ovn-nb(5)                    Open vSwitch Manual                    ovn-nb(5)

NAME
    ovn-nb - OVN_Northbound database schema

    This database is the interface between OVN and the cloud management
    system (CMS), such as OpenStack, running above it. The CMS produces
    almost all of the contents of the database. The ovn-northd program
    monitors the database contents, transforms it, and stores it into the
    OVN_Southbound database.

    We generally speak of "the" CMS, but one can imagine scenarios in which
    multiple CMSes manage different parts of an OVN deployment.

External IDs
    Each of the tables in this database contains a special column, named
    external_ids. This column has the same form and purpose each place it
    appears.

    external_ids: map of string-string pairs
        Key-value pairs for use by the CMS. The CMS might use certain
        pairs, for example, to identify entities in its own configuration
        that correspond to those in this database.

TABLE SUMMARY
    The following list summarizes the purpose of each of the tables in the
    OVN_Northbound database. Each table is described in more detail on a
    later page.

    Table                         Purpose
    NB_Global                     Northbound configuration
    Copp                          Control plane protection
    Logical_Switch                L2 logical switch
    Logical_Switch_Port           L2 logical switch port
    Forwarding_Group              Forwarding group
    Address_Set                   Address sets
    Port_Group                    Port groups
    Load_Balancer                 Load balancer
    Load_Balancer_Group           Load balancer group
    Load_Balancer_Health_Check    Load balancer health check
    ACL                           Access Control List (ACL) rule
    Logical_Router                L3 logical router
    QoS                           QoS rule
    Mirror                        Mirror entry
    Meter                         Meter entry
    Meter_Band                    Band for meter entries
    Logical_Router_Port           L3 logical router port
    Logical_Router_Static_Route   Logical router static routes
    Logical_Router_Policy         Logical router policies
    NAT                           NAT rules
    DHCP_Options                  DHCP options
    Connection                    OVSDB client connections
    DNS                           Native DNS resolution
    SSL                           SSL configuration
    Gateway_Chassis               Gateway_Chassis configuration
    HA_Chassis_Group              HA_Chassis_Group configuration
    HA_Chassis                    HA_Chassis configuration
    BFD                           BFD configuration
    Static_MAC_Binding            Static_MAC_Binding configuration
    Chassis_Template_Var          Chassis_Template_Var configuration

NB_Global TABLE
    Northbound configuration for an OVN system. This table must have
    exactly one row.

    Summary:
        Identity:
            name                          string
        Status:
            nb_cfg                        integer
            nb_cfg_timestamp              integer
            sb_cfg                        integer
            sb_cfg_timestamp              integer
            hv_cfg                        integer
            hv_cfg_timestamp              integer
        Common Columns:
            external_ids                  map of string-string pairs
        Common options:
            options                       map of string-string pairs
        Options for configuring OVS BFD:
            options : bfd-min-rx          optional string
            options : bfd-decay-min-rx    optional string
            options : bfd-min-tx          optional string
            options : bfd-mult            optional string
            options : mac_prefix          optional string
            options : mac_binding_removal_limit
                                          optional string, containing an
                                          integer, in range 0 to
                                          4,294,967,295
            options : controller_event    optional string, either true or
                                          false
            options : northd_probe_interval
                                          optional string
            options : use_logical_dp_groups
                                          optional string
            options : use_parallel_build  optional string
            options : ignore_lsp_down     optional string
            options : use_ct_inv_match    optional string
            options : default_acl_drop    optional string
            options : debug_drop_domain_id
                                          optional string
            options : debug_drop_collector_set
                                          optional string
        Options for configuring interconnection route advertisement:
            options : ic-route-adv        optional string
            options : ic-route-learn      optional string
            options : ic-route-adv-default
                                          optional string
            options : ic-route-learn-default
                                          optional string
            options : ic-route-blacklist  optional string
        Connection Options:
            connections                   set of Connections
            ssl                           optional SSL
        Security Configurations:
            ipsec                         boolean
        Read-only Options:
            options : max_tunid           optional string

    Details:
    Identity:

    name: string
        The name of the OVN cluster, which uniquely identifies the OVN
        cluster throughout all OVN clusters supposed to interconnect with
        each other.

    Status:

    These columns allow a client to track the overall configuration state
    of the system.

    nb_cfg: integer
        Sequence number for client to increment. When a client modifies any
        part of the northbound database configuration and wishes to wait
        for ovn-northd and possibly all of the hypervisors to finish
        applying the changes, it may increment this sequence number.

    nb_cfg_timestamp: integer
        The timestamp, in milliseconds since the epoch, when ovn-northd
        sees the latest nb_cfg and starts processing.

        To print the timestamp as a human-readable date (the sed strips the
        three millisecond digits so that date receives whole seconds):

            date -d "@$(ovn-nbctl get NB_Global . nb_cfg_timestamp | sed 's/...$//')"

    sb_cfg: integer
        Sequence number that ovn-northd sets to the value of nb_cfg after
        it finishes applying the corresponding configuration changes to the
        OVN_Southbound database.

    sb_cfg_timestamp: integer
        The timestamp, in milliseconds since the epoch, when ovn-northd
        finishes applying the corresponding configuration changes to the
        OVN_Southbound database successfully.

    hv_cfg: integer
        Sequence number that ovn-northd sets to the smallest sequence
        number of all the chassis in the system, as reported in the
        Chassis_Private table in the southbound database. Thus, hv_cfg
        equals nb_cfg if all chassis are caught up with the northbound
        configuration (which may never happen, if any chassis is down).
        This value can regress, if a chassis was removed from the system
        and rejoins before catching up.

        If there are no chassis, then ovn-northd copies nb_cfg to hv_cfg.
        Thus, in this case, the (nonexistent) hypervisors are always
        considered to be caught up. This means that hypervisors can be
        "caught up" even in cases where sb_cfg would show that the
        southbound database is not. To detect when both the hypervisors and
        the southbound database are caught up, a client should take the
        smaller of sb_cfg and hv_cfg.

    hv_cfg_timestamp: integer
        The largest timestamp, in milliseconds since the epoch, of the
        smallest sequence number of all the chassis in the system, as
        reported in the Chassis_Private table in the southbound database.
        In other words, this timestamp reflects the time when the slowest
        chassis catches up with the northbound configuration, which is
        useful for end-to-end control plane latency measurement.
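        The following is an added example, not code from the OVN project,
        showing how a CMS-side client can interpret the Status columns
        above: convergence is judged on the smaller of sb_cfg and hv_cfg,
        hv_cfg is allowed to regress, and the two timestamps give the
        northd-only and end-to-end control plane latencies. The rows are
        constructed dicts; a real client would read the columns through an
        OVSDB client or ovn-nbctl.

```python
# Added example (not OVN's own code): interpreting NB_Global status columns.
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

Row = Dict[str, int]


def converged_cfg(row: Row) -> int:
    """Sequence number applied by both ovn-northd (sb_cfg) and every chassis
    (hv_cfg). The smaller of the two is the honest answer: with no chassis
    at all, hv_cfg is simply a copy of nb_cfg and says nothing about the
    southbound database."""
    return min(row["sb_cfg"], row["hv_cfg"])


def is_caught_up(row: Row, wanted: int) -> bool:
    """True once the change a client tagged with nb_cfg == wanted has been
    applied end to end. hv_cfg can regress when a chassis rejoins before
    catching up, so compare against the wanted value rather than assuming
    the counters only ever grow."""
    return converged_cfg(row) >= wanted


def northd_latency_ms(row: Row) -> Optional[int]:
    """Time from ovn-northd starting on nb_cfg to finishing the southbound
    update. None while ovn-northd has not yet applied the latest nb_cfg."""
    if row["sb_cfg"] < row["nb_cfg"]:
        return None
    return row["sb_cfg_timestamp"] - row["nb_cfg_timestamp"]


def control_plane_latency_ms(row: Row) -> Optional[int]:
    """End-to-end latency: nb_cfg_timestamp to the slowest chassis catching
    up (hv_cfg_timestamp). None while some chassis is still behind."""
    if row["hv_cfg"] < row["nb_cfg"]:
        return None
    return row["hv_cfg_timestamp"] - row["nb_cfg_timestamp"]


def nb_cfg_timestamp_iso(row: Row) -> str:
    """Same conversion as the page's `date -d "@..."` one-liner, in UTC."""
    secs = row["nb_cfg_timestamp"] / 1000
    return datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()


def wait_until_caught_up(poll: Callable[[], Row], wanted: int,
                         max_polls: int) -> Optional[Row]:
    """Poll the NB_Global row until `wanted` has converged; returns the row
    that satisfied the check, or None after max_polls attempts."""
    for _ in range(max_polls):
        row = poll()
        if is_caught_up(row, wanted):
            return row
    return None


# Constructed sample rows: a change tagged nb_cfg=42 that ovn-northd has
# pushed to the southbound database but one chassis has not yet applied,
# and the same row once the slowest chassis caught up.
ROW_IN_FLIGHT: Row = {
    "nb_cfg": 42, "nb_cfg_timestamp": 1_700_000_000_000,
    "sb_cfg": 42, "sb_cfg_timestamp": 1_700_000_000_150,
    "hv_cfg": 41, "hv_cfg_timestamp": 1_699_999_999_900,
}
ROW_DONE: Row = {**ROW_IN_FLIGHT,
                 "hv_cfg": 42, "hv_cfg_timestamp": 1_700_000_000_900}

if __name__ == "__main__":
    print("in flight:", converged_cfg(ROW_IN_FLIGHT), is_caught_up(ROW_IN_FLIGHT, 42))
    print("done:", converged_cfg(ROW_DONE), control_plane_latency_ms(ROW_DONE), "ms")
```

        A client that only watches hv_cfg would report the in-flight row as
        converged in a deployment that momentarily has no chassis, which is
        why converged_cfg() takes the minimum of both counters.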

    Common Columns:

    external_ids: map of string-string pairs
        See External IDs at the beginning of this document.

    Common options:

    options: map of string-string pairs
        This column provides general key/value settings. The supported
        options are described individually below.

    Options for configuring OVS BFD:

    These options apply when ovn-controller configures OVS BFD on tunnel
    interfaces. Please note these parameters refer to the legacy OVS BFD
    implementation and not to the OVN BFD one.

    options : bfd-min-rx: optional string
        BFD option min-rx value to use when configuring BFD on tunnel
        interfaces.

    options : bfd-decay-min-rx: optional string
        BFD option decay-min-rx value to use when configuring BFD on tunnel
        interfaces.

    options : bfd-min-tx: optional string
        BFD option min-tx value to use when configuring BFD on tunnel
        interfaces.

    options : bfd-mult: optional string
        BFD option mult value to use when configuring BFD on tunnel
        interfaces.

    options : mac_prefix: optional string
        Configure a given OUI to be used as prefix when an L2 address is
        dynamically assigned, e.g. 00:11:22.

    options : mac_binding_removal_limit: optional string, containing an
    integer, in range 0 to 4,294,967,295
        MAC binding aging bulk removal limit. This limits how many rows can
        expire in a single transaction. The default value is 0, which means
        unlimited. When the limit is hit, the next batch removal is delayed
        by 5 s.

    options : controller_event: optional string, either true or false
        Value set by the CMS to enable/disable ovn-controller event
        reporting. Traffic into OVS can raise a 'controller' event that
        results in a Controller_Event being written to the Controller_Event
        table in SBDB. When the CMS has seen the event and taken
        appropriate action, it can remove the corresponding row in the
        Controller_Event table. The intention is for a CMS to see the
        events and take some sort of action. Please see the
        Controller_Event table in SBDB. It is possible to associate a meter
        to each controller event type in order to not overload the pinctrl
        thread under heavy load. Each event type relies on a meter with a
        defined name:

        • empty_lb_backends: event-elb

    options : northd_probe_interval: optional string
        The inactivity probe interval of the connection to the OVN
        Northbound and Southbound databases from ovn-northd, in
        milliseconds. If the value is zero, it disables the connection
        keepalive feature.

        If the value is nonzero, then it will be forced to a value of at
        least 1000 ms.

    options : use_logical_dp_groups: optional string
        Note: This option is deprecated; the only behavior is to always
        combine logical flows by datapath groups. Changing the value or
        removing this option altogether will have no effect.

        ovn-northd combines logical flows that differ only by logical
        datapath into a single logical flow with a logical datapath group
        attached.

    options : use_parallel_build: optional string
        If set to true, ovn-northd will attempt to compute logical flows in
        parallel.

        Parallel computation is enabled only if the system has 4 or more
        cores/threads available to be used by ovn-northd.

        The default value is false.

    options : ignore_lsp_down: optional string
        If set to false, ARP/ND reply flows for logical switch ports will
        be installed only if the port is up, i.e. claimed by a Chassis. If
        set to true, these flows are installed regardless of the status of
        the port, which can result in a situation where an ARP request to
        an IP is resolved even before the relevant VM/container is running.
        For environments where this is not an issue, setting it to true can
        reduce the load and latency of the control plane. The default value
        is true.

    options : use_ct_inv_match: optional string
        If set to false, ovn-northd will not use the ct.inv field in any of
        the logical flow matches. The default value is true. If the NIC
        supports offloading OVS datapath flows but doesn't support
        offloading the ct_state inv flag, then the datapath flows matching
        on this flag (either +inv or -inv) will not be offloaded. The CMS
        should consider setting use_ct_inv_match to false in such cases.
        This has the side effect that invalid packets get delivered to the
        destination VIF, whereas OVN would otherwise have dropped them.

    options : default_acl_drop: optional string
        If set to true, ovn-northd will generate a logical flow to drop all
        traffic in the ACL stages. By default this option is set to false.

    options : debug_drop_domain_id: optional string
        If set to an 8-bit number and if debug_drop_collector_set is also
        configured, ovn-northd will add a sample action to every logical
        flow that contains a 'drop' action. The 8 most significant bits of
        the observation_domain_id field will be those specified in
        debug_drop_domain_id. The 24 least significant bits of the
        observation_domain_id field will be the datapath's key.

        The observation_point_id will be set to the first 32 bits of the
        logical flow's UUID.

    options : debug_drop_collector_set: optional string
        If set to a 32-bit number, ovn-northd will add a sample action to
        every logical flow that contains a 'drop' action. The sample action
        will have the specified collector_set_id. The value must match that
        of the local OVS configuration as described in ovs-actions(7).
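        The following is an added example, not OVN's own code, showing how
        the two identifiers described under debug_drop_domain_id are
        composed, and how a collector that receives drop samples can map
        them back to a datapath and to candidate logical flows. The
        datapath key table and the logical flow UUIDs are constructed; a
        real pipeline would resolve them from the southbound database.

```python
# Added example (not OVN's own code): drop-sampling identifier layout.
import uuid
from typing import Dict, Iterable, List, Optional, Tuple

DATAPATH_KEY_BITS = 24
DATAPATH_KEY_MASK = (1 << DATAPATH_KEY_BITS) - 1


def observation_domain_id(debug_drop_domain_id: int, datapath_key: int) -> int:
    """8 most significant bits: debug_drop_domain_id;
    24 least significant bits: the datapath's tunnel key."""
    if not 0 <= debug_drop_domain_id <= 0xFF:
        raise ValueError("debug_drop_domain_id must be an 8-bit number")
    if not 0 <= datapath_key <= DATAPATH_KEY_MASK:
        raise ValueError("datapath key must fit in 24 bits")
    return (debug_drop_domain_id << DATAPATH_KEY_BITS) | datapath_key


def split_observation_domain_id(odid: int) -> Tuple[int, int]:
    """Inverse of observation_domain_id(): (domain id, datapath key)."""
    return odid >> DATAPATH_KEY_BITS, odid & DATAPATH_KEY_MASK


def observation_point_id(lflow_uuid) -> int:
    """First 32 bits of the logical flow's UUID, i.e. its first 8 hex digits."""
    return int.from_bytes(uuid.UUID(str(lflow_uuid)).bytes[:4], "big")


def explain_drop_sample(odid: int, opid: int, configured_domain_id: int,
                        datapaths: Dict[int, str],
                        lflows: Iterable[uuid.UUID]) -> Optional[dict]:
    """Map a received (observation_domain_id, observation_point_id) pair
    back to a datapath name and the logical flows whose UUID prefix matches.
    Returns None when the sample carries a different domain id, i.e. it was
    not produced by this OVN drop-sampling configuration. Only 32 of the
    128 UUID bits are carried, so prefix collisions are possible and every
    match is listed rather than assuming a single flow."""
    domain, dp_key = split_observation_domain_id(odid)
    if domain != configured_domain_id:
        return None
    matches: List[str] = [str(u) for u in lflows
                          if observation_point_id(u) == opid]
    return {"datapath": datapaths.get(dp_key, f"<unknown key {dp_key}>"),
            "lflows": matches}


# Constructed sample data (not real OVN identifiers).
SAMPLE_DOMAIN_ID = 0xAB
SAMPLE_DATAPATHS = {0x000123: "ls-tenant-a", 0x000124: "lr-edge"}
SAMPLE_LFLOWS = [uuid.UUID("deadbeef-0000-4000-8000-000000000001"),
                 uuid.UUID("cafebabe-0000-4000-8000-000000000002")]

if __name__ == "__main__":
    odid = observation_domain_id(SAMPLE_DOMAIN_ID, 0x000123)
    opid = observation_point_id(SAMPLE_LFLOWS[0])
    print(hex(odid), hex(opid))
    print(explain_drop_sample(odid, opid, SAMPLE_DOMAIN_ID,
                              SAMPLE_DATAPATHS, SAMPLE_LFLOWS))
```

        Checking the domain id before resolving the datapath key matters on
        a collector that also receives samples from other OVS sampling
        configurations: the low 24 bits only mean "datapath key" when the
        high 8 bits are the configured debug_drop_domain_id.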

    Options for configuring interconnection route advertisement:

    These options control how routes are advertised between OVN deployments
    for interconnection. If enabled, ovn-ic from different OVN deployments
    exchanges routes between each other through the global
    OVN_IC_Southbound database. Only routers with ports connected to
    interconnection transit switches participate in route advertisement.
    For each of these routers, there are two types of routes to be
    advertised:

    Firstly, the static routes configured in the router are advertised.

    Secondly, the networks configured in the logical router ports that are
    not on the transit switches are advertised. These are considered as
    directly connected subnets on the router.

    Link local prefixes (IPv4 169.254.0.0/16 and IPv6 FE80::/10) are never
    advertised.

    The learned routes are added to the static_routes column of the
    Logical_Router table, with external_ids:ic-learned-route set to the
    uuid of the row in the Route table of the OVN_IC_Southbound database.

    options : ic-route-adv: optional string
        A boolean value that enables route advertisement to the global
        OVN_IC_Southbound database. Default is false.

    options : ic-route-learn: optional string
        A boolean value that enables route learning from the global
        OVN_IC_Southbound database. Default is false.

    options : ic-route-adv-default: optional string
        A boolean value that enables advertising the default route to the
        global OVN_IC_Southbound database. Default is false. This option
        takes effect only when option ic-route-adv is true.

    options : ic-route-learn-default: optional string
        A boolean value that enables learning the default route from the
        global OVN_IC_Southbound database. Default is false. This option
        takes effect only when option ic-route-learn is true.

    options : ic-route-blacklist: optional string
        A string value containing a list of CIDRs delimited by ",". A route
        will not be advertised or learned if the route's prefix belongs to
        any of the CIDRs listed.
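        The following is an added example, not OVN's own code, that models
        the advertisement rules in this section: a router takes part only if
        it has a port on a transit switch, it offers its static routes and
        the networks of its non-transit ports, link-local prefixes are
        dropped, the default route needs ic-route-adv-default, and anything
        inside an ic-route-blacklist CIDR is filtered. The same filter is
        applied for learning under the ic-route-learn options. The router
        rows are constructed dicts, and reading "belongs to" as "is equal to
        or a subnet of a listed CIDR" is an assumption.

```python
# Added example (not OVN's own code): interconnection route filtering.
import ipaddress
from typing import Dict, List

LINK_LOCAL = (ipaddress.ip_network("169.254.0.0/16"),
              ipaddress.ip_network("fe80::/10"))


def parse_blacklist(value: str) -> list:
    """ic-route-blacklist is a ","-delimited list of CIDRs."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]


def is_true(options: Dict[str, str], key: str) -> bool:
    """NB_Global options are strings; the booleans here default to false."""
    return options.get(key, "false").strip().lower() == "true"


def _within(net, cidrs) -> bool:
    """True if net is equal to or contained in any CIDR of the same family
    (assumed meaning of "belongs to" on the page)."""
    return any(net.version == c.version and net.subnet_of(c) for c in cidrs)


def route_permitted(prefix: str, options: Dict[str, str], direction: str) -> bool:
    """direction is "adv" or "learn". Returns True if the route may cross
    the OVN_IC_Southbound boundary in that direction."""
    net = ipaddress.ip_network(prefix, strict=False)
    if not is_true(options, f"ic-route-{direction}"):
        return False                      # feature disabled entirely
    if _within(net, LINK_LOCAL):
        return False                      # never advertised
    if net.prefixlen == 0 and not is_true(options, f"ic-route-{direction}-default"):
        return False                      # default route needs its own opt-in
    return not _within(net, parse_blacklist(options.get("ic-route-blacklist", "")))


def routes_to_advertise(router: dict, options: Dict[str, str]) -> List[str]:
    """Routes a router would offer: static routes first, then the networks
    of ports that are not on transit switches (directly connected subnets),
    each passed through route_permitted()."""
    if not any(p["transit"] for p in router["ports"]):
        return []                         # no transit port: does not participate
    candidates = list(router["static_routes"])
    for port in router["ports"]:
        if not port["transit"]:
            candidates += [str(ipaddress.ip_interface(n).network)
                           for n in port["networks"]]
    return [r for r in candidates if route_permitted(r, options, "adv")]


# Constructed sample configuration.
SAMPLE_OPTIONS = {"ic-route-adv": "true",
                  "ic-route-blacklist": "10.0.0.0/8, 192.168.1.0/24"}
SAMPLE_ROUTER = {
    "static_routes": ["0.0.0.0/0", "10.1.0.0/16", "172.20.0.0/16"],
    "ports": [{"networks": ["169.254.100.1/24"], "transit": True},
              {"networks": ["172.16.5.1/24"], "transit": False}],
}

if __name__ == "__main__":
    print(routes_to_advertise(SAMPLE_ROUTER, SAMPLE_OPTIONS))
```

        In the sample, 10.1.0.0/16 is dropped by the blacklist, the default
        route is dropped because ic-route-adv-default is unset, and the
        transit port's own link-local network never becomes a candidate,
        so only 172.20.0.0/16 and 172.16.5.0/24 are offered.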

    Connection Options:

    connections: set of Connections
        Database clients to which the Open vSwitch database server should
        connect or on which it should listen, along with options for how
        these connections should be configured. See the Connection table
        for more information.

    ssl: optional SSL
        Global SSL configuration.

    Security Configurations:

    ipsec: boolean
        Tunnel encryption configuration. If this column is set to true, all
        OVN tunnels will be encrypted with IPsec.

    Read-only Options:

    options : max_tunid: optional string
        The maximum supported tunnel ID. Depends on the types of
        encapsulation enabled in the cluster.

Copp TABLE
    This table is used to define control plane protection policies, i.e.,
    associate entries from table Meter to control protocol names.

    Summary:
        name                          string (must be unique within table)
        meters : arp                  optional string
        meters : arp-resolve          optional string
        meters : dhcpv4-opts          optional string
        meters : dhcpv6-opts          optional string
        meters : dns                  optional string
        meters : event-elb            optional string
        meters : icmp4-error          optional string
        meters : icmp6-error          optional string
        meters : igmp                 optional string
        meters : nd-na                optional string
        meters : nd-ns                optional string
        meters : nd-ns-resolve        optional string
        meters : nd-ra-opts           optional string
        meters : tcp-reset            optional string
        meters : bfd                  optional string
        meters : reject               optional string
        external_ids                  map of string-string pairs

    Details:
    name: string (must be unique within table)
        CoPP name.

    meters : arp: optional string
        Rate limiting meter for ARP packets (request/reply) used for
        learning neighbors.

    meters : arp-resolve: optional string
        Rate limiting meter for packets that require resolving the next hop
        (through ARP).

    meters : dhcpv4-opts: optional string
        Rate limiting meter for packets that require adding DHCPv4 options.

    meters : dhcpv6-opts: optional string
        Rate limiting meter for packets that require adding DHCPv6 options.

    meters : dns: optional string
        Rate limiting meter for DNS query packets that need to be replied
        to.

    meters : event-elb: optional string
        Rate limiting meter for empty load balancer events.

    meters : icmp4-error: optional string
        Rate limiting meter for packets that require replying with an ICMP
        error.

    meters : icmp6-error: optional string
        Rate limiting meter for packets that require replying with an
        ICMPv6 error.

    meters : igmp: optional string
        Rate limiting meter for IGMP packets.

    meters : nd-na: optional string
        Rate limiting meter for ND neighbor advertisement packets used for
        learning neighbors.

    meters : nd-ns: optional string
        Rate limiting meter for ND neighbor solicitation packets used for
        learning neighbors.

    meters : nd-ns-resolve: optional string
        Rate limiting meter for packets that require resolving the next hop
        (through ND).

    meters : nd-ra-opts: optional string
        Rate limiting meter for packets that require adding ND router
        advertisement options.

    meters : tcp-reset: optional string
        Rate limiting meter for packets that require replying with a TCP
        RST packet.

    meters : bfd: optional string
        Rate limiting meter for BFD packets.

    meters : reject: optional string
        Rate limiting meter for packets that trigger a reject action.

    external_ids: map of string-string pairs
        See External IDs at the beginning of this document.

Logical_Switch TABLE
    Each row represents one L2 logical switch.

    There are two kinds of logical switches, that is, ones that fully
    virtualize the network (overlay logical switches) and ones that provide
    simple connectivity to physical networks (bridged logical switches).
    They work in the same way when providing connectivity between logical
    ports on the same chassis, but differently when connecting remote
    logical ports. Overlay logical switches connect remote logical ports by
    tunnels, while bridged logical switches provide connectivity to remote
    ports by bridging the packets to directly connected physical L2
    segments with the help of localnet ports. Each bridged logical switch
    has one or more localnet ports, which have only one special address,
    unknown.

    Summary:
        ports                         set of Logical_Switch_Ports
        load_balancer                 set of weak reference to
                                      Load_Balancers
        load_balancer_group           set of Load_Balancer_Groups
        acls                          set of ACLs
        qos_rules                     set of QoSes
        dns_records                   set of weak reference to DNSes
        forwarding_groups             set of Forwarding_Groups
        Naming:
            name                      string
            external_ids : neutron:network_name
                                      optional string
        IP Address Assignment:
            other_config : subnet     optional string
            other_config : exclude_ips
                                      optional string
            other_config : ipv6_prefix
                                      optional string
            other_config : mac_only   optional string, either true or false
        IP Multicast Snooping Options:
            other_config : mcast_snoop
                                      optional string, either true or false
            other_config : mcast_querier
                                      optional string, either true or false
            other_config : mcast_flood_unregistered
                                      optional string, either true or false
            other_config : mcast_table_size
                                      optional string, containing an
                                      integer, in range 1 to 32,766
            other_config : mcast_idle_timeout
                                      optional string, containing an
                                      integer, in range 15 to 3,600
            other_config : mcast_query_interval
                                      optional string, containing an
                                      integer, in range 1 to 3,600
            other_config : mcast_query_max_response
                                      optional string, containing an
                                      integer, in range 1 to 10
            other_config : mcast_eth_src
                                      optional string
            other_config : mcast_ip4_src
                                      optional string
            other_config : mcast_ip6_src
                                      optional string
        Interconnection:
            other_config : interconn-ts
                                      optional string
        Tunnel Key:
            other_config : requested-tnl-key
                                      optional string, containing an
                                      integer, in range 1 to 16,777,215
        copp                          optional weak reference to Copp
        Other options:
            other_config : vlan-passthru
                                      optional string, either true or false
        Common Columns:
            external_ids              map of string-string pairs

    Details:
    ports: set of Logical_Switch_Ports
        The logical ports connected to the logical switch.

        It is an error for multiple logical switches to include the same
        logical port.

    load_balancer: set of weak reference to Load_Balancers
        Set of load balancers associated to this logical switch.

    load_balancer_group: set of Load_Balancer_Groups
        Set of load balancer groups associated to this logical switch.

    acls: set of ACLs
        Access control rules that apply to packets within the logical
        switch.

    qos_rules: set of QoSes
        QoS marking and metering rules that apply to packets within the
        logical switch.

    dns_records: set of weak reference to DNSes
        This column defines the DNS records to be used for resolving
        internal DNS queries within the logical switch by the native DNS
        resolver. Please see the DNS table.

    forwarding_groups: set of Forwarding_Groups
        Groups a set of logical port endpoints for traffic going out of the
        logical switch.

    Naming:

    These columns provide names for the logical switch. From OVN's
    perspective, these names have no special meaning or purpose other than
    to provide convenience for human interaction with the database. There
    is no requirement for the name to be unique. (For a unique identifier
    for a logical switch, use its row UUID.)

    (Originally, name was intended to serve the purpose of a human-friendly
    name, but the Neutron integration used it to uniquely identify its own
    switch object, in the format neutron-uuid. Later on, Neutron started
    propagating the friendly name of a switch as
    external_ids:neutron:network_name. Perhaps this can be cleaned up
    someday.)

    name: string
        A name for the logical switch.

    external_ids : neutron:network_name: optional string
        Another name for the logical switch.

    IP Address Assignment:

    These options control automatic IP address management (IPAM) for ports
    attached to the logical switch. To enable IPAM for IPv4, set
    other_config:subnet and optionally other_config:exclude_ips. To enable
    IPAM for IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be
    enabled together or separately.

    To request dynamic address assignment for a particular port, use the
    dynamic keyword in the addresses column of the port's
    Logical_Switch_Port row. This requests both an IPv4 and an IPv6
    address, if IPAM for IPv4 and IPv6 are both enabled.

    other_config : subnet: optional string
        Set this to an IPv4 subnet, e.g. 192.168.0.0/24, to enable
        ovn-northd to automatically assign IP addresses within that subnet.

    other_config : exclude_ips: optional string
        To exclude some addresses from automatic IP address management, set
        this to a list of the IPv4 addresses or ..-delimited ranges to
        exclude. The addresses or ranges should be a subset of those in
        other_config:subnet.

        Whether listed or not, ovn-northd will never allocate the first or
        last address in a subnet, such as 192.168.0.0 or 192.168.0.255 in
        192.168.0.0/24.

        Examples:

        • 192.168.0.2 192.168.0.10

        • 192.168.0.4 192.168.0.30..192.168.0.60
          192.168.0.110..192.168.0.120

        • 192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30
          192.168.0.144

    other_config : ipv6_prefix: optional string
        Set this to an IPv6 prefix to enable ovn-northd to automatically
        assign IPv6 addresses using this prefix. The assigned IPv6 address
        will be generated using the IPv6 prefix and the MAC address
        (converted to an IEEE EUI64 identifier) of the port. The IPv6
        prefix defined here should be a valid IPv6 address ending with ::.

        Examples:

        • aef0::

        • bef0:1234:a890:5678::

        • 8230:5678::

    other_config : mac_only: optional string, either true or false
        Value used to request assignment of an L2 address only, if neither
        subnet nor ipv6_prefix is specified.
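        The following is an added example, not OVN's own code, that works
        through the IP Address Assignment rules above for both families: it
        parses an other_config:exclude_ips value (addresses and ..-delimited
        ranges), rejects entries outside other_config:subnet, leaves the
        first and last address of the subnet unallocated, and derives the
        EUI-64 based IPv6 address from other_config:ipv6_prefix and a port
        MAC. The allocation order (lowest free address first) and the
        exact error handling are assumptions for the example; the sample
        inputs are the page's own.

```python
# Added example (not OVN's own code): IPAM helpers for a logical switch.
import ipaddress
from typing import Iterable, List, Optional, Set


def parse_exclude_ips(value: str, subnet: ipaddress.IPv4Network) -> Set[ipaddress.IPv4Address]:
    """Parse other_config:exclude_ips: whitespace-separated IPv4 addresses
    or lo..hi ranges. Every excluded address must lie inside the subnet
    (the page says they should be a subset of other_config:subnet)."""
    excluded: Set[ipaddress.IPv4Address] = set()
    for token in value.split():
        if ".." in token:
            lo_s, hi_s = token.split("..", 1)
            lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
            if hi < lo:
                raise ValueError(f"range {token} is reversed")
            numbers = range(int(lo), int(hi) + 1)
        else:
            single = ipaddress.IPv4Address(token)
            numbers = range(int(single), int(single) + 1)
        for n in numbers:
            addr = ipaddress.IPv4Address(n)
            if addr not in subnet:
                raise ValueError(f"{addr} is outside {subnet}")
            excluded.add(addr)
    return excluded


def validate_exclude_ips(subnet_str: str, value: str) -> bool:
    """True if exclude_ips parses and is a subset of the subnet."""
    try:
        parse_exclude_ips(value, ipaddress.IPv4Network(subnet_str))
        return True
    except ValueError:
        return False


def allocatable_ipv4(subnet_str: str, exclude_ips: str = "") -> List[str]:
    """Addresses ovn-northd may hand out: the subnet minus exclude_ips and
    minus its first and last address, which are never allocated."""
    subnet = ipaddress.IPv4Network(subnet_str)
    excluded = parse_exclude_ips(exclude_ips, subnet)
    first, last = subnet.network_address, subnet.broadcast_address
    return [str(a) for a in subnet
            if a not in excluded and a != first and a != last]


def next_free_ipv4(subnet_str: str, exclude_ips: str,
                   in_use: Iterable[str]) -> Optional[str]:
    """Lowest allocatable address not already in use (allocation order is
    an assumption of this example), or None when the pool is exhausted."""
    used = set(in_use)
    for addr in allocatable_ipv4(subnet_str, exclude_ips):
        if addr not in used:
            return addr
    return None


def eui64_ipv6(prefix_str: str, mac_str: str) -> str:
    """IPv6 address from other_config:ipv6_prefix and a port MAC using the
    IEEE EUI-64 construction: flip the universal/local bit of the first
    octet and insert ff:fe in the middle of the MAC."""
    if not prefix_str.endswith("::"):
        raise ValueError("ipv6_prefix must be an IPv6 address ending with ::")
    mac = bytes.fromhex(mac_str.replace(":", ""))
    if len(mac) != 6:
        raise ValueError("MAC must be six octets")
    eui = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]
    upper64 = (int(ipaddress.IPv6Address(prefix_str)) >> 64) << 64
    return str(ipaddress.IPv6Address(upper64 | int.from_bytes(eui, "big")))


if __name__ == "__main__":
    pool = allocatable_ipv4("192.168.0.0/24",
                            "192.168.0.4 192.168.0.30..192.168.0.60 "
                            "192.168.0.110..192.168.0.120")
    print(len(pool), pool[:3])
    print(eui64_ipv6("aef0::", "00:11:22:33:44:55"))
```

        The subset check in parse_exclude_ips() is the practical safeguard:
        an exclude_ips entry that silently falls outside the subnet would
        not protect any address, so the example refuses the configuration
        instead of ignoring the stray entry.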

    IP Multicast Snooping Options:

    These options control the IP Multicast Snooping configuration of the
    logical switch. To enable IP Multicast Snooping set
    other_config:mcast_snoop to true. To enable IP Multicast Querier set
    other_config:mcast_querier to true. If IP Multicast Querier is enabled,
    other_config:mcast_eth_src and other_config:mcast_ip4_src must be set.

    other_config : mcast_snoop: optional string, either true or false
        Enables/disables IP Multicast Snooping on the logical switch.

    other_config : mcast_querier: optional string, either true or false
        Enables/disables IP Multicast Querier on the logical switch.

    other_config : mcast_flood_unregistered: optional string, either true
    or false
        Determines whether unregistered multicast traffic should be flooded
        or not. Only applicable if other_config:mcast_snoop is enabled.
        Default: false.

    other_config : mcast_table_size: optional string, containing an
    integer, in range 1 to 32,766
        Number of multicast groups to be stored. Default: 2048.

    other_config : mcast_idle_timeout: optional string, containing an
    integer, in range 15 to 3,600
        Configures the IP Multicast Snooping group idle timeout (in
        seconds). Default: 300 seconds.

    other_config : mcast_query_interval: optional string, containing an
    integer, in range 1 to 3,600
        Configures the IP Multicast Querier interval between queries (in
        seconds). Default: other_config:mcast_idle_timeout / 2.

    other_config : mcast_query_max_response: optional string, containing an
    integer, in range 1 to 10
        Configures the value of the "max-response" field in the multicast
        queries originated by the logical switch. Default: 1 second.

    other_config : mcast_eth_src: optional string
        Configures the source Ethernet address for queries originated by
        the logical switch.

    other_config : mcast_ip4_src: optional string
        Configures the source IPv4 address for queries originated by the
        logical switch.

    other_config : mcast_ip6_src: optional string
        Configures the source IPv6 address for queries originated by the
        logical switch.

    Interconnection:

    other_config : interconn-ts: optional string
        The name of the corresponding transit switch in the
        OVN_IC_Northbound database. This kind of logical switch is created
        and controlled by ovn-ic.

    Tunnel Key:

    other_config : requested-tnl-key: optional string, containing an
    integer, in range 1 to 16,777,215
        Configures the datapath tunnel key for the logical switch. Usually
        this is not needed because ovn-northd will assign a unique key for
        each datapath by itself. However, if it is configured, ovn-northd
        honors the configured value. The typical use case is for
        interconnection: the tunnel keys for transit switches need to be
        unique globally, so they are maintained in the global
        OVN_IC_Southbound database, and ovn-ic simply syncs the value from
        OVN_IC_Southbound through this config.

    copp: optional weak reference to Copp
        The control plane protection policy from table Copp used for
        metering packets sent to ovn-controller from ports of this logical
        switch.

    Other options:

    other_config : vlan-passthru: optional string, either true or false
        Determines whether VLAN tagged incoming traffic should be allowed.
        Note that this may have security implications when enabled for a
        logical switch with a tag=0 localnet port. If not properly isolated
        from other localnet ports, fabric traffic that belongs to other
        tagged networks may be passed through such a port.

    Common Columns:

    external_ids: map of string-string pairs
        See External IDs at the beginning of this document.

Logical_Switch_Port TABLE
    A port within an L2 logical switch.

    Summary:
        Core Features:
            name                      string (must be unique within table)
            type                      string
        Options:
            options                   map of string-string pairs
        Options for router ports:
            options : router-port     optional string
            options : nat-addresses   optional string
            options : exclude-lb-vips-from-garp
                                      optional string
            options : arp_proxy       optional string
        Options for localnet ports:
            options : network_name    optional string
            options : ethtype         optional string
            options : localnet_learn_fdb
                                      optional string, either true or false
        Options for l2gateway ports:
            options : network_name    optional string
            options : l2gateway-chassis
                                      optional string
        Options for vtep ports:
            options : vtep-physical-switch
                                      optional string
            options : vtep-logical-switch
                                      optional string
        VMI (or VIF) Options:
            options : requested-chassis
                                      optional string
            options : activation-strategy
                                      optional string
            options : iface-id-ver    optional string
            options : qos_min_rate    optional string
            options : qos_max_rate    optional string
            options : qos_burst       optional string
            options : hostname        optional string
        VIF Plugging Options:
            options : vif-plug-type   optional string
            options : vif-plug-mtu-request
                                      optional string
        Virtual port Options:
            options : virtual-ip      optional string
            options : virtual-parents
                                      optional string
        IP Multicast Snooping Options:
            options : mcast_flood     optional string, either true or false
            options : mcast_flood_reports
                                      optional string, either true or false
        Containers:
            parent_name               optional string
            tag_request               optional integer, in range 0 to 4,095
            tag                       optional integer, in range 1 to 4,095
        Port State:
            up                        optional boolean
            enabled                   optional boolean
        Addressing:
            addresses                 set of strings
            dynamic_addresses         optional string
            port_security             set of strings
        DHCP:
            dhcpv4_options            optional weak reference to
                                      DHCP_Options
            dhcpv6_options            optional weak reference to
                                      DHCP_Options
        mirror_rules                  set of weak reference to Mirrors
        ha_chassis_group              optional HA_Chassis_Group
        Naming:
            external_ids : neutron:port_name
                                      optional string
        Tunnel Key:
            options : requested-tnl-key
                                      optional string, containing an
                                      integer, in range 1 to 32,767
        Common Columns:
            external_ids              map of string-string pairs

    Details:
    Core Features:

    name: string (must be unique within table)
        The logical port name.

        For entities (VMs or containers) that are spawned in the
        hypervisor, the name used here must match those used in the
        external_ids:iface-id in the Open_vSwitch database's Interface
        table, because hypervisors use external_ids:iface-id as a lookup
        key to identify the network interface of that entity.

        For containers that share a VIF within a VM, the name can be any
        unique identifier. See Containers, below, for more information.

        A logical switch port may not have the same name as a logical
        router port, but the database schema cannot enforce this.

    type: string
        Specify a type for this logical port. Logical ports can be used to
        model other types of connectivity into an OVN logical switch. The
        following types are defined:

        (empty string)
            A VM (or VIF) interface.

        router
            A connection to a logical router. The value of
            options:router-port specifies the name of the
            Logical_Router_Port to which this logical switch port is
            connected.

        localnet
            A connection to a locally accessible network from
            ovn-controller instances that have a corresponding bridge
            mapping. A logical switch can have multiple localnet ports
            attached. This type is used to model direct connectivity to
            existing networks. In this case, each chassis should have a
            mapping for one of the physical networks only. Note: nothing
            said above implies that a chassis cannot be plugged into
            multiple physical networks as long as they belong to different
            switches.

        localport
            A connection to a local VIF. Traffic that arrives on a
            localport is never forwarded over a tunnel to another chassis.
            These ports are present on every chassis and have the same
            address in all of them. This is used to model connectivity to
            local services that run on every hypervisor.

        l2gateway
            A connection to a physical network.

        vtep
            A port to a logical switch on a VTEP gateway.

        external
            Represents a logical port which is external and does not have
            an OVS port in the integration bridge. OVN will never receive
            any traffic from this port or send any traffic to this port.
            OVN can support native services like DHCPv4/DHCPv6/DNS for
            this port. If ha_chassis_group is defined, ovn-controller
            running in the master chassis of the HA chassis group will
            bind this port to provide these native services. It is
            expected that this port belongs to a bridged logical switch
            (with a localnet port).

            It is recommended to use the same HA chassis group for
912 all the external ports of a logical switch. Otherwise,
913 the physical switch might see MAC flap issue when differ‐
914 ent chassis provide the native services. For example when
915 supporting native DHCPv4 service, DHCPv4 server mac (con‐
916 figured in options:server_mac column in table DHCP_Op‐
917 tions) originating from different ports can cause MAC
918 flap issue. The MAC of the logical router IP(s) can also
919 flap if the same HA chassis group is not set for all the
920 external ports of a logical switch.
921
922 Below are some of the use cases where external ports can
923 be used.
924
925 • VMs connected to SR-IOV NICs - Traffic from these
926 VMs bypasses the kernel stack, so the local ovn-controller
927 does not bind these ports and cannot serve
928 the native services.
929
930 • When CMS supports provisioning baremetal servers.
931
932 virtual
933 Represents a logical port which does not have an OVS port
934 in the integration bridge and has a virtual ip configured
935 in the options:virtual-ip column. This virtual ip can
936 move around between the logical ports configured in the
937 options:virtual-parents column.
938
939 One of the use cases where virtual ports can be used is:
940
941 • The virtual ip represents a load balancer vip and
942 the virtual parents provide load balancer service
943 in an active-standby setup with the active virtual
944 parent owning the virtual ip.
945
946 remote A remote port models a port that resides on another OVN
947 deployment, on the other side of a transit logical switch used
948 for OVN interconnection. Ports of this type are created by
949 ovn-ic rather than by the CMS. Any change to the port will be
950 automatically overwritten by ovn-ic.
951
952 Options:
953
954 options: map of string-string pairs
955 This column provides key/value settings specific to the logical
956 port type. The type-specific options are described individually
957 below.
958
959 Options for router ports:
960
961 These options apply when type is router.
962
963 options : router-port: optional string
964 Required. The name of the Logical_Router_Port to which this log‐
965 ical switch port is connected.
966
967 options : nat-addresses: optional string
968 This is used to send gratuitous ARPs for SNAT and DNAT IP ad‐
969 dresses via the localnet port that is attached to the same logi‐
970 cal switch as this type router port. This option is specified on
971 a logical switch port that is connected to a gateway router, or
972 a logical switch port that is connected to a distributed gateway
973 port on a logical router.
974
975 This must take one of the following forms:
976
977 router Gratuitous ARPs will be sent for all SNAT and DNAT exter‐
978 nal IP addresses and for all load balancer IP addresses
979 defined on the options:router-port’s logical router, us‐
980 ing the options:router-port’s MAC address.
981
982 This form of options:nat-addresses is valid for logical
983 switch ports where options:router-port is the name of a
984 port on a gateway router, or the name of a distributed
985 gateway port.
986
987 Supported only in OVN 2.8 and later. Earlier versions re‐
988 quired NAT addresses to be manually synchronized.
989
990 Ethernet address followed by one or more IPv4 addresses
991 Example: 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24.
992 This would result in generation of gratuitous ARPs for IP
993 addresses 158.36.44.22 and 158.36.44.24 with a MAC ad‐
994 dress of 80:fa:5b:06:72:b7.
995
996 This form of options:nat-addresses is only valid for log‐
997 ical switch ports where options:router-port is the name
998 of a port on a gateway router.
999
1000 options : exclude-lb-vips-from-garp: optional string
1001 If this option is set and options:nat-addresses is set to router,
1002 gratuitous ARPs will be sent for all SNAT and DNAT external IP
1003 addresses defined on the options:router-port’s logical router,
1004 using the options:router-port’s MAC address, without considering
1005 configured load balancers.
1006
1007 options : arp_proxy: optional string
1008 Optional. A list of IPv4 addresses for which this logical switch
1009 router port will reply to ARP requests. Example: 169.254.239.254
1010 169.254.239.2. The options:router-port’s logical router should
1011 have a route to forward packets sent to configured proxy ARP IPs
1012 to an appropriate destination.
1013
1014 Options for localnet ports:
1015
1016 These options apply when type is localnet.
1017
1018 options : network_name: optional string
1019 Required. The name of the network to which the localnet port is
1020 connected. Each hypervisor, via ovn-controller, uses its local
1021 configuration to determine exactly how to connect to this lo‐
1022 cally accessible network, if at all.
1023
1024 options : ethtype: optional string
1025 Optional. VLAN EtherType field value for encapsulating VLAN
1026 headers. Supported values: 802.11q (default), 802.11ad.
1027
1028 options : localnet_learn_fdb: optional string, either true or false
1029 Optional. Allows the localnet port to learn MACs and store them in
1030 the FDB table if set to true. The default value is false.
1031
1032 Options for l2gateway ports:
1033
1034 These options apply when type is l2gateway.
1035
1036 options : network_name: optional string
1037 Required. The name of the network to which the l2gateway port is
1038 connected. The L2 gateway, via ovn-controller, uses its local
1039 configuration to determine exactly how to connect to this net‐
1040 work.
1041
1042 options : l2gateway-chassis: optional string
1043 Required. The chassis to which the l2gateway logical port should
1044 be bound. ovn-controller running on the defined chassis will
1045 connect this logical port to the physical network.
1046
1047 Options for vtep ports:
1048
1049 These options apply when type is vtep.
1050
1051 options : vtep-physical-switch: optional string
1052 Required. The name of the VTEP gateway.
1053
1054 options : vtep-logical-switch: optional string
1055 Required. A logical switch name connected by the VTEP gateway.
1056
1057 VMI (or VIF) Options:
1058
1059 These options apply when type is the empty string (a VM or VIF interface).
1060
1061 options : requested-chassis: optional string
1062 If set, identifies a specific chassis (by name or hostname) that
1063 is allowed to bind this port. Using this option will prevent
1064 thrashing between two chassis trying to bind the same port dur‐
1065 ing a live migration. It can also prevent similar thrashing due
1066 to a mis-configuration, if a port is accidentally created on
1067 more than one chassis.
1068
1069 If set to a comma separated list, the first entry identifies the
1070 main chassis and the rest are one or more additional chassis
1071 that are allowed to bind the same port.
1072
1073 When multiple chassis are set for the port, and the logical
1074 switch is connected to an external network through a localnet
1075 port, tunneling is enforced for the port to guarantee delivery
1076 of packets directed to the port to all its locations. This has
1077 MTU implications because the network used for tunneling must
1078 have an MTU larger than that of the localnet network for stable connectivity.
1079
1080 options : activation-strategy: optional string
1081 If used with multiple chassis set in requested-chassis, speci‐
1082 fies an activation strategy for all additional chassis. By de‐
1083 fault, no activation strategy is used, meaning additional port
1084 locations are immediately available for use. When set to "rarp",
1085 the port is blocked for ingress and egress communication until a
1086 RARP packet is sent from a new location. The "rarp" strategy is
1087 useful in live migration scenarios for virtual machines.
1088
1089 options : iface-id-ver: optional string
1090 If set, this port will be bound by ovn-controller only if this
1091 same key and value is configured in the external_ids column in
1092 the Open_vSwitch database’s Interface table.
1093
1094 options : qos_min_rate: optional string
1095 If set, indicates the minimum guaranteed rate available for data
1096 sent from this interface, in bit/s.
1097
1098 options : qos_max_rate: optional string
1099 If set, indicates the maximum rate for data sent from this in‐
1100 terface, in bit/s. The traffic will be shaped according to this
1101 limit.
1102
1103 options : qos_burst: optional string
1104 If set, indicates the maximum burst size for data sent from this
1105 interface, in bits.
1106
1107 options : hostname: optional string
1108 If set, indicates the DHCPv4 option "Hostname" (option code 12)
1109 associated with this Logical Switch Port. If DHCPv4 is enabled
1110 for this Logical Switch Port, the hostname DHCP option will be
1111 included in the DHCP reply.
1112
1113 VIF Plugging Options:
1114
1115 options : vif-plug-type: optional string
1116 If set, OVN will attempt to perform plugging of this VIF. In or‐
1117 der to get this port plugged by the OVN controller, OVN must be
1118 built with support for VIF plugging. The default behavior is for
1119 the CMS to do the VIF plugging. Each VIF plug provider has
1120 its own options namespaced by name, for example
1121 "vif-plug:representor:key". Please refer to the VIF plug provider
1122 documentation located in Documentation/topics/vif-plug-providers/ for
1123 more information.
1124
1125 options : vif-plug-mtu-request: optional string
1126 Requested MTU for plugged interfaces. When set the OVN con‐
1127 troller will fill the mtu_request column of the Open vSwitch
1128 database’s Interface table. This in turn will make OVS vswitchd
1129 update the MTU of the linked interface.
1130
1131 Virtual port Options:
1132
1133 These options apply when type is virtual.
1134
1135 options : virtual-ip: optional string
1136 This option represents the virtual IPv4 address.
1137
1138 options : virtual-parents: optional string
1139 This option represents a set of logical port names (within the
1140 same logical switch) that can own the virtual IP configured in
1141 options:virtual-ip. All these virtual parents should add the
1142 virtual IP to their port_security column if port security addresses are
1143 enabled.
1144
1145 IP Multicast Snooping Options:
1146
1147 These options apply when the port is part of a logical switch which has
1148 other_config:mcast_snoop set to true.
1149
1150 options : mcast_flood: optional string, either true or false
1151 If set to true, multicast packets (except reports) are uncondi‐
1152 tionally forwarded to the specific port. Default: false.
1153
1154 options : mcast_flood_reports: optional string, either true or false
1155 If set to true, multicast reports are unconditionally forwarded
1156 to the specific port. Default: false.
1157
1158 Containers:
1159
1160 When a large number of containers are nested within a VM, it may be too
1161 expensive to dedicate a VIF to each container. OVN can use VLAN tags to
1162 support such cases. Each container is assigned a VLAN ID and each
1163 packet that passes between the hypervisor and the VM is tagged with the
1164 appropriate ID for the container. Such VLAN IDs never appear on a phys‐
1165 ical wire, even inside a tunnel, so they need not be unique except rel‐
1166 ative to a single VM on a hypervisor.
1167
1168 These columns are used for VIFs that represent nested containers using
1169 shared VIFs. For VMs and for containers that have dedicated VIFs, they
1170 are empty.
1171
1172 parent_name: optional string
1173 The VM interface through which the nested container sends its
1174 network traffic. This must match the name column for some other
1175 Logical_Switch_Port.
1176
1177 tag_request: optional integer, in range 0 to 4,095
1178 The VLAN tag in the network traffic associated with a con‐
1179 tainer’s network interface. The client can request ovn-northd to
1180 allocate a tag that is unique within the scope of a specific
1181 parent (specified in parent_name) by setting a value of 0 in
1182 this column. The allocated value is written by ovn-northd in the
1183 tag column. (Note that these tags are allocated and managed lo‐
1184 cally in ovn-northd, so they cannot be reconstructed in the
1185 event that the database is lost.) The client can also request a
1186 specific non-zero tag and ovn-northd will honor it and copy that
1187 value to the tag column.
1188
1189 When type is set to localnet or l2gateway, this can be set to
1190 indicate that the port represents a connection to a specific
1191 VLAN on a locally accessible network. The VLAN ID is used to
1192 match incoming traffic and is also added to outgoing traffic.
1193
1194 tag: optional integer, in range 1 to 4,095
1195 The VLAN tag allocated by ovn-northd based on the contents of
1196 the tag_request column.
1197
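The allocation rules above (a tag_request of 0 asks ovn-northd for a tag that is unique within the parent's scope, a non-zero request is honored and copied to tag, and allocations survive a database loss only if they were written to the tag column) can be modelled in a few lines. The following Python is an added illustration, not OVN code; the class name, the lowest-free-tag choice and the per-parent conflict check are this example's assumptions about behaviour the text does not spell out.

```python
from typing import Dict, Iterable, Set, Tuple

# Added example, not ovn-northd's implementation: a toy model of how the
# "tag" column is filled from "tag_request" for nested-container ports.
# Only the rules stated in the text are modelled; picking the lowest free
# tag is this example's assumption.

TAG_MIN, TAG_MAX = 1, 4095


class ContainerTagAllocator:
    def __init__(self) -> None:
        # parent_name -> {tag: child port name}; uniqueness is scoped to the parent.
        self._used: Dict[str, Dict[int, str]] = {}

    def seed(self, rows: Iterable[Tuple[str, str, int]]) -> None:
        """Re-seed from persisted (port, parent_name, tag) rows after a restart.
        Only tags already written to the tag column survive; allocations that
        were never persisted are gone, which is the caveat the text gives."""
        for port, parent, tag in rows:
            self._used.setdefault(parent, {})[tag] = port

    def allocate(self, port: str, parent_name: str, tag_request: int) -> int:
        if not 0 <= tag_request <= TAG_MAX:
            raise ValueError("tag_request must be in range 0 to 4095")
        used = self._used.setdefault(parent_name, {})
        if tag_request != 0:
            # A specific non-zero request is honored and copied to "tag",
            # unless another child of the same parent already holds it.
            owner = used.get(tag_request)
            if owner is not None and owner != port:
                raise ValueError(f"tag {tag_request} under {parent_name} is held by {owner}")
            used[tag_request] = port
            return tag_request
        # tag_request == 0: allocate the lowest free tag within this parent's scope.
        for tag in range(TAG_MIN, TAG_MAX + 1):
            if tag not in used:
                used[tag] = port
                return tag
        raise RuntimeError(f"no free VLAN tag left under {parent_name}")

    def used_tags(self, parent_name: str) -> Set[int]:
        return set(self._used.get(parent_name, {}))


def demo() -> Dict[str, int]:
    """Constructed sample: two VMs (vm1, vm2), each with nested containers."""
    alloc = ContainerTagAllocator()
    return {
        "c1@vm1": alloc.allocate("c1", "vm1", 0),    # first free tag under vm1
        "c2@vm1": alloc.allocate("c2", "vm1", 0),    # next free tag under vm1
        "c3@vm1": alloc.allocate("c3", "vm1", 100),  # explicit request, honored
        "c4@vm2": alloc.allocate("c4", "vm2", 0),    # tag 1 reused: different parent
    }
```

The point of `seed` is the caveat in the text: after a restart ovn-northd can only continue from what is in the tag column, so a tag that was requested but never persisted has to be allocated afresh.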
1198 Port State:
1199
1200 up: optional boolean
1201 This column is populated by ovn-northd, rather than by the CMS
1202 plugin as is most of this database. When a logical port is bound
1203 to a physical location in the OVN Southbound database Binding
1204 table, ovn-northd sets this column to true; otherwise, or if the
1205 port becomes unbound later, it sets it to false. If this column
1206 is empty, the port is not considered up. This allows the CMS to
1207 wait for a VM’s (or container’s) networking to become active be‐
1208 fore it allows the VM (or container) to start.
1209
1210 Logical ports of router type are an exception to this rule. They
1211 are considered to be always up, that is, this column is always
1212 set to true.
1213
1214 enabled: optional boolean
1215 This column is used to administratively set port state. If this
1216 column is empty or is set to true, the port is enabled. If this
1217 column is set to false, the port is disabled. A disabled port
1218 has all ingress and egress traffic dropped.
1219
1220 Addressing:
1221
1222 addresses: set of strings
1223 Addresses owned by the logical port.
1224
1225 Each element in the set must take one of the following forms:
1226
1227 Ethernet address followed by zero or more IPv4 or IPv6 addresses
1228 (or both)
1229 An Ethernet address defined is owned by the logical port.
1230 Like a physical Ethernet NIC, a logical port ordinarily
1231 has a single fixed Ethernet address.
1232
1233 When an OVN logical switch processes a unicast Ethernet
1234 frame whose destination MAC address is in a logical
1235 port’s addresses column, it delivers it only to that
1236 port, as if a MAC learning process had learned that MAC
1237 address on the port.
1238
1239 If IPv4 or IPv6 address(es) (or both) are defined, it in‐
1240 dicates that the logical port owns the given IP ad‐
1241 dresses.
1242
1243 If IPv4 address(es) are defined, the OVN logical switch
1244 uses this information to synthesize responses to ARP re‐
1245 quests without traversing the physical network. The OVN
1246 logical router connected to the logical switch, if any,
1247 uses this information to avoid issuing ARP requests for
1248 logical switch ports.
1249
1250 Note that the order here is important. The Ethernet ad‐
1251 dress must be listed before the IP address(es) if de‐
1252 fined.
1253
1254 Examples:
1255
1256 80:fa:5b:06:72:b7
1257 This indicates that the logical port owns the
1258 above mac address.
1259
1260 80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
1261 This indicates that the logical port owns the mac
1262 address and two IPv4 addresses.
1263
1264 80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1265 This indicates that the logical port owns the mac
1266 address and 1 IPv6 address.
1267
1268 80:fa:5b:06:72:b7 10.0.0.4
1269 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1270 This indicates that the logical port owns the mac
1271 address and 1 IPv4 address and 1 IPv6 address.
1272
1273 unknown
1274 This indicates that the logical port has an unknown set
1275 of Ethernet addresses. When an OVN logical switch pro‐
1276 cesses a unicast Ethernet frame whose destination MAC ad‐
1277 dress is not in any logical port’s addresses column, it
1278 delivers it to the port (or ports) whose addresses col‐
1279 umns include unknown.
1280
1281 dynamic
1282 Use dynamic to make ovn-northd generate a globally unique
1283 MAC address, choose an unused IPv4 address with the logi‐
1284 cal port’s subnet (if other_config:subnet is set in the
1285 port’s Logical_Switch), and generate an IPv6 address from
1286 the MAC address (if other_config:ipv6_prefix is set in
1287 the port’s Logical_Switch) and store them in the port’s
1288 dynamic_addresses column.
1289
1290 Only one element containing dynamic may appear in ad‐
1291 dresses.
1292
1293 dynamic ip
1294 dynamic ipv6
1295 dynamic ip ipv6
1296 These act like dynamic alone but specify particular IPv4 or
1297 IPv6 addresses to use. OVN IPAM will still automatically
1298 allocate the other address if configured appropriately. Ex‐
1299 ample: dynamic 192.168.0.1 2001::1.
1300
1301 mac dynamic
1302 This acts like dynamic alone but specifies a particular MAC
1303 address to use. OVN IPAM will still automatically allocate
1304 IPv4 or IPv6 addresses, or both, if configured appropri‐
1305 ately. Example: 80:fa:5b:06:72:b7 dynamic
1306
1307 router
1308 Accepted only when type is router. This indicates that the
1309 Ethernet, IPv4, and IPv6 addresses for this logical switch
1310 port should be obtained from the connected logical router
1311 port, as specified by router-port in options.
1312
1313 The resulting addresses are used to populate the logical
1314 switch’s destination lookup, and also for the logical
1315 switch to generate ARP and ND replies.
1316
1317 If the connected logical router port has a distributed
1318 gateway port specified and the logical router has rules
1319 specified in nat with external_mac, then those addresses
1320 are also used to populate the switch’s destination lookup.
1321
1322 Supported only in OVN 2.7 and later. Earlier versions re‐
1323 quired router addresses to be manually synchronized.
1324
1325 dynamic_addresses: optional string
1326 Addresses assigned to the logical port by ovn-northd, if dynamic
1327 is specified in addresses. Addresses will be of the same format
1328 as those that populate the addresses column. Note that dynami‐
1329 cally assigned addresses are constructed and managed locally in
1330 ovn-northd, so they cannot be reconstructed in the event that
1331 the database is lost.
1332
1333 port_security: set of strings
1334 This column controls the addresses from which the host attached
1335 to the logical port (``the host’’) is allowed to send packets
1336 and to which it is allowed to receive packets. If this column is
1337 empty, all addresses are permitted.
1338
1339 Each element in the set must begin with one Ethernet address.
1340 This would restrict the host to sending packets from and receiv‐
1341 ing packets to the ethernet addresses defined in the logical
1342 port’s port_security column. It also restricts the inner source
1343 MAC addresses that the host may send in ARP and IPv6 Neighbor
1344 Discovery packets. The host is always allowed to receive packets
1345 to multicast and broadcast Ethernet addresses.
1346
1347 Each element in the set may additionally contain one or more
1348 IPv4 or IPv6 addresses (or both), with optional masks. If a mask
1349 is given, it must be a CIDR mask. In addition to the restric‐
1350 tions described for Ethernet addresses above, such an element
1351 restricts the IPv4 or IPv6 addresses from which the host may
1352 send and to which it may receive packets to the specified ad‐
1353 dresses. A masked address, if the host part is zero, indicates
1354 that the host is allowed to use any address in the subnet; if
1355 the host part is nonzero, the mask simply indicates the size of
1356 the subnet. In addition:
1357
1358 • If any IPv4 address is given, the host is also allowed to
1359 receive packets to the IPv4 local broadcast address
1360 255.255.255.255 and to IPv4 multicast addresses
1361 (224.0.0.0/4). If an IPv4 address with a mask is given,
1362 the host is also allowed to receive packets to the broad‐
1363 cast address in that specified subnet.
1364
1365 If any IPv4 address is given, the host is additionally
1366 restricted to sending ARP packets with the specified
1367 source IPv4 address. (RARP is not restricted.)
1368
1369 • If any IPv6 address is given, the host is also allowed to
1370 receive packets to IPv6 multicast addresses (ff00::/8).
1371
1372 If any IPv6 address is given, the host is additionally
1373 restricted to sending IPv6 Neighbor Discovery Solicita‐
1374 tion or Advertisement packets with the specified source
1375 address or, for solicitations, the unspecified address.
1376
1377 If an element includes an IPv4 address, but no IPv6 addresses,
1378 then IPv6 traffic is not allowed. If an element includes an IPv6
1379 address, but no IPv4 address, then IPv4 and ARP traffic is not
1380 allowed.
1381
1382 This column uses the same lexical syntax as the match column in
1383 the OVN Southbound database’s Pipeline table. Multiple addresses
1384 within an element may be space or comma separated.
1385
1386 This column is provided as a convenience to cloud management
1387 systems, but all of the features that it implements can be im‐
1388 plemented as ACLs using the ACL table.
1389
1390 Examples:
1391
1392 80:fa:5b:06:72:b7
1393 The host may send traffic from and receive traffic to the
1394 specified MAC address, and to receive traffic to Ethernet
1395 multicast and broadcast addresses, but not otherwise. The
1396 host may not send ARP or IPv6 Neighbor Discovery packets
1397 with inner source Ethernet addresses other than the one
1398 specified.
1399
1400 80:fa:5b:06:72:b7 192.168.1.10/24
1401 This adds further restrictions to the first example. The
1402 host may send IPv4 packets from or receive IPv4 packets
1403 to only 192.168.1.10, except that it may also receive
1404 IPv4 packets to 192.168.1.255 (based on the subnet mask),
1405 255.255.255.255, and any address in 224.0.0.0/4. The host
1406 may not send ARPs with a source Ethernet address other
1407 than 80:fa:5b:06:72:b7 or source IPv4 address other than
1408 192.168.1.10. The host may not send or receive any IPv6
1409 (including IPv6 Neighbor Discovery) traffic.
1410
1411 "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
1412 The host may send traffic from and receive traffic to the
1413 specified MAC addresses, and to receive traffic to Ether‐
1414 net multicast and broadcast addresses, but not otherwise.
1415 With MAC 80:fa:5b:12:42:ba, the host may send traffic
1416 from and receive traffic to any L3 address. With MAC
1417 80:fa:5b:06:72:b7, the host may send IPv4 packets from or
1418 receive IPv4 packets to only 192.168.1.10, except that it
1419 may also receive IPv4 packets to 192.168.1.255 (based on
1420 the subnet mask), 255.255.255.255, and any address in
1421 224.0.0.0/4. The host may not send or receive any IPv6
1422 (including IPv6 Neighbor Discovery) traffic.
1423
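To make the rules above concrete, here is an added Python model (not OVN code) that parses port_security elements and answers whether a given source or destination MAC/IP combination is permitted for the host, following only the rules stated in this section: the Ethernet address must come first, a zero host part in a masked address admits the whole subnet, a nonzero host part admits only that address (plus its subnet broadcast on receive), 255.255.255.255 and 224.0.0.0/4 become receivable once any IPv4 address is listed, ff00::/8 once any IPv6 address is listed, and an element that lists only one family blocks the other. The function names, and treating a multicast or broadcast destination MAC as always deliverable, are the example's own choices; ARP and Neighbor Discovery sender addresses are checked with the same may_send test as IP sources.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)
IPV4_LOCAL_BCAST = ipaddress.IPv4Address("255.255.255.255")
IPV4_MCAST = ipaddress.IPv4Network("224.0.0.0/4")
IPV6_MCAST = ipaddress.IPv6Network("ff00::/8")
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class PortSecurityElement:
    mac: str
    has_ip4: bool = False
    has_ip6: bool = False
    # Source ranges the host may use: a /32 (/128) for a single address, or
    # the whole subnet when a masked address has a zero host part.
    sources: List[Network] = field(default_factory=list)
    # Subnet broadcast addresses the host may additionally receive.
    extra_dst: List[Address] = field(default_factory=list)


def parse_element(element: str) -> PortSecurityElement:
    """Parse one port_security element: an Ethernet address followed by zero
    or more IPv4/IPv6 addresses with optional CIDR masks (space or comma
    separated)."""
    tokens = [t for t in re.split(r"[\s,]+", element.strip()) if t]
    if not tokens or not MAC_RE.match(tokens[0]):
        raise ValueError(f"element must begin with an Ethernet address: {element!r}")
    elem = PortSecurityElement(mac=tokens[0].lower())
    for tok in tokens[1:]:
        iface = ipaddress.ip_interface(tok)  # keeps the host part, accepts /mask
        if iface.version == 4:
            elem.has_ip4 = True
        else:
            elem.has_ip6 = True
        net = iface.network
        if iface.ip == net.network_address and net.prefixlen < net.max_prefixlen:
            elem.sources.append(net)  # zero host part: any address in the subnet
        else:
            elem.sources.append(ipaddress.ip_network(str(iface.ip)))  # exact address
            if iface.version == 4 and net.prefixlen < 32:
                elem.extra_dst.append(net.broadcast_address)  # mask only sizes the subnet
    return elem


def parse_port_security(column: List[str]) -> List[PortSecurityElement]:
    return [parse_element(e) for e in column]


def _l3_allowed(elems: List[PortSecurityElement], ip: str, receiving: bool) -> bool:
    addr = ipaddress.ip_address(ip)
    for e in elems:
        if not e.has_ip4 and not e.has_ip6:
            return True  # MAC-only element: any L3 address is allowed
        if (addr.version == 4 and not e.has_ip4) or (addr.version == 6 and not e.has_ip6):
            continue  # element lists only the other family: this family is blocked
        if any(addr in net for net in e.sources):
            return True
        if receiving and addr.version == 4:
            if addr == IPV4_LOCAL_BCAST or addr in IPV4_MCAST or addr in e.extra_dst:
                return True
        if receiving and addr.version == 6 and addr in IPV6_MCAST:
            return True
    return False


def may_send(policy: List[PortSecurityElement], src_mac: str,
             src_ip: Optional[str] = None) -> bool:
    """May the host emit a frame with this source MAC and (as IP source, or
    as ARP/ND sender address) this IP? src_ip=None means a non-IP frame."""
    if not policy:
        return True  # empty column: all addresses are permitted
    elems = [e for e in policy if e.mac == src_mac.lower()]
    if not elems:
        return False
    return src_ip is None or _l3_allowed(elems, src_ip, receiving=False)


def may_receive(policy: List[PortSecurityElement], dst_mac: str,
                dst_ip: Optional[str] = None) -> bool:
    """May a frame with this destination MAC/IP be delivered to the host?"""
    if not policy:
        return True
    if int(dst_mac.split(":")[0], 16) & 1:
        return True  # Ethernet multicast/broadcast destinations are always delivered
    elems = [e for e in policy if e.mac == dst_mac.lower()]
    if not elems:
        return False
    return dst_ip is None or _l3_allowed(elems, dst_ip, receiving=True)
```

Running the second example from the text through it, `80:fa:5b:06:72:b7 192.168.1.10/24` lets the host send from 192.168.1.10 only, and receive to 192.168.1.10, 192.168.1.255, 255.255.255.255 and 224.0.0.0/4, while every IPv6 packet is refused because no IPv6 address is listed.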
1424 DHCP:
1425
1426 dhcpv4_options: optional weak reference to DHCP_Options
1427 This column defines the DHCPv4 Options to be included by the
1428 ovn-controller when it replies to the DHCPv4 requests. Please
1429 see the DHCP_Options table.
1430
1431 dhcpv6_options: optional weak reference to DHCP_Options
1432 This column defines the DHCPv6 Options to be included by the
1433 ovn-controller when it replies to the DHCPv6 requests. Please
1434 see the DHCP_Options table.
1435
1436 mirror_rules: set of weak reference to Mirrors
1437 Mirror rules that apply to this logical switch port as the
1438 source. Please see the Mirror table.
1439
1440 ha_chassis_group: optional HA_Chassis_Group
1441 References a row in the OVN Northbound database’s HA_Chas‐
1442 sis_Group table. It indicates the HA chassis group to use if the
1443 type is set to external. If type is not external, this column is
1444 ignored.
1445
1446 Naming:
1447
1448 external_ids : neutron:port_name: optional string
1449 This column gives an optional human-friendly name for the port.
1450 This name has no special meaning or purpose other than to pro‐
1451 vide convenience for human interaction with the northbound data‐
1452 base.
1453
1454 Neutron copies this from its own port object’s name. (Neutron
1455 ports are not assigned human-friendly names by default, so this
1456 will often be empty.)
1457
1458 Tunnel Key:
1459
1460 options : requested-tnl-key: optional string, containing an integer, in
1461 range 1 to 32,767
1462 Configures the port binding tunnel key for the port. Usually
1463 this is not needed because ovn-northd will assign a unique key
1464 for each port by itself. However, if it is configured,
1465 ovn-northd honors the configured value. The typical use case is
1466 for interconnection: the tunnel keys for ports on transit
1467 switches need to be unique globally, so they are maintained in
1468 the global OVN_IC_Southbound database, and ovn-ic simply syncs
1469 the value from OVN_IC_Southbound through this config.
1470
1471 Common Columns:
1472
1473 external_ids: map of string-string pairs
1474 See External IDs at the beginning of this document.
1475
1476 The ovn-northd program copies all these pairs into the exter‐
1477 nal_ids column of the Port_Binding table in OVN_Southbound data‐
1478 base.
1479
1480 Forwarding_Group TABLE
1481 Each row represents one forwarding group.
1482
1483 Summary:
1484 name string
1485 vip string
1486 vmac string
1487 liveness boolean
1488 child_port set of 1 or more strings
1489 Common Columns:
1490 external_ids map of string-string pairs
1491
1492 Details:
1493 name: string
1494 A name for the forwarding group. This name has no special mean‐
1495 ing or purpose other than to provide convenience for human in‐
1496 teraction with the ovn-nb database.
1497
1498 vip: string
1499 The virtual IP address assigned to the forwarding group. It will
1500 respond with vmac when an ARP request is sent for vip.
1501
1502 vmac: string
1503 The virtual MAC address assigned to the forwarding group.
1504
1505 liveness: boolean
1506 If set to true, liveness is enabled for child ports; otherwise it
1507 is disabled.
1508
1509 child_port: set of 1 or more strings
1510 List of child ports in the forwarding group.
1511
1512 Common Columns:
1513
1514 external_ids: map of string-string pairs
1515 See External IDs at the beginning of this document.
1516
1517 Address_Set TABLE
1518 Each row in this table represents a named set of addresses. An address
1519 set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
1520 or CIDR masks. Address sets may ultimately be used in ACLs to compare
1521 against fields such as ip4.src or ip6.src. A single address set must
1522 contain addresses of the same type. As an example, the following would
1523 create an address set with three IP addresses:
1524
1525 ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'
1526
1527
1528 Address sets may be used in the match column of the ACL table. For syn‐
1529 tax information, see the details of the expression language used for
1530 the match column in the Logical_Flow table of the OVN_Southbound data‐
1531 base.
1532
1533 Summary:
1534 name string (must be unique within table)
1535 addresses set of strings
1536 Common Columns:
1537 external_ids map of string-string pairs
1538
1539 Details:
1540 name: string (must be unique within table)
1541 A name for the address set. Names are ASCII and must match
1542 [a-zA-Z_.][a-zA-Z_.0-9]*.
1543
1544 addresses: set of strings
1545 The set of addresses in string form.
1546
1547 Common Columns:
1548
1549 external_ids: map of string-string pairs
1550 See External IDs at the beginning of this document.
1551
1552 Port_Group TABLE
1553 Each row in this table represents a named group of logical switch
1554 ports.
1555
1556 Port groups may be used in the match column of the ACL table. For syn‐
1557 tax information, see the details of the expression language used for
1558 the match column in the Logical_Flow table of the OVN_Southbound data‐
1559 base.
1560
1561 For each port group, there are two address sets generated to the Ad‐
1562 dress_Set table of the OVN_Southbound database, containing the IP ad‐
1563 dresses of the group of ports, one for IPv4, and the other for IPv6,
1564 with name being the name of the Port_Group followed by a suffix _ip4
1565 for IPv4 and _ip6 for IPv6. The generated address sets can be used in
1566 the same way as regular address sets in the match column of the ACL ta‐
1567 ble. For syntax information, see the details of the expression language
1568 used for the match column in the Logical_Flow table of the OVN_South‐
1569 bound database.
1570
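The addresses forms listed for the Logical_Switch_Port table's addresses column (an Ethernet address followed by IP addresses, unknown, dynamic and its variants, router) and the _ip4/_ip6 address sets described here can be illustrated together. The Python below is an added example, not ovn-northd's implementation: it classifies each element, enforces the ordering, single-dynamic and router-only-on-router rules the text states, and derives the two generated address sets for a constructed port group. Names such as AddressEntry and port_group_address_sets are this example's own; router elements contribute nothing here because their addresses live on the Logical_Router_Port row, which the example does not model.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)


@dataclass
class AddressEntry:
    kind: str                   # "static", "unknown", "dynamic" or "router"
    mac: Optional[str] = None   # fixed MAC; None for unknown/router or when IPAM picks it
    ip4: List[str] = field(default_factory=list)
    ip6: List[str] = field(default_factory=list)


def parse_address_element(element: str) -> AddressEntry:
    """Classify one element of the addresses column into the forms the text lists."""
    tokens = element.split()
    if tokens == ["unknown"]:
        return AddressEntry("unknown")
    if tokens == ["router"]:
        return AddressEntry("router")
    if not tokens:
        raise ValueError("empty addresses element")
    if tokens[0] == "dynamic":
        entry, rest = AddressEntry("dynamic"), tokens[1:]       # "dynamic [ip] [ipv6]"
    elif MAC_RE.match(tokens[0]):
        mac, rest = tokens[0].lower(), tokens[1:]
        if rest == ["dynamic"]:
            return AddressEntry("dynamic", mac=mac)              # "mac dynamic"
        entry = AddressEntry("static", mac=mac)                  # "mac [ip ...]"
    else:
        raise ValueError(f"element must start with an Ethernet address, "
                         f"'dynamic', 'unknown' or 'router': {element!r}")
    for tok in rest:
        try:
            addr = ipaddress.ip_address(tok)
        except ValueError:
            # Also catches "10.0.0.4 80:fa:..." ordering mistakes: MAC first.
            raise ValueError(f"bad address {tok!r} in {element!r}; "
                             "the Ethernet address must come first") from None
        (entry.ip4 if addr.version == 4 else entry.ip6).append(str(addr))
    if entry.kind == "dynamic" and (len(entry.ip4) > 1 or len(entry.ip6) > 1):
        raise ValueError("dynamic takes at most one IPv4 and one IPv6 address")
    return entry


def parse_addresses(addresses: List[str], port_type: str = "") -> List[AddressEntry]:
    """Parse a whole addresses column and apply the cross-element rules."""
    entries = [parse_address_element(e) for e in addresses]
    if sum(e.kind == "dynamic" for e in entries) > 1:
        raise ValueError("only one element containing dynamic may appear in addresses")
    if any(e.kind == "router" for e in entries) and port_type != "router":
        raise ValueError("'router' is accepted only when type is router")
    return entries


def addresses_error(addresses: List[str], port_type: str = "") -> Optional[str]:
    """Validation helper for a CMS: the error message, or None if valid."""
    try:
        parse_addresses(addresses, port_type)
    except ValueError as exc:
        return str(exc)
    return None


# A port as (addresses column, dynamic_addresses column, type column).
Port = Tuple[List[str], str, str]


def port_group_address_sets(group_name: str, ports: List[Port]) -> Dict[str, Set[str]]:
    """Derive the <name>_ip4 and <name>_ip6 address sets that the text says
    are generated for a Port_Group (simplified: router entries are skipped
    because their addresses live on the Logical_Router_Port row)."""
    ip4: Set[str] = set()
    ip6: Set[str] = set()
    for addresses, dynamic_addresses, port_type in ports:
        for entry in parse_addresses(addresses, port_type):
            if entry.kind == "dynamic" and dynamic_addresses:
                # ovn-northd writes the allocated result, in the same format, here.
                entry = parse_address_element(dynamic_addresses)
            ip4.update(entry.ip4)
            ip6.update(entry.ip6)
    return {f"{group_name}_ip4": ip4, f"{group_name}_ip6": ip6}
```

For a port whose addresses contain dynamic, the IPs come from dynamic_addresses once ovn-northd has filled it in; until then only addresses that were requested explicitly (as in `dynamic 192.168.0.1 2001::1`) are known.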
1571 Summary:
1572 name string (must be unique within table)
1573 ports set of weak reference to Logi‐
1574 cal_Switch_Ports
1575 acls set of ACLs
1576 Common Columns:
1577 external_ids map of string-string pairs
1578
1579 Details:
1580 name: string (must be unique within table)
1581 A name for the port group. Names are ASCII and must match
1582 [a-zA-Z_.][a-zA-Z_.0-9]*.
1583
1584 ports: set of weak reference to Logical_Switch_Ports
1585 The logical switch ports belonging to the group, referenced by UUID.
1586
1587 acls: set of ACLs
1588 Access control rules that apply to the port group. Applying an
1589 ACL to a port group has the same effect as applying the ACL to
1590 all logical switches that the ports of the port group belong
1591 to.
1592
1593 Common Columns:
1594
1595 external_ids: map of string-string pairs
1596 See External IDs at the beginning of this document.
1597
1598 Load_Balancer TABLE
1599 Each row represents one load balancer.
1600
1601 Summary:
1602 name string
1603 vips map of string-string pairs
1604 protocol optional string, one of sctp, tcp, or udp
1605 Health Checks:
1606 health_check set of Load_Balancer_Health_Checks
1607 ip_port_mappings map of string-string pairs
1608 selection_fields set of strings, one of eth_dst, eth_src,
1609 ip_dst, ip_src, tp_dst, or tp_src
1610 Common Columns:
1611 external_ids map of string-string pairs
1612 Load_Balancer options:
1613 options : reject optional string, either true or false
1614 options : hairpin_snat_ip optional string
1615 options : skip_snat optional string
1616 options : add_route optional string
1617 options : neighbor_responder
1618 optional string
1619 options : template optional string
1620 options : address-family optional string
1621 options : affinity_timeout optional string
1622
1623 Details:
1624 name: string
1625 A name for the load balancer. This name has no special meaning
1626 or purpose other than to provide convenience for human
1627 interaction with the ovn-nb database.
1628
1629 vips: map of string-string pairs
1630 A map of virtual IP addresses (and an optional port number, with
1631 : as a separator) associated with this load balancer to their
1632 corresponding endpoint IP addresses (and optional port numbers,
1633 with : as separators), separated by commas. If the destination IP
1634 address (and port number) of a packet leaving a container or a
1635 VM matches the virtual IP address (and port number) given here
1636 as a key, then OVN statefully replaces the destination IP
1637 address (and port number) with one of the endpoints given in the
1638 corresponding value. IPv4 and IPv6 addresses are supported
1639 for load balancing; however, a VIP of one address family may not
1640 be mapped to a destination IP address of a different family. If
1641 specifying an IPv6 address with a port, the address portion must
1642 be enclosed in square brackets. Examples of keys are
1643 "192.168.1.4" and "[fd0f::1]:8800". Examples of values are
1644 "10.0.0.1, 10.0.0.2" and "20.0.0.10:8800, 20.0.0.11:8800".
1645
1646 When the Load_Balancer is added to a logical switch, the VIP
1647 has to be in a different subnet than the one used for the logical
1648 switch. Since the VIP is in a different subnet, you should
1649 connect your logical switch to either an OVN logical router or a
1650 real router (this is because the client now sends a packet
1651 with the VIP as the destination IP address and the router’s MAC
1652 address as the destination MAC address).
1653
1654 protocol: optional string, one of sctp, tcp, or udp
1655 Valid protocols are tcp, udp, or sctp. This column is useful
1656 when a port number is provided as part of the vips column. If
1657 this column is empty and a port number is provided as part of the
1658 vips column, OVN assumes the protocol to be tcp.
1659
1660 Health Checks:
1661
1662 OVN supports health checks for load balancer endpoints, for IPv4 load
1663 balancers only. When health checks are enabled, the load balancer uses
1664 only healthy endpoints.
1665
1666 Suppose that vips contains a key-value pair
1667 10.0.0.10:80=10.0.0.4:8080,20.0.0.4:8080. To enable health checks for
1668 this VIP’s endpoints, add two key-value pairs to ip_port_mappings,
1669 with keys 10.0.0.4 and 20.0.0.4, and add to health_check a reference to
1670 a Load_Balancer_Health_Check row whose vip is set to 10.0.0.10.
1671
1672 health_check: set of Load_Balancer_Health_Checks
1673 Load balancer health checks associated with this load balancer.
1674
1675 ip_port_mappings: map of string-string pairs
1676 Maps from endpoint IP to a colon-separated pair of logical port
1677 name and source IP, e.g. port_name:source_ip. Health checks are
1678 sent to this port with the specified source IP.
1679
1680 Continuing the example above, the IP to port mappings might be
1681 defined as 10.0.0.4=sw0-p1:10.0.0.2 and
1682 20.0.0.4=sw1-p1:20.0.0.2, if those are suitable ports and IP
1683 addresses.
1684
1685 selection_fields: set of strings, one of eth_dst, eth_src, ip_dst,
1686 ip_src, tp_dst, or tp_src
1687 OVN native load balancers are supported using OpenFlow groups
1688 of type select. OVS supports two selection methods for choosing
1689 the bucket of such a group: dp_hash and hash (with optional
1690 fields specified). Please see the OVS documentation (man
1691 ovs-ofctl) for more details on the selection methods. Each
1692 endpoint IP (and port if set) is mapped to a bucket in the group
1693 flow.
1694
1695 The CMS can choose the hash selection method by setting the
1696 selection fields in this column. ovs-vswitchd uses the specified
1697 fields in generating the hash.
1698
1699 The dp_hash selection method uses the assistance of the datapath
1700 to calculate the hash and is expected to be faster than the hash
1701 selection method, so the CMS should take this into consideration
1702 before using the hash method. Please consult the OVS documentation
1703 and OVS sources for the implementation details.
1704
1705 Common Columns:
1706
1707 external_ids: map of string-string pairs
1708 See External IDs at the beginning of this document.
1709
1710 Load_Balancer options:
1711
1712 options : reject: optional string, either true or false
1713 If the load balancer is created with the --reject option and it
1714 has no active backends, a TCP reset segment (for tcp) or an ICMP
1715 port unreachable packet (for all other kinds of traffic) will be
1716 sent whenever an incoming packet is received for this load
1717 balancer. Please note that using the --reject option disables the
1718 empty_lb SB controller event for this load balancer.
1719
1720 options : hairpin_snat_ip: optional string
1721 IP to be used as the source IP for packets that have been
1722 hairpinned after load balancing. The default behavior when the
1723 option is not set is to use the load balancer VIP as the source IP.
1724 This option may have exactly one IPv4 and/or one IPv6 address on
1725 it, separated by a space character.
1726
1727 options : skip_snat: optional string
1728 If the load balancing rule is configured with the skip_snat
1729 option, the lb_force_snat_ip option configured for the logical
1730 router that references this load balancer will not be applied to
1731 this load balancer.
1732
1733 options : add_route: optional string
1734 If set to true, then neighbor routers will have logical flows
1735 added that allow routing to the VIP IP. They will also have
1736 ARP resolution logical flows added. With this option set,
1737 there is no need to create a Logical_Router_Static_Route from
1738 neighbor routers to this NAT address, and no ARP request is
1739 required for neighbor routers to learn the IP-MAC mapping for
1740 this VIP IP. For more information about what flows are added for
1741 IP routes, please see the ovn-northd manpage section on IP
1742 Routing.
1743
1744 options : neighbor_responder: optional string
1745 If set to all, then routers on which the load balancer is ap‐
1746 plied reply to ARP/neighbor discovery requests for all VIPs of
1747 the load balancer. If set to reachable, then routers on which
1748 the load balancer is applied reply to ARP/neighbor discovery re‐
1749 quests only for VIPs that are part of a router’s subnet. If set
1750 to none, then routers on which the load balancer is applied
1751 never reply to ARP/neighbor discovery requests for any of the
1752 load balancer VIPs. Load balancers with options:template=true do
1753 not support reachable as a valid mode. The default value of this
1754 option, if not specified, is reachable for regular load bal‐
1755 ancers and none for template load balancers.
1756
1757 options : template: optional string
1758 Set to true if the load balancer is a template. The load
1759 balancer VIPs and backends must then use Chassis_Template_Var
1760 variables in their definitions.
1761
1762 Load balancer template VIP supported formats are:
1763
1764 ^VIP_VAR[:^PORT_VAR|:port]
1765
1766
1767 where VIP_VAR and PORT_VAR are keys of the Chassis_Template_Var
1768 variables records.
1769
1770 Note: The VIP and PORT cannot be combined into a single template
1771 variable. For example, a Chassis_Template_Var variable expanding
1772 to 10.0.0.1:8080 is not valid if used as VIP.
1773
1774 Load balancer template backend supported formats are:
1775
1776 ^BACKEND_VAR1[:^PORT_VAR1|:port],^BACKEND_VAR2[:^PORT_VAR2|:port]
1777 or
1778 ^BACKENDS_VAR1,^BACKENDS_VAR2
1779
1780
1781 where BACKEND_VAR1, PORT_VAR1, BACKEND_VAR2, PORT_VAR2,
1782 BACKENDS_VAR1 and BACKENDS_VAR2 are keys of the Chassis_Template_Var
1783 variables records.
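The vips, protocol and ip_port_mappings formats described earlier in this table, and the template VIP/backend formats above, as one added example (this is not code from ovn-nb(5) or the OVN project). It parses and checks a Load_Balancer row the way the text describes, then expands template endpoints against a Chassis_Template_Var map; the sample rows, port names and variable names are constructed, and how the two backend formats are told apart is this example's own reading, stated in the docstring.

```python
"""Added example, not code from ovn-nb(5) or the OVN project: parse and
check a Load_Balancer row's vips, protocol and ip_port_mappings columns
as this page describes them, and expand template VIPs and backends
(^VAR[:^PORT_VAR|:port]) against a Chassis_Template_Var variables map."""
import ipaddress
import re


def parse_endpoint(text):
    """Parse "10.0.0.1", "10.0.0.1:8080", "fd0f::1" or "[fd0f::1]:8800"."""
    text = text.strip()
    if text.startswith("["):                      # [v6]:port (bracket rule)
        addr, _, rest = text[1:].partition("]")
        if not rest.startswith(":"):
            raise ValueError(f"malformed bracketed endpoint {text!r}")
        return ipaddress.ip_address(addr), int(rest[1:])
    if text.count(":") == 1:                      # v4:port
        addr, port = text.split(":")
        return ipaddress.ip_address(addr), int(port)
    return ipaddress.ip_address(text), None       # bare v4 or bare v6


def effective_protocol(row):
    """The column value, or tcp when it is empty but a VIP key has a port."""
    proto = row.get("protocol") or None
    if proto is None and any(parse_endpoint(k)[1] is not None for k in row["vips"]):
        proto = "tcp"
    return proto


def validate_load_balancer(row):
    """Return the problems found in a Load_Balancer row ([] = OK)."""
    problems, backends = [], set()
    for key, value in row["vips"].items():
        try:
            vip, _ = parse_endpoint(key)
            for item in value.split(","):
                addr, _ = parse_endpoint(item)
                if addr.version != vip.version:   # no cross-family mapping
                    problems.append(f"{key}: backend {item.strip()} is IPv{addr.version}")
                backends.add(addr)
        except ValueError as err:
            problems.append(f"{key}: {err}")
    if row.get("protocol") not in (None, "", "tcp", "udp", "sctp"):
        problems.append(f"unsupported protocol {row['protocol']!r}")
    # ip_port_mappings: endpoint IP -> "port_name:source_ip"; IPv4 only.
    for ep, mapping in row.get("ip_port_mappings", {}).items():
        port_name, _, src = mapping.rpartition(":")
        try:
            ep_addr, src_addr = ipaddress.ip_address(ep), ipaddress.ip_address(src)
        except ValueError:
            problems.append(f"ip_port_mappings {ep}={mapping}: bad address")
            continue
        if ep_addr not in backends or not port_name or 4 != ep_addr.version or 4 != src_addr.version:
            problems.append(f"ip_port_mappings {ep}: needs an IPv4 backend of this LB, a port name and an IPv4 source")
    return problems


# ^VAR, ^VAR:^PORT_VAR or ^VAR:port (variable names are constructed here)
TEMPLATE_RE = re.compile(r"^\^(?P<var>[\w.-]+)(?::(?:\^(?P<pvar>[\w.-]+)|(?P<port>\d+)))?$")


def expand_template(text, variables, vip=False):
    """Expand a template VIP (vip=True) or backend list against `variables`.
    This example's reading of the two backend formats: an item with a port
    part must expand to one bare address; a backend item without one
    (^BACKENDS_VAR) may expand to a whole comma-separated backend list."""
    out = []
    for item in text.split(","):
        m = TEMPLATE_RE.match(item.strip())
        if m is None:
            raise ValueError(f"not a template endpoint: {item!r}")
        value = variables[m["var"]]               # KeyError: unset on chassis
        if m["pvar"] is None and m["port"] is None and not vip:
            for ep in value.split(","):
                parse_endpoint(ep)                # validate each expansion
                out.append(ep.strip())
            continue
        addr, port = parse_endpoint(value)
        if port is not None:                      # page: VIP and PORT may not share a variable
            raise ValueError(f"{m['var']} expands to address:port {value!r}")
        if m["pvar"] is None and m["port"] is None:
            out.append(str(addr))                 # bare ^VIP_VAR
            continue
        port = int(m["port"]) if m["port"] else int(variables[m["pvar"]])
        out.append(f"[{addr}]:{port}" if addr.version == 6 else f"{addr}:{port}")
    return out


def template_is_valid(text, variables, vip=False):
    try:
        expand_template(text, variables, vip)
        return True
    except (ValueError, KeyError):
        return False


# Constructed samples: the page's health-check example, a cross-family row
# that must be rejected, and one chassis's template variables.
LB_ROW = {"vips": {"10.0.0.10:80": "10.0.0.4:8080,20.0.0.4:8080"}, "protocol": "",
          "ip_port_mappings": {"10.0.0.4": "sw0-p1:10.0.0.2",
                               "20.0.0.4": "sw1-p1:20.0.0.2"}}
BAD_ROW = {"vips": {"[fd0f::1]:8800": "20.0.0.10:8800, 20.0.0.11:8800"}}
CHASSIS_VARS = {"VIP_VAR": "172.16.0.10", "PORT_VAR": "443", "BACKEND_VAR1": "10.0.1.4",
                "BACKENDS_VAR2": "10.0.2.4:8443,10.0.2.5:8443", "COMBINED": "10.0.0.1:8080"}
```

Running `validate_load_balancer(LB_ROW)` returns an empty list and `effective_protocol(LB_ROW)` returns `tcp`, while `BAD_ROW` yields one problem per IPv4 backend behind the IPv6 VIP.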
1784
1785 options : address-family: optional string
1786 Address family used by the load balancer. Supported values are
1787 ipv4 and ipv6. The address-family is only used for load
1788 balancers with options:template=true. For explicit load balancers,
1789 setting the address-family has no effect.
1790
1791 options : affinity_timeout: optional string
1792 If the CMS provides a positive value (in seconds) for
1793 affinity_timeout, OVN will DNAT connections received from the same
1794 client to this load balancer to the same backend if they arrive
1795 within the affinity timeslot. Max supported affinity_timeout is 65535 seconds.
1796
1797 Load_Balancer_Group TABLE
1798 Each row represents a logical grouping of load balancers. It is up to
1799 the CMS to decide the criteria on which load balancers are grouped
1800 together. To simplify configuration and to optimize its processing,
1801 load balancers that must be associated to the same set of logical
1802 switches and/or logical routers should be grouped together.
1803
1804 Summary:
1805 name string (must be unique within table)
1806 load_balancer set of weak reference to Load_Balancers
1807
1808 Details:
1809 name: string (must be unique within table)
1810 A name for the load balancer group. This name has no special
1811 meaning or purpose other than to provide convenience for human
1812 interaction with the ovn-nb database.
1813
1814 load_balancer: set of weak reference to Load_Balancers
1815 A set of load balancers.
1816
1817 Load_Balancer_Health_Check TABLE
1818 Each row represents one load balancer health check. Health checks are
1819 supported for IPv4 load balancers only.
1820
1821 Summary:
1822 vip string
1823 Health check options:
1824 options : interval optional string, containing an integer
1825 options : timeout optional string, containing an integer
1826 options : success_count optional string, containing an integer
1827 options : failure_count optional string, containing an integer
1828 Common Columns:
1829 external_ids map of string-string pairs
1830
1831 Details:
1832 vip: string
1833 The VIP whose endpoints should be monitored by this health check.
1834
1835 Health check options:
1836
1837 options : interval: optional string, containing an integer
1838 The interval, in seconds, between health checks.
1839
1840 options : timeout: optional string, containing an integer
1841 The time, in seconds, after which a health check times out.
1842
1843 options : success_count: optional string, containing an integer
1844 The number of successful checks after which the endpoint is con‐
1845 sidered online.
1846
1847 options : failure_count: optional string, containing an integer
1848 The number of failed checks after which the endpoint is
1849 considered offline.
1850
1851 Common Columns:
1852
1853 external_ids: map of string-string pairs
1854 See External IDs at the beginning of this document.
1855
1856 ACL TABLE
1857 Each row in this table represents one ACL rule for a logical switch or
1858 a port group that points to it through its acls column. The action
1859 column for the highest-priority matching row in this table determines a
1860 packet’s treatment. If no row matches, packets are allowed by default.
1861 (Default-deny treatment is possible: add a rule with priority 0, 1 as
1862 match, and deny as action.)
1863
1864 Summary:
1865 label integer, in range 0 to 4,294,967,295
1866 priority integer, in range 0 to 32,767
1867 direction string, either from-lport or to-lport
1868 match string
1869 action string, one of allow-related, al‐
1870 low-stateless, allow, drop, or reject
1871 options:
1872 options : apply-after-lb optional string
1873 Logging:
1874 log boolean
1875 name optional string, at most 63 characters
1876 long
1877 severity optional string, one of alert, debug,
1878 info, notice, or warning
1879 meter optional string
1880 Common Columns:
1881 options map of string-string pairs
1882 ACL configuration options:
1883 options : log-related optional string
1884 external_ids map of string-string pairs
1885
1886 Details:
1887 label: integer, in range 0 to 4,294,967,295
1888 Associates an identifier with the ACL. The same value will be
1889 written to the corresponding connection tracker entry. The value
1890 should be a valid 32-bit unsigned integer. This value can help
1891 in debugging from the connection tracker side. For example,
1892 through this "label" we can backtrack to the ACL rule which is
1893 causing a "leaked" connection. Connection tracker entries are
1894 created only for allowed connections, so the label is valid only
1895 for the allow and allow-related actions.
1896
1897 priority: integer, in range 0 to 32,767
1898 The ACL rule’s priority. Rules with numerically higher priority
1899 take precedence over those with lower. If two ACL rules with the
1900 same priority both match, then the one actually applied to a
1901 packet is undefined.
1902
1903 Return traffic from an allow-related flow is always allowed and
1904 cannot be changed through an ACL.
1905
1906 allow-stateless flows always take precedence over stateful
1907 ACLs, regardless of their priority. (Both allow and
1908 allow-related ACLs can be stateful.)
1909
1910 direction: string, either from-lport or to-lport
1911 Direction of the traffic to which this rule should apply:
1912
1913 • from-lport: Used to implement filters on traffic arriving
1914 from a logical port. These rules are applied to the logi‐
1915 cal switch’s ingress pipeline.
1916
1917 • to-lport: Used to implement filters on traffic forwarded
1918 to a logical port. These rules are applied to the logical
1919 switch’s egress pipeline.
1920
1921 match: string
1922 The packets that the ACL should match, in the same expression
1923 language used for the match column in the OVN Southbound data‐
1924 base’s Logical_Flow table. The outport logical port is only
1925 available in the to-lport direction (the inport is available in
1926 both directions).
1927
1928 By default all traffic is allowed. When writing a more restric‐
1929 tive policy, it is important to remember to allow flows such as
1930 ARP and IPv6 neighbor discovery packets.
1931
1932 Note that you cannot create an ACL matching on a port with
1933 type=router or type=localnet.
1934
1935 action: string, one of allow-related, allow-stateless, allow, drop, or
1936 reject
1937 The action to take when the ACL rule matches:
1938
1939 • allow-stateless: Always forward the packet in a stateless
1940 manner, bypassing the connection tracking mechanism,
1941 regardless of other rules defined for the switch. May require
1942 defining additional rules for inbound replies. For
1943 example, if you define a rule to allow outgoing TCP traffic
1944 directed to an IP address, then you probably also want to
1945 define another rule to allow incoming TCP traffic coming
1946 from this same IP address.
1947
1948 • allow: Forward the packet. It will also send the packets
1949 through connection tracking when allow-related rules ex‐
1950 ist on the logical switch. Otherwise, it’s equivalent to
1951 allow-stateless.
1952
1953 • allow-related: Forward the packet and related traffic
1954 (e.g. inbound replies to an outbound connection).
1955
1956 • drop: Silently drop the packet.
1957
1958 • reject: Drop the packet, replying with a RST for TCP or
1959 ICMPv4/ICMPv6 unreachable message for other
1960 IPv4/IPv6-based protocols.
1961
1962 options:
1963
1964 ACL options.
1965
1966 options : apply-after-lb: optional string
1967 If set to true, the ACL will be applied after load balancing
1968 stage. Supported only for from-lport direction.
1969
1970 The main use case of this option is to support ACLs matching on
1971 the destination IP address of the packet for the backend IPs of
1972 load balancers.
1973
1974 OVN applies the from-lport ACLs in two stages. ACLs without
1975 apply-after-lb set are applied before the load balancer stage,
1976 and ACLs with this option set are applied after the load balancer
1977 stage. The priorities are independent between these stages, which
1978 may not be obvious to the CMS. Hence the CMS should be extra
1979 careful when using this option and should carefully evaluate the
1980 priorities of all the ACLs and the default deny/allow ACLs, if
1981 any.
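The precedence rules this table describes (highest priority wins, allow-stateless wins regardless of priority, default allow, and the two independent from-lport stages split by apply-after-lb), as an added model that is not code from ovn-nb(5) or OVN. Matches are plain Python predicates standing in for the Logical_Flow match language, and the ACL rows, packets and the load-balancer rewrite are constructed.

```python
"""Added example, not code from ovn-nb(5) or OVN: a model of how the ACL
rules this page describes decide one packet's fate.  allow-stateless rules
win regardless of priority, otherwise the highest-priority match decides,
no match means allow, and from-lport rules run in two stages with
independent priorities (options:apply-after-lb).  Rows, packets and the
load-balancer rewrite below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]
ACTIONS = {"allow-related", "allow-stateless", "allow", "drop", "reject"}


@dataclass
class ACL:
    priority: int                        # 0..32,767; numerically higher wins
    direction: str                       # "from-lport" or "to-lport"
    match: Callable[[Packet], bool]      # stands in for the match column
    action: str
    options: Dict[str, str] = field(default_factory=dict)
    name: str = ""


def check_acl(acl: ACL) -> List[str]:
    """Column constraints from the page that a CMS should enforce up front."""
    problems = []
    if not 0 <= acl.priority <= 32767:
        problems.append("priority out of range")
    if acl.action not in ACTIONS:
        problems.append(f"unknown action {acl.action!r}")
    if acl.options.get("apply-after-lb") == "true" and acl.direction != "from-lport":
        problems.append("apply-after-lb is supported only for from-lport")
    return problems


def resolve_stage(acls: List[ACL], pkt: Packet) -> Optional[ACL]:
    """The rule that decides pkt within one stage: a matching allow-stateless
    rule first (whatever its priority), else the highest-priority match,
    else None (default allow).  Equal-priority ties are undefined in OVN;
    this model returns the first one seen, which must not be relied on."""
    matched = [a for a in acls if a.match(pkt)]
    stateless = [a for a in matched if a.action == "allow-stateless"]
    if stateless:
        return stateless[0]
    return max(matched, key=lambda a: a.priority, default=None)


def acl_verdict(acls: List[ACL], pkt: Packet, direction: str,
                lb: Callable[[Packet], Packet] = lambda p: p) -> str:
    """Final action for pkt.  to-lport is one stage.  from-lport runs the
    rules without apply-after-lb, then applies `lb` (the load-balancer DNAT
    rewrite) and runs the apply-after-lb=true rules on the rewritten packet.
    A drop/reject in any stage is final; otherwise the last stage that
    matched something sets the verdict, and nothing matching is allow."""
    rules = [a for a in acls if a.direction == direction]
    if direction == "to-lport":
        stages = [(rules, pkt)]
    else:
        pre = [a for a in rules if a.options.get("apply-after-lb") != "true"]
        post = [a for a in rules if a.options.get("apply-after-lb") == "true"]
        stages = [(pre, pkt), (post, lb(pkt))]
    verdict = "allow"
    for stage_rules, stage_pkt in stages:
        hit = resolve_stage(stage_rules, stage_pkt)
        if hit is not None:
            verdict = hit.action
            if verdict in ("drop", "reject"):
                break
    return verdict


def ip_dst(addr: str) -> Callable[[Packet], bool]:
    return lambda p: p.get("ip4.dst") == addr


# Constructed rule set for one logical switch (names are made up).
SAMPLE_ACLS = [
    ACL(0, "from-lport", lambda p: True, "drop", name="default-deny"),   # match "1"
    ACL(100, "from-lport", ip_dst("10.0.0.10"), "allow-related", name="to-vip"),
    ACL(2000, "from-lport", lambda p: p.get("tcp", False), "drop", name="block-tcp"),
    ACL(10, "from-lport", lambda p: p.get("tcp.dst") == 22, "allow-stateless",
        name="ssh-stateless"),
    ACL(1000, "from-lport", ip_dst("10.0.0.4"), "drop",
        {"apply-after-lb": "true"}, name="no-backend-1"),
]


def sample_lb(p: Packet) -> Packet:
    """Constructed load balancer: VIP 10.0.0.10 is DNATed to backend 10.0.0.4."""
    return {**p, "ip4.dst": "10.0.0.4"} if p.get("ip4.dst") == "10.0.0.10" else p
```

With `SAMPLE_ACLS`, a packet to the VIP passes the pre-LB stage via `to-vip` but is dropped by `no-backend-1` after the rewrite, and port-22 TCP is allowed statelessly even though `block-tcp` has a far higher priority.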
1982
1983 Logging:
1984
1985 These columns control whether and how OVN logs packets that match an
1986 ACL.
1987
1988 log: boolean
1989 If set to true, packets that match the ACL will trigger a log
1990 message on the transport node or nodes that perform ACL process‐
1991 ing. Logging may be combined with any action.
1992
1993 If set to false, the remaining columns in this group have no
1994 significance.
1995
1996 name: optional string, at most 63 characters long
1997 This name, if it is provided, is included in log records. It
1998 provides the administrator and the cloud management system a way
1999 to associate a log record with a particular ACL.
2000
2001 severity: optional string, one of alert, debug, info, notice, or warn‐
2002 ing
2003 The severity of the ACL. The severity levels match those of sys‐
2004 log, in decreasing level of severity: alert, warning, notice,
2005 info, or debug. When the column is empty, the default is info.
2006
2007 meter: optional string
2008 The name of a meter to rate-limit log messages for the ACL. The
2009 string must match the name column of a row in the Meter table.
2010 By default, log messages are not rate-limited. In order to en‐
2011 sure that the same Meter rate limits multiple ACL logs sepa‐
2012 rately, set the fair column.
2013
2014 Common Columns:
2015
2016 options: map of string-string pairs
2017 This column provides general key/value settings. The supported
2018 options are described individually below.
2019
2020 ACL configuration options:
2021
2022 options : log-related: optional string
2023 If set to true, then log when reply or related traffic is admit‐
2024 ted from a stateful ACL. In order for this option to function,
2025 the log option must be set to true and a label must be set, and
2026 it must be unique to the ACL. The label is necessary as it is
2027 the only means to associate the reply traffic with the ACL to
2028 which it belongs. It must be unique, because otherwise it is am‐
2029 biguous which ACL will be matched. Note: If this option is en‐
2030 abled, an extra flow is installed in order to log the related
2031 traffic. Therefore, if this is enabled on all ACLs, then the to‐
2032 tal number of flows necessary to log the ACL traffic is doubled,
2033 compared to if this option is not enabled.
2034
2035 external_ids: map of string-string pairs
2036 See External IDs at the beginning of this document.
2037
2038 Logical_Router TABLE
2039 Each row represents one L3 logical router.
2040
2041 Summary:
2042 ports set of Logical_Router_Ports
2043 static_routes set of Logical_Router_Static_Routes
2044 policies set of Logical_Router_Policys
2045 enabled optional boolean
2046 nat set of NATs
2047 load_balancer set of weak reference to Load_Balancers
2048 load_balancer_group set of Load_Balancer_Groups
2049 Naming:
2050 name string
2051 external_ids : neutron:router_name
2052 optional string
2053 copp optional weak reference to Copp
2054 Options:
2055 options : chassis optional string
2056 options : dnat_force_snat_ip
2057 optional string
2058 options : lb_force_snat_ip optional string
2059 options : mcast_relay optional string, either true or false
2060 options : dynamic_neigh_routers
2061 optional string, either true or false
2062 options : always_learn_from_arp_request
2063 optional string, either true or false
2064 options : requested-tnl-key
2065 optional string, containing an integer,
2066 in range 1 to 16,777,215
2067 options : snat-ct-zone optional string, containing an integer,
2068 in range 0 to 65,535
2069 options : mac_binding_age_threshold
2070 optional string, containing an integer,
2071 in range 0 to 4,294,967,295
2072 Common Columns:
2073 external_ids map of string-string pairs
2074
2075 Details:
2076 ports: set of Logical_Router_Ports
2077 The router’s ports.
2078
2079 static_routes: set of Logical_Router_Static_Routes
2080 Zero or more static routes for the router.
2081
2082 policies: set of Logical_Router_Policys
2083 Zero or more routing policies for the router.
2084
2085 enabled: optional boolean
2086 This column is used to administratively set router state. If
2087 this column is empty or is set to true, the router is enabled.
2088 If this column is set to false, the router is disabled. A dis‐
2089 abled router has all ingress and egress traffic dropped.
2090
2091 nat: set of NATs
2092 One or more NAT rules for the router. NAT rules only work on
2093 Gateway routers, and on distributed routers with one and only
2094 one distributed gateway port.
2095
2096 load_balancer: set of weak reference to Load_Balancers
2097 Set of load balancers associated to this logical router. Load
2098 balancer rules only work on Gateway routers or routers with one
2099 and only one distributed gateway port.
2100
2101 load_balancer_group: set of Load_Balancer_Groups
2102 Set of load balancer groups associated to this logical router.
2103
2104 Naming:
2105
2106 These columns provide names for the logical router. From OVN’s perspec‐
2107 tive, these names have no special meaning or purpose other than to pro‐
2108 vide convenience for human interaction with the northbound database.
2109 There is no requirement for the name to be unique. (For a unique iden‐
2110 tifier for a logical router, use its row UUID.)
2111
2112 (Originally, name was intended to serve the purpose of a human-friendly
2113 name, but the Neutron integration used it to uniquely identify its own
2114 router object, in the format neutron-uuid. Later on, Neutron started
2115 propagating the friendly name of a router as external_ids:neu‐
2116 tron:router_name. Perhaps this can be cleaned up someday.)
2117
2118 name: string
2119 A name for the logical router.
2120
2121 external_ids : neutron:router_name: optional string
2122 Another name for the logical router.
2123
2124 copp: optional weak reference to Copp
2125 The control plane protection policy from table Copp used for me‐
2126 tering packets sent to ovn-controller from logical ports of this
2127 router.
2128
2129 Options:
2130
2131 Additional options for the logical router.
2132
2133 options : chassis: optional string
2134 If set, indicates that the logical router in question is a Gate‐
2135 way router (which is centralized) and resides in the set chas‐
2136 sis. The same value is also used by ovn-controller to uniquely
2137 identify the chassis in the OVN deployment and comes from exter‐
2138 nal_ids:system-id in the Open_vSwitch table of Open_vSwitch
2139 database.
2140
2141 The Gateway router can only be connected to a distributed router
2142 via a switch if SNAT and DNAT are to be configured in the Gate‐
2143 way router.
2144
2145 options : dnat_force_snat_ip: optional string
2146 If set, indicates a set of IP addresses to use to force SNAT a
2147 packet that has already been DNATed in the gateway router. When
2148 multiple gateway routers are configured, a packet can
2149 potentially enter any of the gateway routers, get DNATted and
2150 eventually reach the logical switch port. For the return traffic
2151 to go back to the same gateway router (for unDNATing), the packet
2152 needs a SNAT in the first place. This can be achieved by setting
2153 the above option with a gateway specific set of IP addresses.
2154 This option may have exactly one IPv4 and/or one IPv6 address on
2155 it, separated by a space.
2156
2157 options : lb_force_snat_ip: optional string
2158 If set, this option can take one of two kinds of value: either
2159 a set of IP addresses or the string value router_ip.
2160
2161 If a set of IP addresses is configured, those addresses are used
2162 to force SNAT a packet that has already been load-balanced in the
2163 gateway router. When multiple gateway routers are configured, a
2164 packet can potentially enter any of the gateway routers, get
2165 DNATted as part of the load-balancing and eventually reach the
2166 logical switch port. For the return traffic to go back to the
2167 same gateway router (for unDNATing), the packet needs a SNAT in
2168 the first place. This can be achieved by setting the above
2169 option with a gateway specific set of IP addresses. This option
2170 may have exactly one IPv4 and/or one IPv6 address on it,
2171 separated by a space character.
2172
2173 If it is configured with the value router_ip, then the load
2174 balanced packet is SNATed with the IP of the router port (attached
2175 to the gateway router) selected as the destination after taking
2176 the routing decision.
2177
2178 options : mcast_relay: optional string, either true or false
2179 Enables/disables IP multicast relay between logical switches
2180 connected to the logical router. Default: False.
2181
2182 options : dynamic_neigh_routers: optional string, either true or false
2183 If set to true, the router will resolve neighbor routers’ MAC
2184 addresses only by dynamic ARP/ND, instead of prepopulating
2185 static mappings for all neighbor routers in the ARP/ND
2186 Resolution stage. This reduces the number of flows, but requires
2187 ARP/ND messages to resolve the IP-MAC bindings when needed. It is
2188 false by default. It is recommended to set it to true when a large
2189 number of logical routers are connected to the same logical switch
2190 but most of them never need to send traffic between each other. By
2191 default, ovn-northd does not create mappings to NAT and load
2192 balancer addresses. However, for NAT and load balancer addresses
2193 that have the add_route option set, ovn-northd will create
2194 logical flows that map NAT and load balancer IP addresses to the
2195 appropriate MAC address. Setting dynamic_neigh_routers to true
2196 prevents the automatic creation of these logical flows.
2197
2198 options : always_learn_from_arp_request: optional string, either true
2199 or false
2200 This option controls the behavior when handling IPv4 ARP
2201 requests or IPv6 ND-NS packets: whether a dynamic neighbor (MAC
2202 binding) entry is added or updated.
2203
2204 true - Always learn the MAC-IP binding, and add/update the MAC
2205 binding entry.
2206
2207 false - If there is a MAC binding for that IP and the MAC is
2208 different, or if the TPA of the ARP request belongs to any router
2209 port on this router, then update/add that MAC-IP binding.
2210 Otherwise, don’t update/add entries.
2211
2212 It is true by default. It is recommended to set it to false when a
2213 large number of logical routers are connected to the same
2214 logical switch but most of them never need to send traffic between
2215 each other, to reduce the size of the MAC binding table.
2216
2217 options : requested-tnl-key: optional string, containing an integer, in
2218 range 1 to 16,777,215
2219 Configures the datapath tunnel key for the logical router. This
2220 is not needed because ovn-northd will assign a unique key for
2221 each datapath by itself. However, if it is configured,
2222 ovn-northd honors the configured value.
2223
2224 options : snat-ct-zone: optional string, containing an integer, in
2225 range 0 to 65,535
2226 Use the requested conntrack zone for SNAT with this router. This
2227 can be useful if egress traffic from the host running OVN comes
2228 from both OVN and other sources. This way, OVN and the other
2229 sources can make use of the same conntrack zone.
2230
2231 options : mac_binding_age_threshold: optional string, containing an in‐
2232 teger, in range 0 to 4,294,967,295
2233 MAC binding aging threshold value in seconds. MAC bindings
2234 exceeding this timeout will be automatically removed. The value
2235 defaults to 0, which means disabled.
2236
2237 Common Columns:
2238
2239 external_ids: map of string-string pairs
2240 See External IDs at the beginning of this document.
2241
2242 QoS TABLE
2243 Each row in this table represents one QoS rule for a logical switch
2244 that points to it through its qos_rules column. Two types of QoS are
2245 supported: DSCP marking and metering. The highest-priority matching
2246 rule has its QoS applied. If the action column is specified, then
2247 matching packets will have DSCP marking applied. If the bandwidth
2248 column is specified, then matching packets will have metering
2249 applied. action and bandwidth are not exclusive, so both marking and
2250 metering can be defined for the same QoS entry. If no row matches,
2251 packets will not have any QoS applied.
2252
2253 Summary:
2254 priority integer, in range 0 to 32,767
2255 direction string, either from-lport or to-lport
2256 match string
2257 action map of string-integer pairs, key must be
2258 dscp, value in range 0 to 63
2259 bandwidth map of string-integer pairs, key either
2260 burst or rate, value in range 1 to
2261 4,294,967,295
2262 external_ids map of string-string pairs
2263
2264 Details:
2265 priority: integer, in range 0 to 32,767
2266 The QoS rule’s priority. Rules with numerically higher priority
2267 take precedence over those with lower. If two QoS rules with the
2268 same priority both match, then the one actually applied to a
2269 packet is undefined.
2270
2271 direction: string, either from-lport or to-lport
2272 The value of this field is similar to the direction column of the
2273 ACL table in the OVN Northbound database.
2274
2275 match: string
2276 The packets that the QoS rules should match, in the same expres‐
2277 sion language used for the match column in the OVN Southbound
2278 database’s Logical_Flow table. The outport logical port is only
2279 available in the to-lport direction (the inport is available in
2280 both directions).
2281
2282 action: map of string-integer pairs, key must be dscp, value in range 0
2283 to 63
2284 When specified, matching flows will have DSCP marking applied.
2285
2286 • dscp: The value of this action should be in the range of
2287 0 to 63 (inclusive).
2288
2289 bandwidth: map of string-integer pairs, key either burst or rate, value
2290 in range 1 to 4,294,967,295
2291 When specified, matching packets will have bandwidth metering
2292 applied. Traffic over the limit will be dropped.
2293
2294 • rate: The value of rate limit in kbps.
2295
2296 • burst: The value of the burst limit in kilobits. This is
2297 optional and requires rate to be specified as well.
2298
2299 external_ids: map of string-string pairs
2300 See External IDs at the beginning of this document.
2301
2302 Mirror TABLE
2303 Each row in this table represents a mirror that can be used for port
2304 mirroring. These mirrors are referenced by the mirror_rules column in
2305 the Logical_Switch_Port table.
2306
2307 Summary:
2308 name string (must be unique within table)
2309 filter string, either from-lport or to-lport
2310 sink string
2311 type string, either erspan or gre
2312 index integer
2313 external_ids map of string-string pairs
2314
2315 Details:
2316 name: string (must be unique within table)
2317 Represents the name of the mirror.
2318
2319 filter: string, either from-lport or to-lport
2320 The value of this field represents the selection criteria of the
2321 mirror. to-lport mirrors the packets coming into the logical port.
2322 from-lport mirrors the packets going out of the logical port.
2323
2324 sink: string
2325 The value of this field represents the destination/sink of the
2326 mirror. The value it takes is an IP address of the sink port.
2327
2328 type: string, either erspan or gre
2329 The value of this field represents the type of the tunnel used
2330 for sending the mirrored packets.
2331
2332 index: integer
2333 The value of this field represents the tunnel ID. If the config‐
2334 ured tunnel type is gre, this field represents the GRE key value
2335 and if the configured tunnel type is erspan it represents the
2336 erspan_idx value.
2337
2338 external_ids: map of string-string pairs
2339 See External IDs at the beginning of this document.
2340
2341 Meter TABLE
2342 Each row in this table represents a meter that can be used for QoS or
2343 rate-limiting.
2344
2345 Summary:
2346 name string (must be unique within table)
2347 unit string, either kbps or pktps
2348 bands set of 1 or more Meter_Bands
2349 fair optional boolean
2350 external_ids map of string-string pairs
2351
2352 Details:
2353 name: string (must be unique within table)
2354 A name for this meter.
2355
2356 Names that begin with "__" (two underscores) are reserved for
2357 OVN internal use and should not be added manually.
2358
2359 unit: string, either kbps or pktps
2360 The unit for the rate and burst_size columns of the referenced Meter_Band rows.
2361 kbps specifies kilobits per second, and pktps specifies packets
2362 per second.
2363
2364 bands: set of 1 or more Meter_Bands
2365 The bands associated with this meter. Each band specifies a rate
2366 above which the band’s action is to be taken. If multiple bands’
2367 rates are exceeded, then the band with the highest rate among the
2368 exceeded bands is selected.
2369
2370 fair: optional boolean
2371 This column is used to further describe the desired behavior of
2372 the meter when there are multiple references to it. If this col‐
2373 umn is empty or is set to false, the rate will be shared across
2374 all rows that refer to the same Meter name. Conversely, when
2375 this column is set to true, each user of the same Meter will be
2376 rate-limited on its own.
2377
2378 external_ids: map of string-string pairs
2379 See External IDs at the beginning of this document.
2380
2381 Meter_Band TABLE
2382 Each row in this table represents a meter band which specifies the rate
2383 above which the configured action should be applied. These bands are
2384 referenced by the bands column in the Meter table.
2385
2386 Summary:
2387 action string, must be drop
2388 rate integer, in range 1 to 4,294,967,295
2389 burst_size integer, in range 0 to 4,294,967,295
2390 external_ids map of string-string pairs
2391
2392 Details:
2393 action: string, must be drop
2394 The action to execute when this band matches. The only supported
2395 action is drop.
2396
2397 rate: integer, in range 1 to 4,294,967,295
2398 The rate limit for this band, in kilobits per second or packets per
2399 second, depending on whether the parent Meter entry’s unit column
2400 specified kbps or pktps.
2401
2402 burst_size: integer, in range 0 to 4,294,967,295
2403 The maximum burst allowed for the band in kilobits or packets,
2404 depending on whether kbps or pktps was selected in the parent
2405 Meter entry’s unit column. If the size is zero, the switch is
2406 free to select some reasonable value depending on its configura‐
2407 tion.
2408
2409 external_ids: map of string-string pairs
2410 See External IDs at the beginning of this document.
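The band selection and fair-sharing rules described for the Meter and Meter_Band tables, as an added Python example that is not part of OVN or this manual: validate_meter checks the constraints listed above, select_band picks the highest-rate exceeded band, and decisions shows how the fair column changes the verdict for two rows referencing one meter. The sample meter and the treatment of a shared budget as the sum of its users' rates are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

UINT32_MAX = 4_294_967_295


@dataclass(frozen=True)
class MeterBand:
    rate: int              # in the parent meter's unit (kbps or pktps)
    burst_size: int = 0    # 0 lets the switch pick a reasonable value
    action: str = "drop"   # the only supported action


@dataclass
class Meter:
    name: str
    unit: str              # "kbps" or "pktps"
    bands: List[MeterBand]
    fair: bool = False     # empty/false: rate shared by all referencing rows


def validate_meter(m: Meter) -> None:
    """Reject rows the schema constraints or the column notes would refuse."""
    if m.name.startswith("__"):
        raise ValueError("names beginning with '__' are reserved for OVN")
    if m.unit not in ("kbps", "pktps"):
        raise ValueError("unit must be kbps or pktps")
    if not m.bands:
        raise ValueError("bands must contain at least one Meter_Band")
    for b in m.bands:
        if b.action != "drop":
            raise ValueError("only the drop action is supported")
        if not 1 <= b.rate <= UINT32_MAX:
            raise ValueError("rate must be in range 1 to 4,294,967,295")
        if not 0 <= b.burst_size <= UINT32_MAX:
            raise ValueError("burst_size must be in range 0 to 4,294,967,295")


def select_band(m: Meter, observed_rate: int) -> Optional[MeterBand]:
    """Band whose action applies at observed_rate, or None if none is exceeded.

    When several bands' rates are exceeded, the highest-rate one is chosen.
    """
    exceeded = [b for b in m.bands if observed_rate > b.rate]
    return max(exceeded, key=lambda b: b.rate) if exceeded else None


def decisions(m: Meter, rates_by_user: Dict[str, int]) -> Dict[str, str]:
    """Per referencing row ("user"), report "drop" or "pass".

    fair unset/false: one shared budget, so the aggregate rate is metered
    (assumption: "shared" is modelled as the sum of all users' rates).
    fair true: each user is rate-limited on its own.
    """
    validate_meter(m)
    if m.fair:
        return {u: "drop" if select_band(m, r) else "pass"
                for u, r in rates_by_user.items()}
    verdict = "drop" if select_band(m, sum(rates_by_user.values())) else "pass"
    return {u: verdict for u in rates_by_user}


if __name__ == "__main__":
    # Constructed sample: a two-band kbps meter referenced by two ACL rows.
    meter = Meter("acl-log-limit", "kbps",
                  [MeterBand(rate=1000), MeterBand(rate=5000)])
    print(select_band(meter, 6000))                        # band with rate 5000
    print(decisions(meter, {"acl-a": 600, "acl-b": 600}))  # shared: both drop
    meter.fair = True
    print(decisions(meter, {"acl-a": 600, "acl-b": 600}))  # fair: both pass
```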
2411
2412 Logical_Router_Port TABLE
2413 A port within an L3 logical router.
2414
2415 Exactly one Logical_Router row must reference a given logical router
2416 port.
2417
2418 Summary:
2419 name string (must be unique within table)
2420 networks set of 1 or more strings
2421 mac string
2422 enabled optional boolean
2423 Distributed Gateway Ports:
2424 ha_chassis_group optional HA_Chassis_Group
2425 gateway_chassis set of Gateway_Chassises
2426 Options for Physical VLAN MTU Issues:
2427 options : reside-on-redirect-chassis
2428 optional string, either true or false
2429 options : redirect-type optional string, either bridged or over‐
2430 lay
2431 ipv6_prefix set of strings
2432 ipv6_ra_configs:
2433 ipv6_ra_configs : address_mode
2434 optional string
2435 ipv6_ra_configs : router_preference
2436 optional string
2437 ipv6_ra_configs : route_info
2438 optional string
2439 ipv6_ra_configs : mtu optional string
2440 ipv6_ra_configs : send_periodic
2441 optional string
2442 ipv6_ra_configs : max_interval
2443 optional string
2444 ipv6_ra_configs : min_interval
2445 optional string
2446 ipv6_ra_configs : rdnss optional string
2447 ipv6_ra_configs : dnssl optional string
2448 Options:
2449 options : mcast_flood optional string, either true or false
2450 options : requested-tnl-key
2451 optional string, containing an integer,
2452 in range 1 to 32,767
2453 options : prefix_delegation
2454 optional string, either true or false
2455 options : prefix optional string, either true or false
2456 options : route_table optional string
2457 options : gateway_mtu optional string, containing an integer,
2458 in range 68 to 65,535
2459 options : gateway_mtu_bypass
2460 optional string
2461 Attachment:
2462 peer optional string
2463 Common Columns:
2464 external_ids map of string-string pairs
2465
2466 Details:
2467 name: string (must be unique within table)
2468 A name for the logical router port.
2469
2470 In addition to providing convenience for human interaction with
2471 the northbound database, this column is used as a reference by its
2472 patch port in Logical_Switch_Port or by another logical router port
2473 in Logical_Router_Port.
2474
2475 A logical router port may not have the same name as a logical
2476 switch port, but the database schema cannot enforce this.
2477
2478 networks: set of 1 or more strings
2479 The IP addresses and netmasks of the router. For example,
2480 192.168.0.1/24 indicates that the router’s IP address is
2481 192.168.0.1 and that packets destined to 192.168.0.x should be
2482 routed to this port.
2483
2484 A logical router port always adds a link-local IPv6 address
2485 (fe80::/64) automatically generated from the interface’s MAC ad‐
2486 dress using the modified EUI-64 format.
2487
2488 mac: string
2489 The Ethernet address that belongs to this router port.
2490
2491 enabled: optional boolean
2492 This column is used to administratively set port state. If this
2493 column is empty or is set to true, the port is enabled. If this
2494 column is set to false, the port is disabled. A disabled port
2495 has all ingress and egress traffic dropped.
2496
2497 Distributed Gateway Ports:
2498
2499 Gateways, as documented under Gateways in the OVN architecture guide,
2500 provide limited connectivity between logical networks and physical
2501 ones. OVN supports multiple kinds of gateways. The Logical_Router_Port
2502 table can be used in two different ways to configure distributed gateway
2503 ports, which are one kind of gateway. These two forms of configuration
2504 exist for historical reasons. Both of them produce the same kind of OVN
2505 southbound records and the same behavior in practice.
2506
2507 If either of these is set, this logical router port represents a
2508 distributed gateway port that connects this router to a logical switch
2509 with a localnet port or to another OVN deployment.
2510
2511 As also mentioned in the OVN architecture guide, distributed gateway
2512 ports can be used for scalability reasons in deployments where logical
2513 switches are dedicated to individual chassis rather than distributed.
2514
2515 The preferred way to configure a gateway is ha_chassis_group, but gate‐
2516 way_chassis is also supported for backward compatibility. Only one of
2517 these should be set at a time on a given LRP, since they configure the
2518 same features.
2519
2520 Even when a gateway is configured, the logical router port still effec‐
2521 tively resides on each chassis. However, due to the implications of the
2522 use of L2 learning in the physical network, as well as the need to sup‐
2523 port advanced features such as one-to-many NAT (aka IP masquerading), a
2524 subset of the logical router processing is handled in a centralized
2525 manner on the gateway chassis.
2526
2527 There can be more than one distributed gateway port configured on each
2528 logical router, each connecting to a different L2 segment. Load
2529 balancing is not yet supported on logical routers with more than one
2530 distributed gateway port.
2531
2532 Each distributed gateway port may have more than one gateway
2533 chassis. When more than one gateway chassis is specified, OVN only
2534 uses one at a time. OVN can rely on the OVS BFD implementation to
2535 monitor gateway connectivity, preferring the highest-priority gateway
2536 that is online. Priorities are specified in the priority column of
2537 Gateway_Chassis or HA_Chassis.
2538
2539 ovn-northd programs the external_mac rules specified in the LRP’s LR
2540 into the peer logical switch’s destination lookup on the chassis where
2541 the logical_port resides. In addition, the logical router’s MAC address
2542 is automatically programmed in the peer logical switch’s destination
2543 lookup flow on the gateway chassis. If it is desired to generate
2544 gratuitous ARPs for NAT addresses, then set the peer LSP’s
2545 options:nat-addresses to router.
2546
2547 OVN 20.03 and earlier supported a third way to configure distributed
2548 gateway ports using options:redirect-chassis to specify the gateway
2549 chassis. This method is no longer supported. Any remaining users should
2550 switch to one of the newer methods instead. A gateway_chassis may be
2551 easily configured from the command line, e.g. ovn-nbctl lrp-set-gate‐
2552 way-chassis lrp chassis.
2553
2554 ha_chassis_group: optional HA_Chassis_Group
2555 Designates an HA_Chassis_Group to provide gateway high avail‐
2556 ability.
2557
2558 gateway_chassis: set of Gateway_Chassises
2559 Designates one or more Gateway_Chassis for the logical router
2560 port.
2561
2562 Options for Physical VLAN MTU Issues:
2563
2564 MTU issues arise in mixing tunnels with logical networks that are
2565 bridged to a physical VLAN. For an explanation of the MTU issues, see
2566 Physical VLAN MTU Issues in the OVN architecture document. The follow‐
2567 ing options, which are alternatives, provide solutions. Both of them
2568 cause packets to be sent over localnet instead of tunnels, but they
2569 differ in whether some or all packets are sent this way. The most prom‐
2570 inent tradeoff between these options is that reside-on-redirect-chassis
2571 is easier to configure and that redirect-type performs better for east-
2572 west traffic.
2573
2574 options : reside-on-redirect-chassis: optional string, either true or
2575 false
2576 If set to true, this option forces all traffic across the logi‐
2577 cal router port to pass through the gateway chassis using a hop
2578 across a localnet port. This changes behavior in two ways:
2579
2580 • Without this option, east-west traffic passes directly
2581 between source and destination chassis (or even within a
2582 single chassis, for co-located VMs). With this option,
2583 all east-west traffic passes through the gateway chassis.
2584
2585 • Without this option, traffic between the gateway chassis
2586 and other chassis is encapsulated in tunnels. With this
2587 option, traffic passes over a localnet interface.
2588
2589 This option may usefully be set only on logical router ports
2590 that connect a distributed logical router to a logical switch
2591 with VIFs. It should not be set on a distributed gateway port.
2592
2593 OVN honors this option only if the logical router has one and
2594 only one distributed gateway port and if the LRP’s peer switch
2595 has a localnet port.
2596
2597 options : redirect-type: optional string, either bridged or overlay
2598 If set to bridged on a distributed gateway port, this option
2599 causes OVN to redirect packets to the gateway chassis over a lo‐
2600 calnet port instead of a tunnel. The relevant chassis must share
2601 a localnet port.
2602
2603 This feature requires the administrator or the CMS to configure
2604 each participating chassis with a unique Ethernet address for
2605 the logical router by setting ovn-chassis-mac-mappings in the
2606 Open vSwitch database, for use by ovn-controller.
2607
2608 Setting this option to overlay or leaving it unset has no ef‐
2609 fect. This option may usefully be set only on a distributed
2610 gateway port when there is one and only one distributed gateway
2611 port on the logical router. It is otherwise ignored.
2612
2613 ipv6_prefix: set of strings
2614 This column contains the IPv6 prefix obtained through prefix
2615 delegation according to RFC 3633.
2616
2617 ipv6_ra_configs:
2618
2619 This column defines the IPv6 ND RA address mode and ND MTU Option to be
2620 included by ovn-controller when it replies to IPv6 Router Solicitation
2621 requests.
2622
2623 ipv6_ra_configs : address_mode: optional string
2624 The address mode to be used for IPv6 address configuration. The
2625 supported values are:
2626
2627 • slaac: Address configuration using Router Advertisement
2628 (RA) packet. The IPv6 prefixes defined in the Logi‐
2629 cal_Router_Port table’s networks column will be included
2630 in the RA’s ICMPv6 option - Prefix information.
2631
2632 • dhcpv6_stateful: Address configuration using DHCPv6.
2633
2634 • dhcpv6_stateless: Address configuration using Router Ad‐
2635 vertisement (RA) packet. Other IPv6 options are provided
2636 by DHCPv6.
2637
2638 ipv6_ra_configs : router_preference: optional string
2639 Default Router Preference (PRF) indicates whether to prefer this
2640 router over other default routers (RFC 4191). Possible values
2641 are:
2642
2643 • HIGH: mapped to 0x01 in RA PRF field
2644
2645 • MEDIUM: mapped to 0x00 in RA PRF field
2646
2647 • LOW: mapped to 0x11 in RA PRF field
2648
2649 ipv6_ra_configs : route_info: optional string
2650 Route Info is used to configure the Route Info Option sent in Router
2651 Advertisements according to RFC 4191. Route Info is a comma-separated
2652 string where each field provides the PRF and prefix for a given
2653 route (e.g. HIGH-aef1::11/48,LOW-aef2::11/96). Possible PRF
2654 values are:
2655
2656 • HIGH: mapped to 0x01 in RA PRF field
2657
2658 • MEDIUM: mapped to 0x00 in RA PRF field
2659
2660 • LOW: mapped to 0x11 in RA PRF field
2661
2662 ipv6_ra_configs : mtu: optional string
2663 The recommended MTU for the link. The default is 0, which means no
2664 MTU Option will be included in the RA packet sent by ovn-controller.
2665 Per RFC 2460, the MTU is recommended to be no less than 1280, so any
2666 mtu value less than 1280 is treated as if no MTU Option were
2667 configured.
2668
2669 ipv6_ra_configs : send_periodic: optional string
2670 If set to true, then this router interface will send router ad‐
2671 vertisements periodically. The default is false.
2672
2673 ipv6_ra_configs : max_interval: optional string
2674 The maximum number of seconds to wait between sending periodic
2675 router advertisements. This option has no effect if ipv6_ra_con‐
2676 figs:send_periodic is false. The default is 600.
2677
2678 ipv6_ra_configs : min_interval: optional string
2679 The minimum number of seconds to wait between sending periodic
2680 router advertisements. This option has no effect if ipv6_ra_con‐
2681 figs:send_periodic is false. The default is one-third of
2682 ipv6_ra_configs:max_interval, i.e. 200 seconds if that key is
2683 unset.
2684
2685 ipv6_ra_configs : rdnss: optional string
2686 IPv6 address of RDNSS server announced in RA packets. At the mo‐
2687 ment OVN supports just one RDNSS server.
2688
2689 ipv6_ra_configs : dnssl: optional string
2690 DNS Search List announced in RA packets. Multiple DNS Search List
2691 entries must be comma-separated (e.g. "a.b.c, d.e.f").
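An added Python example (not OVN's implementation) that applies the ipv6_ra_configs rules above to a map as the CMS would store it: address_mode and router_preference validation, route_info parsing into RFC 4191 PRF bits and prefixes, the 1280-byte MTU floor, the single-RDNSS limit, and the interval defaults. The sample map and the representation of PRF values as 2-bit RFC 4191 field values are this example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

ADDRESS_MODES = ("slaac", "dhcpv6_stateful", "dhcpv6_stateless")
# RFC 4191 Router Preference field, a 2-bit value (HIGH=01, MEDIUM=00, LOW=11).
PRF_BITS = {"HIGH": 0b01, "MEDIUM": 0b00, "LOW": 0b11}
IPV6_MIN_MTU = 1280          # RFC 2460 minimum; smaller values send no MTU Option
DEFAULT_MAX_INTERVAL = 600   # seconds, per the max_interval description


def parse_route_info(value: str) -> List[Tuple[str, int, str]]:
    """Parse "PRF-prefix,PRF-prefix" into (prf_name, prf_bits, prefix) tuples."""
    routes = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        prf, sep, prefix = entry.partition("-")
        if not sep or prf not in PRF_BITS:
            raise ValueError(f"bad route_info entry: {entry!r}")
        # strict=False normalises e.g. aef1::11/48 to the prefix aef1::/48
        network = ipaddress.IPv6Network(prefix, strict=False)
        routes.append((prf, PRF_BITS[prf], str(network)))
    return routes


def effective_mtu(value: Optional[str]) -> Optional[int]:
    """MTU to announce, or None when no MTU Option is included."""
    mtu = int(value) if value is not None else 0
    return mtu if mtu >= IPV6_MIN_MTU else None


def ra_plan(cfg: Dict[str, str]) -> Dict[str, object]:
    """Turn an ipv6_ra_configs map into what the Router Advertisement carries."""
    mode = cfg.get("address_mode")
    if mode is not None and mode not in ADDRESS_MODES:
        raise ValueError(f"unsupported address_mode {mode!r}")
    prf = cfg.get("router_preference")
    if prf is not None and prf not in PRF_BITS:
        raise ValueError(f"unsupported router_preference {prf!r}")
    periodic = cfg.get("send_periodic", "false") == "true"
    max_interval = int(cfg.get("max_interval", DEFAULT_MAX_INTERVAL))
    # Default min_interval is one-third of max_interval (200 s when unset).
    min_interval = int(cfg.get("min_interval", max_interval // 3))
    rdnss = cfg.get("rdnss")
    if rdnss is not None:
        ipaddress.IPv6Address(rdnss)   # a single RDNSS server address
    dnssl = [d.strip() for d in cfg.get("dnssl", "").split(",") if d.strip()]
    return {
        "address_mode": mode,
        "prf_bits": PRF_BITS[prf] if prf is not None else None,
        "route_info": parse_route_info(cfg.get("route_info", "")),
        "mtu": effective_mtu(cfg.get("mtu")),
        "periodic": periodic,
        # interval keys have no effect unless send_periodic is true
        "max_interval": max_interval if periodic else None,
        "min_interval": min_interval if periodic else None,
        "rdnss": rdnss,
        "dnssl": dnssl,
    }


if __name__ == "__main__":
    # Constructed sample map, as a CMS might write it into ipv6_ra_configs.
    sample = {"address_mode": "slaac", "router_preference": "HIGH",
              "route_info": "HIGH-aef1::11/48,LOW-aef2::11/96", "mtu": "1500",
              "send_periodic": "true", "rdnss": "2001:db8::53",
              "dnssl": "a.b.c, d.e.f"}
    for key, val in ra_plan(sample).items():
        print(f"{key}: {val}")
```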
2692
2693 Options:
2694
2695 Additional options for the logical router port.
2696
2697 options : mcast_flood: optional string, either true or false
2698 If set to true, multicast traffic (including reports) is
2699 unconditionally forwarded to this port.
2700
2701 This option applies when the port is part of a logical router
2702 which has options:mcast_relay set to true.
2703
2704 Default: false.
2705
2706 options : requested-tnl-key: optional string, containing an integer, in
2707 range 1 to 32,767
2708 Configures the port binding tunnel key for the port. Usually
2709 this is not needed because ovn-northd assigns a unique key
2710 to each port by itself. However, if it is configured,
2711 ovn-northd honors the configured value.
2712
2713 options : prefix_delegation: optional string, either true or false
2714 If set to true, enables the IPv6 prefix delegation state machine on
2715 this logical router port (RFC 3633). IPv6 prefix delegation is
2716 available only on a gateway router or on a gateway router port.
2717
2718 options : prefix: optional string, either true or false
2719 If set to true, this interface will receive an IPv6 prefix
2720 according to RFC 3633.
2721
2722 options : route_table: optional string
2723 Designates that Logical_Router_Static_Route lookups use routes with
2724 the specified route_table value. Routes to directly connected
2725 networks from the same logical router and routes without the
2726 route_table option set have higher priority than routes with it set.
2727
2728 options : gateway_mtu: optional string, containing an integer, in range
2729 68 to 65,535
2730 If set, logical flows will be added to the router pipeline to check
2731 the packet length. If the packet length is greater than the value set,
2732 ICMPv4 type 3 (Destination Unreachable) code 4 (Fragmentation
2733 Needed and Don’t Fragment was Set) or ICMPv6 type 2 (Packet Too
2734 Big) code 0 (no route to destination) packets will be generated.
2735 This allows for Path MTU Discovery.
2736
2737 options : gateway_mtu_bypass: optional string
2738 When configured, represents a match expression, in the same ex‐
2739 pression language used for the match column in the OVN South‐
2740 bound database’s Logical_Flow table. Packets matching this ex‐
2741 pression will bypass the length check configured through the op‐
2742 tions:gateway_mtu option.
2743
2744 Attachment:
2745
2746 A given router port serves one of two purposes:
2747
2748 • To attach a logical switch to a logical router. A logical
2749 router port of this type is referenced by exactly one
2750 Logical_Switch_Port of type router. The value of name is
2751 set as router-port in column options of Logi‐
2752 cal_Switch_Port. In this case peer column is empty.
2753
2754 • To connect one logical router to another. This requires a
2755 pair of logical router ports, each connected to a differ‐
2756 ent router. Each router port in the pair specifies the
2757 other in its peer column. No Logical_Switch refers to the
2758 router port.
2759
2760 peer: optional string
2761 For a router port used to connect two logical routers, this
2762 identifies the other router port in the pair by name.
2763
2764 For a router port attached to a logical switch, this column is
2765 empty.
2766
2767 Common Columns:
2768
2769 external_ids: map of string-string pairs
2770 See External IDs at the beginning of this document.
2771
2772 The ovn-northd program copies all these pairs into the exter‐
2773 nal_ids column of the Port_Binding table in OVN_Southbound data‐
2774 base.

2775 Logical_Router_Static_Route TABLE
2776 Each record represents a static route.
2777
2778 When multiple routes match a packet, the longest-prefix match is cho‐
2779 sen. For a given prefix length, a dst-ip route is preferred over a
2780 src-ip route.
2781
2782 When there are ECMP routes, i.e. multiple routes with the same prefix
2783 and policy, one of them will be selected based on a 5-tuple hash of
2784 the packet header.
2785
2786 Summary:
2787 ip_prefix string
2788 policy optional string, either dst-ip or src-ip
2789 nexthop string
2790 output_port optional string
2791 bfd optional weak reference to BFD
2792 route_table string
2793 external_ids : ic-learned-route
2794 optional string
2795 Common Columns:
2796 external_ids map of string-string pairs
2797 Common options:
2798 options map of string-string pairs
2799 options : ecmp_symmetric_reply
2800 optional string
2801 options : origin optional string
2802
2803 Details:
2804 ip_prefix: string
2805 IP prefix of this route (e.g. 192.168.100.0/24).
2806
2807 policy: optional string, either dst-ip or src-ip
2808 If it is specified, this setting describes the policy used to
2809 make routing decisions. This setting must be one of the follow‐
2810 ing strings:
2811
2812 • src-ip: This policy sends the packet to the nexthop when
2813 the packet’s source IP address matches ip_prefix.
2814
2815 • dst-ip: This policy sends the packet to the nexthop when
2816 the packet’s destination IP address matches ip_prefix.
2817
2818 If not specified, the default is dst-ip.
2819
2820 nexthop: string
2821 Nexthop IP address for this route. It should be the IP address of
2822 a connected router port or the IP address of a logical port, or it
2823 can be set to discard to drop packets which match the given
2824 route.
2825
2826 output_port: optional string
2827 The name of the Logical_Router_Port via which the packet needs
2828 to be sent out. This is optional and when not specified, OVN
2829 will automatically figure this out based on the nexthop. When
2830 this is specified and there are multiple IP addresses on the
2831 router port and none of them is in the same subnet as the nexthop,
2832 OVN chooses the first IP address as the one via which the nex‐
2833 thop is reachable.
2834
2835 bfd: optional weak reference to BFD
2836 Reference to the BFD row if the route has an associated BFD session.
2837
2838 route_table: string
2839 Any string, used to place the route in a separate routing table. If a
2840 Logical_Router_Port has a non-empty value configured in
2841 options:route_table, OVN performs the route lookup for all packets
2842 entering the logical router ingress pipeline from this port in the
2843 following manner:
2844
2845 1. First look up among "global" routes: routes without a
2846 route_table value set and routes to directly connected
2847 networks.
2848
2849 2. Next look up among routes with the same route_table value
2850 as specified in the LRP’s options:route_table field.
2851
2852 external_ids : ic-learned-route: optional string
2853 ovn-ic populates this key if the route is learned from the
2854 global OVN_IC_Southbound database. In this case the value will
2855 be set to the uuid of the row in Route table of the
2856 OVN_IC_Southbound database.
2857
2858 Common Columns:
2859
2860 external_ids: map of string-string pairs
2861 See External IDs at the beginning of this document.
2862
2863 Common options:
2864
2865 options: map of string-string pairs
2866 This column provides general key/value settings. The supported
2867 options are described individually below.
2868
2869 options : ecmp_symmetric_reply: optional string
2870 If true, then new traffic that arrives over this route will have
2871 its reply traffic bypass ECMP route selection and will be sent
2872 out this route instead. Note that this option overrides any
2873 rules set in the Logical_Router_Policy table. This option only
2874 works on gateway routers (routers that have options:chassis
2875 set).
2876
2877 options : origin: optional string
2878 If this route was learned by ovn-interconnection, its origin is
2879 set to either "connected" or "static". This key is meant to be
2880 written only by the ovn-ic daemon. ovn-northd then checks this value
2881 when generating logical flows. Logical_Router_Static_Route records
2882 with the same ip_prefix within the same logical router are looked
2883 up in the following order, based on the origin key
2884 value:
2885
2886 1. connected
2887
2888 2. static
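The precedence rules of this table, traced in an added Python example (not ovn-northd's code): longest-prefix match, dst-ip over src-ip, the global-then-route_table staging, origin ordering, discard next hops, and a deterministic 5-tuple hash standing in for ECMP selection. Route, Packet and the sample routes are constructed for the example, routes without an origin key are ranked like static ones (an assumption), and directly connected networks are expected to be passed as global routes by the caller.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    ip_prefix: str
    nexthop: str                   # IP of a router/logical port, or "discard"
    policy: str = "dst-ip"         # default when the column is unset
    output_port: Optional[str] = None
    route_table: str = ""          # "" means the global table
    origin: Optional[str] = None   # "connected"/"static" when set by ovn-ic


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


# Lookup order for routes with the same ip_prefix; a route with no origin
# key is treated like "static" (assumption: the page ranks only the two).
ORIGIN_ORDER = {"connected": 0, "static": 1}


def _network(r: Route):
    return ipaddress.ip_network(r.ip_prefix, strict=False)


def _matches(r: Route, pkt: Packet) -> bool:
    # src-ip policy matches the source address, dst-ip the destination.
    addr = ipaddress.ip_address(pkt.dst_ip if r.policy == "dst-ip" else pkt.src_ip)
    net = _network(r)
    return addr.version == net.version and addr in net


def _rank(r: Route) -> Tuple[int, int, int]:
    # Smaller is better: longest prefix, then dst-ip over src-ip, then origin.
    return (-_network(r).prefixlen, 0 if r.policy == "dst-ip" else 1,
            ORIGIN_ORDER.get(r.origin, 1))


def _ecmp_pick(candidates: List[Route], pkt: Packet) -> Route:
    """Deterministic choice among equal routes from a hash of the 5-tuple."""
    key = f"{pkt.src_ip}|{pkt.dst_ip}|{pkt.proto}|{pkt.src_port}|{pkt.dst_port}"
    digest = hashlib.sha256(key.encode()).digest()
    index = int.from_bytes(digest[:8], "big") % len(candidates)
    return sorted(candidates, key=lambda r: r.nexthop)[index]


def lookup(routes: List[Route], pkt: Packet,
           lrp_route_table: str = "") -> Optional[Route]:
    """Route for pkt entering through an LRP whose options:route_table is
    lrp_route_table ("" when unset). Global routes are tried first; routes
    in the LRP's table are consulted only when no global route matches."""
    stages = [[r for r in routes if r.route_table == ""]]
    if lrp_route_table:
        stages.append([r for r in routes if r.route_table == lrp_route_table])
    for stage in stages:
        matching = [r for r in stage if _matches(r, pkt)]
        if not matching:
            continue
        best = min(_rank(r) for r in matching)
        ecmp = [r for r in matching if _rank(r) == best]
        return _ecmp_pick(ecmp, pkt) if len(ecmp) > 1 else ecmp[0]
    return None


def forwarding_decision(route: Optional[Route]) -> str:
    if route is None:
        return "no route"
    return "drop" if route.nexthop == "discard" else f"via {route.nexthop}"


if __name__ == "__main__":
    # Constructed sample routing table for one logical router.
    routes = [
        Route("192.168.100.0/24", "10.0.0.2"),
        Route("192.168.100.0/24", "10.0.0.3", policy="src-ip"),
        Route("192.168.100.64/26", "discard"),
        Route("192.168.100.0/24", "10.0.1.1", route_table="rtb1"),
        Route("172.16.0.0/16", "10.0.1.2", route_table="rtb1"),
        Route("172.16.0.0/16", "10.0.1.3", route_table="rtb1"),
    ]
    pkt = Packet("10.9.9.9", "172.16.5.5", 17, 5353, 53)
    print(forwarding_decision(lookup(routes, pkt)))          # no route
    print(forwarding_decision(lookup(routes, pkt, "rtb1")))  # via one ECMP nexthop
```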
2889
2890 Logical_Router_Policy TABLE
2891 Each row in this table represents one routing policy for a logical
2892 router that points to it through its policies column. The action column
2893 for the highest-priority matching row in this table determines a
2894 packet’s treatment. If no row matches, packets are allowed by default.
2895 (Default-deny treatment is possible: add a rule with priority 0, 1 as
2896 match, and drop as action.)
2897
2898 Summary:
2899 priority integer, in range 0 to 32,767
2900 match string
2901 action string, one of allow, drop, or reroute
2902 nexthop optional string
2903 nexthops set of strings
2904 options : pkt_mark optional string
2905 Common Columns:
2906 external_ids map of string-string pairs
2907
2908 Details:
2909 priority: integer, in range 0 to 32,767
2910 The routing policy’s priority. Rules with numerically higher
2911 priority take precedence over those with lower. A rule is
2912 uniquely identified by the priority and match string.
2913
2914 match: string
2915 The packets that the routing policy should match, in the same
2916 expression language used for the match column in the OVN South‐
2917 bound database’s Logical_Flow table.
2918
2919 By default all traffic is allowed. When writing a more restric‐
2920 tive policy, it is important to remember to allow flows such as
2921 ARP and IPv6 neighbor discovery packets.
2922
2923 action: string, one of allow, drop, or reroute
2924 The action to take when the routing policy matches:
2925
2926 • allow: Forward the packet.
2927
2928 • drop: Silently drop the packet.
2929
2930 • reroute: Reroute packet to nexthop or nexthops.
2931
2932 nexthop: optional string
2933 Note: This column is deprecated in favor of nexthops.
2934
2935 Next-hop IP address for this route, which should be the IP ad‐
2936 dress of a connected router port or the IP address of a logical
2937 port.
2938
2939 nexthops: set of strings
2940 Next-hop ECMP IP addresses for this route. Each IP in the list
2941 should be the IP address of a connected router port or the IP
2942 address of a logical port.
2943
2944 One IP from the list is selected as next hop.
2945
2946 options : pkt_mark: optional string
2947 Marks the packet with the specified value when the router policy
2948 is applied. The CMS can inspect this packet mark and act on it if
2949 desired. This value is not preserved when the packet
2950 goes out on the wire.
2951
2952 Common Columns:
2953
2954 external_ids: map of string-string pairs
2955 See External IDs at the beginning of this document.
2956
2957 NAT TABLE
2958 Each record represents a NAT rule.
2959
2960 Summary:
2961 type string, one of dnat, dnat_and_snat, or
2962 snat
2963 external_ip string
2964 external_mac optional string
2965 external_port_range string
2966 logical_ip string
2967 logical_port optional string
2968 allowed_ext_ips optional Address_Set
2969 exempted_ext_ips optional Address_Set
2970 gateway_port optional weak reference to Logi‐
2971 cal_Router_Port
2972 options : stateless optional string
2973 options : add_route optional string
2974 Common Columns:
2975 external_ids map of string-string pairs
2976
2977 Details:
2978 type: string, one of dnat, dnat_and_snat, or snat
2979 Type of the NAT rule.
2980
2981 • When type is dnat, the externally visible IP address ex‐
2982 ternal_ip is DNATted to the IP address logical_ip in the
2983 logical space.
2984
2985 • When type is snat, IP packets whose source IP address
2986 either matches the IP address in logical_ip or is in the
2987 network provided by logical_ip are SNATed into the IP
2988 address in external_ip.
2989
2990 • When type is dnat_and_snat, the externally visible IP
2991 address external_ip is DNATted to the IP address logical_ip
2992 in the logical space. In addition, IP packets whose source
2993 IP address matches logical_ip are SNATed into the IP
2994 address in external_ip.
2995
2996 external_ip: string
2997 An IPv4 address.
2998
2999 external_mac: optional string
3000 A MAC address.
3001
3002 This is only used on the gateway port on distributed routers.
3003 This must be specified in order for the NAT rule to be processed
3004 in a distributed manner on all chassis. If this is not specified
3005 for a NAT rule on a distributed router, then this NAT rule will
3006 be processed in a centralized manner on the gateway port in‐
3007 stance on the gateway chassis.
3008
3009 This MAC address must be unique on the logical switch that the
3010 gateway port is attached to. If the MAC address used on the log‐
3011 ical_port is globally unique, then that MAC address can be spec‐
3012 ified as this external_mac.
3013
3014 external_port_range: string
3015 L4 source port range.
3016
3017 Range of ports from which a port number is picked to replace
3018 the source port of the packet to be NATed. This is basically
3019 PAT (port address translation).
3020
3021 The value of the column is in the format port_lo-port_hi. For
3022 example: external_port_range : "1-30000"
3023
3024 The valid range of ports is 1-65535.
3025
3026 logical_ip: string
3027 An IPv4 network (e.g. 192.168.1.0/24) or an IPv4 address.
3028
3029 logical_port: optional string
3030 The name of the logical port where the logical_ip resides.
3031
3032 This is only used on distributed routers. This must be specified
3033 in order for the NAT rule to be processed in a distributed man‐
3034 ner on all chassis. If this is not specified for a NAT rule on a
3035 distributed router, then this NAT rule will be processed in a
3036 centralized manner on the gateway port instance on the gateway
3037 chassis.
3038
3039 allowed_ext_ips: optional Address_Set
3040 The Address_Set of external IPs to which the NAT rule applies.
3041 For SNAT type NAT rules, this refers to destination
3042 addresses. For DNAT type NAT rules, this refers to source
3043 addresses.
3044
3045 This configuration overrides the default NAT behavior of applying
3046 a rule solely based on the internal IP. Without this
3047 configuration, NAT happens without considering the external IP
3048 (i.e. the destination for snat rules and the source for dnat
3049 rules). With this configuration the NAT rule is applied ONLY if
3050 the external IP is in the given Address_Set.
3051
3052 exempted_ext_ips: optional Address_Set
3053 The Address_Set of external IPs to which the NAT rule does NOT
3054 apply. For SNAT type NAT rules, this refers to destination
3055 addresses. For DNAT type NAT rules, this refers to source addresses.
3056
3057 This configuration overrides the default NAT behavior of applying a
3058 rule solely based on the internal IP. Without this configuration,
3059 NAT happens without considering the external IP (i.e. the destination
3060 for snat rules and the source for dnat rules). With this
3061 configuration the NAT rule is NOT applied if the external IP is in
3062 the given Address_Set.
3063
3064 If there are NAT rules in a logical router with overlapping IP
3065 prefixes (including /32), then use of exempted_ext_ips should be
3066 avoided in the following scenario:
3067
3068 a. An SNAT rule (say RULE1) with logical_ip PREFIX/MASK (say
3069 50.0.0.0/24).
3070 b. An SNAT rule (say RULE2) with logical_ip PREFIX/MASK+1 (say
3071 50.0.0.0/25).
3072 c. Now, if exempted_ext_ips is associated with RULE2, then a logical
3073 IP which matches both 50.0.0.0/24 and 50.0.0.0/25 may get RULE2
3074 applied to it instead of RULE1.
3075
3076 allowed_ext_ips and exempted_ext_ips are mutually exclusive. If both Address Sets are set for a rule, then the NAT rule is not considered.
3077
3078 gateway_port: optional weak reference to Logical_Router_Port
3079 A distributed gateway port in the Logical_Router_Port table
3080 where the NAT rule needs to be applied.
3081
3082 When multiple distributed gateway ports are configured on a
3083 Logical_Router, applying a NAT rule at each of the distributed
3084 gateway ports might not be desired. Consider the case where a
3085 logical router has two distributed gateway ports, one with networks
3086 50.0.0.10/24 and the other with networks 60.0.0.10/24. If the
3087 logical router has a NAT rule of type snat, logical_ip
3088 10.1.1.0/24 and external_ip 50.1.1.20/24, the rule needs to be
3089 selectively applied on matching packets entering/leaving through
3090 the distributed gateway port with networks 50.0.0.10/24.
3091
3092 When a logical router has multiple distributed gateway ports and
3093 this column is not set for a NAT rule, then the rule will be ap‐
3094 plied at the distributed gateway port which is in the same net‐
3095 work as the external_ip of the NAT rule, if such a router port
3096 exists. If the logical router has a single distributed gateway port
3097 and this column is not set for a NAT rule, the rule will be ap‐
3098 plied at the distributed gateway port even if the router port is
3099 not in the same network as the external_ip of the NAT rule.
3100
3101 options : stateless: optional string
3102 Indicates if a dnat_and_snat rule should lead to connection
3103 tracking state or not.
3104
       options : add_route: optional string
              If set to true, then neighbor routers will have logical flows
              added that allow routing to the NAT address, together with
              ARP resolution logical flows. With this option set there is
              no need to create a Logical_Router_Static_Route from neighbor
              routers to this NAT address, and neighbor routers need no ARP
              request to learn the IP-MAC mapping for it. This option only
              applies to NATs of type dnat and dnat_and_snat. For more
              information about what flows are added for IP routes, please
              see the ovn-northd manpage section on IP Routing.
3116
3117 Common Columns:
3118
3119 external_ids: map of string-string pairs
3120 See External IDs at the beginning of this document.

DHCP_Options TABLE
3123 OVN implements native DHCPv4 support which caters to the common use
3124 case of providing an IPv4 address to a booting instance by providing
3125 stateless replies to DHCPv4 requests based on statically configured ad‐
3126 dress mappings. To do this it allows a short list of DHCPv4 options to
3127 be configured and applied at each compute host running ovn-controller.
3128
3129 OVN also implements native DHCPv6 support which provides stateless
3130 replies to DHCPv6 requests.
3131
3132 Summary:
3133 cidr string
3134 DHCPv4 options:
3135 Mandatory DHCPv4 options:
3136 options : server_id optional string
3137 options : server_mac optional string
3138 options : lease_time optional string, containing an integer,
3139 in range 0 to 4,294,967,295
3140 IPv4 DHCP Options:
3141 options : router optional string
3142 options : netmask optional string
3143 options : dns_server optional string
3144 options : log_server optional string
3145 options : lpr_server optional string
3146 options : swap_server optional string
3147 options : policy_filter optional string
3148 options : router_solicitation
3149 optional string
3150 options : nis_server optional string
3151 options : ntp_server optional string
3152 options : netbios_name_server
3153 optional string
3154 options : classless_static_route
3155 optional string
3156 options : ms_classless_static_route
3157 optional string
3158 options : next_server optional string
3159 Boolean DHCP Options:
3160 options : ip_forward_enable
3161 optional string, either 0 or 1
3162 options : router_discovery
3163 optional string, either 0 or 1
3164 options : ethernet_encap optional string, either 0 or 1
3165 Integer DHCP Options:
3166 options : default_ttl optional string, containing an integer,
3167 in range 0 to 255
3168 options : tcp_ttl optional string, containing an integer,
3169 in range 0 to 255
3170 options : mtu optional string, containing an integer,
3171 in range 68 to 65,535
3172 options : T1 optional string, containing an integer,
3173 in range 68 to 4,294,967,295
3174 options : T2 optional string, containing an integer,
3175 in range 68 to 4,294,967,295
3176 options : arp_cache_timeout
3177 optional string, containing an integer,
3178 in range 0 to 255
3179 options : tcp_keepalive_interval
3180 optional string, containing an integer,
3181 in range 0 to 255
3182 options : netbios_node_type
3183 optional string, containing an integer,
3184 in range 0 to 255
3185 String DHCP Options:
3186 options : wpad optional string
3187 options : bootfile_name optional string
3188 options : path_prefix optional string
3189 options : tftp_server_address
3190 optional string
3191 options : hostname optional string
3192 options : domain_name optional string
3193 options : bootfile_name_alt
3194 optional string
3195 options : broadcast_address
3196 optional string
3197 DHCP Options of type host_id:
3198 options : tftp_server optional string
3199 DHCP Options of type domains:
3200 options : domain_search_list
3201 optional string
3202 DHCPv6 options:
3203 Mandatory DHCPv6 options:
3204 options : server_id optional string
3205 IPv6 DHCPv6 options:
3206 options : dns_server optional string
3207 String DHCPv6 options:
3208 options : domain_search optional string
3209 options : dhcpv6_stateless
3210 optional string
3211 Common Columns:
3212 external_ids map of string-string pairs
3213
3214 Details:
3215 cidr: string
3216 The DHCPv4/DHCPv6 options will be included if the logical port
3217 has its IP address in this cidr.
3218
3219 DHCPv4 options:
3220
3221 The CMS should define the set of DHCPv4 options as key/value pairs in
3222 the options column of this table. For ovn-controller to include these
3223 DHCPv4 options, the dhcpv4_options of Logical_Switch_Port should refer
3224 to an entry in this table.
3225
3226 Mandatory DHCPv4 options:
3227
3228 The following options must be defined.
3229
3230 options : server_id: optional string
3231 The IP address for the DHCP server to use. This should be in the
3232 subnet of the offered IP. This is also included in the DHCP of‐
3233 fer as option 54, ``server identifier.’’
3234
3235 options : server_mac: optional string
3236 The Ethernet address for the DHCP server to use.
3237
       options : lease_time: optional string, containing an integer, in range
       0 to 4,294,967,295
              The offered lease time in seconds.

              The DHCPv4 option code for this option is 51.
3243
3244 IPv4 DHCP Options:
3245
3246 Below are the supported DHCPv4 options whose values are an IPv4 ad‐
3247 dress, e.g. 192.168.1.1. Some options accept multiple IPv4 addresses
3248 enclosed within curly braces, e.g. {192.168.1.2, 192.168.1.3}. Please
3249 refer to RFC 2132 for more details on DHCPv4 options and their codes.
3250
3251 options : router: optional string
3252 The IP address of a gateway for the client to use. This should
3253 be in the subnet of the offered IP. The DHCPv4 option code for
3254 this option is 3.
3255
3256 options : netmask: optional string
3257 The DHCPv4 option code for this option is 1.
3258
3259 options : dns_server: optional string
3260 The DHCPv4 option code for this option is 6.
3261
3262 options : log_server: optional string
3263 The DHCPv4 option code for this option is 7.
3264
3265 options : lpr_server: optional string
3266 The DHCPv4 option code for this option is 9.
3267
3268 options : swap_server: optional string
3269 The DHCPv4 option code for this option is 16.
3270
3271 options : policy_filter: optional string
3272 The DHCPv4 option code for this option is 21.
3273
3274 options : router_solicitation: optional string
3275 The DHCPv4 option code for this option is 32.
3276
3277 options : nis_server: optional string
3278 The DHCPv4 option code for this option is 41.
3279
3280 options : ntp_server: optional string
3281 The DHCPv4 option code for this option is 42.
3282
3283 options : netbios_name_server: optional string
3284 The DHCPv4 option code for this option is 44.
3285
3286 options : classless_static_route: optional string
3287 The DHCPv4 option code for this option is 121.
3288
3289 This option can contain one or more static routes, each of which
3290 consists of a destination descriptor and the IP address of the
3291 router that should be used to reach that destination. Please see
3292 RFC 3442 for more details.
3293
3294 Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
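              As an added example (not OVN project code), the following
              Python turns the value format shown above into the RFC 3442
              wire encoding of option 121 and decodes it back. Each route is
              encoded as the prefix length, only the significant octets of
              the destination, and the four-octet router address; passing
              code=249 produces the Microsoft variant described under
              ms_classless_static_route.

```python
"""Encode/decode the OVN classless_static_route value as DHCPv4 option 121.

Added example, not OVN project code. The wire format follows RFC 3442:
each route is <prefix length><significant destination octets><router>.
Passing code=249 yields the Microsoft variant (ms_classless_static_route).
"""
import ipaddress


def parse_static_routes(value):
    """Parse '{DEST/PLEN,ROUTER, DEST/PLEN,ROUTER}' into (network, router)."""
    body = value.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    fields = [f.strip() for f in body.split(",") if f.strip()]
    if len(fields) % 2:
        raise ValueError("expected destination,router pairs")
    routes = []
    for dest, router in zip(fields[::2], fields[1::2]):
        net = ipaddress.IPv4Network(dest, strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
    return routes


def encode_classless_static_route(value, code=121):
    """Return the complete option (code, length, data) as bytes."""
    data = bytearray()
    for net, router in parse_static_routes(value):
        # RFC 3442: only ceil(prefixlen / 8) destination octets are sent.
        significant = (net.prefixlen + 7) // 8
        data.append(net.prefixlen)
        data += net.network_address.packed[:significant]
        data += router.packed
    if len(data) > 255:
        raise ValueError("option data exceeds 255 bytes")
    return bytes([code, len(data)]) + bytes(data)


def decode_classless_static_route(option):
    """Inverse of the encoder: return a list of (destination, router) strings."""
    code, length, data = option[0], option[1], option[2:]
    if code not in (121, 249) or length != len(data):
        raise ValueError("malformed option")
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError("prefix length out of range")
        significant = (plen + 7) // 8
        i += 1
        dest = data[i:i + significant].ljust(4, b"\x00")  # restore omitted zero octets
        i += significant
        router = data[i:i + 4]
        i += 4
        if len(dest) != 4 or len(router) != 4:
            raise ValueError("truncated route entry")
        net = ipaddress.IPv4Network((dest, plen))
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes
```

              For the value in the example above the encoder emits 13 data
              octets: 24,30,0,0 followed by router 10.0.0.10, then prefix
              length 0 with no destination octets followed by router
              10.0.0.1.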
3295
       options : ms_classless_static_route: optional string
              The DHCPv4 option code for this option is 249. This option is
              the equivalent of classless_static_route understood by
              Microsoft Windows DHCPv4 clients.
3300
3301 options : next_server: optional string
3302 The DHCPv4 option code for setting the "Next server IP address"
3303 field in the DHCP header.
3304
3305 Boolean DHCP Options:
3306
3307 These options accept a Boolean value, expressed as 0 for false or 1 for
3308 true.
3309
3310 options : ip_forward_enable: optional string, either 0 or 1
3311 The DHCPv4 option code for this option is 19.
3312
3313 options : router_discovery: optional string, either 0 or 1
3314 The DHCPv4 option code for this option is 31.
3315
3316 options : ethernet_encap: optional string, either 0 or 1
3317 The DHCPv4 option code for this option is 36.
3318
3319 Integer DHCP Options:
3320
3321 These options accept a nonnegative integer value.
3322
3323 options : default_ttl: optional string, containing an integer, in range
3324 0 to 255
3325 The DHCPv4 option code for this option is 23.
3326
3327 options : tcp_ttl: optional string, containing an integer, in range 0
3328 to 255
3329 The DHCPv4 option code for this option is 37.
3330
3331 options : mtu: optional string, containing an integer, in range 68 to
3332 65,535
3333 The DHCPv4 option code for this option is 26.
3334
3335 options : T1: optional string, containing an integer, in range 68 to
3336 4,294,967,295
3337 This specifies the time interval from address assignment until
3338 the client begins trying to renew its address. The DHCPv4 option
3339 code for this option is 58.
3340
3341 options : T2: optional string, containing an integer, in range 68 to
3342 4,294,967,295
3343 This specifies the time interval from address assignment until
3344 the client begins trying to rebind its address. The DHCPv4 op‐
3345 tion code for this option is 59.
3346
3347 options : arp_cache_timeout: optional string, containing an integer, in
3348 range 0 to 255
3349 The DHCPv4 option code for this option is 35. This option speci‐
3350 fies the timeout in seconds for ARP cache entries.
3351
3352 options : tcp_keepalive_interval: optional string, containing an inte‐
3353 ger, in range 0 to 255
3354 The DHCPv4 option code for this option is 38. This option speci‐
3355 fies the interval that the client TCP should wait before sending
3356 a keepalive message on a TCP connection.
3357
3358 options : netbios_node_type: optional string, containing an integer, in
3359 range 0 to 255
3360 The DHCPv4 option code for this option is 46.
3361
3362 String DHCP Options:
3363
3364 These options accept a string value.
3365
3366 options : wpad: optional string
3367 The DHCPv4 option code for this option is 252. This option is
3368 used as part of web proxy auto discovery to provide a URL for a
3369 web proxy.
3370
3371 options : bootfile_name: optional string
3372 The DHCPv4 option code for this option is 67. This option is
3373 used to identify a bootfile.
3374
3375 options : path_prefix: optional string
3376 The DHCPv4 option code for this option is 210. In PXELINUX’ case
3377 this option is used to set a common path prefix, instead of de‐
3378 riving it from the bootfile name.
3379
       options : tftp_server_address: optional string
              The DHCPv4 option code for this option is 150. The option
              contains one or more IPv4 addresses that the client MAY use.
              This option is Cisco proprietary; the IEEE standard option
              that serves the same purpose is option 66 (tftp_server).
3385
       options : hostname: optional string
              The DHCPv4 option code for this option is 12. If set, it
              supplies the DHCPv4 "Hostname" option. Alternatively, this
              option can be configured in the options:hostname key of the
              Logical_Switch_Port table. If the Hostname option is set in
              both the Logical_Switch_Port and DHCP_Options tables, the
              Logical_Switch_Port value takes precedence.
3393
3394 options : domain_name: optional string
3395 The DHCPv4 option code for this option is 15. This option speci‐
3396 fies the domain name that client should use when resolving host‐
3397 names via the Domain Name System.
3398
3399 options : bootfile_name_alt: optional string
3400 "bootfile_name_alt" option is used to support iPXE. When both
3401 "bootfile_name" and "bootfile_name_alt" are provided by the CMS,
3402 "bootfile_name" will be used for option 67 if the dhcp request
3403 contains etherboot option (175), otherwise "bootfile_name_alt"
3404 will be used.
3405
3406 options : broadcast_address: optional string
3407 The DHCPv4 option code for this option is 28. This option speci‐
3408 fies the IP address used as a broadcast address.
3409
3410 DHCP Options of type host_id:
3411
3412 These options accept either an IPv4 address or a string value.
3413
3414 options : tftp_server: optional string
3415 The DHCPv4 option code for this option is 66.
3416
3417 DHCP Options of type domains:
3418
       These options accept a string value that is a comma-separated list of
       domain names. The domain names are encoded as described in RFC 1035.
3421
3422 options : domain_search_list: optional string
3423 The DHCPv4 option code for this option is 119.
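       As an added example (not OVN project code), the following Python
       encodes a domain_search_list value as DHCPv4 option 119 using the
       RFC 1035 label format mentioned above, enforcing the 63-octet label
       and 255-octet name limits, and decodes it back. It deliberately does
       not use name compression, which RFC 3397 permits but does not
       require; the decoder therefore rejects compression pointers.

```python
"""Encode the OVN domain_search_list value as DHCPv4 option 119.

Added example, not OVN project code. Names are encoded as RFC 1035
labels (length-prefixed, terminated by a zero octet) without name
compression, which RFC 3397 permits but does not require.
"""


def encode_domain_name(name):
    """Return the RFC 1035 wire form of one domain name."""
    name = name.strip().rstrip(".")
    if not name:
        raise ValueError("empty domain name")
    out = bytearray()
    for label in name.split("."):
        raw = label.encode("ascii")  # IDNA conversion is out of scope here
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length must be 1..63: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    if len(out) > 255:
        raise ValueError("domain name exceeds 255 octets")
    return bytes(out)


def encode_domain_search_list(value, code=119):
    """Return option 119 as bytes; long lists span several option instances."""
    data = b"".join(encode_domain_name(n) for n in value.split(","))
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    return b"".join(bytes([code, len(chunk)]) + chunk for chunk in chunks)


def decode_domain_search_list(option, code=119):
    """Inverse for uncompressed data: return the list of names."""
    data = bytearray()
    i = 0
    while i < len(option):  # concatenate all option instances first
        if option[i] != code:
            raise ValueError("unexpected option code")
        length = option[i + 1]
        data += option[i + 2:i + 2 + length]
        i += 2 + length
    names, labels, i = [], [], 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0:
            names.append(".".join(labels))
            labels = []
        elif n & 0xC0:
            raise ValueError("compression pointers not supported")
        else:
            labels.append(data[i:i + n].decode("ascii"))
            i += n
    return names
```

       For "ovn.org" the option is 119, length 9, then 3 "ovn" 3 "org" 0.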
3424
3425 DHCPv6 options:
3426
       OVN also implements native DHCPv6 support. The CMS should define the
       set of DHCPv6 options as key/value pairs. The defined DHCPv6 options
       will be included in the DHCPv6 response to DHCPv6 Solicit/Request/
       Confirm packets from logical ports whose IPv6 addresses are in the
       cidr.
3432
3433 Mandatory DHCPv6 options:
3434
3435 The following options must be defined.
3436
3437 options : server_id: optional string
3438 The Ethernet address for the DHCP server to use. This is also
3439 included in the DHCPv6 reply as option 2, ``Server Identifier’’
3440 to carry a DUID identifying a server between a client and a
3441 server. ovn-controller defines DUID based on Link-layer Address
3442 [DUID-LL].
3443
3444 IPv6 DHCPv6 options:
3445
3446 Below are the supported DHCPv6 options whose values are an IPv6 ad‐
3447 dress, e.g. aef0::4. Some options accept multiple IPv6 addresses en‐
3448 closed within curly braces, e.g. {aef0::4, aef0::5}. Please refer to
3449 RFC 3315 for more details on DHCPv6 options and their codes.
3450
3451 options : dns_server: optional string
3452 The DHCPv6 option code for this option is 23. This option speci‐
3453 fies the DNS servers that the VM should use.
3454
3455 String DHCPv6 options:
3456
3457 These options accept string values.
3458
3459 options : domain_search: optional string
3460 The DHCPv6 option code for this option is 24. This option speci‐
3461 fies the domain search list the client should use to resolve
3462 hostnames with DNS.
3463
3464 Example: "ovn.org".
3465
       options : dhcpv6_stateless: optional string
              This option specifies that OVN native DHCPv6 works in
              stateless mode: it does not offer IPv6 addresses to VM/VIF
              ports but only replies with other configuration, such as DNS
              servers and the domain search list. When this option is set
              to the string value "true", VM/VIF ports configure their IPv6
              addresses statelessly. The default value for this option is
              false.
3473
3474 Common Columns:
3475
3476 external_ids: map of string-string pairs
3477 See External IDs at the beginning of this document.

Connection TABLE
3480 Configuration for a database connection to an Open vSwitch database
3481 (OVSDB) client.
3482
3483 This table primarily configures the Open vSwitch database server
3484 (ovsdb-server).
3485
3486 The Open vSwitch database server can initiate and maintain active con‐
3487 nections to remote clients. It can also listen for database connec‐
3488 tions.
3489
3490 Summary:
3491 Core Features:
3492 target string (must be unique within table)
3493 Client Failure Detection and Handling:
3494 max_backoff optional integer, at least 1,000
3495 inactivity_probe optional integer
3496 Status:
3497 is_connected boolean
3498 status : last_error optional string
3499 status : state optional string, one of ACTIVE, BACKOFF,
3500 CONNECTING, IDLE, or VOID
3501 status : sec_since_connect optional string, containing an integer,
3502 at least 0
3503 status : sec_since_disconnect
3504 optional string, containing an integer,
3505 at least 0
3506 status : locks_held optional string
3507 status : locks_waiting optional string
3508 status : locks_lost optional string
3509 status : n_connections optional string, containing an integer,
3510 at least 2
3511 status : bound_port optional string, containing an integer
3512 Common Columns:
3513 external_ids map of string-string pairs
3514 other_config map of string-string pairs
3515
3516 Details:
3517 Core Features:
3518
3519 target: string (must be unique within table)
3520 Connection methods for clients.
3521
3522 The following connection methods are currently supported:
3523
              ssl:host[:port]
                     The specified SSL port on the given host, which can
                     either be a DNS name (if built with the unbound
                     library) or an IP address. A valid SSL configuration
                     must be provided when this form is used; it can be
                     specified via command-line options or the SSL table.

                     If port is not specified, it defaults to 6640.

                     SSL support is an optional feature that is not always
                     built as part of Open vSwitch.

              tcp:host[:port]
                     The specified TCP port on the given host, which can
                     either be a DNS name (if built with the unbound
                     library) or an IP address. If host is an IPv6 address,
                     wrap it in square brackets, e.g. tcp:[::1]:6640.

                     If port is not specified, it defaults to 6640.

              pssl:[port][:host]
                     Listens for SSL connections on the specified TCP port.
                     Specify 0 for port to have the kernel automatically
                     choose an available port. If host, which can either be
                     a DNS name (if built with the unbound library) or an
                     IP address, is specified, then connections are
                     restricted to the resolved or specified local IP
                     address (either IPv4 or IPv6). If host is an IPv6
                     address, wrap it in square brackets, e.g.
                     pssl:6640:[::1]. If host is not specified then it
                     listens only on IPv4 (but not IPv6) addresses. A valid
                     SSL configuration must be provided when this form is
                     used; it can be specified either via command-line
                     options or the SSL table.

                     If port is not specified, it defaults to 6640.

                     SSL support is an optional feature that is not always
                     built as part of Open vSwitch.

              ptcp:[port][:host]
                     Listens for connections on the specified TCP port.
                     Specify 0 for port to have the kernel automatically
                     choose an available port. If host, which can either be
                     a DNS name (if built with the unbound library) or an
                     IP address, is specified, then connections are
                     restricted to the resolved or specified local IP
                     address (either IPv4 or IPv6). If host is an IPv6
                     address, wrap it in square brackets, e.g.
                     ptcp:6640:[::1]. If host is not specified then it
                     listens only on IPv4 addresses.

                     If port is not specified, it defaults to 6640.
3576
3577 When multiple clients are configured, the target values must be
3578 unique. Duplicate target values yield unspecified results.
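       As an added example (not OVN project code), the following Python
       parses target values in the four forms documented above, applying
       the 6640 default port and the square-bracket IPv6 convention, and
       then reports what a reviewer of a Connection row would want to know:
       cleartext transports, listeners not bound to a host, and
       kernel-chosen ports. The sample targets are constructed.

```python
"""Parse and audit Connection.target values in the forms documented above.

Added example, not OVN project code. Only the ssl:, tcp:, pssl: and
ptcp: methods are handled; all sample targets are constructed.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_PORT = 6640


@dataclass
class Target:
    method: str             # ssl, tcp, pssl or ptcp
    host: Optional[str]     # None for a listener with no host restriction
    port: int
    passive: bool           # pssl:/ptcp: listen; ssl:/tcp: connect out
    encrypted: bool         # ssl:/pssl:


def _strip_brackets(host):
    if host.startswith("[") and host.endswith("]"):
        return host[1:-1]
    return host


def parse_target(target):
    method, sep, rest = target.partition(":")
    if not sep or method not in ("ssl", "tcp", "pssl", "ptcp"):
        raise ValueError(f"unsupported connection method: {target!r}")
    passive = method.startswith("p")
    if passive:
        # pssl:[port][:host], e.g. pssl:6640:[::1]; the port comes first.
        port_str, _, host = rest.partition(":")
    elif rest.startswith("["):
        # tcp:[v6addr][:port], e.g. tcp:[::1]:6640
        end = rest.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, port_str = rest[:end + 1], rest[end + 1:].lstrip(":")
    else:
        host, _, port_str = rest.partition(":")
        if not host:
            raise ValueError("active connection needs a host")
    port = int(port_str) if port_str else DEFAULT_PORT
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return Target(method, _strip_brackets(host) or None, port, passive,
                  method.endswith("ssl"))


def audit_targets(targets):
    """Return (target, finding) pairs a reviewer would want to see."""
    findings = []
    for t in targets:
        parsed = parse_target(t)
        if not parsed.encrypted:
            findings.append((t, "cleartext OVSDB transport; prefer ssl:/pssl:"))
        if parsed.passive and parsed.host is None:
            findings.append((t, "listener not bound to a host; accepts on "
                                "all IPv4 addresses"))
        if parsed.passive and parsed.port == 0:
            findings.append((t, "kernel-chosen port; read status:bound_port"))
    return findings
```

       A bare ptcp: target produces two findings (cleartext and unbound),
       while pssl:6641:10.0.0.1 produces none.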
3579
3580 Client Failure Detection and Handling:
3581
3582 max_backoff: optional integer, at least 1,000
3583 Maximum number of milliseconds to wait between connection at‐
3584 tempts. Default is implementation-specific.
3585
       inactivity_probe: optional integer
              Maximum number of milliseconds of idle time on the connection
              to the client before sending an inactivity probe message. If
              Open vSwitch does not communicate with the client for that
              long, it will send a probe. If a response is not received
              within the same additional amount of time, Open vSwitch
              assumes the connection has been broken and attempts to
              reconnect. Default is implementation-specific. A value of 0
              disables inactivity probes.
3595
3596 Status:
3597
       The is_connected key-value pair is always updated. Whether the other
       key-value pairs in the status column are updated depends on the
       target type.

       When target specifies a connection method that listens for inbound
       connections (e.g. ptcp: or punix:), both n_connections and
       is_connected may also be updated, while the remaining key-value pairs
       are omitted.

       When target specifies an outbound connection, all key-value pairs may
       be updated except the two mentioned above, which are associated with
       inbound connection targets and are omitted.
3609
3610 is_connected: boolean
3611 true if currently connected to this client, false otherwise.
3612
3613 status : last_error: optional string
3614 A human-readable description of the last error on the connection
3615 to the manager; i.e. strerror(errno). This key will exist only
3616 if an error has occurred.
3617
3618 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
3619 IDLE, or VOID
3620 The state of the connection to the manager:
3621
3622 VOID Connection is disabled.
3623
3624 BACKOFF
3625 Attempting to reconnect at an increasing period.
3626
3627 CONNECTING
3628 Attempting to connect.
3629
3630 ACTIVE Connected, remote host responsive.
3631
3632 IDLE Connection is idle. Waiting for response to keep-alive.
3633
3634 These values may change in the future. They are provided only
3635 for human consumption.
3636
3637 status : sec_since_connect: optional string, containing an integer, at
3638 least 0
3639 The amount of time since this client last successfully connected
3640 to the database (in seconds). Value is empty if client has never
3641 successfully been connected.
3642
3643 status : sec_since_disconnect: optional string, containing an integer,
3644 at least 0
3645 The amount of time since this client last disconnected from the
3646 database (in seconds). Value is empty if client has never dis‐
3647 connected.
3648
3649 status : locks_held: optional string
3650 Space-separated list of the names of OVSDB locks that the con‐
3651 nection holds. Omitted if the connection does not hold any
3652 locks.
3653
3654 status : locks_waiting: optional string
3655 Space-separated list of the names of OVSDB locks that the con‐
3656 nection is currently waiting to acquire. Omitted if the connec‐
3657 tion is not waiting for any locks.
3658
3659 status : locks_lost: optional string
3660 Space-separated list of the names of OVSDB locks that the con‐
3661 nection has had stolen by another OVSDB client. Omitted if no
3662 locks have been stolen from this connection.
3663
3664 status : n_connections: optional string, containing an integer, at
3665 least 2
3666 When target specifies a connection method that listens for in‐
3667 bound connections (e.g. ptcp: or pssl:) and more than one con‐
3668 nection is actually active, the value is the number of active
3669 connections. Otherwise, this key-value pair is omitted.
3670
3671 status : bound_port: optional string, containing an integer
3672 When target is ptcp: or pssl:, this is the TCP port on which the
3673 OVSDB server is listening. (This is particularly useful when
3674 target specifies a port of 0, allowing the kernel to choose any
3675 available port.)
3676
3677 Common Columns:
3678
3679 The overall purpose of these columns is described under Common Columns
3680 at the beginning of this document.
3681
3682 external_ids: map of string-string pairs
3683
3684 other_config: map of string-string pairs

DNS TABLE
3687 Each row in this table stores the DNS records. The Logical_Switch ta‐
3688 ble’s dns_records references these records.
3689
3690 Summary:
3691 records map of string-string pairs
3692 external_ids map of string-string pairs
3693
3694 Details:
       records: map of string-string pairs
              Key-value pairs of DNS records, with the DNS query name as the
              key and, as the value, a string of IP address(es) separated
              by comma or space. For PTR requests, the key can be the
              reversed IPv4 address followed by .in-addr.arpa and the value
              the DNS domain name. For IPv6 addresses, the key has to be
              the reversed IPv6 address followed by .ip6.arpa.
3701
3702 Example: "vm1.ovn.org" = "10.0.0.4 aef0::4"
3703
3704 Example: "4.0.0.10.in-addr.arpa" = "vm1.ovn.org"
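              As an added example (not OVN project code), the following
              Python derives the PTR keys the records map needs for each
              address in a forward record, including the nibble-reversed
              ip6.arpa form for IPv6, and cross-checks a complete records
              map so that every reverse entry points at a name that really
              carries that address. The forward records are constructed.

```python
"""Derive PTR records for the DNS table and cross-check them.

Added example, not OVN project code. The forward map mirrors the
records column format (name -> addresses separated by comma or space);
all entries are constructed.
"""
import ipaddress
import re

FORWARD = {"vm1.ovn.org": "10.0.0.4 aef0::4", "vm2.ovn.org": "10.0.0.5,aef0::5"}


def split_addresses(value):
    """Parse the comma- or space-separated address list of a forward record."""
    return [ipaddress.ip_address(a)
            for a in re.split(r"[,\s]+", value.strip()) if a]


def is_reverse_name(name):
    return name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa")


def ptr_records(forward):
    """Build the reverse (PTR) keys for every address in the forward map."""
    ptr = {}
    for name, value in forward.items():
        for addr in split_addresses(value):
            # reverse_pointer gives 4.0.0.10.in-addr.arpa for 10.0.0.4 and the
            # nibble-reversed ...f.e.a.ip6.arpa form for IPv6 addresses.
            ptr[addr.reverse_pointer] = name
    return ptr


def check_records(records):
    """Return a list of problems found in a complete records map."""
    problems = []
    forward = {k: v for k, v in records.items() if not is_reverse_name(k)}
    expected = ptr_records(forward)
    for key, value in records.items():
        if is_reverse_name(key):
            if expected.get(key) != value:
                problems.append(f"{key} -> {value} has no matching forward record")
        else:
            try:
                split_addresses(value)
            except ValueError as err:
                problems.append(f"{key}: {err}")
    for key in expected:
        if key not in records:
            problems.append(f"missing PTR record {key}")
    return problems
```

              For the example rows above the IPv4 key is
              4.0.0.10.in-addr.arpa, and aef0::4 yields a 32-nibble
              ip6.arpa key.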
3705
3706 external_ids: map of string-string pairs
3707 See External IDs at the beginning of this document.

SSL TABLE
3710 SSL configuration for ovn-nb database access.
3711
3712 Summary:
3713 private_key string
3714 certificate string
3715 ca_cert string
3716 bootstrap_ca_cert boolean
3717 ssl_protocols string
3718 ssl_ciphers string
3719 Common Columns:
3720 external_ids map of string-string pairs
3721
3722 Details:
3723 private_key: string
3724 Name of a PEM file containing the private key used as the
3725 switch’s identity for SSL connections to the controller.
3726
3727 certificate: string
3728 Name of a PEM file containing a certificate, signed by the cer‐
3729 tificate authority (CA) used by the controller and manager, that
3730 certifies the switch’s private key, identifying a trustworthy
3731 switch.
3732
3733 ca_cert: string
3734 Name of a PEM file containing the CA certificate used to verify
3735 that the switch is connected to a trustworthy controller.
3736
3737 bootstrap_ca_cert: boolean
3738 If set to true, then Open vSwitch will attempt to obtain the CA
3739 certificate from the controller on its first SSL connection and
3740 save it to the named PEM file. If it is successful, it will im‐
3741 mediately drop the connection and reconnect, and from then on
3742 all SSL connections must be authenticated by a certificate
3743 signed by the CA certificate thus obtained. This option exposes
3744 the SSL connection to a man-in-the-middle attack obtaining the
3745 initial CA certificate. It may still be useful for bootstrap‐
3746 ping.
3747
3748 ssl_protocols: string
3749 List of SSL protocols to be enabled for SSL connections. The de‐
3750 fault when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.
3751
3752 ssl_ciphers: string
3753 List of ciphers (in OpenSSL cipher string format) to be sup‐
3754 ported for SSL connections. The default when this option is
3755 omitted is HIGH:!aNULL:!MD5.
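       As an added example (not OVN project code), the following Python
       audits an SSL row, given as a constructed dict keyed by the column
       names above, for the points a reviewer would raise: empty key or
       certificate columns, the deprecated TLSv1 and TLSv1.1 protocols that
       the documented default ssl_protocols still enables, a cipher string
       that no longer excludes aNULL or MD5, and bootstrap_ca_cert left
       enabled after the one-time bootstrap it is meant for.

```python
"""Audit an SSL table row for weak settings.

Added example, not OVN project code. The row is a constructed dict keyed
by the column names; the defaults it falls back on are the ones the
schema documents (TLSv1,TLSv1.1,TLSv1.2 and HIGH:!aNULL:!MD5).
"""
DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def audit_ssl_row(row):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for col in ("private_key", "certificate", "ca_cert"):
        if not row.get(col):
            findings.append(f"{col} is empty; SSL peers cannot be authenticated")
    protocols = [p.strip() for p in
                 (row.get("ssl_protocols") or DEFAULT_PROTOCOLS).split(",")
                 if p.strip()]
    weak = sorted(DEPRECATED_PROTOCOLS.intersection(protocols))
    if weak:
        findings.append(f"ssl_protocols enables deprecated {', '.join(weak)}; "
                        "restrict to TLSv1.2 or later")
    ciphers = (row.get("ssl_ciphers") or DEFAULT_CIPHERS).split(":")
    for exclusion in ("!aNULL", "!MD5"):
        if exclusion not in ciphers:
            findings.append(f"ssl_ciphers does not exclude {exclusion[1:]}")
    # The column is a boolean, but tolerate the string form ovsdb tools print.
    if str(row.get("bootstrap_ca_cert", "false")).lower() == "true":
        findings.append("bootstrap_ca_cert is true: the first connection "
                        "accepts whichever CA the peer presents; set it back "
                        "to false once ca_cert is populated")
    return findings
```

       With only the three PEM columns set, the documented protocol default
       is the single finding; pinning ssl_protocols to TLSv1.2 clears it.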
3756
3757 Common Columns:
3758
3759 The overall purpose of these columns is described under Common Columns
3760 at the beginning of this document.
3761
3762 external_ids: map of string-string pairs

Gateway_Chassis TABLE
       Association of a chassis to a logical router port. The traffic going
       out through a specific router port will be redirected to a chassis,
       or to a set of them in high availability configurations.
3768
3769 Summary:
3770 name string (must be unique within table)
3771 chassis_name string
3772 priority integer, in range 0 to 32,767
3773 options map of string-string pairs
3774 Common Columns:
3775 external_ids map of string-string pairs
3776
3777 Details:
3778 name: string (must be unique within table)
3779 Name of the Gateway_Chassis.
3780
3781 A suggested, but not required naming convention is
3782 ${port_name}_${chassis_name}.
3783
3784 chassis_name: string
3785 Name of the chassis that we want to redirect traffic through for
3786 the associated logical router port. The value must match the
3787 name column of the Chassis table in the OVN_Southbound database.
3788
3789 priority: integer, in range 0 to 32,767
3790 This is the priority of a chassis among all Gateway_Chassis be‐
3791 longing to the same logical router port.
3792
3793 options: map of string-string pairs
3794 Reserved for future use.
3795
3796 Common Columns:
3797
3798 external_ids: map of string-string pairs
3799 See External IDs at the beginning of this document.

HA_Chassis_Group TABLE
       Table representing a group of chassis which can provide high
       availability services. Each chassis in the group is represented by
       the table HA_Chassis. The HA chassis with the highest priority will
       be the master of this group. If failover of the master chassis is
       detected, the HA chassis with the next highest priority takes over
       the responsibility of providing the HA. If a distributed gateway
       router port references a row in this table, then the master HA
       chassis in this group provides the gateway functionality.
3810
3811 Summary:
3812 name string (must be unique within table)
3813 ha_chassis set of HA_Chassises
3814 Common Columns:
3815 external_ids map of string-string pairs
3816
3817 Details:
3818 name: string (must be unique within table)
3819 Name of the HA_Chassis_Group. Name should be unique.
3820
       ha_chassis: set of HA_Chassises
              A list of HA chassis which belong to this group.
3823
3824 Common Columns:
3825
3826 external_ids: map of string-string pairs
3827 See External IDs at the beginning of this document.

HA_Chassis TABLE
3830 Summary:
3831 chassis_name string
3832 priority integer, in range 0 to 32,767
3833 Common Columns:
3834 external_ids map of string-string pairs
3835
3836 Details:
3837 chassis_name: string
3838 Name of the chassis which is part of the HA chassis group. The
3839 value must match the name column of the Chassis table in the
3840 OVN_Southbound database.
3841
3842 priority: integer, in range 0 to 32,767
3843 Priority of the chassis. Chassis with highest priority will be
3844 the master.
3845
3846 Common Columns:
3847
3848 external_ids: map of string-string pairs
3849 See External IDs at the beginning of this document.

BFD TABLE
       Contains BFD parameters for ovn-controller BFD configuration. The OVN
       BFD implementation is used to detect failures in the path between
       adjacent forwarding engines, including the OVN interfaces. OVN BFD
       provides link status info to OVN northd in order to update logical
       flows according to the status of BFD endpoints. In the current
       implementation OVN BFD is used to check next-hop status for ECMP
       routes. Please note that the BFD table refers to the OVN BFD
       implementation and not to the legacy OVS one.
3860
3861 Summary:
3862 Configuration:
3863 logical_port string
3864 dst_ip string
3865 min_tx optional integer, at least 1
3866 min_rx optional integer
3867 detect_mult optional integer, at least 1
3868 options map of string-string pairs
3869 external_ids map of string-string pairs
3870 Status Reporting:
3871 status optional string, one of admin_down, down,
3872 init, or up
3873
3874 Details:
3875 Configuration:
3876
3877 ovn-northd reads configuration from these columns.
3878
       logical_port: string
              OVN logical port on which the BFD engine is running.
3881
3882 dst_ip: string
3883 BFD peer IP address.
3884
3885 min_tx: optional integer, at least 1
3886 This is the minimum interval, in milliseconds, that the local
3887 system would like to use when transmitting BFD Control packets,
3888 less any jitter applied. The value zero is reserved. Default
3889 value is 1000 ms.
3890
3891 min_rx: optional integer
3892 This is the minimum interval, in milliseconds, between received
3893 BFD Control packets that this system is capable of supporting,
3894 less any jitter applied by the sender. If this value is zero,
3895 the transmitting system does not want the remote system to send
3896 any periodic BFD Control packets.
3897
3898 detect_mult: optional integer, at least 1
3899 Detection time multiplier. The negotiated transmit interval,
3900 multiplied by this value, provides the Detection Time for the
3901 receiving system in Asynchronous mode. Default value is 5.
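       As an added example (not OVN project code), the following Python
       carries the detect_mult formula above through the interval
       negotiation of RFC 5880, which is what "negotiated transmit
       interval" refers to: a system never transmits faster than its peer's
       min_rx, and the receiver's detection time is the peer's detect_mult
       times that interval. A min_rx of zero, the case called out above,
       disables periodic packets and hence detection. The min_tx and
       detect_mult defaults are the documented ones; the min_rx fallback of
       1000 ms is an assumption made here, as the schema text gives none.

```python
"""Compute BFD detection time from the min_tx, min_rx and detect_mult columns.

Added example, not OVN project code. Interval negotiation follows RFC 5880:
a system never transmits faster than its peer's min_rx, and the receiver's
detection time is the peer's detect_mult times that negotiated interval.
"""
DEFAULT_MIN_TX = 1000       # documented default, milliseconds
DEFAULT_MIN_RX = 1000       # assumption: the schema text documents no default
DEFAULT_DETECT_MULT = 5     # documented default


def with_defaults(row):
    """Return a BFD row with the optional columns filled in."""
    for col in ("min_tx", "detect_mult"):
        if col in row and row[col] < 1:
            raise ValueError(f"{col} must be at least 1")
    return {
        "min_tx": row.get("min_tx", DEFAULT_MIN_TX),
        "min_rx": row.get("min_rx", DEFAULT_MIN_RX),
        "detect_mult": row.get("detect_mult", DEFAULT_DETECT_MULT),
    }


def negotiated_tx_interval(sender, receiver):
    """Interval (ms) at which sender actually transmits towards receiver."""
    sender, receiver = with_defaults(sender), with_defaults(receiver)
    if receiver["min_rx"] == 0:
        return None  # receiver does not want periodic control packets
    return max(sender["min_tx"], receiver["min_rx"])


def detection_time(local, remote):
    """Detection time (ms) at local for its session with remote, or None."""
    interval = negotiated_tx_interval(remote, local)
    if interval is None:
        return None
    return with_defaults(remote)["detect_mult"] * interval
```

       With both sides at the documented defaults the detection time is
       5 × 1000 ms = 5000 ms; a peer advertising min_tx 1500 and
       detect_mult 3 against a local min_rx of 1000 yields 4500 ms.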
3902
3903 options: map of string-string pairs
3904 Reserved for future use.
3905
3906 external_ids: map of string-string pairs
3907 See External IDs at the beginning of this document.
3908
3909 Status Reporting:
3910
3911 ovn-northd writes BFD status into these columns.
3912
3913 status: optional string, one of admin_down, down, init, or up
3914 BFD port logical states. Possible values are:
3915
3916 • admin_down
3917
3918 • down
3919
3920 • init
3921
3922 • up

Static_MAC_Binding TABLE
3925 Each record represents a Static_MAC_Binding entry for a logical router.
3926
3927 Summary:
3928 Configuration:
3929 logical_port string
3930 ip string
3931 mac string
3932 override_dynamic_mac boolean
3933
3934 Details:
3935 Configuration:
3936
3937 ovn-northd reads configuration from these columns and propagates the
3938 value to SBDB.
3939
3940 logical_port: string
3941 The logical router port for the binding.
3942
3943 ip: string
3944 The bound IP address.
3945
3946 mac: string
3947 The Ethernet address to which the IP is bound.
3948
3949 override_dynamic_mac: boolean
3950 Override dynamically learnt MACs.

Chassis_Template_Var TABLE
       One record per chassis, each containing a map, variables, between
       template variable names and their values for that specific chassis. A
       template variable has a name and potentially different values on
       different hypervisors in the OVN cluster. For example, two rows, R1 =
       (.chassis=C1, variables={(N: V1)}) and R2 = (.chassis=C2,
       variables={(N: V2)}), will make ovn-controller running on chassis C1
       and C2 interpret the token N either as V1 (on C1) or as V2 (on C2).
       Users can refer to template variables from within other logical
       components, e.g., within ACL, QoS or Logical_Router_Policy matches or
       from Load_Balancer VIP and backend definitions.
3963
3964 If a template variable is referenced on a chassis for which that vari‐
3965 able is not defined then ovn-controller running on that chassis will
3966 just interpret it as a raw string literal.
3967
3968 Summary:
3969 chassis string (must be unique within table)
3970 variables map of string-string pairs
3971 Common Columns:
3972 external_ids map of string-string pairs
3973
3974 Details:
3975 chassis: string (must be unique within table)
3976 The chassis this set of variable values applies to.
3977
3978 variables: map of string-string pairs
3979 The set of variable values for a given chassis.
3980
3981 Common Columns:
3982
3983 external_ids: map of string-string pairs
3984 See External IDs at the beginning of this document.
3985
3986
3987
Open vSwitch 22.12.0                DB Schema 7.0.0                   ovn-nb(5)