

Load_Balancer TABLE

3406       Each row represents a load balancer.
3407
3408   Summary:
3409       name                          string
3410       vips                          map of string-string pairs
3411       protocol                      optional string, one of sctp, tcp, or udp
3412       datapaths                     set of Datapath_Bindings
3413       Load_Balancer options:
3414         options : hairpin_snat_ip   optional string
3415         options : hairpin_orig_tuple
3416                                     optional string, either true or false
3417       Common Columns:
3418         external_ids                map of string-string pairs
3419
3420   Details:
3421       name: string
3422              A  name  for the load balancer. This name has no special meaning
3423              or purpose other than to provide convenience for human  interac‐
3424              tion with the ovn-nb database.
3425
3426       vips: map of string-string pairs
3427              A  map of virtual IP addresses (and an optional port number with
3428              : as a separator) associated with this load balancer  and  their
3429              corresponding  endpoint  IP addresses (and optional port numbers
3430              with : as separators) separated by commas.
3431
3432       protocol: optional string, one of sctp, tcp, or udp
3433              Valid protocols are tcp, udp, or sctp.  This  column  is  useful
3434              when  a  port  number is provided as part of the vips column. If
3435              this column is empty and a port number is provided  as  part  of
3436              vips column, OVN assumes the protocol to be tcp.
3437
3438       datapaths: set of Datapath_Bindings
3439              Datapaths to which this load balancer applies to.
3440
3441     Load_Balancer options:
3442
3443       options : hairpin_snat_ip: optional string
3444              IP  to  be  used  as  source IP for packets that have been hair-
3445              pinned after load balancing. This value is  automatically  popu‐
3446              lated by ovn-northd.
3447
3448       options : hairpin_orig_tuple: optional string, either true or false
3449              This value is automatically set to true by ovn-northd when orig‐
3450              inal destination IP and transport  port  of  the  load  balanced
3451              packets are stored in registers reg1, reg2, xxreg1.
3452
3453     Common Columns:
3454
3455       external_ids: map of string-string pairs
3456              See External IDs at the beginning of this document.
3457

BFD TABLE

3459       Contains BFD parameter for ovn-controller bfd configuration.
3460
3461   Summary:
3462       Configuration:
3463         src_port                    integer, in range 49,152 to 65,535
3464         disc                        integer
3465         logical_port                string
3466         dst_ip                      string
3467         min_tx                      integer
3468         min_rx                      integer
3469         detect_mult                 integer
3470         options                     map of string-string pairs
3471         external_ids                map of string-string pairs
3472       Status Reporting:
3473         status                      string, one of admin_down, down, init, or
3474                                     up
3475
3476   Details:
3477     Configuration:
3478
3479       src_port: integer, in range 49,152 to 65,535
3480              udp source port used in bfd control  packets.  The  source  port
3481              MUST be in the range 49152 through 65535 (RFC5881 section 4).
3482
3483       disc: integer
3484              A unique, nonzero discriminator value generated by the transmit‐
3485              ting system, used to demultiplex multiple BFD  sessions  between
3486              the same pair of systems.
3487
3488       logical_port: string
3489              OVN logical port when BFD engine is running.
3490
3491       dst_ip: string
3492              BFD peer IP address.
3493
3494       min_tx: integer
3495              This  is  the  minimum interval, in milliseconds, that the local
3496              system would like to use when transmitting BFD Control  packets,
3497              less any jitter applied. The value zero is reserved.
3498
3499       min_rx: integer
3500              This  is the minimum interval, in milliseconds, between received
3501              BFD Control packets that this system is capable  of  supporting,
3502              less  any  jitter  applied by the sender. If this value is zero,
3503              the transmitting system does not want the remote system to  send
3504              any periodic BFD Control packets.
3505
3506       detect_mult: integer
3507              Detection  time  multiplier.  The  negotiated transmit interval,
3508              multiplied by this value, provides the Detection  Time  for  the
3509              receiving system in Asynchronous mode.
3510
3511       options: map of string-string pairs
3512              Reserved for future use.
3513
3514       external_ids: map of string-string pairs
3515              See External IDs at the beginning of this document.
3516
3517     Status Reporting:
3518
3519       status: string, one of admin_down, down, init, or up
3520              BFD port logical states. Possible values are:
3521
3522admin_down
3523
3524down
3525
3526init
3527
3528up
3529

FDB TABLE

3531       This  table is primarily used to learn the MACs observed on a VIF which
3532       belongs to a Logical_Switch_Port record in  OVN_Northbound  whose  port
3533       security  is  disabled  and  ’unknown’ address set. If port security is
3534       disabled on a Logical_Switch_Port record, OVN should allow traffic with
3535       any  source  mac  from  the  VIF.  This table will be used to deliver a
3536       packet to the VIF, If a packet’s eth.dst is learnt.
3537
3538   Summary:
3539       mac                           string
3540       dp_key                        integer, in range 1 to 16,777,215
3541       port_key                      integer, in range 1 to 16,777,215
3542
3543   Details:
3544       mac: string
3545              The learnt mac address.
3546
3547       dp_key: integer, in range 1 to 16,777,215
3548              The key of the datapath on which this FDB was learnt.
3549
3550       port_key: integer, in range 1 to 16,777,215
3551              The key of the port binding on which this FDB was learnt.
3552
3553
3554
3555Open vSwitch 21.09.0           DB Schema 20.20.0                     ovn-sb(5)
Impressum