ovn-nb(5)                     Open vSwitch Manual                     ovn-nb(5)

NAME
ovn-nb - OVN_Northbound database schema

This database is the interface between OVN and the cloud management
system (CMS), such as OpenStack, running above it. The CMS produces almost
all of the contents of the database. The ovn-northd program monitors
the database contents, transforms it, and stores it into the
OVN_Southbound database.

We generally speak of "the" CMS, but one can imagine scenarios in
which multiple CMSes manage different parts of an OVN deployment.

External IDs
Each of the tables in this database contains a special column, named
external_ids. This column has the same form and purpose each place it
appears.

external_ids: map of string-string pairs
    Key-value pairs for use by the CMS. The CMS might use
    certain pairs, for example, to identify entities in its
    own configuration that correspond to those in this database.

TABLE SUMMARY
The following list summarizes the purpose of each of the tables in the
OVN_Northbound database. Each table is described in more detail on a
later page.

Table                         Purpose
NB_Global                     Northbound configuration
Copp                          Control plane protection
Logical_Switch                L2 logical switch
Logical_Switch_Port           L2 logical switch port
Forwarding_Group              forwarding group
Address_Set                   Address Sets
Port_Group                    Port Groups
Load_Balancer                 load balancer
Load_Balancer_Group           load balancer group
Load_Balancer_Health_Check    load balancer
ACL                           Access Control List (ACL) rule
Logical_Router                L3 logical router
QoS                           QoS rule
Meter                         Meter entry
Meter_Band                    Band for meter entries
Logical_Router_Port           L3 logical router port
Logical_Router_Static_Route   Logical router static routes
Logical_Router_Policy         Logical router policies
NAT                           NAT rules
DHCP_Options                  DHCP options
Connection                    OVSDB client connections.
DNS                           Native DNS resolution
SSL                           SSL configuration.
Gateway_Chassis               Gateway_Chassis configuration.
HA_Chassis_Group              HA_Chassis_Group configuration.
HA_Chassis                    HA_Chassis configuration.
BFD                           BFD configuration.
Static_MAC_Binding            Static_MAC_Binding configuration.

NB_Global TABLE
Northbound configuration for an OVN system. This table must have exactly
one row.

Summary:
    Identity:
        name                              string
    Status:
        nb_cfg                            integer
        nb_cfg_timestamp                  integer
        sb_cfg                            integer
        sb_cfg_timestamp                  integer
        hv_cfg                            integer
        hv_cfg_timestamp                  integer
    Common Columns:
        external_ids                      map of string-string pairs
    Common options:
        options                           map of string-string pairs
    Options for configuring OVS BFD:
        options : bfd-min-rx              optional string
        options : bfd-decay-min-rx        optional string
        options : bfd-min-tx              optional string
        options : bfd-mult                optional string
        options : mac_prefix              optional string
        options : controller_event        optional string, either true or false
        options : northd_probe_interval   optional string
        options : use_logical_dp_groups   optional string
        options : use_parallel_build      optional string
        options : ignore_lsp_down         optional string
        options : use_ct_inv_match        optional string
        options : default_acl_drop        optional string
    Options for configuring interconnection route advertisement:
        options : ic-route-adv            optional string
        options : ic-route-learn          optional string
        options : ic-route-adv-default    optional string
        options : ic-route-learn-default  optional string
        options : ic-route-blacklist      optional string
    Connection Options:
        connections                       set of Connections
        ssl                               optional SSL
    Security Configurations:
        ipsec                             boolean
    Read-only Options:
        options : max_tunid               optional string

Details:
Identity:

name: string
    The name of the OVN cluster, which uniquely identifies the OVN
    cluster throughout all OVN clusters supposed to interconnect
    with each other.

Status:

These columns allow a client to track the overall configuration state
of the system.

nb_cfg: integer
    Sequence number for client to increment. When a client modifies
    any part of the northbound database configuration and wishes to
    wait for ovn-northd and possibly all of the hypervisors to finish
    applying the changes, it may increment this sequence number.

nb_cfg_timestamp: integer
    The timestamp, in milliseconds since the epoch, when ovn-northd
    sees the latest nb_cfg and starts processing.

    To print the timestamp as a human-readable date:

        date -d "@$(ovn-nbctl get NB_Global . nb_cfg_timestamp | sed 's/...$//')"

sb_cfg: integer
    Sequence number that ovn-northd sets to the value of nb_cfg after
    it finishes applying the corresponding configuration changes
    to the OVN_Southbound database.

sb_cfg_timestamp: integer
    The timestamp, in milliseconds since the epoch, when ovn-northd
    finishes applying the corresponding configuration changes to the
    OVN_Southbound database successfully.

hv_cfg: integer
    Sequence number that ovn-northd sets to the smallest sequence
    number of all the chassis in the system, as reported in the
    Chassis_Private table in the southbound database. Thus, hv_cfg
    equals nb_cfg if all chassis are caught up with the northbound
    configuration (which may never happen, if any chassis is down).
    This value can regress, if a chassis was removed from the system
    and rejoins before catching up.

    If there are no chassis, then ovn-northd copies nb_cfg to
    hv_cfg. Thus, in this case, the (nonexistent) hypervisors are
    always considered to be caught up. This means that hypervisors
    can be "caught up" even in cases where sb_cfg would show that
    the southbound database is not. To detect when both the hypervisors
    and the southbound database are caught up, a client should
    take the smaller of sb_cfg and hv_cfg.

hv_cfg_timestamp: integer
    The largest timestamp, in milliseconds since the epoch, of the
    smallest sequence number of all the chassis in the system, as
    reported in the Chassis_Private table in the southbound database.
    In other words, this timestamp reflects the time when the
    slowest chassis catches up with the northbound configuration,
    which is useful for end-to-end control plane latency measurement.

Common Columns:

external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

Common options:

options: map of string-string pairs
    This column provides general key/value settings. The supported
    options are described individually below.

Options for configuring OVS BFD:

These options apply when ovn-controller configures OVS BFD on tunnel
interfaces. Please note that these parameters refer to the legacy OVS BFD
implementation and not to the OVN BFD one.

options : bfd-min-rx: optional string
    BFD option min-rx value to use when configuring BFD on tunnel
    interfaces.

options : bfd-decay-min-rx: optional string
    BFD option decay-min-rx value to use when configuring BFD on
    tunnel interfaces.

options : bfd-min-tx: optional string
    BFD option min-tx value to use when configuring BFD on tunnel
    interfaces.

options : bfd-mult: optional string
    BFD option mult value to use when configuring BFD on tunnel
    interfaces.

options : mac_prefix: optional string
    Configure a given OUI to be used as prefix when L2 address is
    dynamically assigned, e.g. 00:11:22

options : controller_event: optional string, either true or false
    Value set by the CMS to enable/disable ovn-controller event
    reporting. Traffic into OVS can raise a 'controller' event that
    results in a Controller_Event being written to the
    Controller_Event table in SBDB. When the CMS has seen the event and
    taken appropriate action, it can remove the corresponding row in
    Controller_Event table. The intention is for a CMS to see the
    events and take some sort of action. Please see the
    Controller_Event table in SBDB. It is possible to associate a meter
    to each controller event type in order to not overload the
    pinctrl thread under heavy load. Each event type relies on a meter
    with a defined name:

    • empty_lb_backends: event-elb

options : northd_probe_interval: optional string
    The inactivity probe interval of the connection to the OVN
    Northbound and Southbound databases from ovn-northd, in
    milliseconds. If the value is zero, it disables the connection
    keepalive feature.

    If the value is nonzero, then it will be forced to a value of at
    least 1000 ms.

options : use_logical_dp_groups: optional string
    If set to true, ovn-northd will combine logical flows that
    differ only by logical datapath into a single logical flow with
    a logical datapath group attached.

    While this should significantly reduce the number of logical flows
    stored in the Southbound database, it could also increase
    processing complexity on the ovn-controller side, e.g., ovn-controller
    will re-consider a logical flow for all logical datapaths in a
    group. If the option is set to false, there will be a separate
    logical flow per logical datapath and only this flow will be
    re-considered.

    The default value is false.

options : use_parallel_build: optional string
    If set to true, ovn-northd will attempt to compute logical flows
    in parallel.

    Parallel computation is enabled only if the system has 4 or more
    cores/threads available to be used by ovn-northd.

    The default value is false.

options : ignore_lsp_down: optional string
    If set to false, ARP/ND reply flows for logical switch ports
    will be installed only if the port is up, i.e. claimed by a
    Chassis. If set to true, these flows are installed regardless of
    the status of the port, which can result in a situation that ARP
    request to an IP is resolved even before the relevant VM/container
    is running. For environments where this is not an issue,
    setting it to true can reduce the load and latency of the
    control plane. The default value is true.

options : use_ct_inv_match: optional string
    If set to false, ovn-northd will not use the ct.inv field in any
    of the logical flow matches. The default value is true. If the
    NIC supports offloading OVS datapath flows but doesn't support
    offloading ct_state inv flag, then the datapath flows matching
    on this flag (either +inv or -inv) will not be offloaded. CMS
    should consider setting use_ct_inv_match to false in such cases.
    This results in a side effect of the invalid packets getting
    delivered to the destination VIF, which otherwise would have been
    dropped by OVN.

options : default_acl_drop: optional string
    If set to true, ovn-northd will generate a logical flow to drop
    all traffic in the ACL stages. By default this option is set to
    false.

Options for configuring interconnection route advertisement:

These options control how routes are advertised between OVN deployments
for interconnection. If enabled, ovn-ic from different OVN deployments
exchanges routes between each other through the global OVN_IC_Southbound
database. Only routers with ports connected to interconnection
transit switches participate in route advertisement. For each of these
routers, there are two types of routes to be advertised:

Firstly, the static routes configured in the router are advertised.

Secondly, the networks configured in the logical router ports that are
not on the transit switches are advertised. These are considered as
directly connected subnets on the router.

Link local prefixes (IPv4 169.254.0.0/16 and IPv6 FE80::/10) are never
advertised.

The learned routes are added to the static_routes column of the
Logical_Router table, with external_ids:ic-learned-route set to the uuid of
the row in Route table of the OVN_IC_Southbound database.

options : ic-route-adv: optional string
    A boolean value that enables route advertisement to the global
    OVN_IC_Southbound database. Default is false.

options : ic-route-learn: optional string
    A boolean value that enables route learning from the global
    OVN_IC_Southbound database. Default is false.

options : ic-route-adv-default: optional string
    A boolean value that enables advertising default route to the
    global OVN_IC_Southbound database. Default is false. This option
    takes effect only when option ic-route-adv is true.

options : ic-route-learn-default: optional string
    A boolean value that enables learning default route from the
    global OVN_IC_Southbound database. Default is false. This option
    takes effect only when option ic-route-learn is true.

options : ic-route-blacklist: optional string
    A string value containing a list of CIDRs delimited by ",". A
    route will not be advertised or learned if the route's prefix
    belongs to any of the CIDRs listed.

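The advertisement rules above can be modelled to preview which prefixes a deployment would export before ic-route-adv is switched on. This is an added example, not ovn-ic's own code; the function names and sample routes are constructed, and "belongs to" is assumed to mean that the route's prefix is contained in a listed CIDR.

```python
import ipaddress

# Link-local prefixes that the text above says are never advertised.
LINK_LOCAL = [ipaddress.ip_network("169.254.0.0/16"),
              ipaddress.ip_network("fe80::/10")]


def _is_true(options, key):
    # NB_Global options are strings; every ic-route-* boolean defaults to false.
    return options.get(key, "false").strip().lower() == "true"


def parse_blacklist(value):
    """Split the comma-delimited ic-route-blacklist string into networks."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def _inside(net, cidrs):
    # Assumption: "belongs to" = same address family and contained in the CIDR.
    return any(net.version == c.version and net.subnet_of(c) for c in cidrs)


def advertised_prefixes(options, static_routes, port_networks):
    """Return the prefixes a router would advertise, in input order.

    static_routes: prefixes of the router's static routes.
    port_networks: addresses (with mask) of router ports that are not
                   on a transit switch.
    """
    if not _is_true(options, "ic-route-adv"):
        return []
    adv_default = _is_true(options, "ic-route-adv-default")
    blacklist = parse_blacklist(options.get("ic-route-blacklist", ""))

    candidates = [ipaddress.ip_network(p, strict=False) for p in static_routes]
    candidates += [ipaddress.ip_interface(a).network for a in port_networks]

    result = []
    for net in candidates:
        if net.prefixlen == 0 and not adv_default:
            continue                      # default route needs its own option
        if _inside(net, LINK_LOCAL) or _inside(net, blacklist):
            continue
        if str(net) not in result:
            result.append(str(net))
    return result


# Constructed sample data (not taken from a real deployment).
SAMPLE_OPTIONS = {"ic-route-adv": "true",
                  "ic-route-blacklist": "10.99.0.0/16, 192.168.50.0/24"}
SAMPLE_STATIC = ["0.0.0.0/0", "10.99.4.0/24", "10.0.0.0/8",
                 "172.16.0.0/16", "fe80::/64"]
SAMPLE_PORTS = ["192.168.50.1/24", "10.0.1.1/24",
                "2001:db8:1::1/64", "169.254.10.1/24"]

if __name__ == "__main__":
    for prefix in advertised_prefixes(SAMPLE_OPTIONS, SAMPLE_STATIC,
                                      SAMPLE_PORTS):
        print(prefix)
```

Under this reading, 10.0.0.0/8 is still exported although it covers the blacklisted 10.99.0.0/16, because only prefixes contained in a listed CIDR are suppressed.
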
Connection Options:

connections: set of Connections
    Database clients to which the Open vSwitch database server
    should connect or on which it should listen, along with options
    for how these connections should be configured. See the
    Connection table for more information.

ssl: optional SSL
    Global SSL configuration.

Security Configurations:

ipsec: boolean
    Tunnel encryption configuration. If this column is set to be
    true, all OVN tunnels will be encrypted with IPsec.

Read-only Options:

options : max_tunid: optional string
    The maximum supported tunnel ID. Depends on types of
    encapsulation enabled in the cluster.

Copp TABLE
This table is used to define control plane protection policies, i.e.,
associate entries from table Meter to control protocol names.

Summary:
    name                      string (must be unique within table)
    meters : arp              optional string
    meters : arp-resolve      optional string
    meters : dhcpv4-opts      optional string
    meters : dhcpv6-opts      optional string
    meters : dns              optional string
    meters : event-elb        optional string
    meters : icmp4-error      optional string
    meters : icmp6-error      optional string
    meters : igmp             optional string
    meters : nd-na            optional string
    meters : nd-ns            optional string
    meters : nd-ns-resolve    optional string
    meters : nd-ra-opts       optional string
    meters : tcp-reset        optional string
    meters : bfd              optional string
    meters : reject           optional string
    external_ids              map of string-string pairs

Details:
name: string (must be unique within table)
    CoPP name.

meters : arp: optional string
    Rate limiting meter for ARP packets (request/reply) used for
    learning neighbors.

meters : arp-resolve: optional string
    Rate limiting meter for packets that require resolving the
    next-hop (through ARP).

meters : dhcpv4-opts: optional string
    Rate limiting meter for packets that require adding DHCPv4
    options.

meters : dhcpv6-opts: optional string
    Rate limiting meter for packets that require adding DHCPv6
    options.

meters : dns: optional string
    Rate limiting meter for DNS query packets that need to be
    replied to.

meters : event-elb: optional string
    Rate limiting meter for empty load balancer events.

meters : icmp4-error: optional string
    Rate limiting meter for packets that require replying with an
    ICMP error.

meters : icmp6-error: optional string
    Rate limiting meter for packets that require replying with an
    ICMPv6 error.

meters : igmp: optional string
    Rate limiting meter for IGMP packets.

meters : nd-na: optional string
    Rate limiting meter for ND neighbor advertisement packets used
    for learning neighbors.

meters : nd-ns: optional string
    Rate limiting meter for ND neighbor solicitation packets used
    for learning neighbors.

meters : nd-ns-resolve: optional string
    Rate limiting meter for packets that require resolving the
    next-hop (through ND).

meters : nd-ra-opts: optional string
    Rate limiting meter for packets that require adding ND router
    advertisement options.

meters : tcp-reset: optional string
    Rate limiting meter for packets that require replying with TCP
    RST packet.

meters : bfd: optional string
    Rate limiting meter for BFD packets.

meters : reject: optional string
    Rate limiting meter for packets that trigger a reject action.

external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

Logical_Switch TABLE
Each row represents one L2 logical switch.

There are two kinds of logical switches, that is, ones that fully
virtualize the network (overlay logical switches) and ones that provide
simple connectivity to physical networks (bridged logical switches).
They work in the same way when providing connectivity between logical
ports on the same chassis, but differently when connecting remote logical
ports. Overlay logical switches connect remote logical ports by tunnels,
while bridged logical switches provide connectivity to remote
ports by bridging the packets to directly connected physical L2 segments
with the help of localnet ports. Each bridged logical switch has
one or more localnet ports, which have only one special address unknown.

Summary:
    ports                                         set of Logical_Switch_Ports
    load_balancer                                 set of weak reference to Load_Balancers
    load_balancer_group                           set of Load_Balancer_Groups
    acls                                          set of ACLs
    qos_rules                                     set of QoSes
    dns_records                                   set of weak reference to DNSes
    forwarding_groups                             set of Forwarding_Groups
    Naming:
        name                                      string
        external_ids : neutron:network_name       optional string
    IP Address Assignment:
        other_config : subnet                     optional string
        other_config : exclude_ips                optional string
        other_config : ipv6_prefix                optional string
        other_config : mac_only                   optional string, either true or false
    IP Multicast Snooping Options:
        other_config : mcast_snoop                optional string, either true or false
        other_config : mcast_querier              optional string, either true or false
        other_config : mcast_flood_unregistered   optional string, either true or false
        other_config : mcast_table_size           optional string, containing an integer, in range 1 to 32,766
        other_config : mcast_idle_timeout         optional string, containing an integer, in range 15 to 3,600
        other_config : mcast_query_interval       optional string, containing an integer, in range 1 to 3,600
        other_config : mcast_query_max_response   optional string, containing an integer, in range 1 to 10
        other_config : mcast_eth_src              optional string
        other_config : mcast_ip4_src              optional string
        other_config : mcast_ip6_src              optional string
    Interconnection:
        other_config : interconn-ts               optional string
    Tunnel Key:
        other_config : requested-tnl-key          optional string, containing an integer, in range 1 to 16,777,215
    copp                                          optional weak reference to Copp
    Other options:
        other_config : vlan-passthru              optional string, either true or false
    Common Columns:
        external_ids                              map of string-string pairs

Details:
ports: set of Logical_Switch_Ports
    The logical ports connected to the logical switch.

    It is an error for multiple logical switches to include the same
    logical port.

load_balancer: set of weak reference to Load_Balancers
    Set of load balancers associated to this logical switch.

load_balancer_group: set of Load_Balancer_Groups
    Set of load balancer groups associated to this logical switch.

acls: set of ACLs
    Access control rules that apply to packets within the logical
    switch.

qos_rules: set of QoSes
    QoS marking and metering rules that apply to packets within the
    logical switch.

dns_records: set of weak reference to DNSes
    This column defines the DNS records to be used for resolving
    internal DNS queries within the logical switch by the native DNS
    resolver. Please see the DNS table.

forwarding_groups: set of Forwarding_Groups
    Groups a set of logical port endpoints for traffic going out of
    the logical switch.

Naming:

These columns provide names for the logical switch. From OVN's perspective,
these names have no special meaning or purpose other than to provide
convenience for human interaction with the database. There is no
requirement for the name to be unique. (For a unique identifier for a
logical switch, use its row UUID.)

(Originally, name was intended to serve the purpose of a human-friendly
name, but the Neutron integration used it to uniquely identify its own
switch object, in the format neutron-uuid. Later on, Neutron started
propagating the friendly name of a switch as external_ids:neutron:network_name.
Perhaps this can be cleaned up someday.)

name: string
    A name for the logical switch.

external_ids : neutron:network_name: optional string
    Another name for the logical switch.

IP Address Assignment:

These options control automatic IP address management (IPAM) for ports
attached to the logical switch. To enable IPAM for IPv4, set other_config:subnet
and optionally other_config:exclude_ips. To enable IPAM for
IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be enabled together
or separately.

To request dynamic address assignment for a particular port, use the
dynamic keyword in the addresses column of the port's Logical_Switch_Port
row. This requests both an IPv4 and an IPv6 address, if
IPAM for IPv4 and IPv6 are both enabled.

other_config : subnet: optional string
    Set this to an IPv4 subnet, e.g. 192.168.0.0/24, to enable
    ovn-northd to automatically assign IP addresses within that subnet.

other_config : exclude_ips: optional string
    To exclude some addresses from automatic IP address management,
    set this to a list of the IPv4 addresses or ..-delimited ranges
    to exclude. The addresses or ranges should be a subset of those
    in other_config:subnet.

    Whether listed or not, ovn-northd will never allocate the first
    or last address in a subnet, such as 192.168.0.0 or
    192.168.0.255 in 192.168.0.0/24.

    Examples:

    • 192.168.0.2 192.168.0.10

    • 192.168.0.4 192.168.0.30..192.168.0.60 192.168.0.110..192.168.0.120

    • 192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30 192.168.0.144

other_config : ipv6_prefix: optional string
    Set this to an IPv6 prefix to enable ovn-northd to automatically
    assign IPv6 addresses using this prefix. The assigned IPv6 address
    will be generated using the IPv6 prefix and the MAC address
    (converted to an IEEE EUI64 identifier) of the port. The
    IPv6 prefix defined here should be a valid IPv6 address ending
    with ::.

    Examples:

    • aef0::

    • bef0:1234:a890:5678::

    • 8230:5678::

other_config : mac_only: optional string, either true or false
    Value used to request to assign L2 address only if neither subnet
    nor ipv6_prefix are specified.

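A parser for the exclude_ips syntax and the address derivation described above make it possible to check an IPAM plan before it is written to the database. This is an added example, not ovn-northd's code; the function names are hypothetical, and the EUI-64 conversion is assumed to be the usual modified EUI-64 (ff:fe inserted, universal/local bit inverted).

```python
import ipaddress


def parse_exclude_ips(subnet, value):
    """Parse an exclude_ips string into sorted (low, high) integer ranges.

    Raises ValueError for reversed ranges and for entries outside the
    subnet, since the text says they should be a subset of it.
    """
    net = ipaddress.ip_network(subnet)
    ranges = []
    for token in value.split():
        low_s, sep, high_s = token.partition("..")
        low = ipaddress.IPv4Address(low_s)
        high = ipaddress.IPv4Address(high_s) if sep else low
        if low > high:
            raise ValueError(f"reversed range: {token}")
        if low not in net or high not in net:
            raise ValueError(f"{token} is outside {net}")
        ranges.append((int(low), int(high)))
    return sorted(ranges)


def allocatable(subnet, exclude_ips=""):
    """Addresses left for dynamic assignment in an IPv4 subnet.

    The first and last address of the subnet are skipped whether or not
    they are listed, as stated for ovn-northd above.
    """
    net = ipaddress.ip_network(subnet)
    ranges = parse_exclude_ips(subnet, exclude_ips)
    first, last = int(net.network_address), int(net.broadcast_address)
    return [ipaddress.IPv4Address(n) for n in range(first + 1, last)
            if not any(lo <= n <= hi for lo, hi in ranges)]


def eui64_address(ipv6_prefix, mac):
    """Combine an ipv6_prefix ending in '::' with a port MAC address."""
    prefix = ipaddress.IPv6Address(ipv6_prefix)
    if int(prefix) & ((1 << 64) - 1):
        raise ValueError("ipv6_prefix must leave the low 64 bits zero")
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    # Assumption: modified EUI-64, i.e. invert the universal/local bit
    # and insert ff:fe between the two halves of the MAC.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(prefix) | int.from_bytes(iid, "big"))


# Second exclude_ips example from the text, applied to 192.168.0.0/24.
SAMPLE_SUBNET = "192.168.0.0/24"
SAMPLE_EXCLUDE = ("192.168.0.4 192.168.0.30..192.168.0.60 "
                  "192.168.0.110..192.168.0.120")

if __name__ == "__main__":
    pool = allocatable(SAMPLE_SUBNET, SAMPLE_EXCLUDE)
    print(len(pool), "addresses, first", pool[0], "last", pool[-1])
    # Constructed MAC address, used only for illustration.
    print(eui64_address("aef0::", "0a:00:00:00:00:01"))
```
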
IP Multicast Snooping Options:

These options control IP Multicast Snooping configuration of the logical
switch. To enable IP Multicast Snooping set other_config:mcast_snoop
to true. To enable IP Multicast Querier set other_config:mcast_snoop
to true. If IP Multicast Querier is enabled other_config:mcast_eth_src
and other_config:mcast_ip4_src must be set.

other_config : mcast_snoop: optional string, either true or false
    Enables/disables IP Multicast Snooping on the logical switch.

other_config : mcast_querier: optional string, either true or false
    Enables/disables IP Multicast Querier on the logical switch.

other_config : mcast_flood_unregistered: optional string, either true or false
    Determines whether unregistered multicast traffic should be
    flooded or not. Only applicable if other_config:mcast_snoop is
    enabled.

other_config : mcast_table_size: optional string, containing an integer, in range 1 to 32,766
    Number of multicast groups to be stored. Default: 2048.

other_config : mcast_idle_timeout: optional string, containing an integer, in range 15 to 3,600
    Configures the IP Multicast Snooping group idle timeout (in seconds).
    Default: 300 seconds.

other_config : mcast_query_interval: optional string, containing an integer, in range 1 to 3,600
    Configures the IP Multicast Querier interval between queries (in
    seconds). Default: other_config:mcast_idle_timeout / 2.

other_config : mcast_query_max_response: optional string, containing an integer, in range 1 to 10
    Configures the value of the "max-response" field in the multicast
    queries originated by the logical switch. Default: 1 second.

other_config : mcast_eth_src: optional string
    Configures the source Ethernet address for queries originated by
    the logical switch.

other_config : mcast_ip4_src: optional string
    Configures the source IPv4 address for queries originated by the
    logical switch.

other_config : mcast_ip6_src: optional string
    Configures the source IPv6 address for queries originated by the
    logical switch.

Interconnection:

other_config : interconn-ts: optional string
    The name of the corresponding transit switch in the OVN_IC_Northbound
    database. This kind of logical switch is created and controlled
    by ovn-ic.

Tunnel Key:

other_config : requested-tnl-key: optional string, containing an integer, in range 1 to 16,777,215
    Configures the datapath tunnel key for the logical switch. Usually
    this is not needed because ovn-northd will assign a unique
    key for each datapath by itself. However, if it is configured,
    ovn-northd honors the configured value. The typical use case is
    for interconnection: the tunnel keys for transit switches need
    to be unique globally, so they are maintained in the global
    OVN_IC_Southbound database, and ovn-ic simply syncs the value
    from OVN_IC_Southbound through this config.

copp: optional weak reference to Copp
    The control plane protection policy from table Copp used for metering
    packets sent to ovn-controller from ports of this logical
    switch.

Other options:

other_config : vlan-passthru: optional string, either true or false
    Determines whether VLAN tagged incoming traffic should be allowed.
    Note that this may have security implications when enabled
    for a logical switch with a tag=0 localnet port. If not
    properly isolated from other localnet ports, fabric traffic that
    belongs to other tagged networks may be passed through such a
    port.

Common Columns:

external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

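The security-relevant settings documented so far (ipsec, default_acl_drop, use_ct_inv_match, vlan-passthru and copp) can be reviewed together in one pass over the configuration. This is an added example, not part of OVN; the dictionary layout is a constructed stand-in for rows read from the database, and a localnet port with no tag or tag 0 is assumed to be the "tag=0" case mentioned for vlan-passthru.

```python
def _is_true(mapping, key, default):
    # options and other_config store booleans as the strings true/false.
    return mapping.get(key, default).strip().lower() == "true"


def audit_northbound(nb_global, switches):
    """Return (row, setting, message) findings for settings whose
    documented effect weakens isolation or protection."""
    findings = []
    opts = nb_global.get("options", {})

    if not nb_global.get("ipsec", False):
        findings.append(("NB_Global", "ipsec",
                         "OVN tunnels are not encrypted with IPsec"))
    if not _is_true(opts, "default_acl_drop", "false"):
        findings.append(("NB_Global", "default_acl_drop",
                         "no logical flow drops all traffic in the ACL stages"))
    if not _is_true(opts, "use_ct_inv_match", "true"):
        findings.append(("NB_Global", "use_ct_inv_match",
                         "invalid packets are delivered to the destination "
                         "VIF instead of being dropped"))

    for sw in switches:
        name = sw["name"]
        other = sw.get("other_config", {})
        # Assumption: an absent tag or tag 0 counts as a tag=0 localnet port.
        untagged = [p["name"] for p in sw.get("ports", [])
                    if p.get("type") == "localnet" and not p.get("tag")]
        if _is_true(other, "vlan-passthru", "false") and untagged:
            findings.append((name, "vlan-passthru",
                             "tagged fabric traffic may pass through "
                             "localnet port(s) " + ", ".join(untagged)))
        if not sw.get("copp"):
            findings.append((name, "copp",
                             "no Copp policy meters packets sent to "
                             "ovn-controller from this switch's ports"))
    return findings


# Constructed configuration: one weak and one tightened variant.
WEAK_NB_GLOBAL = {"ipsec": False, "options": {"use_ct_inv_match": "false"}}
WEAK_SWITCHES = [
    {"name": "sw-tenant", "copp": "copp-default", "other_config": {},
     "ports": [{"name": "vm1", "type": ""}]},
    {"name": "sw-provider", "other_config": {"vlan-passthru": "true"},
     "ports": [{"name": "ln-phys", "type": "localnet"}]},
]
HARDENED_NB_GLOBAL = {"ipsec": True,
                      "options": {"default_acl_drop": "true"}}
HARDENED_SWITCHES = [
    {"name": "sw-tenant", "copp": "copp-default", "other_config": {},
     "ports": [{"name": "vm1", "type": ""}]},
    {"name": "sw-provider", "copp": "copp-default",
     "other_config": {"vlan-passthru": "false"},
     "ports": [{"name": "ln-phys", "type": "localnet"}]},
]

if __name__ == "__main__":
    for row, setting, message in audit_northbound(WEAK_NB_GLOBAL,
                                                  WEAK_SWITCHES):
        print(f"{row}: {setting}: {message}")
```
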
Logical_Switch_Port TABLE
A port within an L2 logical switch.

Summary:
    Core Features:
        name                                  string (must be unique within table)
        type                                  string
    Options:
        options                               map of string-string pairs
        Options for router ports:
            options : router-port             optional string
            options : nat-addresses           optional string
            options : exclude-lb-vips-from-garp  optional string
            options : arp_proxy               optional string
        Options for localnet ports:
            options : network_name            optional string
            options : ethtype                 optional string
        Options for l2gateway ports:
            options : network_name            optional string
            options : l2gateway-chassis       optional string
        Options for vtep ports:
            options : vtep-physical-switch    optional string
            options : vtep-logical-switch     optional string
        VMI (or VIF) Options:
            options : requested-chassis       optional string
            options : iface-id-ver            optional string
            options : qos_min_rate            optional string
            options : qos_max_rate            optional string
            options : qos_burst               optional string
            options : hostname                optional string
        VIF Plugging Options:
            options : vif-plug-type           optional string
            options : vif-plug-mtu-request    optional string
        Virtual port Options:
            options : virtual-ip              optional string
            options : virtual-parents         optional string
        IP Multicast Snooping Options:
            options : mcast_flood             optional string, either true or false
            options : mcast_flood_reports     optional string, either true or false
    Containers:
        parent_name                           optional string
        tag_request                           optional integer, in range 0 to 4,095
        tag                                   optional integer, in range 1 to 4,095
    Port State:
        up                                    optional boolean
        enabled                               optional boolean
    Addressing:
        addresses                             set of strings
        dynamic_addresses                     optional string
        port_security                         set of strings
    DHCP:
        dhcpv4_options                        optional weak reference to DHCP_Options
        dhcpv6_options                        optional weak reference to DHCP_Options
    ha_chassis_group                          optional HA_Chassis_Group
    Naming:
        external_ids : neutron:port_name      optional string
    Tunnel Key:
        options : requested-tnl-key           optional string, containing an integer, in range 1 to 32,767
    Common Columns:
        external_ids                          map of string-string pairs

811 Details:
812 Core Features:
813
814 name: string (must be unique within table)
815 The logical port name.
816
817 For entities (VMs or containers) that are spawned in the hyper‐
818 visor, the name used here must match those used in the exter‐
819 nal_ids:iface-id in the Open_vSwitch database’s Interface table,
820 because hypervisors use external_ids:iface-id as a lookup key to
821 identify the network interface of that entity.
822
823 For containers that share a VIF within a VM, the name can be any
824 unique identifier. See Containers, below, for more information.
825
826 A logical switch port may not have the same name as a logical
827 router port, but the database schema cannot enforce this.

type: string
Specify a type for this logical port. Logical ports can be used to model
other types of connectivity into an OVN logical switch. The following
types are defined:

(empty string)
A VM (or VIF) interface.

router
A connection to a logical router. The value of options:router-port
specifies the name of the Logical_Router_Port to which this logical
switch port is connected.

localnet
A connection to a locally accessible network from ovn-controller
instances that have a corresponding bridge mapping. A logical switch can
have multiple localnet ports attached. This type is used to model direct
connectivity to existing networks. In this case, each chassis should
have a mapping for one of the physical networks only. Note: nothing said
above implies that a chassis cannot be plugged to multiple physical
networks as long as they belong to different switches.

localport
A connection to a local VIF. Traffic that arrives on a localport is
never forwarded over a tunnel to another chassis. These ports are
present on every chassis and have the same address in all of them. This
is used to model connectivity to local services that run on every
hypervisor.

l2gateway
A connection to a physical network.

vtep
A port to a logical switch on a VTEP gateway.

external
Represents a logical port which is external and does not have an OVS
port in the integration bridge. OVN will never receive any traffic from
this port or send any traffic to this port. OVN can support native
services like DHCPv4/DHCPv6/DNS for this port. If ha_chassis_group is
defined, ovn-controller running in the master chassis of the HA chassis
group will bind this port to provide these native services. It is
expected that this port belongs to a bridged logical switch (with a
localnet port).

It is recommended to use the same HA chassis group for all the external
ports of a logical switch. Otherwise, the physical switch might see a
MAC flap issue when different chassis provide the native services. For
example, when supporting the native DHCPv4 service, the DHCPv4 server
MAC (configured in the options:server_mac column in table DHCP_Options)
originating from different ports can cause a MAC flap issue. The MAC of
the logical router IP(s) can also flap if the same HA chassis group is
not set for all the external ports of a logical switch.

Below are some of the use cases where external ports can be used.

• VMs connected to SR-IOV NICs - Traffic from these VMs bypasses the
kernel stack and the local ovn-controller does not bind these ports and
cannot serve the native services.

• When the CMS supports provisioning baremetal servers.

virtual
Represents a logical port which does not have an OVS port in the
integration bridge and has a virtual IP configured in the
options:virtual-ip column. This virtual IP can move around between the
logical ports configured in the options:virtual-parents column.

One use case for virtual ports:

• The virtual IP represents a load balancer VIP and the virtual parents
provide load balancer service in an active-standby setup with the active
virtual parent owning the virtual IP.

remote
A remote port models a port that resides remotely on another OVN, which
is on the other side of a transit logical switch for OVN
interconnection. Ports of this type are created by ovn-ic instead of by
the CMS. Any change to the port will be automatically overwritten by
ovn-ic.

Options:

options: map of string-string pairs
This column provides key/value settings specific to the logical port
type. The type-specific options are described individually below.

Options for router ports:

These options apply when type is router.

options : router-port: optional string
Required. The name of the Logical_Router_Port to which this logical
switch port is connected.

options : nat-addresses: optional string
This is used to send gratuitous ARPs for SNAT and DNAT IP addresses via
the localnet port that is attached to the same logical switch as this
type router port. This option is specified on a logical switch port that
is connected to a gateway router, or a logical switch port that is
connected to a distributed gateway port on a logical router.

This must take one of the following forms:

router
Gratuitous ARPs will be sent for all SNAT and DNAT external IP addresses
and for all load balancer IP addresses defined on the
options:router-port’s logical router, using the options:router-port’s
MAC address.

This form of options:nat-addresses is valid for logical switch ports
where options:router-port is the name of a port on a gateway router, or
the name of a distributed gateway port.

Supported only in OVN 2.8 and later. Earlier versions required NAT
addresses to be manually synchronized.

Ethernet address followed by one or more IPv4 addresses
Example: 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24. This would result
in generation of gratuitous ARPs for IP addresses 158.36.44.22 and
158.36.44.24 with a MAC address of 80:fa:5b:06:72:b7.

This form of options:nat-addresses is only valid for logical switch
ports where options:router-port is the name of a port on a gateway
router.

options : exclude-lb-vips-from-garp: optional string
If options:nat-addresses is set to router, gratuitous ARPs will be sent
for all SNAT and DNAT external IP addresses defined on the
options:router-port’s logical router, using the options:router-port’s
MAC address, not considering configured load balancers.

options : arp_proxy: optional string
Optional. A list of IPv4 addresses for which this logical switch router
port will reply to ARP requests. Example: 169.254.239.254 169.254.239.2.
The options:router-port’s logical router should have a route to forward
packets sent to configured proxy ARP IPs to an appropriate destination.

Options for localnet ports:

These options apply when type is localnet.

options : network_name: optional string
Required. The name of the network to which the localnet port is
connected. Each hypervisor, via ovn-controller, uses its local
configuration to determine exactly how to connect to this locally
accessible network, if at all.

options : ethtype: optional string
Optional. VLAN EtherType field value for encapsulating VLAN headers.
Supported values: 802.11q (default), 802.11ad.

Options for l2gateway ports:

These options apply when type is l2gateway.

options : network_name: optional string
Required. The name of the network to which the l2gateway port is
connected. The L2 gateway, via ovn-controller, uses its local
configuration to determine exactly how to connect to this network.

options : l2gateway-chassis: optional string
Required. The chassis to which the l2gateway logical port should be
bound. ovn-controller running on the defined chassis will connect this
logical port to the physical network.

Options for vtep ports:

These options apply when type is vtep.

options : vtep-physical-switch: optional string
Required. The name of the VTEP gateway.

options : vtep-logical-switch: optional string
Required. A logical switch name connected by the VTEP gateway.

VMI (or VIF) Options:

These options apply to logical ports whose type is (empty string).

options : requested-chassis: optional string
If set, identifies a specific chassis (by name or hostname) that is
allowed to bind this port. Using this option will prevent thrashing
between two chassis trying to bind the same port during a live
migration. It can also prevent similar thrashing due to a
misconfiguration, if a port is accidentally created on more than one
chassis.

If set to a comma-separated list, the first entry identifies the main
chassis and the rest are one or more additional chassis that are allowed
to bind the same port.

When multiple chassis are set for the port, and the logical switch is
connected to an external network through a localnet port, tunneling is
enforced for the port to guarantee delivery of packets directed to the
port to all its locations. This has MTU implications because the network
used for tunneling must have an MTU larger than localnet for stable
connectivity.

options : iface-id-ver: optional string
If set, this port will be bound by ovn-controller only if this same key
and value is configured in the external_ids column in the Open_vSwitch
database’s Interface table.

options : qos_min_rate: optional string
If set, indicates the minimum guaranteed rate available for data sent
from this interface, in bit/s.

options : qos_max_rate: optional string
If set, indicates the maximum rate for data sent from this interface, in
bit/s. The traffic will be shaped according to this limit.

options : qos_burst: optional string
If set, indicates the maximum burst size for data sent from this
interface, in bits.

options : hostname: optional string
If set, indicates the DHCPv4 option "Hostname" (option code 12)
associated with this Logical Switch Port. If DHCPv4 is enabled for this
Logical Switch Port, the hostname DHCP option will be included in the
DHCP reply.

VIF Plugging Options:

options : vif-plug-type: optional string
If set, OVN will attempt to perform plugging of this VIF. In order to
get this port plugged by the OVN controller, OVN must be built with
support for VIF plugging. The default behavior is for the CMS to do the
VIF plugging. Each VIF plug provider has its own options, namespaced by
name, for example "vif-plug:representor:key". Please refer to the VIF
plug provider documentation located in
Documentation/topics/vif-plug-providers/ for more information.

options : vif-plug-mtu-request: optional string
Requested MTU for plugged interfaces. When set, the OVN controller will
fill the mtu_request column of the Open vSwitch database’s Interface
table. This in turn will make OVS vswitchd update the MTU of the linked
interface.

Virtual port Options:

These options apply when type is virtual.

options : virtual-ip: optional string
This option represents the virtual IPv4 address.

options : virtual-parents: optional string
This option represents a set of logical port names (within the same
logical switch) which can own the virtual IP configured in
options:virtual-ip. All these virtual parents should add the virtual IP
to their port_security if port security addresses are enabled.
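
The per-type rules in the option sections above can be checked before rows are written to the database. The following lint is an added example, not part of the OVN manual or code base: rows are modeled as plain dicts, the sample rows are constructed, and a comma-separated virtual-parents value is an assumption.

```python
# Added example: lint Logical_Switch_Port rows (plain dicts) of one logical
# switch against the per-type rules stated on this page.

# Options the page marks "Required" for each port type.
REQUIRED_OPTIONS = {
    "router": ("router-port",),
    "localnet": ("network_name",),
    "l2gateway": ("network_name", "l2gateway-chassis"),
    "vtep": ("vtep-physical-switch", "vtep-logical-switch"),
}
KNOWN_TYPES = {"", "router", "localnet", "localport", "l2gateway", "vtep",
               "external", "virtual", "remote"}


def security_ips(port):
    """IP addresses (mask stripped) listed in a row's port_security column."""
    ips = set()
    for element in port.get("port_security", []):
        tokens = element.replace(",", " ").split()
        ips.update(tok.split("/")[0] for tok in tokens[1:])  # tokens[0]: MAC
    return ips


def lint_ports(switch_ports, router_port_names):
    """Return (port name, finding) tuples for one logical switch's ports."""
    by_name = {p["name"]: p for p in switch_ports}
    findings = []
    for port in switch_ports:
        name = port["name"]
        ptype = port.get("type", "")
        options = port.get("options", {})
        if ptype not in KNOWN_TYPES:
            findings.append((name, f"unknown type '{ptype}'"))
        for key in REQUIRED_OPTIONS.get(ptype, ()):
            if not options.get(key):
                findings.append((name, f"missing required options:{key}"))
        # The schema cannot enforce switch/router port name uniqueness.
        if name in router_port_names:
            findings.append((name, "same name as a Logical_Router_Port"))
        peer = options.get("router-port")
        if ptype == "router" and peer and peer not in router_port_names:
            findings.append((name, f"router-port '{peer}' does not exist"))
        # ha_chassis_group is ignored unless type is external.
        if port.get("ha_chassis_group") and ptype != "external":
            findings.append((name, "ha_chassis_group ignored for this type"))
        if ptype == "virtual":
            vip = options.get("virtual-ip", "")
            # Assumption: virtual-parents is a comma-separated list of names.
            raw = options.get("virtual-parents", "")
            parents = [n.strip() for n in raw.split(",") if n.strip()]
            for parent_name in parents:
                parent = by_name.get(parent_name)
                if parent is None:
                    findings.append(
                        (name, f"virtual parent '{parent_name}' not on this switch"))
                elif parent.get("port_security") and vip not in security_ips(parent):
                    findings.append(
                        (parent_name, f"port_security lacks virtual ip {vip}"))
    return findings


# Constructed sample rows for one logical switch.
SAMPLE_PORTS = [
    {"name": "vm1", "type": "",
     "port_security": ["80:fa:5b:06:72:b7 10.0.0.4 10.0.0.100"]},
    {"name": "vm2", "type": "",
     "port_security": ["80:fa:5b:06:72:b8 10.0.0.5"]},
    {"name": "vip0", "type": "virtual",
     "options": {"virtual-ip": "10.0.0.100",
                 "virtual-parents": "vm1,vm2,vm3"}},
    {"name": "ln0", "type": "localnet", "options": {}},
    {"name": "lrp0", "type": "router", "options": {"router-port": "lrp0"}},
    {"name": "gw0", "type": "l2gateway",
     "options": {"network_name": "physnet1"}, "ha_chassis_group": "hagrp1"},
]
SAMPLE_ROUTER_PORTS = {"lrp0"}

if __name__ == "__main__":
    for port_name, finding in lint_ports(SAMPLE_PORTS, SAMPLE_ROUTER_PORTS):
        print(f"{port_name}: {finding}")
```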

IP Multicast Snooping Options:

These options apply when the port is part of a logical switch which has
other_config:mcast_snoop set to true.

options : mcast_flood: optional string, either true or false
If set to true, multicast packets (except reports) are unconditionally
forwarded to the specific port.

options : mcast_flood_reports: optional string, either true or false
If set to true, multicast reports are unconditionally forwarded to the
specific port.

Containers:

When a large number of containers are nested within a VM, it may be too
expensive to dedicate a VIF to each container. OVN can use VLAN tags to
support such cases. Each container is assigned a VLAN ID and each packet
that passes between the hypervisor and the VM is tagged with the
appropriate ID for the container. Such VLAN IDs never appear on a
physical wire, even inside a tunnel, so they need not be unique except
relative to a single VM on a hypervisor.

These columns are used for VIFs that represent nested containers using
shared VIFs. For VMs and for containers that have dedicated VIFs, they
are empty.

parent_name: optional string
The VM interface through which the nested container sends its network
traffic. This must match the name column for some other
Logical_Switch_Port.

tag_request: optional integer, in range 0 to 4,095
The VLAN tag in the network traffic associated with a container’s
network interface. The client can request ovn-northd to allocate a tag
that is unique within the scope of a specific parent (specified in
parent_name) by setting a value of 0 in this column. The allocated value
is written by ovn-northd in the tag column. (Note that these tags are
allocated and managed locally in ovn-northd, so they cannot be
reconstructed in the event that the database is lost.) The client can
also request a specific non-zero tag and ovn-northd will honor it and
copy that value to the tag column.

When type is set to localnet or l2gateway, this can be set to indicate
that the port represents a connection to a specific VLAN on a locally
accessible network. The VLAN ID is used to match incoming traffic and is
also added to outgoing traffic.

tag: optional integer, in range 1 to 4,095
The VLAN tag allocated by ovn-northd based on the contents of the
tag_request column.

Port State:

up: optional boolean
This column is populated by ovn-northd, rather than by the CMS plugin as
is most of this database. When a logical port is bound to a physical
location in the OVN Southbound database Binding table, ovn-northd sets
this column to true; otherwise, or if the port becomes unbound later, it
sets it to false. If this column is empty, the port is not considered
up. This allows the CMS to wait for a VM’s (or container’s) networking
to become active before it allows the VM (or container) to start.

Logical ports of router type are an exception to this rule. They are
considered to be always up, that is, this column is always set to true.

enabled: optional boolean
This column is used to administratively set port state. If this column
is empty or is set to true, the port is enabled. If this column is set
to false, the port is disabled. A disabled port has all ingress and
egress traffic dropped.

Addressing:

addresses: set of strings
Addresses owned by the logical port.

Each element in the set must take one of the following forms:

Ethernet address followed by zero or more IPv4 or IPv6 addresses (or
both)
An Ethernet address defined is owned by the logical port. Like a
physical Ethernet NIC, a logical port ordinarily has a single fixed
Ethernet address.

When an OVN logical switch processes a unicast Ethernet frame whose
destination MAC address is in a logical port’s addresses column, it
delivers it only to that port, as if a MAC learning process had learned
that MAC address on the port.

If IPv4 or IPv6 address(es) (or both) are defined, it indicates that the
logical port owns the given IP addresses.

If IPv4 address(es) are defined, the OVN logical switch uses this
information to synthesize responses to ARP requests without traversing
the physical network. The OVN logical router connected to the logical
switch, if any, uses this information to avoid issuing ARP requests for
logical switch ports.

Note that the order here is important. The Ethernet address must be
listed before the IP address(es) if defined.

Examples:

80:fa:5b:06:72:b7
This indicates that the logical port owns the above MAC address.

80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
This indicates that the logical port owns the MAC address and two IPv4
addresses.

80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
This indicates that the logical port owns the MAC address and 1 IPv6
address.

80:fa:5b:06:72:b7 10.0.0.4 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
This indicates that the logical port owns the MAC address and 1 IPv4
address and 1 IPv6 address.

unknown
This indicates that the logical port has an unknown set of Ethernet
addresses. When an OVN logical switch processes a unicast Ethernet frame
whose destination MAC address is not in any logical port’s addresses
column, it delivers it to the port (or ports) whose addresses columns
include unknown.

dynamic
Use dynamic to make ovn-northd generate a globally unique MAC address,
choose an unused IPv4 address within the logical port’s subnet (if
other_config:subnet is set in the port’s Logical_Switch), and generate
an IPv6 address from the MAC address (if other_config:ipv6_prefix is set
in the port’s Logical_Switch) and store them in the port’s
dynamic_addresses column.

Only one element containing dynamic may appear in addresses.

dynamic ip
dynamic ipv6
dynamic ip ipv6
These act like dynamic alone but specify particular IPv4 or IPv6
addresses to use. OVN IPAM will still automatically allocate the other
address if configured appropriately. Example: dynamic 192.168.0.1
2001::1.

mac dynamic
This acts like dynamic alone but specifies a particular MAC address to
use. OVN IPAM will still automatically allocate IPv4 or IPv6 addresses,
or both, if configured appropriately. Example: 80:fa:5b:06:72:b7 dynamic

router
Accepted only when type is router. This indicates that the Ethernet,
IPv4, and IPv6 addresses for this logical switch port should be obtained
from the connected logical router port, as specified by router-port in
options.

The resulting addresses are used to populate the logical switch’s
destination lookup, and also for the logical switch to generate ARP and
ND replies.

If the connected logical router port has a distributed gateway port
specified and the logical router has rules specified in nat with
external_mac, then those addresses are also used to populate the
switch’s destination lookup.

Supported only in OVN 2.7 and later. Earlier versions required router
addresses to be manually synchronized.

dynamic_addresses: optional string
Addresses assigned to the logical port by ovn-northd, if dynamic is
specified in addresses. Addresses will be of the same format as those
that populate the addresses column. Note that dynamically assigned
addresses are constructed and managed locally in ovn-northd, so they
cannot be reconstructed in the event that the database is lost.

port_security: set of strings
This column controls the addresses from which the host attached to the
logical port ("the host") is allowed to send packets and to which it is
allowed to receive packets. If this column is empty, all addresses are
permitted.

Each element in the set must begin with one Ethernet address. This would
restrict the host to sending packets from and receiving packets to the
Ethernet addresses defined in the logical port’s port_security column.
It also restricts the inner source MAC addresses that the host may send
in ARP and IPv6 Neighbor Discovery packets. The host is always allowed
to receive packets to multicast and broadcast Ethernet addresses.

Each element in the set may additionally contain one or more IPv4 or
IPv6 addresses (or both), with optional masks. If a mask is given, it
must be a CIDR mask. In addition to the restrictions described for
Ethernet addresses above, such an element restricts the IPv4 or IPv6
addresses from which the host may send and to which it may receive
packets to the specified addresses. A masked address, if the host part
is zero, indicates that the host is allowed to use any address in the
subnet; if the host part is nonzero, the mask simply indicates the size
of the subnet. In addition:

• If any IPv4 address is given, the host is also allowed to receive
packets to the IPv4 local broadcast address 255.255.255.255 and to IPv4
multicast addresses (224.0.0.0/4). If an IPv4 address with a mask is
given, the host is also allowed to receive packets to the broadcast
address in that specified subnet.

If any IPv4 address is given, the host is additionally restricted to
sending ARP packets with the specified source IPv4 address. (RARP is not
restricted.)

• If any IPv6 address is given, the host is also allowed to receive
packets to IPv6 multicast addresses (ff00::/8).

If any IPv6 address is given, the host is additionally restricted to
sending IPv6 Neighbor Discovery Solicitation or Advertisement packets
with the specified source address or, for solicitations, the unspecified
address.

If an element includes an IPv4 address, but no IPv6 addresses, then IPv6
traffic is not allowed. If an element includes an IPv6 address, but no
IPv4 address, then IPv4 and ARP traffic is not allowed.

This column uses the same lexical syntax as the match column in the OVN
Southbound database’s Pipeline table. Multiple addresses within an
element may be space or comma separated.

This column is provided as a convenience to cloud management systems,
but all of the features that it implements can be implemented as ACLs
using the ACL table.

Examples:

80:fa:5b:06:72:b7
The host may send traffic from and receive traffic to the specified MAC
address, and may receive traffic to Ethernet multicast and broadcast
addresses, but not otherwise. The host may not send ARP or IPv6 Neighbor
Discovery packets with inner source Ethernet addresses other than the
one specified.

80:fa:5b:06:72:b7 192.168.1.10/24
This adds further restrictions to the first example. The host may send
IPv4 packets from or receive IPv4 packets to only 192.168.1.10, except
that it may also receive IPv4 packets to 192.168.1.255 (based on the
subnet mask), 255.255.255.255, and any address in 224.0.0.0/4. The host
may not send ARPs with a source Ethernet address other than
80:fa:5b:06:72:b7 or source IPv4 address other than 192.168.1.10. The
host may not send or receive any IPv6 (including IPv6 Neighbor
Discovery) traffic.

"80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
The host may send traffic from and receive traffic to the specified MAC
addresses, and may receive traffic to Ethernet multicast and broadcast
addresses, but not otherwise. With MAC 80:fa:5b:12:42:ba, the host may
send traffic from and receive traffic to any L3 address. With MAC
80:fa:5b:06:72:b7, the host may send IPv4 packets from or receive IPv4
packets to only 192.168.1.10, except that it may also receive IPv4
packets to 192.168.1.255 (based on the subnet mask), 255.255.255.255,
and any address in 224.0.0.0/4. The host may not send or receive any
IPv6 (including IPv6 Neighbor Discovery) traffic.
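
The port_security rules above can be expressed as a small decision function, which is useful for predicting what a given column value will permit before it is deployed. This is an added example, not OVN's implementation: it models the rules as written in this section for IP packets only (ARP and Neighbor Discovery inner fields are not modeled), and all function names are hypothetical.

```python
# Added example: evaluate send/receive decisions for a port_security value,
# following the rules stated in this section of the manual.
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")
IPV4_BROADCAST = ipaddress.ip_address("255.255.255.255")
IPV4_MULTICAST = ipaddress.ip_network("224.0.0.0/4")
IPV6_MULTICAST = ipaddress.ip_network("ff00::/8")


def parse_element(element):
    """Split one port_security element into (mac, [ip_interface, ...])."""
    tokens = element.replace(",", " ").split()    # space or comma separated
    if not tokens or not MAC_RE.match(tokens[0]):
        raise ValueError(
            f"element must begin with an Ethernet address: {element!r}")
    return tokens[0].lower(), [ipaddress.ip_interface(t) for t in tokens[1:]]


def owns(iface, addr):
    """True if addr is a unicast address this entry lets the host use."""
    if addr.version != iface.version:
        return False
    if iface.ip == iface.network.network_address:  # host part zero: subnet
        return addr in iface.network
    return addr == iface.ip                        # host part nonzero: one IP


def is_group_mac(mac):
    """Multicast/broadcast Ethernet addresses have the low bit of octet 0 set."""
    return bool(int(mac.split(":")[0], 16) & 1)


def may_send(port_security, src_mac, src_ip):
    """May the host send an IP packet with this source MAC and source IP?"""
    if not port_security:
        return True                                # empty column: unrestricted
    addr = ipaddress.ip_address(src_ip)
    for mac, ifaces in map(parse_element, port_security):
        if src_mac.lower() != mac:
            continue
        # A MAC-only element allows any L3 address for that MAC.
        if not ifaces or any(owns(i, addr) for i in ifaces):
            return True
    return False


def may_receive(port_security, dst_mac, dst_ip):
    """May the host receive an IP packet with this destination MAC and IP?"""
    if not port_security:
        return True
    addr = ipaddress.ip_address(dst_ip)
    for mac, ifaces in map(parse_element, port_security):
        if dst_mac.lower() != mac and not is_group_mac(dst_mac):
            continue
        if not ifaces or any(owns(i, addr) for i in ifaces):
            return True
        v4 = [i for i in ifaces if i.version == 4]
        if addr.version == 4 and v4:
            if addr == IPV4_BROADCAST or addr in IPV4_MULTICAST:
                return True
            # Subnet broadcast applies only to addresses given with a mask.
            if any(i.network.prefixlen < 32
                   and addr == i.network.broadcast_address for i in v4):
                return True
        if (addr.version == 6 and addr in IPV6_MULTICAST
                and any(i.version == 6 for i in ifaces)):
            return True
    return False


if __name__ == "__main__":
    ps = ["80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"]
    for mac, ip in [("80:fa:5b:06:72:b7", "192.168.1.10"),
                    ("80:fa:5b:06:72:b7", "192.168.1.11"),
                    ("80:fa:5b:12:42:ba", "10.9.9.9")]:
        print(mac, ip, "send allowed" if may_send(ps, mac, ip) else "send denied")
```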

DHCP:

dhcpv4_options: optional weak reference to DHCP_Options
This column defines the DHCPv4 Options to be included by the
ovn-controller when it replies to the DHCPv4 requests. Please see the
DHCP_Options table.

dhcpv6_options: optional weak reference to DHCP_Options
This column defines the DHCPv6 Options to be included by the
ovn-controller when it replies to the DHCPv6 requests. Please see the
DHCP_Options table.

ha_chassis_group: optional HA_Chassis_Group
References a row in the OVN Northbound database’s HA_Chassis_Group
table. It indicates the HA chassis group to use if the type is set to
external. If type is not external, this column is ignored.

Naming:

external_ids : neutron:port_name: optional string
This column gives an optional human-friendly name for the port. This
name has no special meaning or purpose other than to provide convenience
for human interaction with the northbound database.

Neutron copies this from its own port object’s name. (Neutron ports are
not assigned human-friendly names by default, so it will often be
empty.)

Tunnel Key:

options : requested-tnl-key: optional string, containing an integer, in
range 1 to 32,767
Configures the port binding tunnel key for the port. Usually this is not
needed because ovn-northd will assign a unique key for each port by
itself. However, if it is configured, ovn-northd honors the configured
value. The typical use case is for interconnection: the tunnel keys for
ports on transit switches need to be unique globally, so they are
maintained in the global OVN_IC_Southbound database, and ovn-ic simply
syncs the value from OVN_IC_Southbound through this config.

Common Columns:

external_ids: map of string-string pairs
See External IDs at the beginning of this document.

The ovn-northd program copies all these pairs into the external_ids
column of the Port_Binding table in the OVN_Southbound database.

Forwarding_Group TABLE
Each row represents one forwarding group.

Summary:
  name                  string
  vip                   string
  vmac                  string
  liveness              boolean
  child_port            set of 1 or more strings
  Common Columns:
    external_ids        map of string-string pairs

Details:
name: string
A name for the forwarding group. This name has no special meaning or
purpose other than to provide convenience for human interaction with the
ovn-nb database.

vip: string
The virtual IP address assigned to the forwarding group. It will respond
with vmac when an ARP request is sent for vip.

vmac: string
The virtual MAC address assigned to the forwarding group.

liveness: boolean
If set to true, liveness is enabled for child ports; otherwise it is
disabled.

child_port: set of 1 or more strings
List of child ports in the forwarding group.

Common Columns:

external_ids: map of string-string pairs
See External IDs at the beginning of this document.

Address_Set TABLE
Each row in this table represents a named set of addresses. An address
set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
or CIDR masks. Address sets may ultimately be used in ACLs to compare
against fields such as ip4.src or ip6.src. A single address set must
contain addresses of the same type. As an example, the following would
create an address set with three IP addresses:

ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'

Address sets may be used in the match column of the ACL table. For
syntax information, see the details of the expression language used for
the match column in the Logical_Flow table of the OVN_Southbound
database.

Summary:
  name                  string (must be unique within table)
  addresses             set of strings
  Common Columns:
    external_ids        map of string-string pairs

Details:
name: string (must be unique within table)
A name for the address set. Names are ASCII and must match
[a-zA-Z_.][a-zA-Z_.0-9]*.

addresses: set of strings
The set of addresses in string form.

Common Columns:

external_ids: map of string-string pairs
See External IDs at the beginning of this document.

Port_Group TABLE
Each row in this table represents a named group of logical switch ports.

Port groups may be used in the match column of the ACL table. For syntax
information, see the details of the expression language used for the
match column in the Logical_Flow table of the OVN_Southbound database.

For each port group, there are two address sets generated to the
Address_Set table of the OVN_Southbound database, containing the IP
addresses of the group of ports, one for IPv4, and the other for IPv6,
with name being the name of the Port_Group followed by a suffix _ip4 for
IPv4 and _ip6 for IPv6. The generated address sets can be used in the
same way as regular address sets in the match column of the ACL table.
For syntax information, see the details of the expression language used
for the match column in the Logical_Flow table of the OVN_Southbound
database.

Summary:
  name                  string (must be unique within table)
  ports                 set of weak reference to Logical_Switch_Ports
  acls                  set of ACLs
  Common Columns:
    external_ids        map of string-string pairs

Details:
name: string (must be unique within table)
A name for the port group. Names are ASCII and must match
[a-zA-Z_.][a-zA-Z_.0-9]*.

ports: set of weak reference to Logical_Switch_Ports
The logical switch ports belonging to the group, as UUIDs.

acls: set of ACLs
Access control rules that apply to the port group. Applying an ACL to a
port group has the same effect as applying the ACL to all logical
switches that the ports of the port group belong to.

Common Columns:

external_ids: map of string-string pairs
See External IDs at the beginning of this document.

Load_Balancer TABLE
Each row represents one load balancer.

Summary:
  name                             string
  vips                             map of string-string pairs
  protocol                         optional string, one of sctp, tcp, or udp
  Health Checks:
    health_check                   set of Load_Balancer_Health_Checks
    ip_port_mappings               map of string-string pairs
  selection_fields                 set of strings, one of eth_dst, eth_src,
                                   ip_dst, ip_src, tp_dst, or tp_src
  Common Columns:
    external_ids                   map of string-string pairs
  Load_Balancer options:
    options : reject               optional string, either true or false
    options : hairpin_snat_ip      optional string
    options : skip_snat            optional string
    options : add_route            optional string
    options : neighbor_responder   optional string

Details:
name: string
A name for the load balancer. This name has no special meaning or
purpose other than to provide convenience for human interaction with the
ovn-nb database.

vips: map of string-string pairs
A map of virtual IP addresses (and an optional port number with : as a
separator) associated with this load balancer and their corresponding
endpoint IP addresses (and optional port numbers with : as separators)
separated by commas. If the destination IP address (and port number) of
a packet leaving a container or a VM matches the virtual IP address (and
port number) provided here as a key, then OVN will statefully replace
the destination IP address by one of the provided IP addresses (and port
number) in this map as a value. IPv4 and IPv6 addresses are supported
for load balancing; however a VIP of one address family may not be
mapped to a destination IP address of a different family. If specifying
an IPv6 address with a port, the address portion must be enclosed in
square brackets. Examples for keys are "192.168.1.4" and
"[fd0f::1]:8800". Examples for value are "10.0.0.1, 10.0.0.2" and
"20.0.0.10:8800, 20.0.0.11:8800".

When the Load_Balancer is added to the logical_switch, the VIP has to be
in a different subnet than the one used for the logical_switch. Since
the VIP is in a different subnet, you should connect your logical switch
to either an OVN logical router or a real router (this is because the
client can now send a packet with VIP as the destination IP address and
router’s MAC address as the destination MAC address).

protocol: optional string, one of sctp, tcp, or udp
Valid protocols are tcp, udp, or sctp. This column is useful when a port
number is provided as part of the vips column. If this column is empty
and a port number is provided as part of the vips column, OVN assumes
the protocol to be tcp.
1605
1606 Health Checks:
1607
1608 OVN supports health checks for load balancer endpoints, for IPv4 load
1609 balancers only. When health checks are enabled, the load balancer uses
1610 only healthy endpoints.
1611
1612 Suppose that vips contains a key-value pair
1613 10.0.0.10:80=10.0.0.4:8080,20.0.0.4:8080. To enable health checks for
1614 this VIP’s endpoints, add two key-value pairs to ip_port_mappings,
1615 with keys 10.0.0.4 and 20.0.0.4, and add to health_check a reference to
1616 a Load_Balancer_Health_Check row whose vip is set to 10.0.0.10.
1617
1618 health_check: set of Load_Balancer_Health_Checks
1619 Load balancer health checks associated with this load balancer.
1620
1621 ip_port_mappings: map of string-string pairs
1622 Maps from endpoint IP to a colon-separated pair of logical port
1623 name and source IP, e.g. port_name:source_ip. Health checks are
1624 sent to this port with the specified source IP.
1625
1626 For example, in the example above, IP to port mappings might be
1627 defined as 10.0.0.4=sw0-p1:10.0.0.2 and
1628 20.0.0.4=sw1-p1:20.0.0.2, if the values given were suitable
1629 ports and IP addresses.
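
The vips format and the health check wiring described above can be checked before a row is written. The following Python sketch is an added example, not code from OVN; the function names are hypothetical, and it assumes a health check row covers a VIP when its vip equals the vips key or the key's address part, as in the example above.

```python
import ipaddress


def parse_endpoint(text):
    """Split 'ip', 'ip:port' or '[ipv6]:port' into (address, port or None)."""
    text = text.strip()
    if text.startswith("["):
        host, closing, rest = text[1:].partition("]")
        if not closing or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed address {text!r}")
        port = rest[1:] if rest else None
    elif text.count(":") == 1:
        host, port = text.split(":")
    else:
        # Bare IPv4 or bare IPv6. An unbracketed "ipv6:port" cannot be told
        # apart from a longer IPv6 address, hence the bracket rule.
        host, port = text, None
    addr = ipaddress.ip_address(host)  # raises ValueError on bad input
    if port is not None:
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port in {text!r}")
        port = int(port)
    return addr, port


def check_load_balancer(vips, ip_port_mappings=None, health_check_vips=()):
    """Return a list of problems found in Load_Balancer column values."""
    problems = []
    mappings = ip_port_mappings or {}
    for key, value in vips.items():
        try:
            vip, _ = parse_endpoint(key)
        except ValueError as exc:
            problems.append(f"vip {key!r}: {exc}")
            continue
        backends = []
        for item in value.split(","):
            try:
                backends.append(parse_endpoint(item)[0])
            except ValueError as exc:
                problems.append(f"vip {key!r}: backend {item.strip()!r}: {exc}")
        # A VIP may not map to a backend of a different address family.
        for ip in backends:
            if ip.version != vip.version:
                problems.append(f"vip {key!r}: backend {ip} is IPv{ip.version} "
                                f"but the VIP is IPv{vip.version}")
        # Assumption: a health check row covers the key or its address part.
        if key not in health_check_vips and str(vip) not in health_check_vips:
            continue
        if vip.version != 4:
            problems.append(f"vip {key!r}: health checks are IPv4 only")
            continue
        # Every monitored endpoint needs a port_name:source_ip mapping.
        for ip in backends:
            mapping = mappings.get(str(ip))
            if mapping is None:
                problems.append(f"vip {key!r}: no ip_port_mappings entry for {ip}")
                continue
            port_name, sep, source = mapping.partition(":")
            try:
                valid = bool(port_name and sep) and \
                    ipaddress.ip_address(source).version == 4
            except ValueError:
                valid = False
            if not valid:
                problems.append(f"ip_port_mappings[{ip}]={mapping!r}: "
                                "expected port_name:source_ip")
    return problems


# Values taken from the example in the text above.
VIPS = {"10.0.0.10:80": "10.0.0.4:8080,20.0.0.4:8080"}
MAPPINGS = {"10.0.0.4": "sw0-p1:10.0.0.2", "20.0.0.4": "sw1-p1:20.0.0.2"}

if __name__ == "__main__":
    for line in check_load_balancer(VIPS, MAPPINGS, ["10.0.0.10"]) or ["ok"]:
        print(line)
```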
1630
1631 selection_fields: set of strings, one of eth_dst, eth_src, ip_dst,
1632 ip_src, tp_dst, or tp_src
1633 OVN native load balancers are supported using the OpenFlow
1634 groups of type select. OVS supports two selection methods:
1635 dp_hash and hash (with optional fields specified) in selecting
1636 the buckets of a group. Please see the OVS documentation (man
1637 ovs-ofctl) for more details on the selection methods. Each end‐
1638 point IP (and port if set) is mapped to a bucket in the group
1639 flow.
1640
1641 CMS can choose the hash selection method by setting the selec‐
1642 tion fields in this column. ovs-vswitchd uses the specified
1643 fields in generating the hash.
1644
1645 dp_hash selection method uses the assistance of datapath to cal‐
1646 culate the hash and it is expected to be faster than hash selec‐
1647 tion method. So CMS should take this into consideration before
1648 using the hash method. Please consult the OVS documentation and
1649 OVS sources for the implementation details.
1650
1651 Common Columns:
1652
1653 external_ids: map of string-string pairs
1654 See External IDs at the beginning of this document.
1655
1656 Load_Balancer options:
1657
1658 options : reject: optional string, either true or false
1659 If the load balancer is created with --reject option and it has
1660 no active backends, a TCP reset segment (for tcp) or an ICMP
1661 port unreachable packet (for all other kinds of traffic) will be
1662 sent whenever an incoming packet is received for this load-bal‐
1663 ancer. Please note using --reject option will disable empty_lb
1664 SB controller event for this load balancer.
1665
1666 options : hairpin_snat_ip: optional string
1667 IP to be used as source IP for packets that have been hair-
1668 pinned after load balancing. The default behavior when the op‐
1669 tion is not set is to use the load balancer VIP as source IP.
1670 This option may have exactly one IPv4 and/or one IPv6 address on
1671 it, separated by a space character.
1672
1673 options : skip_snat: optional string
1674 If the load balancing rule is configured with skip_snat option,
1675 the option lb_force_snat_ip configured for the logical router
1676 that references this load balancer will not be applied for this
1677 load balancer.
1678
1679 options : add_route: optional string
1680 If set to true, then neighbor routers will have logical flows
1681 added that will allow for routing to the VIP IP. It also will
1682 have ARP resolution logical flows added. By setting this option,
1683 it means there is no reason to create a Logi‐
1684 cal_Router_Static_Route from neighbor routers to this NAT ad‐
1685 dress. It also means that no ARP request is required for neigh‐
1686 bor routers to learn the IP-MAC mapping for this VIP IP. For
1687 more information about what flows are added for IP routes,
1688 please see the ovn-northd manpage section on IP Routing.
1689
1690 options : neighbor_responder: optional string
1691 If set to all, then routers on which the load balancer is ap‐
1692 plied reply to ARP/neighbor discovery requests for all VIPs of
1693 the load balancer. If set to reachable, then routers on which
1694 the load balancer is applied reply to ARP/neighbor discovery re‐
1695 quests only for VIPs that are part of a router’s subnet. The de‐
1696 fault value of this option, if not specified, is reachable.
1697
1699 Each row represents a logical grouping of load balancers. It is up to
1700 the CMS to decide the criteria on which load balancers are grouped
1701 together. To simplify configuration and to optimize its processing, load
1702 balancers that must be associated to the same set of logical switches
1703 and/or logical routers should be grouped together.
1704
1705 Summary:
1706 name string (must be unique within table)
1707 load_balancer set of weak reference to Load_Balancers
1708
1709 Details:
1710 name: string (must be unique within table)
1711 A name for the load balancer group. This name has no special
1712 meaning or purpose other than to provide convenience for human
1713 interaction with the ovn-nb database.
1714
1715 load_balancer: set of weak reference to Load_Balancers
1716 A set of load balancers.
1717
1719 Each row represents one load balancer health check. Health checks are
1720 supported for IPv4 load balancers only.
1721
1722 Summary:
1723 vip string
1724 Health check options:
1725 options : interval optional string, containing an integer
1726 options : timeout optional string, containing an integer
1727 options : success_count optional string, containing an integer
1728 options : failure_count optional string, containing an integer
1729 Common Columns:
1730 external_ids map of string-string pairs
1731
1732 Details:
1733 vip: string
1734 vip whose endpoints should be monitored for health check.
1735
1736 Health check options:
1737
1738 options : interval: optional string, containing an integer
1739 The interval, in seconds, between health checks.
1740
1741 options : timeout: optional string, containing an integer
1742 The time, in seconds, after which a health check times out.
1743
1744 options : success_count: optional string, containing an integer
1745 The number of successful checks after which the endpoint is con‐
1746 sidered online.
1747
1748 options : failure_count: optional string, containing an integer
1749 The number of failed checks after which the endpoint is
1750 considered offline.
1751
1752 Common Columns:
1753
1754 external_ids: map of string-string pairs
1755 See External IDs at the beginning of this document.
1756
1758 Each row in this table represents one ACL rule for a logical switch or
1759 a port group that points to it through its acls column. The action col‐
1760 umn for the highest-priority matching row in this table determines a
1761 packet’s treatment. If no row matches, packets are allowed by default.
1762 (Default-deny treatment is possible: add a rule with priority 0, 1 as
1763 match, and deny as action.)
1764
1765 Summary:
1766 label integer, in range 0 to 4,294,967,295
1767 priority integer, in range 0 to 32,767
1768 direction string, either from-lport or to-lport
1769 match string
1770 action string, one of allow-related, al‐
1771 low-stateless, allow, drop, or reject
1772 options:
1773 options : apply-after-lb optional string
1774 Logging:
1775 log boolean
1776 name optional string, at most 63 characters
1777 long
1778 severity optional string, one of alert, debug,
1779 info, notice, or warning
1780 meter optional string
1781 Common Columns:
1782 options map of string-string pairs
1783 ACL configuration options:
1784 options : log-related optional string
1785 external_ids map of string-string pairs
1786
1787 Details:
1788 label: integer, in range 0 to 4,294,967,295
1789 Associates an identifier with the ACL. The same value will be
1790 written to corresponding connection tracker entry. The value
1791 should be a valid 32-bit unsigned integer. This value can help
1792 in debugging from connection tracker side. For example, through
1793 this "label" we can backtrack to the ACL rule which is causing a
1794 "leaked" connection. Connection tracker entries are created only
1795 for allowed connections so the label is valid only for allow and
1796 allow-related actions.
1797
1798 priority: integer, in range 0 to 32,767
1799 The ACL rule’s priority. Rules with numerically higher priority
1800 take precedence over those with lower. If two ACL rules with the
1801 same priority both match, then the one actually applied to a
1802 packet is undefined.
1803
1804 Return traffic from an allow-related flow is always allowed and
1805 cannot be changed through an ACL.
1806
1807 allow-stateless flows always take precedence over stateful
1808 ACLs, regardless of their priority. (Both allow and allow-re‐
1809 lated ACLs can be stateful.)
1810
1811 direction: string, either from-lport or to-lport
1812 Direction of the traffic to which this rule should apply:
1813
1814 • from-lport: Used to implement filters on traffic arriving
1815 from a logical port. These rules are applied to the logi‐
1816 cal switch’s ingress pipeline.
1817
1818 • to-lport: Used to implement filters on traffic forwarded
1819 to a logical port. These rules are applied to the logical
1820 switch’s egress pipeline.
1821
1822 match: string
1823 The packets that the ACL should match, in the same expression
1824 language used for the match column in the OVN Southbound data‐
1825 base’s Logical_Flow table. The outport logical port is only
1826 available in the to-lport direction (the inport is available in
1827 both directions).
1828
1829 By default all traffic is allowed. When writing a more restric‐
1830 tive policy, it is important to remember to allow flows such as
1831 ARP and IPv6 neighbor discovery packets.
1832
1833 Note that you cannot create an ACL matching on a port with
1834 type=router or type=localnet.
1835
1836 action: string, one of allow-related, allow-stateless, allow, drop, or
1837 reject
1838 The action to take when the ACL rule matches:
1839
1840 • allow-stateless: Always forward the packet in stateless
1841 manner, omitting connection tracking mechanism, regard‐
1842 less of other rules defined for the switch. May require
1843 defining additional rules for inbound replies. For exam‐
1844 ple, if you define a rule to allow outgoing TCP traffic
1845 directed to an IP address, then you probably also want to
1846 define another rule to allow incoming TCP traffic coming
1847 from this same IP address.
1848
1849 • allow: Forward the packet. It will also send the packets
1850 through connection tracking when allow-related rules ex‐
1851 ist on the logical switch. Otherwise, it’s equivalent to
1852 allow-stateless.
1853
1854 • allow-related: Forward the packet and related traffic
1855 (e.g. inbound replies to an outbound connection).
1856
1857 • drop: Silently drop the packet.
1858
1859 • reject: Drop the packet, replying with a RST for TCP or
1860 ICMPv4/ICMPv6 unreachable message for other
1861 IPv4/IPv6-based protocols.
1862
1863 options:
1864
1865 ACLs options.
1866
1867 options : apply-after-lb: optional string
1868 If set to true, the ACL will be applied after load balancing
1869 stage. Supported only for from-lport direction.
1870
1871 The main use case of this option is to support ACLs matching on
1872 the destination IP address of the packet for the backend IPs of
1873 load balancers.
1874
1875 OVN will apply the from-lport ACLs in two stages. ACLs without
1876 this option apply-after-lb set, will be applied before the load
1877 balancer stage and ACLs with this option set will be applied
1878 after the load balancer stage. The priorities are independent
1879 between these stages and may not be obvious to the CMS. Hence CMS
1880 should be extra careful when using this option and should care‐
1881 fully evaluate the priorities of all the ACLs and the default
1882 deny/allow ACLs if any.
1883
1884 Logging:
1885
1886 These columns control whether and how OVN logs packets that match an
1887 ACL.
1888
1889 log: boolean
1890 If set to true, packets that match the ACL will trigger a log
1891 message on the transport node or nodes that perform ACL process‐
1892 ing. Logging may be combined with any action.
1893
1894 If set to false, the remaining columns in this group have no
1895 significance.
1896
1897 name: optional string, at most 63 characters long
1898 This name, if it is provided, is included in log records. It
1899 provides the administrator and the cloud management system a way
1900 to associate a log record with a particular ACL.
1901
1902 severity: optional string, one of alert, debug, info, notice, or warn‐
1903 ing
1904 The severity of the ACL. The severity levels match those of sys‐
1905 log, in decreasing level of severity: alert, warning, notice,
1906 info, or debug. When the column is empty, the default is info.
1907
1908 meter: optional string
1909 The name of a meter to rate-limit log messages for the ACL. The
1910 string must match the name column of a row in the Meter table.
1911 By default, log messages are not rate-limited. In order to en‐
1912 sure that the same Meter rate limits multiple ACL logs sepa‐
1913 rately, set the fair column.
1914
1915 Common Columns:
1916
1917 options: map of string-string pairs
1918 This column provides general key/value settings. The supported
1919 options are described individually below.
1920
1921 ACL configuration options:
1922
1923 options : log-related: optional string
1924 If set to true, then log when reply or related traffic is admit‐
1925 ted from a stateful ACL. In order for this option to function,
1926 the log option must be set to true and a label must be set, and
1927 it must be unique to the ACL. The label is necessary as it is
1928 the only means to associate the reply traffic with the ACL to
1929 which it belongs. It must be unique, because otherwise it is am‐
1930 biguous which ACL will be matched. Note: If this option is en‐
1931 abled, an extra flow is installed in order to log the related
1932 traffic. Therefore, if this is enabled on all ACLs, then the to‐
1933 tal number of flows necessary to log the ACL traffic is doubled,
1934 compared to if this option is not enabled.
1935
1936 external_ids: map of string-string pairs
1937 See External IDs at the beginning of this document.
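
A lint pass over ACL rows for the constraints this table states: label validity, apply-after-lb direction, log-related prerequisites, undefined same-priority ties within a stage, and the default-deny rule. This is an added example, not part of OVN; the function names and sample rows are constructed, and it assumes label 0 means "no label" and treats drop or reject as the "deny" of the default-deny rule.

```python
from collections import defaultdict

ACTIONS = {"allow-related", "allow-stateless", "allow", "drop", "reject"}
SEVERITIES = {"alert", "debug", "info", "notice", "warning"}


def option_true(acl, key):
    return acl.get("options", {}).get(key) == "true"


def stage(acl):
    # from-lport ACLs run in two stages with independent priorities.
    return "after-lb" if option_true(acl, "apply-after-lb") else "before-lb"


def lint_acls(acls):
    """Return (row index, message) findings for a list of ACL row dicts."""
    findings = []
    labels, slots = defaultdict(list), defaultdict(list)
    for i, acl in enumerate(acls):
        if acl.get("label", 0):  # assumption: 0 means no label
            labels[acl["label"]].append(i)
        slots[(acl["direction"], stage(acl), acl["priority"])].append(i)

    for i, acl in enumerate(acls):
        label = acl.get("label", 0)
        if not 0 <= acl["priority"] <= 32767:
            findings.append((i, "priority out of range 0..32767"))
        if acl["action"] not in ACTIONS:
            findings.append((i, "unknown action"))
        if label and acl["action"] not in ("allow", "allow-related"):
            findings.append((i, "label is valid only for allow/allow-related"))
        if option_true(acl, "apply-after-lb") and acl["direction"] != "from-lport":
            findings.append((i, "apply-after-lb is supported only for from-lport"))
        if option_true(acl, "log-related"):
            if not acl.get("log"):
                findings.append((i, "log-related requires log=true"))
            if not label or len(labels[label]) > 1:
                findings.append((i, "log-related requires a label unique to the ACL"))
        if not acl.get("log") and any(acl.get(c) for c in ("name", "severity", "meter")):
            findings.append((i, "name/severity/meter have no effect while log is false"))
        if len(acl.get("name", "")) > 63:
            findings.append((i, "name longer than 63 characters"))
        if acl.get("severity", "info") not in SEVERITIES:
            findings.append((i, "unknown severity"))

    # Same direction, stage and priority with different actions: which row
    # applies is undefined if both match the same packet.
    for (direction, stg, prio), rows in sorted(slots.items()):
        if len({acls[i]["action"] for i in rows}) > 1:
            findings.append((rows[0], f"rows {rows} share {direction}/{stg}/"
                                      f"priority {prio} with different actions"))
    return findings


def has_default_deny(acls, direction):
    """True if a priority-0, match "1" deny row exists for the direction."""
    return any(a["direction"] == direction and a["priority"] == 0
               and a["match"].strip() == "1"
               and a["action"] in ("drop", "reject") for a in acls)


# Constructed sample rows using the column names of this table.
SAMPLE_ACLS = [
    {"priority": 1000, "direction": "from-lport", "action": "allow-related",
     "match": "ip4.dst == 10.0.0.4 && tcp.dst == 8080", "label": 7, "log": True,
     "options": {"apply-after-lb": "true", "log-related": "true"}},
    {"priority": 1000, "direction": "to-lport", "action": "allow-related",
     "match": "ip4", "label": 7, "log": True,
     "options": {"apply-after-lb": "true", "log-related": "true"}},
    {"priority": 900, "direction": "from-lport", "action": "drop",
     "match": "ip4.src == 10.0.0.0/24", "label": 9, "log": False,
     "meter": "acl-log"},
    {"priority": 900, "direction": "from-lport", "action": "allow", "match": "tcp"},
    {"priority": 0, "direction": "from-lport", "action": "drop", "match": "1"},
]

if __name__ == "__main__":
    for index, message in lint_acls(SAMPLE_ACLS):
        print(f"row {index}: {message}")
    for d in ("from-lport", "to-lport"):
        print(d, "default deny:", has_default_deny(SAMPLE_ACLS, d))
```

Rows that share a priority are flagged only when their actions differ, since the lint does not evaluate whether two match expressions overlap.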
1938
1940 Each row represents one L3 logical router.
1941
1942 Summary:
1943 ports set of Logical_Router_Ports
1944 static_routes set of Logical_Router_Static_Routes
1945 policies set of Logical_Router_Policys
1946 enabled optional boolean
1947 nat set of NATs
1948 load_balancer set of weak reference to Load_Balancers
1949 load_balancer_group set of Load_Balancer_Groups
1950 Naming:
1951 name string
1952 external_ids : neutron:router_name
1953 optional string
1954 copp optional weak reference to Copp
1955 Options:
1956 options : chassis optional string
1957 options : dnat_force_snat_ip
1958 optional string
1959 options : lb_force_snat_ip optional string
1960 options : mcast_relay optional string, either true or false
1961 options : dynamic_neigh_routers
1962 optional string, either true or false
1963 options : always_learn_from_arp_request
1964 optional string, either true or false
1965 options : requested-tnl-key
1966 optional string, containing an integer,
1967 in range 1 to 16,777,215
1968 options : snat-ct-zone optional string, containing an integer,
1969 in range 0 to 65,535
1970 Common Columns:
1971 external_ids map of string-string pairs
1972
1973 Details:
1974 ports: set of Logical_Router_Ports
1975 The router’s ports.
1976
1977 static_routes: set of Logical_Router_Static_Routes
1978 Zero or more static routes for the router.
1979
1980 policies: set of Logical_Router_Policys
1981 Zero or more routing policies for the router.
1982
1983 enabled: optional boolean
1984 This column is used to administratively set router state. If
1985 this column is empty or is set to true, the router is enabled.
1986 If this column is set to false, the router is disabled. A dis‐
1987 abled router has all ingress and egress traffic dropped.
1988
1989 nat: set of NATs
1990 One or more NAT rules for the router. NAT rules only work on
1991 Gateway routers, and on distributed routers with one and only
1992 one distributed gateway port.
1993
1994 load_balancer: set of weak reference to Load_Balancers
1995 Set of load balancers associated to this logical router. Load
1996 balancer rules only work on the Gateway routers or
1997 routers with one and only one distributed gateway port.
1998
1999 load_balancer_group: set of Load_Balancer_Groups
2000 Set of load balancer groups associated to this logical router.
2001
2002 Naming:
2003
2004 These columns provide names for the logical router. From OVN’s perspec‐
2005 tive, these names have no special meaning or purpose other than to pro‐
2006 vide convenience for human interaction with the northbound database.
2007 There is no requirement for the name to be unique. (For a unique iden‐
2008 tifier for a logical router, use its row UUID.)
2009
2010 (Originally, name was intended to serve the purpose of a human-friendly
2011 name, but the Neutron integration used it to uniquely identify its own
2012 router object, in the format neutron-uuid. Later on, Neutron started
2013 propagating the friendly name of a router as external_ids:neu‐
2014 tron:router_name. Perhaps this can be cleaned up someday.)
2015
2016 name: string
2017 A name for the logical router.
2018
2019 external_ids : neutron:router_name: optional string
2020 Another name for the logical router.
2021
2022 copp: optional weak reference to Copp
2023 The control plane protection policy from table Copp used for me‐
2024 tering packets sent to ovn-controller from logical ports of this
2025 router.
2026
2027 Options:
2028
2029 Additional options for the logical router.
2030
2031 options : chassis: optional string
2032 If set, indicates that the logical router in question is a Gate‐
2033 way router (which is centralized) and resides in the set chas‐
2034 sis. The same value is also used by ovn-controller to uniquely
2035 identify the chassis in the OVN deployment and comes from exter‐
2036 nal_ids:system-id in the Open_vSwitch table of Open_vSwitch
2037 database.
2038
2039 The Gateway router can only be connected to a distributed router
2040 via a switch if SNAT and DNAT are to be configured in the Gate‐
2041 way router.
2042
2043 options : dnat_force_snat_ip: optional string
2044 If set, indicates a set of IP addresses to use to force SNAT a
2045 packet that has already been DNATed in the gateway router. When
2046 multiple gateway routers are configured, a packet can
2047 potentially enter any of the gateway routers, get DNATted and
2048 eventually reach the logical switch port. For the return traffic to go
2049 back to the same gateway router (for unDNATing), the packet
2050 needs a SNAT in the first place. This can be achieved by setting
2051 the above option with a gateway specific set of IP addresses.
2052 This option may have exactly one IPv4 and/or one IPv6 address on
2053 it, separated by a space.
2054
2055 options : lb_force_snat_ip: optional string
2056 If set, this option can take two possible types of values: either
2057 a set of IP addresses or the string value router_ip.
2058
2059 If a set of IP addresses is configured, it is used to
2060 force SNAT a packet that has already been load-balanced in the
2061 gateway router. When multiple gateway routers are configured, a
2062 packet can potentially enter any of the gateway routers, get
2063 DNATted as part of the load-balancing and eventually reach the
2064 logical switch port. For the return traffic to go back to the
2065 same gateway router (for unDNATing), the packet needs a SNAT in
2066 the first place. This can be achieved by setting the above op‐
2067 tion with a gateway specific set of IP addresses. This option
2068 may have exactly one IPv4 and/or one IPv6 address on it, sepa‐
2069 rated by a space character.
2070
2071 If it is configured with the value router_ip, then the load bal‐
2072 anced packet is SNATed with the IP of router port (attached to
2073 the gateway router) selected as the destination after taking the
2074 routing decision.
2075
2076 options : mcast_relay: optional string, either true or false
2077 Enables/disables IP multicast relay between logical switches
2078 connected to the logical router. Default: False.
2079
2080 options : dynamic_neigh_routers: optional string, either true or false
2081 If set to true, the router will resolve neighbor routers’ MAC
2082 addresses only by dynamic ARP/ND, instead of prepopulating
2083 static mappings for all neighbor routers in the ARP/ND Resolution
2084 stage. This reduces the number of flows, but requires ARP/ND
2085 messages to resolve the IP-MAC bindings when needed. It is false
2086 by default. It is recommended to set to true when a large number
2087 of logical routers are connected to the same logical switch but
2088 most of them never need to send traffic between each other. By
2089 default, ovn-northd does not create mappings to NAT and load
2090 balancer addresses. However, for NAT and load balancer addresses
2091 that have the add_route option added, ovn-northd will create
2092 logical flows that map NAT and load balancer IP addresses to the
2093 appropriate MAC address. Setting dynamic_neigh_routers to true
2094 will prevent the automatic creation of these logical flows.
2095
2096 options : always_learn_from_arp_request: optional string, either true
2097 or false
2098 This option controls the behavior when handling IPv4 ARP re‐
2099 quests or IPv6 ND-NS packets - whether a dynamic neighbor (MAC
2100 binding) entry is added/updated.
2101
2102 true - Always learn the MAC-IP binding, and add/update the MAC
2103 binding entry.
2104
2105 false - If there is a MAC binding for that IP and the MAC is
2106 different, or, if TPA of ARP request belongs to any router port
2107 on this router, then update/add that MAC-IP binding. Otherwise,
2108 don’t update/add entries.
2109
2110 It is true by default. It is recommended to set to false when a
2111 large number of logical routers are connected to the same logi‐
2112 cal switch but most of them never need to send traffic between
2113 each other, to reduce the size of the MAC binding table.
2114
2115 options : requested-tnl-key: optional string, containing an integer, in
2116 range 1 to 16,777,215
2117 Configures the datapath tunnel key for the logical router. This
2118 is not needed because ovn-northd will assign a unique key for
2119 each datapath by itself. However, if it is configured,
2120 ovn-northd honors the configured value.
2121
2122 options : snat-ct-zone: optional string, containing an integer, in
2123 range 0 to 65,535
2124 Use the requested conntrack zone for SNAT with this router. This
2125 can be useful if egress traffic from the host running OVN comes
2126 from both OVN and other sources. This way, OVN and the other
2127 sources can make use of the same conntrack zone.
2128
2129 Common Columns:
2130
2131 external_ids: map of string-string pairs
2132 See External IDs at the beginning of this document.
2133
2135 Each row in this table represents one QoS rule for a logical switch
2136 that points to it through its qos_rules column. Two types of QoS are
2137 supported: DSCP marking and metering. The matching row with the highest
2138 priority will have QoS applied. If the action column is specified, then
2139 matching packets will have DSCP marking applied. If the bandwidth
2140 column is specified, then matching packets will have metering applied.
2141 action and bandwidth are not exclusive, so both marking and metering can
2142 be defined for the same QoS entry. If no row matches, packets will not
2143 have any QoS applied.
2144
2145 Summary:
2146 priority integer, in range 0 to 32,767
2147 direction string, either from-lport or to-lport
2148 match string
2149 action map of string-integer pairs, key must be
2150 dscp, value in range 0 to 63
2151 bandwidth map of string-integer pairs, key either
2152 burst or rate, value in range 1 to
2153 4,294,967,295
2154 external_ids map of string-string pairs
2155
2156 Details:
2157 priority: integer, in range 0 to 32,767
2158 The QoS rule’s priority. Rules with numerically higher priority
2159 take precedence over those with lower. If two QoS rules with the
2160 same priority both match, then the one actually applied to a
2161 packet is undefined.
2162
2163 direction: string, either from-lport or to-lport
2164 The value of this field is similar to the direction column in the OVN
2165 Northbound database’s ACL table.
2166
2167 match: string
2168 The packets that the QoS rules should match, in the same expres‐
2169 sion language used for the match column in the OVN Southbound
2170 database’s Logical_Flow table. The outport logical port is only
2171 available in the to-lport direction (the inport is available in
2172 both directions).
2173
2174 action: map of string-integer pairs, key must be dscp, value in range 0
2175 to 63
2176 When specified, matching flows will have DSCP marking applied.
2177
2178 • dscp: The value of this action should be in the range of
2179 0 to 63 (inclusive).
2180
2181 bandwidth: map of string-integer pairs, key either burst or rate, value
2182 in range 1 to 4,294,967,295
2183 When specified, matching packets will have bandwidth metering
2184 applied. Traffic over the limit will be dropped.
2185
2186 • rate: The value of rate limit in kbps.
2187
2188 • burst: The value of burst rate limit in kilobits. This is
2189 optional and requires rate to be specified.
2190
2191 external_ids: map of string-string pairs
2192 See External IDs at the beginning of this document.
2193
2195 Each row in this table represents a meter that can be used for QoS or
2196 rate-limiting.
2197
2198 Summary:
2199 name string (must be unique within table)
2200 unit string, either kbps or pktps
2201 bands set of 1 or more Meter_Bands
2202 fair optional boolean
2203 external_ids map of string-string pairs
2204
2205 Details:
2206 name: string (must be unique within table)
2207 A name for this meter.
2208
2209 Names that begin with "__" (two underscores) are reserved for
2210 OVN internal use and should not be added manually.
2211
2212 unit: string, either kbps or pktps
2213 The unit for rate and burst_rate parameters in the bands entry.
2214 kbps specifies kilobits per second, and pktps specifies packets
2215 per second.
2216
2217 bands: set of 1 or more Meter_Bands
2218 The bands associated with this meter. Each band specifies a rate
2219 above which the band is to take the action action. If multiple
2220 bands’ rates are exceeded, then the band with the highest rate
2221 among the exceeded bands is selected.
2222
2223 fair: optional boolean
2224 This column is used to further describe the desired behavior of
2225 the meter when there are multiple references to it. If this col‐
2226 umn is empty or is set to false, the rate will be shared across
2227 all rows that refer to the same Meter name. Conversely, when
2228 this column is set to true, each user of the same Meter will be
2229 rate-limited on its own.
2230
2231 external_ids: map of string-string pairs
2232 See External IDs at the beginning of this document.
2233
2235 Each row in this table represents a meter band which specifies the rate
2236 above which the configured action should be applied. These bands are
2237 referenced by the bands column in the Meter table.
2238
2239 Summary:
2240 action string, must be drop
2241 rate integer, in range 1 to 4,294,967,295
2242 burst_size integer, in range 0 to 4,294,967,295
2243 external_ids map of string-string pairs
2244
2245 Details:
2246 action: string, must be drop
2247 The action to execute when this band matches. The only supported
2248 action is drop.
2249
2250 rate: integer, in range 1 to 4,294,967,295
2251 The rate limit for this band, in kilobits per second or packets per
2252 second, depending on whether the parent Meter entry’s unit col‐
2253 umn specified kbps or pktps.
2254
2255 burst_size: integer, in range 0 to 4,294,967,295
2256 The maximum burst allowed for the band in kilobits or packets,
2257 depending on whether kbps or pktps was selected in the parent
2258 Meter entry’s unit column. If the size is zero, the switch is
2259 free to select some reasonable value depending on its configura‐
2260 tion.
2261
2262 external_ids: map of string-string pairs
2263 See External IDs at the beginning of this document.
2264
2266 A port within an L3 logical router.
2267
2268 Exactly one Logical_Router row must reference a given logical router
2269 port.
2270
2271 Summary:
2272 name string (must be unique within table)
2273 networks set of 1 or more strings
2274 mac string
2275 enabled optional boolean
2276 Distributed Gateway Ports:
2277 ha_chassis_group optional HA_Chassis_Group
2278 gateway_chassis set of Gateway_Chassises
2279 Options for Physical VLAN MTU Issues:
2280 options : reside-on-redirect-chassis
2281 optional string, either true or false
2282 options : redirect-type optional string, either bridged or over‐
2283 lay
2284 ipv6_prefix set of strings
2285 ipv6_ra_configs:
2286 ipv6_ra_configs : address_mode
2287 optional string
2288 ipv6_ra_configs : router_preference
2289 optional string
2290 ipv6_ra_configs : route_info
2291 optional string
2292 ipv6_ra_configs : mtu optional string
2293 ipv6_ra_configs : send_periodic
2294 optional string
2295 ipv6_ra_configs : max_interval
2296 optional string
2297 ipv6_ra_configs : min_interval
2298 optional string
2299 ipv6_ra_configs : rdnss optional string
2300 ipv6_ra_configs : dnssl optional string
2301 Options:
2302 options : mcast_flood optional string, either true or false
2303 options : requested-tnl-key
2304 optional string, containing an integer,
2305 in range 1 to 32,767
2306 options : prefix_delegation
2307 optional string, either true or false
2308 options : prefix optional string, either true or false
2309 options : route_table optional string
2310 options : gateway_mtu optional string, containing an integer,
2311 in range 68 to 65,535
2312 options : gateway_mtu_bypass
2313 optional string
2314 Attachment:
2315 peer optional string
2316 Common Columns:
2317 external_ids map of string-string pairs
2318
2319 Details:
2320 name: string (must be unique within table)
2321 A name for the logical router port.
2322
2323 In addition to providing convenience for human interaction with
2324 the northbound database, this column is used as reference by its
2325 patch port in Logical_Switch_Port or another logical router port
2326 in Logical_Router_Port.
2327
2328 A logical router port may not have the same name as a logical
2329 switch port, but the database schema cannot enforce this.
2330
2331 networks: set of 1 or more strings
2332 The IP addresses and netmasks of the router. For example,
2333 192.168.0.1/24 indicates that the router’s IP address is
2334 192.168.0.1 and that packets destined to 192.168.0.x should be
2335 routed to this port.
2336
2337 A logical router port always adds a link-local IPv6 address
2338 (fe80::/64) automatically generated from the interface’s MAC ad‐
2339 dress using the modified EUI-64 format.
2340
2341 mac: string
2342 The Ethernet address that belongs to this router port.
2343
2344 enabled: optional boolean
2345 This column is used to administratively set port state. If this
2346 column is empty or is set to true, the port is enabled. If this
2347 column is set to false, the port is disabled. A disabled port
2348 has all ingress and egress traffic dropped.
2349
2350 Distributed Gateway Ports:
2351
2352 Gateways, as documented under Gateways in the OVN architecture guide,
2353 provide limited connectivity between logical networks and physical
2354 ones. OVN supports multiple kinds of gateways. The Logical_Router_Port
2355 table can be used in two different ways to configure distributed gateway
2356 ports, which are one kind of gateway. These two forms of configuration
2357 exist for historical reasons. Both of them produce the same kind of OVN
2358 southbound records and the same behavior in practice.
2359
2360 If either of these is set, this logical router port represents a
2361 distributed gateway port that connects this router to a logical switch
2362 with a localnet port or a connection to another OVN deployment.
2363
2364 As also mentioned in the OVN architecture guide, distributed gateway ports
2365 can be used for scalability reasons in deployments where logical
2366 switches are dedicated to chassis rather than distributed.
2367
2368 The preferred way to configure a gateway is ha_chassis_group, but
2369 gateway_chassis is also supported for backward compatibility. Only one of
2370 these should be set at a time on a given LRP, since they configure the
2371 same features.
2372
2373 Even when a gateway is configured, the logical router port still effec‐
2374 tively resides on each chassis. However, due to the implications of the
2375 use of L2 learning in the physical network, as well as the need to sup‐
2376 port advanced features such as one-to-many NAT (aka IP masquerading), a
2377 subset of the logical router processing is handled in a centralized
2378 manner on the gateway chassis.
2379
2380 There can be more than one distributed gateway port configured on each
2381 logical router, each connecting to different L2 segments.
2382 Load-balancing is not yet supported on logical routers with more than one
2383 distributed gateway port.
2384
2385 Each distributed gateway port may have more than one gateway
2386 chassis. When more than one gateway chassis is specified, OVN only
2387 uses one at a time. OVN can rely on the OVS BFD implementation to monitor
2388 gateway connectivity, preferring the highest-priority gateway that is
2389 online. Priorities are specified in the priority column of
2390 Gateway_Chassis or HA_Chassis.
2391
2392 ovn-northd programs the external_mac rules specified in the LRP’s LR
2393 into the peer logical switch’s destination lookup on the chassis where
2394 the logical_port resides. In addition, the logical router’s MAC address
2395 is automatically programmed in the peer logical switch’s destination
2396 lookup flow on the gateway chassis. If it is desired to generate
2397 gratuitous ARPs for NAT addresses, then set the peer LSP’s
2398 options:nat-addresses to router.
2399
2400 OVN 20.03 and earlier supported a third way to configure distributed
2401 gateway ports using options:redirect-chassis to specify the gateway
2402 chassis. This method is no longer supported. Any remaining users should
2403 switch to one of the newer methods instead. A gateway_chassis may be
2404 easily configured from the command line, e.g. ovn-nbctl
2405 lrp-set-gateway-chassis lrp chassis.
2406
2407 ha_chassis_group: optional HA_Chassis_Group
2408 Designates an HA_Chassis_Group to provide gateway high avail‐
2409 ability.
2410
2411 gateway_chassis: set of Gateway_Chassises
2412 Designates one or more Gateway_Chassis for the logical router
2413 port.
2414
2415 Options for Physical VLAN MTU Issues:
2416
2417 MTU issues arise in mixing tunnels with logical networks that are
2418 bridged to a physical VLAN. For an explanation of the MTU issues, see
2419 Physical VLAN MTU Issues in the OVN architecture document. The follow‐
2420 ing options, which are alternatives, provide solutions. Both of them
2421 cause packets to be sent over localnet instead of tunnels, but they
2422 differ in whether some or all packets are sent this way. The most prom‐
2423 inent tradeoff between these options is that reside-on-redirect-chassis
2424 is easier to configure and that redirect-type performs better for east-
2425 west traffic.
2426
2427 options : reside-on-redirect-chassis: optional string, either true or
2428 false
2429 If set to true, this option forces all traffic across the logi‐
2430 cal router port to pass through the gateway chassis using a hop
2431 across a localnet port. This changes behavior in two ways:
2432
2433 • Without this option, east-west traffic passes directly
2434 between source and destination chassis (or even within a
2435 single chassis, for co-located VMs). With this option,
2436 all east-west traffic passes through the gateway chassis.
2437
2438 • Without this option, traffic between the gateway chassis
2439 and other chassis is encapsulated in tunnels. With this
2440 option, traffic passes over a localnet interface.
2441
2442 This option may usefully be set only on logical router ports
2443 that connect a distributed logical router to a logical switch
2444 with VIFs. It should not be set on a distributed gateway port.
2445
2446 OVN honors this option only if the logical router has one and
2447 only one distributed gateway port and if the LRP’s peer switch
2448 has a localnet port.
2449
2450 options : redirect-type: optional string, either bridged or overlay
2451 If set to bridged on a distributed gateway port, this option
2452 causes OVN to redirect packets to the gateway chassis over a lo‐
2453 calnet port instead of a tunnel. The relevant chassis must share
2454 a localnet port.
2455
2456 This feature requires the administrator or the CMS to configure
2457 each participating chassis with a unique Ethernet address for
2458 the logical router by setting ovn-chassis-mac-mappings in the
2459 Open vSwitch database, for use by ovn-controller.
2460
2461 Setting this option to overlay or leaving it unset has no ef‐
2462 fect. This option may usefully be set only on a distributed
2463 gateway port when there is one and only one distributed gateway
2464 port on the logical router. It is otherwise ignored.
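
The constraints stated in the two sections above, collected into a lint over Logical_Router_Port rows. This is an added example, not OVN code: rows are plain dicts, and peer_has_localnet, the finding names and the sample rows are constructed assumptions.

```python
def is_dgp(lrp):
    """A port is a distributed gateway port if either gateway column is set."""
    return bool(lrp.get("ha_chassis_group")) or bool(lrp.get("gateway_chassis"))


def lint_router_ports(lrps, peer_has_localnet):
    """Return (port name, finding) pairs for the Logical_Router_Port rows of
    ONE logical router. peer_has_localnet maps a port name to True when the
    peer logical switch has a localnet port (precomputed by the caller)."""
    findings = []
    dgp_count = sum(1 for lrp in lrps if is_dgp(lrp))
    for lrp in lrps:
        name = lrp["name"]
        opts = lrp.get("options", {})

        # "Only one of these should be set at a time on a given LRP."
        if lrp.get("ha_chassis_group") and lrp.get("gateway_chassis"):
            findings.append((name, "both-gateway-columns-set"))

        # The OVN 20.03-era options:redirect-chassis method is no longer supported.
        if "redirect-chassis" in opts:
            findings.append((name, "redirect-chassis-unsupported"))

        if opts.get("reside-on-redirect-chassis") == "true":
            if is_dgp(lrp):
                # "It should not be set on a distributed gateway port."
                findings.append((name, "reside-on-redirect-chassis-on-dgp"))
            elif dgp_count != 1 or not peer_has_localnet.get(name, False):
                # Honored only with exactly one DGP and a localnet port on the peer.
                findings.append((name, "reside-on-redirect-chassis-not-honored"))

        rtype = opts.get("redirect-type")
        if rtype is not None and rtype not in ("bridged", "overlay"):
            findings.append((name, "redirect-type-invalid"))
        elif rtype == "bridged" and (not is_dgp(lrp) or dgp_count != 1):
            # Useful only on a DGP when the router has exactly one DGP.
            findings.append((name, "redirect-type-ignored"))
    return findings


# Constructed sample rows for one logical router (not from a real deployment).
SAMPLE_LRPS = [
    {"name": "lr0-public", "gateway_chassis": ["gw1", "gw2"],
     "ha_chassis_group": "hagrp1", "options": {"redirect-type": "bridged"}},
    {"name": "lr0-sw0", "options": {"reside-on-redirect-chassis": "true"}},
    {"name": "lr0-sw1", "options": {"reside-on-redirect-chassis": "true",
                                    "redirect-chassis": "gw1"}},
]
SAMPLE_LOCALNET = {"lr0-sw0": True, "lr0-sw1": False}

if __name__ == "__main__":
    for port, finding in lint_router_ports(SAMPLE_LRPS, SAMPLE_LOCALNET):
        print(f"{port}: {finding}")
```
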
2465
2466 ipv6_prefix: set of strings
2467 This column contains the IPv6 prefix obtained by the prefix delegation
2468 router according to RFC 3633.
2469
2470 ipv6_ra_configs:
2471
2472 This column defines the IPv6 ND RA address mode and ND MTU Option to be
2473 included by ovn-controller when it replies to the IPv6 Router solicita‐
2474 tion requests.
2475
2476 ipv6_ra_configs : address_mode: optional string
2477 The address mode to be used for IPv6 address configuration. The
2478 supported values are:
2479
2480 • slaac: Address configuration using Router Advertisement
2481 (RA) packet. The IPv6 prefixes defined in the
2482 Logical_Router_Port table’s networks column will be included
2483 in the RA’s ICMPv6 option - Prefix information.
2484
2485 • dhcpv6_stateful: Address configuration using DHCPv6.
2486
2487 • dhcpv6_stateless: Address configuration using Router Ad‐
2488 vertisement (RA) packet. Other IPv6 options are provided
2489 by DHCPv6.
2490
2491 ipv6_ra_configs : router_preference: optional string
2492 Default Router Preference (PRF) indicates whether to prefer this
2493 router over other default routers (RFC 4191). Possible values
2494 are:
2495
2496 • HIGH: mapped to 0x01 in RA PRF field
2497
2498 • MEDIUM: mapped to 0x00 in RA PRF field
2499
2500 • LOW: mapped to 0x11 in RA PRF field
2501
2502 ipv6_ra_configs : route_info: optional string
2503 Route Info is used to configure Route Info Option sent in Router
2504 Advertisement according to RFC 4191. Route Info is a comma-separated
2505 string where each field provides PRF and prefix for a
2506 given route (e.g. HIGH-aef1::11/48,LOW-aef2::11/96). Possible PRF
2507 values are:
2508
2509 • HIGH: mapped to 0x01 in RA PRF field
2510
2511 • MEDIUM: mapped to 0x00 in RA PRF field
2512
2513 • LOW: mapped to 0x11 in RA PRF field
2514
2515 ipv6_ra_configs : mtu: optional string
2516 The recommended MTU for the link. Default is 0, which means no
2517 MTU Option will be included in RA packet replied by
2518 ovn-controller. Per RFC 2460, the mtu value is recommended no less than
2519 1280, so any mtu value less than 1280 will be considered as no
2520 MTU Option.
2521
2522 ipv6_ra_configs : send_periodic: optional string
2523 If set to true, then this router interface will send router ad‐
2524 vertisements periodically. The default is false.
2525
2526 ipv6_ra_configs : max_interval: optional string
2527 The maximum number of seconds to wait between sending periodic
2528 router advertisements. This option has no effect if
2529 ipv6_ra_configs:send_periodic is false. The default is 600.
2530
2531 ipv6_ra_configs : min_interval: optional string
2532 The minimum number of seconds to wait between sending periodic
2533 router advertisements. This option has no effect if
2534 ipv6_ra_configs:send_periodic is false. The default is one-third of
2535 ipv6_ra_configs:max_interval, i.e. 200 seconds if that key is
2536 unset.
2537
2538 ipv6_ra_configs : rdnss: optional string
2539 IPv6 address of RDNSS server announced in RA packets. At the mo‐
2540 ment OVN supports just one RDNSS server.
2541
2542 ipv6_ra_configs : dnssl: optional string
2543 DNS Search List announced in RA packets. Multiple DNS Search
2544 List entries must be comma separated (e.g. "a.b.c, d.e.f").
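
How the mac column and an ipv6_ra_configs map resolve into what the RA carries, using the defaults stated above. This is an added example, not OVN code; the function names and the sample map are assumptions, and PRF is stored as the two-bit RFC 4191 patterns 01/00/11 that the page writes as 0x01/0x00/0x11.

```python
import ipaddress

PRF_BITS = {"HIGH": 0b01, "MEDIUM": 0b00, "LOW": 0b11}   # RFC 4191 Prf field
ADDRESS_MODES = ("slaac", "dhcpv6_stateful", "dhcpv6_stateless")


def link_local_from_mac(mac):
    """fe80::/64 address derived from a MAC using modified EUI-64."""
    octets = [int(part, 16) for part in mac.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad MAC address: {mac!r}")
    octets[0] ^= 0x02                       # invert the universal/local bit
    eui64 = octets[:3] + [0xFF, 0xFE] + octets[3:]
    interface_id = int.from_bytes(bytes(eui64), "big")
    return ipaddress.IPv6Address((0xFE80 << 112) | interface_id)


def parse_route_info(value):
    """'HIGH-aef1::11/48,LOW-aef2::11/96' -> [(prf_bits, IPv6Network), ...]"""
    routes = []
    for field in value.split(","):
        prf, sep, prefix = field.strip().partition("-")
        if not sep or prf not in PRF_BITS:
            raise ValueError(f"bad route_info field: {field!r}")
        network = ipaddress.IPv6Network(prefix, strict=False)
        routes.append((PRF_BITS[prf], network))
    return routes


def effective_ra_config(mac, ra):
    """Apply the documented defaults to an ipv6_ra_configs map (all strings)."""
    mode = ra.get("address_mode")
    if mode is not None and mode not in ADDRESS_MODES:
        raise ValueError(f"unsupported address_mode: {mode!r}")
    pref = ra.get("router_preference")
    if pref is not None and pref not in PRF_BITS:
        raise ValueError(f"unsupported router_preference: {pref!r}")

    mtu = int(ra.get("mtu", "0"))
    max_interval = int(ra.get("max_interval", "600"))
    # Default min_interval is one-third of max_interval (200 when unset).
    min_interval = int(ra.get("min_interval", max_interval // 3))
    rdnss = ra.get("rdnss")
    return {
        "link_local": link_local_from_mac(mac),
        "address_mode": mode,
        "prf_bits": None if pref is None else PRF_BITS[pref],
        # Values below 1280 are treated as "no MTU Option".
        "mtu_option": mtu if mtu >= 1280 else None,
        "send_periodic": ra.get("send_periodic", "false") == "true",
        "max_interval": max_interval,
        "min_interval": min_interval,
        "route_info": parse_route_info(ra["route_info"]) if "route_info" in ra else [],
        "rdnss": None if rdnss is None else ipaddress.IPv6Address(rdnss),
        "dnssl": [d.strip() for d in ra.get("dnssl", "").split(",") if d.strip()],
    }


# Constructed sample values; route_info and dnssl strings are the page's examples.
SAMPLE_MAC = "00:00:00:00:ff:01"
SAMPLE_RA = {
    "address_mode": "slaac",
    "router_preference": "LOW",
    "mtu": "1000",
    "send_periodic": "true",
    "route_info": "HIGH-aef1::11/48,LOW-aef2::11/96",
    "dnssl": "a.b.c, d.e.f",
}

if __name__ == "__main__":
    for key, value in effective_ra_config(SAMPLE_MAC, SAMPLE_RA).items():
        print(f"{key}: {value}")
```
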
2545
2546 Options:
2547
2548 Additional options for the logical router port.
2549
2550 options : mcast_flood: optional string, either true or false
2551 If set to true, multicast traffic (including reports) is
2552 unconditionally forwarded to the specific port.
2553
2554 This option applies when the port is part of a logical router
2555 which has options:mcast_relay set to true.
2556
2557 options : requested-tnl-key: optional string, containing an integer, in
2558 range 1 to 32,767
2559 Configures the port binding tunnel key for the port. Usually
2560 this is not needed because ovn-northd will assign a unique key
2561 for each port by itself. However, if it is configured,
2562 ovn-northd honors the configured value.
2563
2564 options : prefix_delegation: optional string, either true or false
2565 If set to true, enable IPv6 prefix delegation state machine on
2566 this logical router port (RFC3633). IPv6 prefix delegation is
2567 available just on a gateway router or on a gateway router port.
2568
2569 options : prefix: optional string, either true or false
2570 If set to true, this interface will receive an IPv6 prefix
2571 according to RFC3633.
2572
2573 options : route_table: optional string
2574 Designates lookup Logical_Router_Static_Routes with specified
2575 route_table value. Routes to directly connected networks from
2576 same Logical Router and routes without route_table option set
2577 have higher priority than routes with route_table option set.
2578
2579 options : gateway_mtu: optional string, containing an integer, in range
2580 68 to 65,535
2581 If set, logical flows will be added to router pipeline to check
2582 packet length. If packet length is greater than the value set,
2583 ICMPv4 type 3 (Destination Unreachable) code 4 (Fragmentation
2584 Needed and Don’t Fragment was Set) or ICMPv6 type 2 (Packet Too
2585 Big) code 0 (no route to destination) packets will be generated.
2586 This allows for Path MTU Discovery.
2587
2588 options : gateway_mtu_bypass: optional string
2589 When configured, represents a match expression, in the same
2590 expression language used for the match column in the OVN
2591 Southbound database’s Logical_Flow table. Packets matching this
2592 expression will bypass the length check configured through the
2593 options:gateway_mtu option.
2594
2595 Attachment:
2596
2597 A given router port serves one of two purposes:
2598
2599 • To attach a logical switch to a logical router. A logical
2600 router port of this type is referenced by exactly one
2601 Logical_Switch_Port of type router. The value of name is
2602 set as router-port in column options of
2603 Logical_Switch_Port. In this case peer column is empty.
2604
2605 • To connect one logical router to another. This requires a
2606 pair of logical router ports, each connected to a differ‐
2607 ent router. Each router port in the pair specifies the
2608 other in its peer column. No Logical_Switch refers to the
2609 router port.
2610
2611 peer: optional string
2612 For a router port used to connect two logical routers, this
2613 identifies the other router port in the pair by name.
2614
2615 For a router port attached to a logical switch, this column is
2616 empty.
2617
2618 Common Columns:
2619
2620 external_ids: map of string-string pairs
2621 See External IDs at the beginning of this document.
2622
2623 The ovn-northd program copies all these pairs into the
2624 external_ids column of the Port_Binding table in OVN_Southbound
2625 database.
2626
2627 Logical_Router_Static_Route TABLE
2628 Each record represents a static route.
2629
2630 When multiple routes match a packet, the longest-prefix match is cho‐
2631 sen. For a given prefix length, a dst-ip route is preferred over a
2632 src-ip route.
2633
2634 When there are ECMP routes, i.e. multiple routes with same prefix and
2635 policy, one of them will be selected based on the 5-tuple hashing of
2636 the packet header.
2637
2638 Summary:
2639 ip_prefix string
2640 policy optional string, either dst-ip or src-ip
2641 nexthop string
2642 output_port optional string
2643 bfd optional weak reference to BFD
2644 route_table string
2645 external_ids : ic-learned-route
2646 optional string
2647 Common Columns:
2648 external_ids map of string-string pairs
2649 Common options:
2650 options map of string-string pairs
2651 options : ecmp_symmetric_reply
2652 optional string
2653 options : origin optional string
2654
2655 Details:
2656 ip_prefix: string
2657 IP prefix of this route (e.g. 192.168.100.0/24).
2658
2659 policy: optional string, either dst-ip or src-ip
2660 If it is specified, this setting describes the policy used to
2661 make routing decisions. This setting must be one of the follow‐
2662 ing strings:
2663
2664 • src-ip: This policy sends the packet to the nexthop when
2665 the packet’s source IP address matches ip_prefix.
2666
2667 • dst-ip: This policy sends the packet to the nexthop when
2668 the packet’s destination IP address matches ip_prefix.
2669
2670 If not specified, the default is dst-ip.
2671
2672 nexthop: string
2673 Nexthop IP address for this route. Nexthop IP address should be
2674 the IP address of a connected router port or the IP address of a
2675 logical port or can be set to discard for dropping packets which
2676 match the given route.
2677
2678 output_port: optional string
2679 The name of the Logical_Router_Port via which the packet needs
2680 to be sent out. This is optional and when not specified, OVN
2681 will automatically figure this out based on the nexthop. When
2682 this is specified and there are multiple IP addresses on the
2683 router port and none of them are in the same subnet of nexthop,
2684 OVN chooses the first IP address as the one via which the nex‐
2685 thop is reachable.
2686
2687 bfd: optional weak reference to BFD
2688 Reference to BFD row if the route has an associated BFD session.
2689
2690 route_table: string
2691 Any string to place the route in a separate routing table. If a Logical
2692 Router Port has a value configured in options:route_table other
2693 than the empty string, OVN performs route lookup for all packets
2694 entering the Logical Router ingress pipeline from this port in the
2695 following manner:
2696
2697 • 1. First lookup among "global" routes: routes without
2698 route_table value set and routes to directly connected
2699 networks.
2700
2701 • 2. Next lookup among routes with same route_table value
2702 as specified in LRP’s options:route_table field.
2703
2704 external_ids : ic-learned-route: optional string
2705 ovn-ic populates this key if the route is learned from the
2706 global OVN_IC_Southbound database. In this case the value will
2707 be set to the uuid of the row in Route table of the
2708 OVN_IC_Southbound database.
2709
2710 Common Columns:
2711
2712 external_ids: map of string-string pairs
2713 See External IDs at the beginning of this document.
2714
2715 Common options:
2716
2717 options: map of string-string pairs
2718 This column provides general key/value settings. The supported
2719 options are described individually below.
2720
2721 options : ecmp_symmetric_reply: optional string
2722 If true, then new traffic that arrives over this route will have
2723 its reply traffic bypass ECMP route selection and will be sent
2724 out this route instead. Note that this option overrides any
2725 rules set in the Logical_Router_Policy table. This option only
2726 works on gateway routers (routers that have options:chassis
2727 set).
2728
2729 options : origin: optional string
2730 In case ovn-interconnection has learned this route, it will
2731 have its origin set: either "connected" or "static". This key is
2732 supposed to be written only by the ovn-ic daemon. ovn-northd then
2733 checks this value when generating Logical Flows.
2734 Logical_Router_Static_Route records with the same ip_prefix within the same
2735 Logical Router will have the following lookup order based on the origin key
2736 value:
2737
2738 1. connected
2739
2740 2. static
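
A model of the selection rules stated for this table: longest prefix first, dst-ip over src-ip at equal length, a hash over the 5-tuple among ECMP routes, and global routes before the port's route_table. This is an added example, not ovn-northd code; the SHA-256 hash, the function names and the sample routes are assumptions, and directly connected networks and the origin key are not modelled.

```python
import hashlib
import ipaddress


def _policy(route):
    return route.get("policy", "dst-ip")          # default policy is dst-ip


def _rank(route):
    """(prefix length, is dst-ip): longer prefix wins, then dst-ip over src-ip."""
    net = ipaddress.ip_network(route["ip_prefix"], strict=False)
    return (net.prefixlen, _policy(route) == "dst-ip")


def _matches(route, src, dst):
    addr = src if _policy(route) == "src-ip" else dst
    net = ipaddress.ip_network(route["ip_prefix"], strict=False)
    return addr.version == net.version and addr in net


def _best(routes, src, dst):
    """All matching routes that share the top rank (more than one means ECMP)."""
    hits = [r for r in routes if _matches(r, src, dst)]
    if not hits:
        return []
    top = max(_rank(r) for r in hits)
    return [r for r in hits if _rank(r) == top]


def select_route(routes, five_tuple, port_route_table=""):
    """five_tuple is (src_ip, dst_ip, protocol, src_port, dst_port).
    Returns the chosen route dict, or None when nothing matches."""
    src = ipaddress.ip_address(five_tuple[0])
    dst = ipaddress.ip_address(five_tuple[1])
    global_routes = [r for r in routes if not r.get("route_table")]
    table_routes = [r for r in routes
                    if port_route_table and r.get("route_table") == port_route_table]
    # Step 1: routes without route_table; step 2: the ingress port's table.
    group = _best(global_routes, src, dst) or _best(table_routes, src, dst)
    if not group:
        return None
    # Stand-in for the 5-tuple hash: any stable hash keeps a flow on one path.
    digest = hashlib.sha256("|".join(map(str, five_tuple)).encode()).digest()
    return group[int.from_bytes(digest[:4], "big") % len(group)]


# Constructed sample rows for one logical router.
SAMPLE_ROUTES = [
    {"ip_prefix": "10.0.0.0/8", "nexthop": "192.168.0.1"},
    {"ip_prefix": "10.1.0.0/16", "nexthop": "192.168.0.2"},
    {"ip_prefix": "10.1.0.0/16", "policy": "src-ip", "nexthop": "192.168.0.4"},
    {"ip_prefix": "172.16.0.0/16", "policy": "src-ip", "nexthop": "192.168.0.3"},
    {"ip_prefix": "10.66.0.0/16", "nexthop": "discard"},
    {"ip_prefix": "0.0.0.0/0", "nexthop": "192.168.9.1", "route_table": "tenant-a"},
    {"ip_prefix": "203.0.113.0/24", "nexthop": "192.168.0.5"},
    {"ip_prefix": "203.0.113.0/24", "nexthop": "192.168.0.6"},
]

if __name__ == "__main__":
    flow = ("172.16.5.5", "10.1.2.3", "tcp", 40000, 443)
    print(select_route(SAMPLE_ROUTES, flow))
```
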
2741
2742 Logical_Router_Policy TABLE
2743 Each row in this table represents one routing policy for a logical
2744 router that points to it through its policies column. The action column
2745 for the highest-priority matching row in this table determines a
2746 packet’s treatment. If no row matches, packets are allowed by default.
2747 (Default-deny treatment is possible: add a rule with priority 0, 1 as
2748 match, and drop as action.)
2749
2750 Summary:
2751 priority integer, in range 0 to 32,767
2752 match string
2753 action string, one of allow, drop, or reroute
2754 nexthop optional string
2755 nexthops set of strings
2756 options : pkt_mark optional string
2757 Common Columns:
2758 external_ids map of string-string pairs
2759
2760 Details:
2761 priority: integer, in range 0 to 32,767
2762 The routing policy’s priority. Rules with numerically higher
2763 priority take precedence over those with lower. A rule is
2764 uniquely identified by the priority and match string.
2765
2766 match: string
2767 The packets that the routing policy should match, in the same
2768 expression language used for the match column in the OVN South‐
2769 bound database’s Logical_Flow table.
2770
2771 By default all traffic is allowed. When writing a more restric‐
2772 tive policy, it is important to remember to allow flows such as
2773 ARP and IPv6 neighbor discovery packets.
2774
2775 action: string, one of allow, drop, or reroute
2776 The action to take when the routing policy matches:
2777
2778 • allow: Forward the packet.
2779
2780 • drop: Silently drop the packet.
2781
2782 • reroute: Reroute packet to nexthop or nexthops.
2783
2784 nexthop: optional string
2785 Note: This column is deprecated in favor of nexthops.
2786
2787 Next-hop IP address for this route, which should be the IP ad‐
2788 dress of a connected router port or the IP address of a logical
2789 port.
2790
2791 nexthops: set of strings
2792 Next-hop ECMP IP addresses for this route. Each IP in the list
2793 should be the IP address of a connected router port or the IP
2794 address of a logical port.
2795
2796 One IP from the list is selected as next hop.
2797
2798 options : pkt_mark: optional string
2799 Marks the packet with the value specified when the router policy
2800 is applied. CMS can inspect this packet marker and take some de‐
2801 cisions if desired. This value is not preserved when the packet
2802 goes out on the wire.
2803
2804 Common Columns:
2805
2806 external_ids: map of string-string pairs
2807 See External IDs at the beginning of this document.
2808
2809 NAT TABLE
2810 Each record represents a NAT rule.
2811
2812 Summary:
2813 type string, one of dnat, dnat_and_snat, or
2814 snat
2815 external_ip string
2816 external_mac optional string
2817 external_port_range string
2818 logical_ip string
2819 logical_port optional string
2820 allowed_ext_ips optional Address_Set
2821 exempted_ext_ips optional Address_Set
2822 gateway_port optional weak reference to
2823 Logical_Router_Port
2824 options : stateless optional string
2825 options : add_route optional string
2826 Common Columns:
2827 external_ids map of string-string pairs
2828
2829 Details:
2830 type: string, one of dnat, dnat_and_snat, or snat
2831 Type of the NAT rule.
2832
2833 • When type is dnat, the externally visible IP address
2834 external_ip is DNATted to the IP address logical_ip in the
2835 logical space.
2836
2837 • When type is snat, IP packets whose source IP address
2838 either matches the IP address in logical_ip or
2839 is in the network provided by logical_ip are SNATed into
2840 the IP address in external_ip.
2841
2842 • When type is dnat_and_snat, the externally visible IP address
2843 external_ip is DNATted to the IP address logical_ip
2844 in the logical space. In addition, IP packets whose
2845 source IP address matches logical_ip are SNATed into
2846 the IP address in external_ip.
2847
2848 external_ip: string
2849 An IPv4 address.
2850
2851 external_mac: optional string
2852 A MAC address.
2853
2854 This is only used on the gateway port on distributed routers.
2855 This must be specified in order for the NAT rule to be processed
2856 in a distributed manner on all chassis. If this is not specified
2857 for a NAT rule on a distributed router, then this NAT rule will
2858 be processed in a centralized manner on the gateway port in‐
2859 stance on the gateway chassis.
2860
2861 This MAC address must be unique on the logical switch that the
2862 gateway port is attached to. If the MAC address used on the
2863 logical_port is globally unique, then that MAC address can be
2864 specified as this external_mac.
2865
2866 external_port_range: string
2867 L4 source port range
2868
2869 Range of ports from which a port number will be picked to
2870 replace the source port of the packet to be NATed. This is
2871 basically PAT (port address translation).
2872
2873 Value of the column is in the format port_lo-port_hi. For
2874 example: external_port_range : "1-30000"
2875
2876 Valid range of ports is 1-65535.
2877
2878 logical_ip: string
2879 An IPv4 network (e.g. 192.168.1.0/24) or an IPv4 address.
2880
2881 logical_port: optional string
2882 The name of the logical port where the logical_ip resides.
2883
2884 This is only used on distributed routers. This must be specified
2885 in order for the NAT rule to be processed in a distributed man‐
2886 ner on all chassis. If this is not specified for a NAT rule on a
2887 distributed router, then this NAT rule will be processed in a
2888 centralized manner on the gateway port instance on the gateway
2889 chassis.
2890
2891 allowed_ext_ips: optional Address_Set
2892 It represents Address Set of external ips that NAT rule is ap‐
2893 plicable to. For SNAT type NAT rules, this refers to destination
2894 addresses. For DNAT type NAT rules, this refers to source ad‐
2895 dresses.
2896
2897 This configuration overrides the default NAT behavior of
2898 applying a rule solely based on internal IP. Without this
2899 configuration, NAT happens without considering the external IP (i.e.
2900 dest/source for snat/dnat type rule). With this configuration
2901 NAT rule is applied ONLY if external ip is in the input Address
2902 Set.
2903
2904 exempted_ext_ips: optional Address_Set
2905 It represents Address Set of external ips that NAT rule is NOT
2906 applicable to. For SNAT type NAT rules, this refers to destina‐
2907 tion addresses. For DNAT type NAT rules, this refers to source
2908 addresses.
2909
2910 This configuration overrides the default NAT behavior of
2911 applying a rule solely based on internal IP. Without this
2912 configuration, NAT happens without considering the external IP (i.e.
2913 dest/source for snat/dnat type rule). With this configuration
2914 NAT rule is NOT applied if external ip is in the input Address
2915 Set.
2916
2917 If there are NAT rules in a logical router with overlapping IP
2918 prefixes (including /32), then usage of exempted_ext_ips should
2919 be avoided in the following scenario:
2920 a. SNAT rule (let us say RULE1) with logical_ip PREFIX/MASK (let us say 50.0.0.0/24).
2921 b. SNAT rule (let us say RULE2) with logical_ip PREFIX/MASK+1 (let us say 50.0.0.0/25).
2922 c. Now, if exempted_ext_ips is associated with RULE2, then a logical ip which
2923 matches both 50.0.0.0/24 and 50.0.0.0/25 may get the RULE2 applied to it
2924 instead of RULE1.
2925
2926 allowed_ext_ips and exempted_ext_ips are mutually exclusive to
2927 each other. If both Address Sets are set for a rule, then the
2928 NAT rule is not considered.
2929
2930 gateway_port: optional weak reference to Logical_Router_Port
2931 A distributed gateway port in the Logical_Router_Port table
2932 where the NAT rule needs to be applied.
2933
2934 This column needs to be set when multiple distributed gateway
2935 ports are configured on a Logical_Router for the NAT rule to be
2936 applied. If logical router has a single distributed gateway
2937 port, NAT rule is applied at the distributed gateway port even
2938 if this column is not set.
2939
2940 When multiple distributed gateway ports are configured on a
2941 Logical_Router, applying a NAT rule at each of the distributed
2942 gateway ports might not be desired. Consider the case where a
2943 logical router has 2 distributed gateway ports, one with networks
2944 50.0.0.10/24 and the other with networks 60.0.0.10/24. If the
2945 logical router has a NAT rule of type snat, logical_ip
2946 10.1.1.0/24 and external_ip 50.1.1.20/24, the rule needs to be
2947 selectively applied on matching packets entering/leaving through
2948 the distributed gateway port with networks 50.0.0.10/24.
2949
2950 options : stateless: optional string
2951 Indicates if a dnat_and_snat rule should lead to connection
2952 tracking state or not.
2953
2954 options : add_route: optional string
2955 If set to true, then neighbor routers will have logical flows
2956 added that will allow for routing to the NAT address. It also
2957 will have ARP resolution logical flows added. By setting this
2958 option, it means there is no reason to create a
2959 Logical_Router_Static_Route from neighbor routers to this NAT
2960 address. It also means that no ARP request is required for
2961 neighbor routers to learn the IP-MAC mapping for this NAT address.
2962 This option only applies to NATs of type dnat and dnat_and_snat.
2963 For more information about what flows are added for IP routes,
2964 please see the ovn-northd manpage section on IP Routing.
2965
2966 Common Columns:
2967
2968 external_ids: map of string-string pairs
2969 See External IDs at the beginning of this document.
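
Several NAT columns above fail quietly when combined wrongly, for instance a rule with both Address Sets is not considered at all. The lint below checks the documented constraints over NAT rows; it is an added example, not OVN code, with rows as plain dicts and the finding names, the lo <= hi check and the sample rows as constructed assumptions.

```python
import ipaddress
import re

NAT_TYPES = ("dnat", "dnat_and_snat", "snat")
PORT_RANGE = re.compile(r"^(\d+)-(\d+)$")


def port_range_ok(value):
    """external_port_range is port_lo-port_hi, each end within 1-65535."""
    if value == "":
        return True                  # assumption: empty string means no range
    m = PORT_RANGE.match(value)
    if not m:
        return False
    lo, hi = int(m.group(1)), int(m.group(2))
    return 1 <= lo <= hi <= 65535    # lo <= hi is an added sanity check


def lint_nat_rules(rules, dgp_count):
    """Return (rule index, finding) pairs for the NAT rows of one logical
    router that has dgp_count distributed gateway ports."""
    findings = []
    snat_nets = [(i, ipaddress.ip_network(r["logical_ip"], strict=False))
                 for i, r in enumerate(rules) if r.get("type") == "snat"]
    for i, rule in enumerate(rules):
        kind = rule.get("type")
        opts = rule.get("options", {})
        if kind not in NAT_TYPES:
            findings.append((i, "bad-type"))
        # Mutually exclusive: with both set the NAT rule is not considered.
        if rule.get("allowed_ext_ips") and rule.get("exempted_ext_ips"):
            findings.append((i, "allowed-and-exempted-both-set"))
        if not port_range_ok(rule.get("external_port_range", "")):
            findings.append((i, "bad-external-port-range"))
        # With several DGPs the rule needs gateway_port to be applied.
        if dgp_count > 1 and not rule.get("gateway_port"):
            findings.append((i, "gateway-port-required"))
        # Distributed processing needs external_mac AND logical_port; one
        # without the other leaves the rule centralized on the gateway chassis.
        if dgp_count >= 1 and bool(rule.get("external_mac")) != bool(rule.get("logical_port")):
            findings.append((i, "distributed-nat-incomplete"))
        # add_route applies only to dnat and dnat_and_snat.
        if opts.get("add_route") == "true" and kind == "snat":
            findings.append((i, "add-route-not-applicable"))
        # exempted_ext_ips on an SNAT rule that overlaps another SNAT prefix.
        if kind == "snat" and rule.get("exempted_ext_ips"):
            mine = ipaddress.ip_network(rule["logical_ip"], strict=False)
            if any(j != i and net.version == mine.version and mine.overlaps(net)
                   for j, net in snat_nets):
                findings.append((i, "exempted-with-overlapping-snat"))
    return findings


# Constructed sample rows; the 50.0.0.0 prefixes are the page's own scenario.
SAMPLE_NAT = [
    {"type": "snat", "logical_ip": "50.0.0.0/24", "external_ip": "172.16.0.10"},
    {"type": "snat", "logical_ip": "50.0.0.0/25", "external_ip": "172.16.0.11",
     "exempted_ext_ips": "as_partner"},
    {"type": "dnat_and_snat", "logical_ip": "10.1.1.5", "external_ip": "172.16.0.20",
     "external_mac": "00:00:00:00:01:05", "allowed_ext_ips": "as_a",
     "exempted_ext_ips": "as_b", "external_port_range": "0-70000"},
    {"type": "dnat", "logical_ip": "10.1.1.6", "external_ip": "172.16.0.21",
     "external_port_range": "1-30000", "options": {"add_route": "true"}},
]

if __name__ == "__main__":
    for index, finding in lint_nat_rules(SAMPLE_NAT, dgp_count=1):
        print(f"rule {index}: {finding}")
```
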
2970
2971 DHCP_Options TABLE
2972 OVN implements native DHCPv4 support which caters to the common use
2973 case of providing an IPv4 address to a booting instance by providing
2974 stateless replies to DHCPv4 requests based on statically configured ad‐
2975 dress mappings. To do this it allows a short list of DHCPv4 options to
2976 be configured and applied at each compute host running ovn-controller.
2977
2978 OVN also implements native DHCPv6 support which provides stateless
2979 replies to DHCPv6 requests.
2980
2981 Summary:
2982 cidr string
2983 DHCPv4 options:
2984 Mandatory DHCPv4 options:
2985 options : server_id optional string
2986 options : server_mac optional string
2987 options : lease_time optional string, containing an integer,
2988 in range 0 to 4,294,967,295
2989 IPv4 DHCP Options:
2990 options : router optional string
2991 options : netmask optional string
2992 options : dns_server optional string
2993 options : log_server optional string
2994 options : lpr_server optional string
2995 options : swap_server optional string
2996 options : policy_filter optional string
2997 options : router_solicitation
2998 optional string
2999 options : nis_server optional string
3000 options : ntp_server optional string
3001 options : netbios_name_server
3002 optional string
3003 options : classless_static_route
3004 optional string
3005 options : ms_classless_static_route
3006 optional string
3007 options : next_server optional string
3008 Boolean DHCP Options:
3009 options : ip_forward_enable
3010 optional string, either 0 or 1
3011 options : router_discovery
3012 optional string, either 0 or 1
3013 options : ethernet_encap optional string, either 0 or 1
3014 Integer DHCP Options:
3015 options : default_ttl optional string, containing an integer,
3016 in range 0 to 255
3017 options : tcp_ttl optional string, containing an integer,
3018 in range 0 to 255
3019 options : mtu optional string, containing an integer,
3020 in range 68 to 65,535
3021 options : T1 optional string, containing an integer,
3022 in range 68 to 4,294,967,295
3023 options : T2 optional string, containing an integer,
3024 in range 68 to 4,294,967,295
3025 options : arp_cache_timeout
3026 optional string, containing an integer,
3027 in range 0 to 255
3028 options : tcp_keepalive_interval
3029 optional string, containing an integer,
3030 in range 0 to 255
3031 options : netbios_node_type
3032 optional string, containing an integer,
3033 in range 0 to 255
3034 String DHCP Options:
3035 options : wpad optional string
3036 options : bootfile_name optional string
3037 options : path_prefix optional string
3038 options : tftp_server_address
3039 optional string
3040 options : hostname optional string
3041 options : domain_name optional string
3042 options : bootfile_name_alt
3043 optional string
3044 options : broadcast_address
3045 optional string
3046 DHCP Options of type host_id:
3047 options : tftp_server optional string
3048 DHCP Options of type domains:
3049 options : domain_search_list
3050 optional string
3051 DHCPv6 options:
3052 Mandatory DHCPv6 options:
3053 options : server_id optional string
3054 IPv6 DHCPv6 options:
3055 options : dns_server optional string
3056 String DHCPv6 options:
3057 options : domain_search optional string
3058 options : dhcpv6_stateless
3059 optional string
3060 Common Columns:
3061 external_ids map of string-string pairs
3062
3063 Details:
3064 cidr: string
3065 The DHCPv4/DHCPv6 options will be included if the logical port
3066 has its IP address in this cidr.
3067
3068 DHCPv4 options:
3069
3070 The CMS should define the set of DHCPv4 options as key/value pairs in
3071 the options column of this table. For ovn-controller to include these
3072 DHCPv4 options, the dhcpv4_options of Logical_Switch_Port should refer
3073 to an entry in this table.
3074
3075 Mandatory DHCPv4 options:
3076
3077 The following options must be defined.
3078
3079 options : server_id: optional string
3080 The IP address for the DHCP server to use. This should be in the
3081 subnet of the offered IP. This is also included in the DHCP of‐
3082 fer as option 54, ``server identifier.’’
3083
3084 options : server_mac: optional string
3085 The Ethernet address for the DHCP server to use.
3086
3087 options : lease_time: optional string, containing an integer, in range
3088 0 to 4,294,967,295
3089 The offered lease time in seconds.
3090
3091 The DHCPv4 option code for this option is 51.
3092
3093 IPv4 DHCP Options:
3094
3095 Below are the supported DHCPv4 options whose values are an IPv4 ad‐
3096 dress, e.g. 192.168.1.1. Some options accept multiple IPv4 addresses
3097 enclosed within curly braces, e.g. {192.168.1.2, 192.168.1.3}. Please
3098 refer to RFC 2132 for more details on DHCPv4 options and their codes.
3099
3100 options : router: optional string
3101 The IP address of a gateway for the client to use. This should
3102 be in the subnet of the offered IP. The DHCPv4 option code for
3103 this option is 3.
3104
3105 options : netmask: optional string
3106 The DHCPv4 option code for this option is 1.
3107
3108 options : dns_server: optional string
3109 The DHCPv4 option code for this option is 6.
3110
3111 options : log_server: optional string
3112 The DHCPv4 option code for this option is 7.
3113
3114 options : lpr_server: optional string
3115 The DHCPv4 option code for this option is 9.
3116
3117 options : swap_server: optional string
3118 The DHCPv4 option code for this option is 16.
3119
3120 options : policy_filter: optional string
3121 The DHCPv4 option code for this option is 21.
3122
3123 options : router_solicitation: optional string
3124 The DHCPv4 option code for this option is 32.
3125
3126 options : nis_server: optional string
3127 The DHCPv4 option code for this option is 41.
3128
3129 options : ntp_server: optional string
3130 The DHCPv4 option code for this option is 42.
3131
3132 options : netbios_name_server: optional string
3133 The DHCPv4 option code for this option is 44.
3134
3135 options : classless_static_route: optional string
3136 The DHCPv4 option code for this option is 121.
3137
3138 This option can contain one or more static routes, each of which
3139 consists of a destination descriptor and the IP address of the
3140 router that should be used to reach that destination. Please see
3141 RFC 3442 for more details.
3142
3143 Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
3144
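The classless_static_route value above can be checked before it is written to the database. The following is an added example, not code from OVN: it parses the curly-brace syntax shown in the text, produces the RFC 3442 wire payload, and lists routes a reviewer should look at. The function names and the cidr argument are assumptions of the example.

```python
import ipaddress


def parse_routes(value):
    """Split an OVN classless_static_route string into (network, router) pairs."""
    body = value.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("value must be enclosed in curly braces")
    tokens = [t.strip() for t in body[1:-1].split(",") if t.strip()]
    if not tokens or len(tokens) % 2:
        raise ValueError("expected destination,router pairs")
    routes = []
    for dest, router in zip(tokens[0::2], tokens[1::2]):
        # strict=True rejects destinations with host bits set. This is a
        # choice made for this example, not a statement about OVN's parser.
        net = ipaddress.IPv4Network(dest, strict=True)
        routes.append((net, ipaddress.IPv4Address(router)))
    return routes


def encode_option_121(routes):
    """RFC 3442 payload: prefix length, significant destination octets, router."""
    payload = bytearray()
    for net, router in routes:
        significant = (net.prefixlen + 7) // 8   # 0 octets for /0, 3 for /24
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += router.packed
    if len(payload) > 255:
        raise ValueError("payload exceeds the one-octet length of a single option")
    return bytes(payload)


def review_routes(routes, cidr):
    """Return notes a reviewer would want to read before the row is committed."""
    subnet = ipaddress.IPv4Network(cidr)
    notes = []
    for net, router in routes:
        if router not in subnet:
            notes.append(f"{net}: next hop {router} is outside {subnet}")
        if net.prefixlen == 0:
            # RFC 3442: a client that receives this option ignores the
            # router option, so a default route here decides the gateway.
            notes.append(f"{net}: default route, next hop {router}")
    return notes


# The example value from the text; the subnet below is a constructed assumption.
SAMPLE = "{30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}"

if __name__ == "__main__":
    parsed = parse_routes(SAMPLE)
    print(encode_option_121(parsed).hex())
    for note in review_routes(parsed, "10.0.0.0/24"):
        print(note)
```
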
3145 options : ms_classless_static_route: optional string
3146 The DHCPv4 option code for this option is 249. This option is
3147 similar to classless_static_route supported by Microsoft Windows
3148 DHCPv4 clients.
3149
3150 options : next_server: optional string
3151 The DHCPv4 option code for setting the "Next server IP address"
3152 field in the DHCP header.
3153
3154 Boolean DHCP Options:
3155
3156 These options accept a Boolean value, expressed as 0 for false or 1 for
3157 true.
3158
3159 options : ip_forward_enable: optional string, either 0 or 1
3160 The DHCPv4 option code for this option is 19.
3161
3162 options : router_discovery: optional string, either 0 or 1
3163 The DHCPv4 option code for this option is 31.
3164
3165 options : ethernet_encap: optional string, either 0 or 1
3166 The DHCPv4 option code for this option is 36.
3167
3168 Integer DHCP Options:
3169
3170 These options accept a nonnegative integer value.
3171
3172 options : default_ttl: optional string, containing an integer, in range
3173 0 to 255
3174 The DHCPv4 option code for this option is 23.
3175
3176 options : tcp_ttl: optional string, containing an integer, in range 0
3177 to 255
3178 The DHCPv4 option code for this option is 37.
3179
3180 options : mtu: optional string, containing an integer, in range 68 to
3181 65,535
3182 The DHCPv4 option code for this option is 26.
3183
options : T1: optional string, containing an integer, in range 68 to
4,294,967,295
This specifies the time interval from address assignment until
the client begins trying to renew its address. The DHCPv4 option
code for this option is 58.

options : T2: optional string, containing an integer, in range 68 to
4,294,967,295
This specifies the time interval from address assignment until
the client begins trying to rebind its address. The DHCPv4 option
code for this option is 59.

options : arp_cache_timeout: optional string, containing an integer, in
range 0 to 255
The DHCPv4 option code for this option is 35. This option specifies
the timeout in seconds for ARP cache entries.

options : tcp_keepalive_interval: optional string, containing an
integer, in range 0 to 255
The DHCPv4 option code for this option is 38. This option specifies
the interval that the client TCP should wait before sending
a keepalive message on a TCP connection.
3206
3207 options : netbios_node_type: optional string, containing an integer, in
3208 range 0 to 255
3209 The DHCPv4 option code for this option is 46.
3210
3211 String DHCP Options:
3212
3213 These options accept a string value.
3214
3215 options : wpad: optional string
3216 The DHCPv4 option code for this option is 252. This option is
3217 used as part of web proxy auto discovery to provide a URL for a
3218 web proxy.
3219
3220 options : bootfile_name: optional string
3221 The DHCPv4 option code for this option is 67. This option is
3222 used to identify a bootfile.
3223
options : path_prefix: optional string
The DHCPv4 option code for this option is 210. In the PXELINUX case
this option is used to set a common path prefix, instead of
deriving it from the bootfile name.

options : tftp_server_address: optional string
The DHCPv4 option code for this option is 150. The option contains
one or more IPv4 addresses that the client MAY use. This
option is Cisco proprietary; the IEEE standard that matches with
this requirement is option 66 (tftp_server).

options : hostname: optional string
The DHCPv4 option code for this option is 12. If set, indicates
the DHCPv4 option "Hostname". Alternatively, this option can be
configured in the options:hostname column in table
Logical_Switch_Port. If the Hostname option value is set in both
the Logical_Switch_Port and DHCP_Options tables and the values
conflict, Logical_Switch_Port takes precedence.

options : domain_name: optional string
The DHCPv4 option code for this option is 15. This option specifies
the domain name that the client should use when resolving hostnames
via the Domain Name System.

options : bootfile_name_alt: optional string
The "bootfile_name_alt" option is used to support iPXE. When both
"bootfile_name" and "bootfile_name_alt" are provided by the CMS,
"bootfile_name" will be used for option 67 if the dhcp request
contains etherboot option (175), otherwise "bootfile_name_alt"
will be used.

options : broadcast_address: optional string
The DHCPv4 option code for this option is 28. This option specifies
the IP address used as a broadcast address.
3258
3259 DHCP Options of type host_id:
3260
3261 These options accept either an IPv4 address or a string value.
3262
3263 options : tftp_server: optional string
3264 The DHCPv4 option code for this option is 66.
3265
3266 DHCP Options of type domains:
3267
These options accept a string value that is a comma-separated list of
domain names. The domain names are encoded based on RFC 1035.
3270
3271 options : domain_search_list: optional string
3272 The DHCPv4 option code for this option is 119.
3273
3274 DHCPv6 options:
3275
OVN also implements native DHCPv6 support. The CMS should define the
set of DHCPv6 options as key/value pairs. The defined DHCPv6 options
will be included in the DHCPv6 response to the DHCPv6
Solicit/Request/Confirm packet from the logical ports having the IPv6
addresses in the cidr.

Mandatory DHCPv6 options:

The following options must be defined.

options : server_id: optional string
The Ethernet address for the DHCP server to use. This is also
included in the DHCPv6 reply as option 2, "Server Identifier",
to carry a DUID identifying a server between a client and a
server. ovn-controller defines DUID based on Link-layer Address
[DUID-LL].

IPv6 DHCPv6 options:

Below are the supported DHCPv6 options whose values are an IPv6
address, e.g. aef0::4. Some options accept multiple IPv6 addresses
enclosed within curly braces, e.g. {aef0::4, aef0::5}. Please refer to
RFC 3315 for more details on DHCPv6 options and their codes.

options : dns_server: optional string
The DHCPv6 option code for this option is 23. This option specifies
the DNS servers that the VM should use.

String DHCPv6 options:

These options accept string values.

options : domain_search: optional string
The DHCPv6 option code for this option is 24. This option specifies
the domain search list the client should use to resolve
hostnames with DNS.

Example: "ovn.org".

options : dhcpv6_stateless: optional string
This option specifies that the OVN native DHCPv6 will work in
stateless mode, which means OVN native DHCPv6 will not offer IPv6
addresses for VM/VIF ports, but will only reply with other
configuration, such as DNS and domain search list. When this option
is set to the string value "true", the VM/VIF configures its IPv6
addresses statelessly. The default value for this option is false.
3322
3323 Common Columns:
3324
3325 external_ids: map of string-string pairs
3326 See External IDs at the beginning of this document.
3327
Connection TABLE
Configuration for a database connection to an Open vSwitch database
(OVSDB) client.

This table primarily configures the Open vSwitch database server
(ovsdb-server).

The Open vSwitch database server can initiate and maintain active
connections to remote clients. It can also listen for database
connections.
3338
3339 Summary:
3340 Core Features:
3341 target string (must be unique within table)
3342 Client Failure Detection and Handling:
3343 max_backoff optional integer, at least 1,000
3344 inactivity_probe optional integer
3345 Status:
3346 is_connected boolean
3347 status : last_error optional string
3348 status : state optional string, one of ACTIVE, BACKOFF,
3349 CONNECTING, IDLE, or VOID
3350 status : sec_since_connect optional string, containing an integer,
3351 at least 0
3352 status : sec_since_disconnect
3353 optional string, containing an integer,
3354 at least 0
3355 status : locks_held optional string
3356 status : locks_waiting optional string
3357 status : locks_lost optional string
3358 status : n_connections optional string, containing an integer,
3359 at least 2
3360 status : bound_port optional string, containing an integer
3361 Common Columns:
3362 external_ids map of string-string pairs
3363 other_config map of string-string pairs
3364
3365 Details:
3366 Core Features:
3367
3368 target: string (must be unique within table)
3369 Connection methods for clients.
3370
3371 The following connection methods are currently supported:
3372
ssl:host[:port]
The specified SSL port on the given host, which can be either
a DNS name (if built with the unbound library) or an IP address.
A valid SSL configuration must be provided when this form is
used; it can be specified via command-line options or the SSL
table.

If port is not specified, it defaults to 6640.

SSL support is an optional feature that is not always
built as part of Open vSwitch.

tcp:host[:port]
The specified TCP port on the given host, which can be either
a DNS name (if built with the unbound library) or an IP address.
If host is an IPv6 address, wrap it in square brackets, e.g.
tcp:[::1]:6640.

If port is not specified, it defaults to 6640.

pssl:[port][:host]
Listens for SSL connections on the specified TCP port.
Specify 0 for port to have the kernel automatically
choose an available port. If host, which can be either a
DNS name (if built with the unbound library) or an IP
address, is specified, then connections are restricted to
the resolved or specified local IP address (either IPv4 or
IPv6 address). If host is an IPv6 address, wrap it in square
brackets, e.g. pssl:6640:[::1]. If host is not specified
then it listens only on IPv4 (but not IPv6) addresses. A
valid SSL configuration must be provided when this form
is used; it can be specified either via command-line
options or the SSL table.

If port is not specified, it defaults to 6640.

SSL support is an optional feature that is not always
built as part of Open vSwitch.

ptcp:[port][:host]
Listens for connections on the specified TCP port. Specify
0 for port to have the kernel automatically choose an
available port. If host, which can be either a DNS name
(if built with the unbound library) or an IP address, is
specified, then connections are restricted to the resolved
or specified local IP address (either IPv4 or IPv6
address). If host is an IPv6 address, wrap it in square
brackets, e.g. ptcp:6640:[::1]. If host is not specified
then it listens only on IPv4 addresses.

If port is not specified, it defaults to 6640.
3425
3426 When multiple clients are configured, the target values must be
3427 unique. Duplicate target values yield unspecified results.
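
The four target forms above differ in argument order and in what they expose, which makes them easy to misread during a configuration review. This added example (not part of OVN; function names and the sample targets are constructed for illustration) parses each form as documented and reports plaintext targets, listeners with no host restriction, and kernel-chosen ports.

```python
import re

DEFAULT_PORT = 6640  # default stated in the text for all four methods
_TARGET_RE = re.compile(r"^(ssl|tcp|pssl|ptcp):(.*)$")


def parse_target(target):
    """Parse one Connection target into method, host, port and two flags."""
    m = _TARGET_RE.match(target)
    if not m:
        raise ValueError(f"unsupported connection method: {target!r}")
    method, rest = m.groups()
    listen = method in ("pssl", "ptcp")
    if listen:                       # passive form: [port][:host]
        port_s, _, host = rest.partition(":")
    elif rest.startswith("["):       # active form with a bracketed IPv6 host
        host, _, port_s = rest.partition("]")
        port_s = port_s.lstrip(":")
    else:                            # active form: host[:port]
        host, _, port_s = rest.partition(":")
    host = host.strip("[]") or None
    if not listen and host is None:
        raise ValueError(f"{target!r}: host is required")
    port = int(port_s) if port_s else DEFAULT_PORT
    if not 0 <= port <= 65535:
        raise ValueError(f"{target!r}: port out of range")
    return {"method": method, "listen": listen,
            "tls": method.endswith("ssl"), "host": host, "port": port}


def audit_targets(targets):
    """Return (target, finding) pairs worth a reviewer's attention."""
    findings = []
    for target in targets:
        info = parse_target(target)
        if not info["tls"]:
            findings.append(
                (target, "plaintext TCP: no encryption or peer authentication"))
        if info["listen"] and info["host"] is None:
            findings.append(
                (target, "no host: listener is not bound to one local address"))
        if info["listen"] and info["port"] == 0:
            findings.append(
                (target, "port 0: kernel picks the port, see status:bound_port"))
    return findings


# Constructed sample of target column values.
SAMPLE_TARGETS = ["pssl:6641:10.0.0.5", "ptcp:6641", "tcp:[::1]:6640", "pssl:0"]

if __name__ == "__main__":
    for target, finding in audit_targets(SAMPLE_TARGETS):
        print(f"{target}: {finding}")
```
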
3428
3429 Client Failure Detection and Handling:
3430
max_backoff: optional integer, at least 1,000
Maximum number of milliseconds to wait between connection
attempts. Default is implementation-specific.

inactivity_probe: optional integer
Maximum number of milliseconds of idle time on connection to the
client before sending an inactivity probe message. If Open
vSwitch does not communicate with the client for the specified
number of seconds, it will send a probe. If a response is not
received for the same additional amount of time, Open vSwitch
assumes the connection has been broken and attempts to
reconnect. Default is implementation-specific. A value of 0 disables
inactivity probes.

Status:

The is_connected key-value pair is always updated. Other key-value
pairs in the status columns may be updated, depending on the target
type.

When target specifies a connection method that listens for inbound
connections (e.g. ptcp: or punix:), both n_connections and is_connected
may also be updated while the remaining key-value pairs are omitted.

On the other hand, when target specifies an outbound connection, all
key-value pairs may be updated, except the above-mentioned two
key-value pairs associated with inbound connection targets. They are
omitted.
3458
3459 is_connected: boolean
3460 true if currently connected to this client, false otherwise.
3461
3462 status : last_error: optional string
3463 A human-readable description of the last error on the connection
3464 to the manager; i.e. strerror(errno). This key will exist only
3465 if an error has occurred.
3466
3467 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
3468 IDLE, or VOID
3469 The state of the connection to the manager:
3470
3471 VOID Connection is disabled.
3472
3473 BACKOFF
3474 Attempting to reconnect at an increasing period.
3475
3476 CONNECTING
3477 Attempting to connect.
3478
3479 ACTIVE Connected, remote host responsive.
3480
3481 IDLE Connection is idle. Waiting for response to keep-alive.
3482
3483 These values may change in the future. They are provided only
3484 for human consumption.
3485
status : sec_since_connect: optional string, containing an integer, at
least 0
The amount of time since this client last successfully connected
to the database (in seconds). Value is empty if client has never
successfully been connected.

status : sec_since_disconnect: optional string, containing an integer,
at least 0
The amount of time since this client last disconnected from the
database (in seconds). Value is empty if client has never
disconnected.

status : locks_held: optional string
Space-separated list of the names of OVSDB locks that the
connection holds. Omitted if the connection does not hold any
locks.

status : locks_waiting: optional string
Space-separated list of the names of OVSDB locks that the
connection is currently waiting to acquire. Omitted if the
connection is not waiting for any locks.

status : locks_lost: optional string
Space-separated list of the names of OVSDB locks that the
connection has had stolen by another OVSDB client. Omitted if no
locks have been stolen from this connection.

status : n_connections: optional string, containing an integer, at
least 2
When target specifies a connection method that listens for
inbound connections (e.g. ptcp: or pssl:) and more than one
connection is actually active, the value is the number of active
connections. Otherwise, this key-value pair is omitted.

status : bound_port: optional string, containing an integer
When target is ptcp: or pssl:, this is the TCP port on which the
OVSDB server is listening. (This is particularly useful when
target specifies a port of 0, allowing the kernel to choose any
available port.)
3525
3526 Common Columns:
3527
3528 The overall purpose of these columns is described under Common Columns
3529 at the beginning of this document.
3530
3531 external_ids: map of string-string pairs
3532
3533 other_config: map of string-string pairs
3534
DNS TABLE
Each row in this table stores the DNS records. The Logical_Switch
table’s dns_records references these records.
3538
3539 Summary:
3540 records map of string-string pairs
3541 external_ids map of string-string pairs
3542
3543 Details:
records: map of string-string pairs
Key-value pair of DNS records with DNS query name as the key and
value as a string of IP address(es) separated by comma or space.
For PTR requests, the key-value pair can be Reverse IPv4
address.in-addr.arpa and the value DNS domain name. For IPv6
addresses, the key has to be Reverse IPv6 address.ip6.arpa.
3550
3551 Example: "vm1.ovn.org" = "10.0.0.4 aef0::4"
3552
3553 Example: "4.0.0.10.in-addr.arpa" = "vm1.ovn.org"
3554
3555 external_ids: map of string-string pairs
3556 See External IDs at the beginning of this document.
3557
SSL TABLE
SSL configuration for ovn-nb database access.
3560
3561 Summary:
3562 private_key string
3563 certificate string
3564 ca_cert string
3565 bootstrap_ca_cert boolean
3566 ssl_protocols string
3567 ssl_ciphers string
3568 Common Columns:
3569 external_ids map of string-string pairs
3570
3571 Details:
3572 private_key: string
3573 Name of a PEM file containing the private key used as the
3574 switch’s identity for SSL connections to the controller.
3575
certificate: string
Name of a PEM file containing a certificate, signed by the
certificate authority (CA) used by the controller and manager, that
certifies the switch’s private key, identifying a trustworthy
switch.

ca_cert: string
Name of a PEM file containing the CA certificate used to verify
that the switch is connected to a trustworthy controller.

bootstrap_ca_cert: boolean
If set to true, then Open vSwitch will attempt to obtain the CA
certificate from the controller on its first SSL connection and
save it to the named PEM file. If it is successful, it will
immediately drop the connection and reconnect, and from then on
all SSL connections must be authenticated by a certificate
signed by the CA certificate thus obtained. This option exposes
the SSL connection to a man-in-the-middle attack while the
initial CA certificate is being obtained. It may still be useful
for bootstrapping.

ssl_protocols: string
List of SSL protocols to be enabled for SSL connections. The
default when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.

ssl_ciphers: string
List of ciphers (in OpenSSL cipher string format) to be
supported for SSL connections. The default when this option is
omitted is HIGH:!aNULL:!MD5.
3605
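The SSL columns above can be reviewed mechanically. This is an added example, not OVN code: it takes one SSL row as a plain dict (assumed to have been read from the table already; the function name and sample paths are hypothetical) and reports the effective ssl_protocols list when it still enables TLS 1.0 or 1.1, an enabled bootstrap_ca_cert, and a private key file readable by group or other.

```python
import os
import stat

# Default stated in the text for an omitted ssl_protocols value.
DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"
# TLS 1.0 and TLS 1.1 were formally deprecated by RFC 8996.
DEPRECATED = {"TLSv1", "TLSv1.1"}


def audit_ssl_row(row):
    """Return findings for one SSL row given as a dict of column -> value."""
    findings = []

    configured = row.get("ssl_protocols") or ""
    effective = configured or DEFAULT_PROTOCOLS
    enabled = [p.strip() for p in effective.split(",") if p.strip()]
    weak = sorted(DEPRECATED.intersection(enabled))
    if weak:
        origin = "configured" if configured else "default (column empty)"
        findings.append(f"ssl_protocols {origin} enables {', '.join(weak)}")

    if row.get("bootstrap_ca_cert"):
        findings.append("bootstrap_ca_cert is true: the first CA certificate "
                        "is accepted without authentication")

    key = row.get("private_key")
    if key and os.path.exists(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"private_key {key} has mode {mode:o}; "
                            "remove group/other access")

    for column in ("private_key", "certificate", "ca_cert"):
        if not row.get(column):
            findings.append(f"{column} is empty")
    return findings


# Constructed sample row; the paths are placeholders and need not exist.
SAMPLE_ROW = {
    "private_key": "/path/to/ovn-privkey.pem",
    "certificate": "/path/to/ovn-cert.pem",
    "ca_cert": "/path/to/cacert.pem",
    "bootstrap_ca_cert": True,
    "ssl_protocols": "",
    "ssl_ciphers": "HIGH:!aNULL:!MD5",
}

if __name__ == "__main__":
    for finding in audit_ssl_row(SAMPLE_ROW):
        print(finding)
```
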
3606 Common Columns:
3607
3608 The overall purpose of these columns is described under Common Columns
3609 at the beginning of this document.
3610
3611 external_ids: map of string-string pairs
3612
Gateway_Chassis TABLE
Association of a chassis to a logical router port. The traffic going
out through a specific router port will be redirected to a chassis, or
a set of them in high availability configurations.
3617
3618 Summary:
3619 name string (must be unique within table)
3620 chassis_name string
3621 priority integer, in range 0 to 32,767
3622 options map of string-string pairs
3623 Common Columns:
3624 external_ids map of string-string pairs
3625
3626 Details:
3627 name: string (must be unique within table)
3628 Name of the Gateway_Chassis.
3629
3630 A suggested, but not required naming convention is
3631 ${port_name}_${chassis_name}.
3632
3633 chassis_name: string
3634 Name of the chassis that we want to redirect traffic through for
3635 the associated logical router port. The value must match the
3636 name column of the Chassis table in the OVN_Southbound database.
3637
priority: integer, in range 0 to 32,767
This is the priority of a chassis among all Gateway_Chassis
belonging to the same logical router port.
3641
3642 options: map of string-string pairs
3643 Reserved for future use.
3644
3645 Common Columns:
3646
3647 external_ids: map of string-string pairs
3648 See External IDs at the beginning of this document.
3649
HA_Chassis_Group TABLE
Table representing a group of chassis which can provide high
availability services. Each chassis in the group is represented by the
table HA_Chassis. The HA chassis with the highest priority will be the
master of this group. If the master chassis failover is detected, the
HA chassis with the next higher priority takes over the responsibility
of providing the HA. If a distributed gateway router port references a
row in this table, then the master HA chassis in this group provides
the gateway functionality.
3659
3660 Summary:
3661 name string (must be unique within table)
3662 ha_chassis set of HA_Chassises
3663 Common Columns:
3664 external_ids map of string-string pairs
3665
3666 Details:
3667 name: string (must be unique within table)
3668 Name of the HA_Chassis_Group. Name should be unique.
3669
ha_chassis: set of HA_Chassises
A list of HA chassis which belong to this group.
3672
3673 Common Columns:
3674
3675 external_ids: map of string-string pairs
3676 See External IDs at the beginning of this document.
3677
HA_Chassis TABLE
Summary:
3680 chassis_name string
3681 priority integer, in range 0 to 32,767
3682 Common Columns:
3683 external_ids map of string-string pairs
3684
3685 Details:
3686 chassis_name: string
3687 Name of the chassis which is part of the HA chassis group. The
3688 value must match the name column of the Chassis table in the
3689 OVN_Southbound database.
3690
3691 priority: integer, in range 0 to 32,767
3692 Priority of the chassis. Chassis with highest priority will be
3693 the master.
3694
3695 Common Columns:
3696
3697 external_ids: map of string-string pairs
3698 See External IDs at the beginning of this document.
3699
BFD TABLE
Contains BFD parameters for ovn-controller BFD configuration. The OVN
BFD implementation is used to provide detection of failures in the
path between adjacent forwarding engines, including the OVN
interfaces. OVN BFD provides link status info to OVN northd in order
to update logical flows according to the status of BFD endpoints. In
the current implementation OVN BFD is used to check next-hop status
for ECMP routes. Please note that the BFD table refers to the OVN BFD
implementation and not to the OVS legacy one.
3709
3710 Summary:
3711 Configuration:
3712 logical_port string
3713 dst_ip string
3714 min_tx optional integer, at least 1
3715 min_rx optional integer
3716 detect_mult optional integer, at least 1
3717 options map of string-string pairs
3718 external_ids map of string-string pairs
3719 Status Reporting:
3720 status optional string, one of admin_down, down,
3721 init, or up
3722
3723 Details:
3724 Configuration:
3725
3726 ovn-northd reads configuration from these columns.
3727
logical_port: string
OVN logical port where the BFD engine is running.
3730
3731 dst_ip: string
3732 BFD peer IP address.
3733
3734 min_tx: optional integer, at least 1
3735 This is the minimum interval, in milliseconds, that the local
3736 system would like to use when transmitting BFD Control packets,
3737 less any jitter applied. The value zero is reserved. Default
3738 value is 1000 ms.
3739
3740 min_rx: optional integer
3741 This is the minimum interval, in milliseconds, between received
3742 BFD Control packets that this system is capable of supporting,
3743 less any jitter applied by the sender. If this value is zero,
3744 the transmitting system does not want the remote system to send
3745 any periodic BFD Control packets.
3746
3747 detect_mult: optional integer, at least 1
3748 Detection time multiplier. The negotiated transmit interval,
3749 multiplied by this value, provides the Detection Time for the
3750 receiving system in Asynchronous mode. Default value is 5.
3751
3752 options: map of string-string pairs
3753 Reserved for future use.
3754
3755 external_ids: map of string-string pairs
3756 See External IDs at the beginning of this document.
3757
3758 Status Reporting:
3759
3760 ovn-northd writes BFD status into these columns.
3761
3762 status: optional string, one of admin_down, down, init, or up
3763 BFD port logical states. Possible values are:
3764
3765 • admin_down
3766
3767 • down
3768
3769 • init
3770
3771 • up
3772
Static_MAC_Binding TABLE
Each record represents a Static_MAC_Binding entry for a logical router.
3775
3776 Summary:
3777 Configuration:
3778 logical_port string
3779 ip string
3780 mac string
3781 override_dynamic_mac boolean
3782
3783 Details:
3784 Configuration:
3785
3786 ovn-northd reads configuration from these columns and propagates the
3787 value to SBDB.
3788
3789 logical_port: string
3790 The logical router port for the binding.
3791
3792 ip: string
3793 The bound IP address.
3794
3795 mac: string
3796 The Ethernet address to which the IP is bound.
3797
3798 override_dynamic_mac: boolean
3799 Override dynamically learnt MACs.
3800
Open vSwitch 22.06.1          DB Schema 6.3.0          ovn-nb(5)