ovn-nb(5) Open vSwitch Manual ovn-nb(5)

ovn-nb - OVN_Northbound database schema
7
This database is the interface between OVN and the cloud management
system (CMS), such as OpenStack, running above it. The CMS produces
almost all of the contents of the database. The ovn-northd program
monitors the database contents, transforms it, and stores it into the
OVN_Southbound database.

We generally speak of "the" CMS, but one can imagine scenarios in
which multiple CMSes manage different parts of an OVN deployment.
16
17 External IDs
18 Each of the tables in this database contains a special column, named
19 external_ids. This column has the same form and purpose each place it
20 appears.
21
22 external_ids: map of string-string pairs
23 Key-value pairs for use by the CMS. The CMS might use
24 certain pairs, for example, to identify entities in its
25 own configuration that correspond to those in this data‐
26 base.
27
29 The following list summarizes the purpose of each of the tables in the
30 OVN_Northbound database. Each table is described in more detail on a
31 later page.
32
Table                        Purpose
NB_Global                    Northbound configuration
Copp                         Control plane protection
Logical_Switch               L2 logical switch
Logical_Switch_Port          L2 logical switch port
Forwarding_Group             forwarding group
Address_Set                  Address Sets
Port_Group                   Port Groups
Load_Balancer                load balancer
Load_Balancer_Group          load balancer group
Load_Balancer_Health_Check   load balancer
ACL                          Access Control List (ACL) rule
Logical_Router               L3 logical router
QoS                          QoS rule
Mirror                       Mirror Entry
Meter                        Meter entry
Meter_Band                   Band for meter entries
Logical_Router_Port          L3 logical router port
Logical_Router_Static_Route  Logical router static routes
Logical_Router_Policy        Logical router policies
NAT                          NAT rules
DHCP_Options                 DHCP options
Connection                   OVSDB client connections.
DNS                          Native DNS resolution
SSL                          SSL configuration.
Gateway_Chassis              Gateway_Chassis configuration.
HA_Chassis_Group             HA_Chassis_Group configuration.
HA_Chassis                   HA_Chassis configuration.
BFD                          BFD configuration.
Static_MAC_Binding           Static_MAC_Binding configuration.
Chassis_Template_Var         Chassis_Template_Var configuration.
84
86 Northbound configuration for an OVN system. This table must have ex‐
87 actly one row.
88
89 Summary:
90 Identity:
91 name string
92 Status:
93 nb_cfg integer
94 nb_cfg_timestamp integer
95 sb_cfg integer
96 sb_cfg_timestamp integer
97 hv_cfg integer
98 hv_cfg_timestamp integer
99 Common Columns:
100 external_ids map of string-string pairs
101 Common options:
102 options map of string-string pairs
103 Options for configuring OVS BFD:
104 options : bfd-min-rx optional string
105 options : bfd-decay-min-rx
106 optional string
107 options : bfd-min-tx optional string
108 options : bfd-mult optional string
109 options : mac_prefix optional string
110 options : mac_binding_removal_limit
111 optional string, containing an integer,
112 in range 0 to 4,294,967,295
113 options : fdb_removal_limit
114 optional string, containing an integer,
115 in range 0 to 4,294,967,295
116 options : controller_event optional string, either true or false
117 options : northd_probe_interval
118 optional string
119 options : ic_probe_interval
120 optional string
121 options : nbctl_probe_interval
122 optional string
123 options : northd_trim_timeout
124 optional string
125 options : use_logical_dp_groups
126 optional string
127 options : use_parallel_build
128 optional string
129 options : ignore_lsp_down optional string
130 options : use_ct_inv_match optional string
131 options : default_acl_drop optional string
132 options : debug_drop_domain_id
133 optional string
134 options : debug_drop_collector_set
135 optional string
136 options : use_common_zone optional string, either true or false
137 options : northd-backoff-interval-ms
138 optional string
139 Options for configuring interconnection route advertisement:
140 options : ic-route-adv optional string
141 options : ic-route-learn optional string
142 options : ic-route-adv-default
143 optional string
144 options : ic-route-learn-default
145 optional string
146 options : ic-route-blacklist
147 optional string
148 Connection Options:
149 connections set of Connections
150 ssl optional SSL
151 Security Configurations:
152 ipsec boolean
153 Read-only Options:
154 options : max_tunid optional string
155
156 Details:
157 Identity:
158
159 name: string
160 The name of the OVN cluster, which uniquely identifies the OVN
161 cluster throughout all OVN clusters supposed to interconnect
162 with each other.
163
164 Status:
165
166 These columns allow a client to track the overall configuration state
167 of the system.
168
169 nb_cfg: integer
170 Sequence number for client to increment. When a client modifies
171 any part of the northbound database configuration and wishes to
172 wait for ovn-northd and possibly all of the hypervisors to fin‐
173 ish applying the changes, it may increment this sequence number.
174
175 nb_cfg_timestamp: integer
176 The timestamp, in milliseconds since the epoch, when ovn-northd
177 sees the latest nb_cfg and starts processing.
178
179 To print the timestamp as a human-readable date:
180
    date -d "@$(ovn-nbctl get NB_Global . nb_cfg_timestamp | sed 's/...$//')"
182
183
184 sb_cfg: integer
185 Sequence number that ovn-northd sets to the value of nb_cfg af‐
186 ter it finishes applying the corresponding configuration changes
187 to the OVN_Southbound database.
188
189 sb_cfg_timestamp: integer
190 The timestamp, in milliseconds since the epoch, when ovn-northd
191 finishes applying the corresponding configuration changes to the
192 OVN_Southbound database successfully.
193
194 hv_cfg: integer
195 Sequence number that ovn-northd sets to the smallest sequence
196 number of all the chassis in the system, as reported in the
197 Chassis_Private table in the southbound database. Thus, hv_cfg
198 equals nb_cfg if all chassis are caught up with the northbound
199 configuration (which may never happen, if any chassis is down).
200 This value can regress, if a chassis was removed from the system
201 and rejoins before catching up.
202
203 If there are no chassis, then ovn-northd copies nb_cfg to
204 hv_cfg. Thus, in this case, the (nonexistent) hypervisors are
205 always considered to be caught up. This means that hypervisors
206 can be "caught up" even in cases where sb_cfg would show that
207 the southbound database is not. To detect when both the hypervi‐
208 sors and the southbound database are caught up, a client should
209 take the smaller of sb_cfg and hv_cfg.
210
211 hv_cfg_timestamp: integer
212 The largest timestamp, in milliseconds since the epoch, of the
213 smallest sequence number of all the chassis in the system, as
214 reported in the Chassis_Private table in the southbound data‐
215 base. In other words, this timestamp reflects the time when the
216 slowest chassis catches up with the northbound configuration,
217 which is useful for end-to-end control plane latency measure‐
218 ment.
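
The status columns above can be combined into a "has my change landed everywhere" check. The following is an added example, not part of the OVN manual or code base: it takes the smaller of sb_cfg and hv_cfg as described, and reports end-to-end latency from the two timestamps. The function names and the sample snapshots are assumptions made for illustration.

```python
import subprocess
import time

COLUMNS = ("nb_cfg", "nb_cfg_timestamp", "sb_cfg", "hv_cfg", "hv_cfg_timestamp")


def read_nb_global():
    """Fetch the status columns of the single NB_Global row as integers."""
    out = subprocess.run(
        ["ovn-nbctl", "get", "NB_Global", ".", *COLUMNS],
        check=True, capture_output=True, text=True,
    ).stdout.split()
    return dict(zip(COLUMNS, (int(v) for v in out)))


def sync_status(row, target):
    """Judge one NB_Global snapshot against the nb_cfg value being waited on."""
    # hv_cfg alone is not enough: with no chassis, ovn-northd copies nb_cfg
    # into it, so the southbound database may still lag. Take the smaller.
    applied = min(row["sb_cfg"], row["hv_cfg"])
    caught_up = applied >= target
    latency_ms = None
    # The two timestamps describe the same change only while hv_cfg == nb_cfg.
    if caught_up and row["hv_cfg"] == row["nb_cfg"]:
        latency_ms = row["hv_cfg_timestamp"] - row["nb_cfg_timestamp"]
    return {"applied": applied, "caught_up": caught_up, "latency_ms": latency_ms}


def wait_for_sync(target, read=read_nb_global, timeout_s=30.0, poll_s=0.5,
                  sleep=time.sleep):
    """Poll until min(sb_cfg, hv_cfg) reaches target or the timeout expires."""
    deadline = time.monotonic() + timeout_s
    while True:
        status = sync_status(read(), target)
        if status["caught_up"] or time.monotonic() >= deadline:
            return status
        sleep(poll_s)


if __name__ == "__main__":
    # Constructed snapshots, not output from a real deployment.
    lagging = {"nb_cfg": 7, "nb_cfg_timestamp": 1700000000000,
               "sb_cfg": 6, "hv_cfg": 7, "hv_cfg_timestamp": 1700000000000}
    done = dict(lagging, sb_cfg=7, hv_cfg_timestamp=1700000000450)
    for snapshot in (lagging, done):
        print(sync_status(snapshot, target=7))
```

Because hv_cfg can regress when a chassis rejoins, a caller that needs a durable guarantee should re-check after the first success rather than cache the result.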
219
220 Common Columns:
221
222 external_ids: map of string-string pairs
223 See External IDs at the beginning of this document.
224
225 Common options:
226
227 options: map of string-string pairs
228 This column provides general key/value settings. The supported
229 options are described individually below.
230
231 Options for configuring OVS BFD:
232
These options apply when ovn-controller configures OVS BFD on tunnel
interfaces. Note that these parameters refer to the legacy OVS BFD
implementation and not to the OVN BFD one.
236
237 options : bfd-min-rx: optional string
238 BFD option min-rx value to use when configuring BFD on tunnel
239 interfaces.
240
241 options : bfd-decay-min-rx: optional string
242 BFD option decay-min-rx value to use when configuring BFD on
243 tunnel interfaces.
244
245 options : bfd-min-tx: optional string
246 BFD option min-tx value to use when configuring BFD on tunnel
247 interfaces.
248
249 options : bfd-mult: optional string
250 BFD option mult value to use when configuring BFD on tunnel in‐
251 terfaces.
252
253 options : mac_prefix: optional string
254 Configure a given OUI to be used as prefix when L2 address is
255 dynamically assigned, e.g. 00:11:22
256
257 options : mac_binding_removal_limit: optional string, containing an in‐
258 teger, in range 0 to 4,294,967,295
MAC binding aging bulk removal limit. This limits how many rows
can expire in a single transaction. The default value is 0, which
means unlimited. When the limit is hit, the next batch removal is
delayed by 5 s.
263
264 options : fdb_removal_limit: optional string, containing an integer, in
265 range 0 to 4,294,967,295
FDB aging bulk removal limit. This limits how many rows can
expire in a single transaction. The default value is 0, which
means unlimited. When the limit is hit, the next batch removal is
delayed by 5 s.
270
271 options : controller_event: optional string, either true or false
272 Value set by the CMS to enable/disable ovn-controller event re‐
273 porting. Traffic into OVS can raise a ’controller’ event that
274 results in a Controller_Event being written to the Con‐
275 troller_Event table in SBDB. When the CMS has seen the event and
276 taken appropriate action, it can remove the corresponding row in
277 Controller_Event table. The intention is for a CMS to see the
278 events and take some sort of action. Please see the Con‐
279 troller_Event table in SBDB. It is possible to associate a meter
280 to each controller event type in order to not overload the pinc‐
281 trl thread under heavy load. Each event type relies on a meter
282 with a defined name:
283
284 • empty_lb_backends: event-elb
285
286 options : northd_probe_interval: optional string
287 The inactivity probe interval of the connection to the OVN
288 Northbound and Southbound databases from ovn-northd, in mil‐
289 liseconds. If the value is zero, it disables the connection
290 keepalive feature.
291
292 If the value is nonzero, then it will be forced to a value of at
293 least 1000 ms.
294
295 options : ic_probe_interval: optional string
296 The inactivity probe interval of the connection to the OVN
297 Northbound and Southbound databases from ovn-ic, in millisec‐
298 onds. If the value is zero, it disables the connection keepalive
299 feature.
300
301 If the value is nonzero, then it will be forced to a value of at
302 least 1000 ms.
303
304 options : nbctl_probe_interval: optional string
305 The inactivity probe interval of the connection to the OVN
306 Northbound database from ovn-nbctl utility, in milliseconds. If
307 the value is zero, it disables the connection keepalive feature.
308
309 If the value is nonzero, then it will be forced to a value of at
310 least 1000 ms.
311
312 If the value is less than zero, then the default inactivity
313 probe interval for ovn-nbctl would be left intact (120000 ms).
314
315 options : northd_trim_timeout: optional string
316 When used, this configuration value specifies the time, in mil‐
317 liseconds, since the last ovn-northd active operation after
318 which memory trimming is performed. By default this is set to
319 30000 (30 seconds).
320
321 options : use_logical_dp_groups: optional string
Note: This option is deprecated; the only behavior is to always
combine logical flows by datapath groups. Changing the value or
removing this option altogether will have no effect.

ovn-northd combines logical flows that differ only by logical
datapath into a single logical flow with a logical datapath group
attached.
329
330 options : use_parallel_build: optional string
331 If set to true, ovn-northd will attempt to compute logical flows
332 in parallel.
333
334 Parallel computation is enabled only if the system has 4 or more
335 cores/threads available to be used by ovn-northd.
336
337 The default value is false.
338
339 options : ignore_lsp_down: optional string
340 If set to false, ARP/ND reply flows for logical switch ports
341 will be installed only if the port is up, i.e. claimed by a
342 Chassis. If set to true, these flows are installed regardless of
343 the status of the port, which can result in a situation that ARP
344 request to an IP is resolved even before the relevant VM/con‐
345 tainer is running. For environments where this is not an issue,
346 setting it to true can reduce the load and latency of the con‐
347 trol plane. The default value is true.
348
349 options : use_ct_inv_match: optional string
350 If set to false, ovn-northd will not use the ct.inv field in any
351 of the logical flow matches. The default value is true. If the
352 NIC supports offloading OVS datapath flows but doesn’t support
353 offloading ct_state inv flag, then the datapath flows matching
354 on this flag (either +inv or -inv) will not be offloaded. CMS
355 should consider setting use_ct_inv_match to false in such cases.
356 This results in a side effect of the invalid packets getting de‐
357 livered to the destination VIF, which otherwise would have been
358 dropped by OVN.
359
360 options : default_acl_drop: optional string
If set to true, ovn-northd will generate a logical flow to drop
all traffic in the ACL stages. By default this option is set to
false.
364
365 options : debug_drop_domain_id: optional string
If set to an 8-bit number and if debug_drop_collector_set is also
configured, ovn-northd will add a sample action to every logical
flow that contains a ’drop’ action. The 8 most significant bits
of the observation_domain_id field will be those specified in
the debug_drop_domain_id. The 24 least significant bits of the
observation_domain_id field will be the datapath’s key.
372
373 The observation_point_id will be set to the first 32 bits of the
374 logical flow’s UUID.
375
376 options : debug_drop_collector_set: optional string
If set to a 32-bit number, ovn-northd will add a sample action to
every logical flow that contains a ’drop’ action. The sample
action will have the specified collector_set_id. The value must
match that of the local OVS configuration as described in
ovs-actions(7).
382
383 options : use_common_zone: optional string, either true or false
Default value is false. If set to true, SNAT and DNAT happen in a
common zone instead of in separate zones, depending on the
configuration. However, this option breaks traffic when DGP + LB +
SNAT is configured on this LR. The value true should be used only
for HWOL compatibility with GDP.
390
391 options : northd-backoff-interval-ms: optional string
Maximum interval, in milliseconds, by which the northd incremental
engine is delayed. Setting the value to nonzero delays the next
northd engine run by the previous run time, capped by the specified
value. If the value is zero, the engine won’t be delayed at all.
The recommended period is smaller than 500 ms; beyond that the
latency of SB changes would be very noticeable.
398
399 Options for configuring interconnection route advertisement:
400
401 These options control how routes are advertised between OVN deployments
402 for interconnection. If enabled, ovn-ic from different OVN deployments
403 exchanges routes between each other through the global OVN_IC_South‐
404 bound database. Only routers with ports connected to interconnection
405 transit switches participate in route advertisement. For each of these
406 routers, there are two types of routes to be advertised:
407
408 Firstly, the static routes configured in the router are advertised.
409
410 Secondly, the networks configured in the logical router ports that are
411 not on the transit switches are advertised. These are considered as di‐
412 rectly connected subnets on the router.
413
414 Link local prefixes (IPv4 169.254.0.0/16 and IPv6 FE80::/10) are never
415 advertised.
416
417 The learned routes are added to the static_routes column of the Logi‐
418 cal_Router table, with external_ids:ic-learned-route set to the uuid of
419 the row in Route table of the OVN_IC_Southbound database.
420
421 options : ic-route-adv: optional string
422 A boolean value that enables route advertisement to the global
423 OVN_IC_Southbound database. Default is false.
424
425 options : ic-route-learn: optional string
426 A boolean value that enables route learning from the global
427 OVN_IC_Southbound database. Default is false.
428
429 options : ic-route-adv-default: optional string
430 A boolean value that enables advertising default route to the
431 global OVN_IC_Southbound database. Default is false. This option
432 takes effect only when option ic-route-adv is true.
433
434 options : ic-route-learn-default: optional string
435 A boolean value that enables learning default route from the
436 global OVN_IC_Southbound database. Default is false. This option
437 takes effect only when option ic-route-learn is true.
438
439 options : ic-route-blacklist: optional string
A string value that contains a list of CIDRs delimited by ",". A
route will not be advertised or learned if the route’s prefix
belongs to any of the CIDRs listed.
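
The interconnection options above act together as a route filter. The following is an added example, not ovn-ic's own code: it models the documented rules (the enable flags, the default-route flags, the link-local exclusion, and ic-route-blacklist) as a single decision function. It assumes "belongs to" means the route prefix is contained in a listed CIDR and that option values are compared case-insensitively; the function names and sample options are constructed for illustration.

```python
import ipaddress

# Link-local prefixes that the text above says are never advertised.
LINK_LOCAL = (ipaddress.ip_network("169.254.0.0/16"),
              ipaddress.ip_network("fe80::/10"))


def is_true(options, key):
    """Treat a missing key as false, the documented default for these options."""
    return options.get(key, "false").strip().lower() == "true"


def parse_blacklist(value):
    """Split the comma-delimited ic-route-blacklist string into networks."""
    return [ipaddress.ip_network(cidr.strip(), strict=False)
            for cidr in value.split(",") if cidr.strip()]


def covering(prefix, cidrs):
    """Return the first CIDR that contains prefix, or None."""
    for cidr in cidrs:
        # subnet_of() raises TypeError across IP versions, so compare first.
        if prefix.version == cidr.version and prefix.subnet_of(cidr):
            return cidr
    return None


def route_decision(prefix, options, direction="adv"):
    """Return (allowed, reason) for advertising ("adv") or learning ("learn")."""
    if direction not in ("adv", "learn"):
        raise ValueError("direction must be 'adv' or 'learn'")
    if not is_true(options, "ic-route-" + direction):
        return False, "ic-route-%s is not true" % direction
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0 and not is_true(options, "ic-route-%s-default" % direction):
        return False, "default route needs ic-route-%s-default" % direction
    if direction == "adv" and covering(net, LINK_LOCAL) is not None:
        return False, "link-local prefix"
    hit = covering(net, parse_blacklist(options.get("ic-route-blacklist", "")))
    if hit is not None:
        return False, "blacklisted by %s" % hit
    return True, "allowed"


if __name__ == "__main__":
    # Constructed NB_Global options map, not taken from a real deployment.
    opts = {"ic-route-adv": "true", "ic-route-learn": "true",
            "ic-route-blacklist": "10.0.0.0/8, fd00:dead::/32"}
    for route in ("10.1.2.0/24", "192.168.5.0/24", "0.0.0.0/0", "169.254.10.0/24"):
        print(route, route_decision(route, opts))
```

Running a planned ic-route-blacklist value through a check like this before committing it shows which internal prefixes would still be exchanged with peer deployments.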
443
444 Connection Options:
445
446 connections: set of Connections
447 Database clients to which the Open vSwitch database server
448 should connect or on which it should listen, along with options
449 for how these connections should be configured. See the Connec‐
450 tion table for more information.
451
452 ssl: optional SSL
453 Global SSL configuration.
454
455 Security Configurations:
456
457 ipsec: boolean
458 Tunnel encryption configuration. If this column is set to be
459 true, all OVN tunnels will be encrypted with IPsec.
460
461 Read-only Options:
462
463 options : max_tunid: optional string
464 The maximum supported tunnel ID. Depends on types of encapsula‐
465 tion enabled in the cluster.
466
468 This table is used to define control plane protection policies, i.e.,
469 associate entries from table Meter to control protocol names.
470
471 Summary:
472 name string (must be unique within table)
473 meters : arp optional string
474 meters : arp-resolve optional string
475 meters : dhcpv4-opts optional string
476 meters : dhcpv6-opts optional string
477 meters : dns optional string
478 meters : event-elb optional string
479 meters : icmp4-error optional string
480 meters : icmp6-error optional string
481 meters : igmp optional string
482 meters : nd-na optional string
483 meters : nd-ns optional string
484 meters : nd-ns-resolve optional string
485 meters : nd-ra-opts optional string
486 meters : tcp-reset optional string
487 meters : bfd optional string
488 meters : reject optional string
489 meters : svc-monitor optional string
490 external_ids map of string-string pairs
491
492 Details:
493 name: string (must be unique within table)
494 CoPP name.
495
496 meters : arp: optional string
497 Rate limiting meter for ARP packets (request/reply) used for
498 learning neighbors.
499
500 meters : arp-resolve: optional string
501 Rate limiting meter for packets that require resolving the next-
502 hop (through ARP).
503
504 meters : dhcpv4-opts: optional string
505 Rate limiting meter for packets that require adding DHCPv4 op‐
506 tions.
507
508 meters : dhcpv6-opts: optional string
509 Rate limiting meter for packets that require adding DHCPv6 op‐
510 tions.
511
512 meters : dns: optional string
513 Rate limiting meter for DNS query packets that need to be
514 replied to.
515
516 meters : event-elb: optional string
517 Rate limiting meter for empty load balancer events.
518
519 meters : icmp4-error: optional string
520 Rate limiting meter for packets that require replying with an
521 ICMP error.
522
523 meters : icmp6-error: optional string
524 Rate limiting meter for packets that require replying with an
525 ICMPv6 error.
526
527 meters : igmp: optional string
528 Rate limiting meter for IGMP packets.
529
530 meters : nd-na: optional string
531 Rate limiting meter for ND neighbor advertisement packets used
532 for learning neighbors.
533
534 meters : nd-ns: optional string
535 Rate limiting meter for ND neighbor solicitation packets used
536 for learning neighbors.
537
538 meters : nd-ns-resolve: optional string
539 Rate limiting meter for packets that require resolving the next-
540 hop (through ND).
541
542 meters : nd-ra-opts: optional string
543 Rate limiting meter for packets that require adding ND router
544 advertisement options.
545
546 meters : tcp-reset: optional string
547 Rate limiting meter for packets that require replying with TCP
548 RST packet.
549
550 meters : bfd: optional string
551 Rate limiting meter for BFD packets.
552
553 meters : reject: optional string
Rate limiting meter for packets that trigger a reject action.
555
556 meters : svc-monitor: optional string
557 Rate limiting meter for packets that are arriving to service
558 monitor MAC address.
559
560 external_ids: map of string-string pairs
561 See External IDs at the beginning of this document.
562
564 Each row represents one L2 logical switch.
565
566 There are two kinds of logical switches, that is, ones that fully vir‐
567 tualize the network (overlay logical switches) and ones that provide
568 simple connectivity to physical networks (bridged logical switches).
569 They work in the same way when providing connectivity between logical
570 ports on same chassis, but differently when connecting remote logical
571 ports. Overlay logical switches connect remote logical ports by tun‐
572 nels, while bridged logical switches provide connectivity to remote
573 ports by bridging the packets to directly connected physical L2 seg‐
574 ments with the help of localnet ports. Each bridged logical switch has
575 one or more localnet ports, which have only one special address un‐
576 known.
577
578 Summary:
579 ports set of Logical_Switch_Ports
580 load_balancer set of weak reference to Load_Balancers
581 load_balancer_group set of Load_Balancer_Groups
582 acls set of ACLs
583 qos_rules set of QoSes
584 dns_records set of weak reference to DNSes
585 forwarding_groups set of Forwarding_Groups
586 Naming:
587 name string
588 external_ids : neutron:network_name
589 optional string
590 IP Address Assignment:
591 other_config : subnet optional string
592 other_config : exclude_ips optional string
593 other_config : ipv6_prefix optional string
594 other_config : mac_only optional string, either true or false
595 other_config : fdb_age_threshold
596 optional string, containing an integer,
597 in range 0 to 4,294,967,295
598 IP Multicast Snooping Options:
599 other_config : mcast_snoop optional string, either true or false
600 other_config : mcast_querier
601 optional string, either true or false
602 other_config : mcast_flood_unregistered
603 optional string, either true or false
604 other_config : mcast_table_size
605 optional string, containing an integer,
606 in range 1 to 32,766
607 other_config : mcast_idle_timeout
608 optional string, containing an integer,
609 in range 15 to 3,600
610 other_config : mcast_query_interval
611 optional string, containing an integer,
612 in range 1 to 3,600
613 other_config : mcast_query_max_response
614 optional string, containing an integer,
615 in range 1 to 10
616 other_config : mcast_eth_src
617 optional string
618 other_config : mcast_ip4_src
619 optional string
620 other_config : mcast_ip6_src
621 optional string
622 Interconnection:
623 other_config : interconn-ts
624 optional string
625 Tunnel Key:
626 other_config : requested-tnl-key
627 optional string, containing an integer,
628 in range 1 to 16,777,215
629 copp optional weak reference to Copp
630 Other options:
631 other_config : vlan-passthru
632 optional string, either true or false
633 other_config : broadcast-arps-to-all-routers
634 optional string, either true or false
635 Common Columns:
636 external_ids map of string-string pairs
637
638 Details:
639 ports: set of Logical_Switch_Ports
640 The logical ports connected to the logical switch.
641
642 It is an error for multiple logical switches to include the same
643 logical port.
644
645 load_balancer: set of weak reference to Load_Balancers
646 Set of load balancers associated to this logical switch.
647
648 load_balancer_group: set of Load_Balancer_Groups
Set of load balancer groups associated to this logical switch.
650
651 acls: set of ACLs
652 Access control rules that apply to packets within the logical
653 switch.
654
655 qos_rules: set of QoSes
656 QoS marking and metering rules that apply to packets within the
657 logical switch.
658
659 dns_records: set of weak reference to DNSes
660 This column defines the DNS records to be used for resolving in‐
661 ternal DNS queries within the logical switch by the native DNS
662 resolver. Please see the DNS table.
663
664 forwarding_groups: set of Forwarding_Groups
665 Groups a set of logical port endpoints for traffic going out of
666 the logical switch.
667
668 Naming:
669
670 These columns provide names for the logical switch. From OVN’s perspec‐
671 tive, these names have no special meaning or purpose other than to pro‐
672 vide convenience for human interaction with the database. There is no
673 requirement for the name to be unique. (For a unique identifier for a
674 logical switch, use its row UUID.)
675
676 (Originally, name was intended to serve the purpose of a human-friendly
677 name, but the Neutron integration used it to uniquely identify its own
678 switch object, in the format neutron-uuid. Later on, Neutron started
679 propagating the friendly name of a switch as external_ids:neutron:net‐
680 work_name. Perhaps this can be cleaned up someday.)
681
682 name: string
683 A name for the logical switch.
684
685 external_ids : neutron:network_name: optional string
686 Another name for the logical switch.
687
688 IP Address Assignment:
689
690 These options control automatic IP address management (IPAM) for ports
691 attached to the logical switch. To enable IPAM for IPv4, set other_con‐
692 fig:subnet and optionally other_config:exclude_ips. To enable IPAM for
693 IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be enabled to‐
694 gether or separately.
695
696 To request dynamic address assignment for a particular port, use the
697 dynamic keyword in the addresses column of the port’s Logi‐
698 cal_Switch_Port row. This requests both an IPv4 and an IPv6 address, if
699 IPAM for IPv4 and IPv6 are both enabled.
700
701 other_config : subnet: optional string
702 Set this to an IPv4 subnet, e.g. 192.168.0.0/24, to enable
703 ovn-northd to automatically assign IP addresses within that sub‐
704 net.
705
706 other_config : exclude_ips: optional string
707 To exclude some addresses from automatic IP address management,
708 set this to a list of the IPv4 addresses or ..-delimited ranges
709 to exclude. The addresses or ranges should be a subset of those
710 in other_config:subnet.
711
712 Whether listed or not, ovn-northd will never allocate the first
713 or last address in a subnet, such as 192.168.0.0 or
714 192.168.0.255 in 192.168.0.0/24.
715
716 Examples:
717
718 • 192.168.0.2 192.168.0.10
719
720 • 192.168.0.4 192.168.0.30..192.168.0.60
721 192.168.0.110..192.168.0.120
722
723 • 192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30
724 192.168.0.144
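
The exclude_ips syntax and the first/last-address rule can be checked before a value is written to the database. The following is an added example, not ovn-northd's parser: it validates an exclude_ips string against other_config:subnet and lists the addresses left for dynamic assignment. Raising an error for out-of-subnet or reversed ranges is a choice made for this validator, and the function names are assumptions.

```python
import ipaddress


def parse_exclude_ips(subnet, exclude_ips):
    """Expand an exclude_ips string into a set of IPv4Address objects.

    Tokens are whitespace-separated; each is one address or a
    "low..high" range. Raises ValueError for anything outside subnet.
    """
    net = ipaddress.ip_network(subnet)
    excluded = set()
    for token in exclude_ips.split():
        low_s, sep, high_s = token.partition("..")
        low = ipaddress.IPv4Address(low_s)
        high = ipaddress.IPv4Address(high_s) if sep else low
        if low > high:
            raise ValueError("reversed range: %s" % token)
        if low not in net or high not in net:
            raise ValueError("%s is not inside %s" % (token, net))
        excluded.update(ipaddress.IPv4Address(i)
                        for i in range(int(low), int(high) + 1))
    return excluded


def allocatable(subnet, exclude_ips=""):
    """Addresses left for dynamic assignment, in ascending order.

    hosts() already omits the first and last address of the subnet,
    matching the rule that those two are never allocated.
    """
    net = ipaddress.ip_network(subnet)
    excluded = parse_exclude_ips(subnet, exclude_ips)
    return [addr for addr in net.hosts() if addr not in excluded]


if __name__ == "__main__":
    # The three example values from the text above, against 192.168.0.0/24.
    examples = (
        "192.168.0.2 192.168.0.10",
        "192.168.0.4 192.168.0.30..192.168.0.60 192.168.0.110..192.168.0.120",
        "192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30 192.168.0.144",
    )
    for value in examples:
        pool = allocatable("192.168.0.0/24", value)
        print(len(pool), "addresses left, first is", pool[0])
```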
725
726 other_config : ipv6_prefix: optional string
727 Set this to an IPv6 prefix to enable ovn-northd to automatically
728 assign IPv6 addresses using this prefix. The assigned IPv6 ad‐
729 dress will be generated using the IPv6 prefix and the MAC ad‐
730 dress (converted to an IEEE EUI64 identifier) of the port. The
731 IPv6 prefix defined here should be a valid IPv6 address ending
732 with ::.
733
734 Examples:
735
736 • aef0::
737
738 • bef0:1234:a890:5678::
739
740 • 8230:5678::
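
The address derivation described for ipv6_prefix can be reproduced offline. The following is an added example, not OVN's implementation: it assumes the standard modified EUI-64 conversion (flip the universal/local bit of the MAC and insert ff:fe in the middle) and a prefix whose low 64 bits are zero. It also shows the reverse step, since an address built this way exposes the port's MAC to anyone who sees it. The function names and sample MACs are constructed for illustration.

```python
import ipaddress

LOW_64 = (1 << 64) - 1


def eui64_interface_id(mac):
    """Convert a 48-bit MAC string into an 8-byte modified EUI-64 identifier."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 0a:00:00:00:00:01")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ipam_ipv6_address(ipv6_prefix, mac):
    """Combine an ipv6_prefix value (ending in ::) with the port's MAC."""
    prefix = ipaddress.IPv6Address(ipv6_prefix)
    if int(prefix) & LOW_64:
        raise ValueError("prefix must leave the low 64 bits zero")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(prefix) | iid)


def mac_from_address(address):
    """Recover the MAC from an EUI-64 style address, or None if it is not one."""
    iid = (int(ipaddress.IPv6Address(address)) & LOW_64).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)


if __name__ == "__main__":
    # Prefixes are the examples listed above; the MACs are constructed.
    for prefix, mac in (("aef0::", "0a:00:00:00:00:01"),
                        ("bef0:1234:a890:5678::", "00:11:22:33:44:55")):
        addr = ipam_ipv6_address(prefix, mac)
        print(prefix, mac, "->", addr, "->", mac_from_address(addr))
```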
741
742 other_config : mac_only: optional string, either true or false
Value used to request assignment of an L2 address only, if neither
subnet nor ipv6_prefix is specified.
745
746 other_config : fdb_age_threshold: optional string, containing an inte‐
747 ger, in range 0 to 4,294,967,295
748 FDB aging threshold value in seconds. FDB exceeding this timeout
749 will be automatically removed. The value defaults to 0, which
750 means disabled.
751
752 IP Multicast Snooping Options:
753
754 These options control IP Multicast Snooping configuration of the logi‐
755 cal switch. To enable IP Multicast Snooping set other_con‐
756 fig:mcast_snoop to true. To enable IP Multicast Querier set other_con‐
757 fig:mcast_querier to true. If IP Multicast Querier is enabled
758 other_config:mcast_eth_src and other_config:mcast_ip4_src must be set.
759
760 other_config : mcast_snoop: optional string, either true or false
761 Enables/disables IP Multicast Snooping on the logical switch.
762 Default: false.
763
764 other_config : mcast_querier: optional string, either true or false
765 Enables/disables IP Multicast Querier on the logical switch.
766 Only applicable if other_config:mcast_snoop is enabled. Default:
767 true.
768
769 other_config : mcast_flood_unregistered: optional string, either true
770 or false
771 Determines whether unregistered multicast traffic should be
772 flooded or not. Only applicable if other_config:mcast_snoop is
773 enabled. Default: false.
774
775 other_config : mcast_table_size: optional string, containing an inte‐
776 ger, in range 1 to 32,766
777 Number of multicast groups to be stored. Default: 2048.
778
779 other_config : mcast_idle_timeout: optional string, containing an inte‐
780 ger, in range 15 to 3,600
781 Configures the IP Multicast Snooping group idle timeout (in sec‐
782 onds). Default: 300 seconds.
783
784 other_config : mcast_query_interval: optional string, containing an in‐
785 teger, in range 1 to 3,600
786 Configures the IP Multicast Querier interval between queries (in
787 seconds). Default: other_config:mcast_idle_timeout / 2.
788
789 other_config : mcast_query_max_response: optional string, containing an
790 integer, in range 1 to 10
791 Configures the value of the "max-response" field in the multi‐
792 cast queries originated by the logical switch. Default: 1 sec‐
793 ond.
794
795 other_config : mcast_eth_src: optional string
796 Configures the source Ethernet address for queries originated by
797 the logical switch.
798
799 other_config : mcast_ip4_src: optional string
800 Configures the source IPv4 address for queries originated by the
801 logical switch.
802
803 other_config : mcast_ip6_src: optional string
804 Configures the source IPv6 address for queries originated by the
805 logical switch.
806
807 Interconnection:
808
809 other_config : interconn-ts: optional string
810 The name of corresponding transit switch in OVN_IC_Northbound
811 database. This kind of logical switch is created and controlled
812 by ovn-ic.
813
814 Tunnel Key:
815
816 other_config : requested-tnl-key: optional string, containing an inte‐
817 ger, in range 1 to 16,777,215
Configures the datapath tunnel key for the logical switch. Usually
this is not needed because ovn-northd will assign a unique key for
each datapath by itself. However, if it is configured, ovn-northd
honors the configured value. The typical use case is for
interconnection: the tunnel keys for transit switches need to be
unique globally, so they are maintained in the global
OVN_IC_Southbound database, and ovn-ic simply syncs the value from
OVN_IC_Southbound through this config.
826
827 copp: optional weak reference to Copp
828 The control plane protection policy from table Copp used for me‐
829 tering packets sent to ovn-controller from ports of this logical
830 switch.
831
832 Other options:
833
834 other_config : vlan-passthru: optional string, either true or false
835 Determines whether VLAN tagged incoming traffic should be al‐
836 lowed. Note that this may have security implications when en‐
837 abled for a logical switch with a tag=0 localnet port. If not
838 properly isolated from other localnet ports, fabric traffic that
839 belongs to other tagged networks may be passed through such a
840 port.
841
842 other_config : broadcast-arps-to-all-routers: optional string, either
843 true or false
844 Determines whether arp requests and ipv6 neighbor solicitations
845 should be sent to all routers and other switchports (default) or
846 if it should only be sent to switchports where the ip/mac ad‐
847 dress is unknown. Setting this to false can significantly reduce
848 the load if the logical switch can receive arp requests for ips
849 it does not know about. However, setting this to false also means
850 that garps are no longer forwarded to all routers and therefore
851 the mac bindings of the routers are no longer updated.
852
853 Common Columns:
854
855 external_ids: map of string-string pairs
856 See External IDs at the beginning of this document.
857
859 A port within an L2 logical switch.
860
861 Summary:
862 Core Features:
863 name string (must be unique within table)
864 type string
865 Options:
866 options map of string-string pairs
867 Options for router ports:
868 options : router-port optional string
869 options : nat-addresses optional string
870 options : exclude-lb-vips-from-garp
871 optional string
872 options : arp_proxy optional string
873 Options for localnet ports:
874 options : network_name optional string
875 options : ethtype optional string
876 options : localnet_learn_fdb
877 optional string, either true or false
878 Options for l2gateway ports:
879 options : network_name optional string
880 options : l2gateway-chassis
881 optional string
882 Options for vtep ports:
883 options : vtep-physical-switch
884 optional string
885 options : vtep-logical-switch
886 optional string
887 VMI (or VIF) Options:
888 options : requested-chassis
889 optional string
890 options : activation-strategy
891 optional string
892 options : iface-id-ver optional string
893 options : qos_min_rate optional string
894 options : qos_max_rate optional string
895 options : qos_burst optional string
896 options : hostname optional string
897 VIF Plugging Options:
898 options : vif-plug-type
899 optional string
900 options : vif-plug-mtu-request
901 optional string
902 Virtual port Options:
903 options : virtual-ip optional string
904 options : virtual-parents
905 optional string
906 IP Multicast Snooping Options:
907 options : mcast_flood optional string, either true or false
908 options : mcast_flood_reports
909 optional string, either true or false
910 Containers:
911 parent_name optional string
912 tag_request optional integer, in range 0 to 4,095
913 tag optional integer, in range 1 to 4,095
914 Port State:
915 up optional boolean
916 enabled optional boolean
917 Addressing:
918 addresses set of strings
919 dynamic_addresses optional string
920 port_security set of strings
921 DHCP:
922 dhcpv4_options optional weak reference to DHCP_Options
923 dhcpv6_options optional weak reference to DHCP_Options
924 mirror_rules set of weak reference to Mirrors
925 ha_chassis_group optional HA_Chassis_Group
926 Naming:
927 external_ids : neutron:port_name
928 optional string
929 Tunnel Key:
930 options : requested-tnl-key
931 optional string, containing an integer,
932 in range 1 to 32,767
933 Common Columns:
934 external_ids map of string-string pairs
935
936 Details:
937 Core Features:
938
939 name: string (must be unique within table)
940 The logical port name.
941
942 For entities (VMs or containers) that are spawned in the hyper‐
943 visor, the name used here must match those used in the exter‐
944 nal_ids:iface-id in the Open_vSwitch database’s Interface table,
945 because hypervisors use external_ids:iface-id as a lookup key to
946 identify the network interface of that entity.
947
948 For containers that share a VIF within a VM, the name can be any
949 unique identifier. See Containers, below, for more information.
950
951 A logical switch port may not have the same name as a logical
952 router port, but the database schema cannot enforce this.
953
954 type: string
955 Specify a type for this logical port. Logical ports can be used
956 to model other types of connectivity into an OVN logical switch.
957 The following types are defined:
958
959 (empty string)
960 A VM (or VIF) interface.
961
962 router A connection to a logical router. The value of op‐
963 tions:router-port specifies the name of the Logi‐
964 cal_Router_Port to which this logical switch port is con‐
965 nected.
966
967 localnet
968 A connection to a locally accessible network from
969 ovn-controller instances that have a corresponding bridge
970 mapping. A logical switch can have multiple localnet
971 ports attached. This type is used to model direct connec‐
972 tivity to existing networks. In this case, each chassis
973 should have a mapping for one of the physical networks
974 only. Note: nothing said above implies that a chassis
975 cannot be plugged to multiple physical networks as long
976 as they belong to different switches.
977
978 localport
979 A connection to a local VIF. Traffic that arrives on a
980 localport is never forwarded over a tunnel to another
981 chassis. These ports are present on every chassis and
982 have the same address in all of them. This is used to
983 model connectivity to local services that run on every
984 hypervisor.
985
986 l2gateway
987 A connection to a physical network.
988
989 vtep A port to a logical switch on a VTEP gateway.
990
991 external
992 Represents a logical port which is external and not hav‐
993 ing an OVS port in the integration bridge. OVN will never
994 receive any traffic from this port or send any traffic to
995 this port. OVN can support native services like
996 DHCPv4/DHCPv6/DNS for this port. If ha_chassis_group is
997 defined, ovn-controller running in the master chassis of
998 the HA chassis group will bind this port to provide these
999 native services. It is expected that this port belongs to
1000 a bridged logical switch (with a localnet port).
1001
1002 It is recommended to use the same HA chassis group for
1003 all the external ports of a logical switch. Otherwise,
1004 the physical switch might see a MAC flap issue when
1005 different chassis provide the native services. For example, when
1006 supporting native DHCPv4 service, DHCPv4 server mac
1007 (configured in options:server_mac column in table DHCP_Options)
1008 originating from different ports can cause a MAC
1009 flap issue. The MAC of the logical router IP(s) can also
1010 flap if the same HA chassis group is not set for all the
1011 external ports of a logical switch.
1012
1013 Below are some of the use cases where external ports can
1014 be used.
1015
1016 • VMs connected to SR-IOV nics - Traffic from these
1017 VMs bypasses the kernel stack, and the local
1018 ovn-controller does not bind these ports and cannot serve
1019 the native services.
1020
1021 • When CMS supports provisioning baremetal servers.
1022
1023 virtual
1024 Represents a logical port which does not have an OVS port
1025 in the integration bridge and has a virtual ip configured
1026 in the options:virtual-ip column. This virtual ip can
1027 move around between the logical ports configured in the
1028 options:virtual-parents column.
1029
1030 One of the use cases where virtual ports can be used is:
1031
1032 • The virtual ip represents a load balancer vip and
1033 the virtual parents provide load balancer service
1034 in an active-standby setup with the active virtual
1035 parent owning the virtual ip.
1036
1037 remote A remote port models a port that resides remotely on
1038 another OVN, which is on the other side of a transit
1039 logical switch for OVN interconnection. Ports of this type
1040 are created by ovn-ic instead of by the CMS. Any change to
1041 the port will be automatically overwritten by ovn-ic.
1042
1043 Options:
1044
1045 options: map of string-string pairs
1046 This column provides key/value settings specific to the logical
1047 port type. The type-specific options are described individually
1048 below.
1049
1050 Options for router ports:
1051
1052 These options apply when type is router.
1053
1054 options : router-port: optional string
1055 Required. The name of the Logical_Router_Port to which this log‐
1056 ical switch port is connected.
1057
1058 options : nat-addresses: optional string
1059 This is used to send gratuitous ARPs for SNAT and DNAT IP ad‐
1060 dresses via the localnet port that is attached to the same logi‐
1061 cal switch as this type router port. This option is specified on
1062 a logical switch port that is connected to a gateway router, or
1063 a logical switch port that is connected to a distributed gateway
1064 port on a logical router.
1065
1066 This must take one of the following forms:
1067
1068 router Gratuitous ARPs will be sent for all SNAT and DNAT exter‐
1069 nal IP addresses and for all load balancer IP addresses
1070 defined on the options:router-port’s logical router, us‐
1071 ing the options:router-port’s MAC address.
1072
1073 This form of options:nat-addresses is valid for logical
1074 switch ports where options:router-port is the name of a
1075 port on a gateway router, or the name of a distributed
1076 gateway port.
1077
1078 Supported only in OVN 2.8 and later. Earlier versions re‐
1079 quired NAT addresses to be manually synchronized.
1080
1081 Ethernet address followed by one or more IPv4 addresses
1082 Example: 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24.
1083 This would result in generation of gratuitous ARPs for IP
1084 addresses 158.36.44.22 and 158.36.44.24 with a MAC ad‐
1085 dress of 80:fa:5b:06:72:b7.
1086
1087 This form of options:nat-addresses is only valid for log‐
1088 ical switch ports where options:router-port is the name
1089 of a port on a gateway router.
1090
1091 options : exclude-lb-vips-from-garp: optional string
1092 If options:nat-addresses is set to router, Gratuitous ARPs will
1093 be sent for all SNAT and DNAT external IP addresses defined on
1094 the options:router-port’s logical router, using the
1095 options:router-port’s MAC address, not considering configured load
1096 balancers.
1097
1098 options : arp_proxy: optional string
1099 Optional. A list of MAC and addresses/cidrs or just ad‐
1100 dresses/cidrs that this logical switch router port will reply to
1101 ARP/NDP requests. Examples: 169.254.239.254 169.254.239.2,
1102 0a:58:a9:fe:01:01 169.254.239.254 169.254.239.2
1103 169.254.238.0/24, fd7b:6b4d:7b25:d22f::1 fd7b:6b4d:7b25:d22f::2,
1104 0a:58:a9:fe:01:01 fd7b:6b4d:7b25:d22f::0/64. The
1105 options:router-port’s logical router should have a route to forward packets
1106 sent to configured proxy ARP MAC/IPs to an appropriate destina‐
1107 tion.
1108
1109 Options for localnet ports:
1110
1111 These options apply when type is localnet.
1112
1113 options : network_name: optional string
1114 Required. The name of the network to which the localnet port is
1115 connected. Each hypervisor, via ovn-controller, uses its local
1116 configuration to determine exactly how to connect to this lo‐
1117 cally accessible network, if at all.
1118
1119 options : ethtype: optional string
1120 Optional. VLAN EtherType field value for encapsulating VLAN
1121 headers. Supported values: 802.11q (default), 802.11ad.
1122
1123 options : localnet_learn_fdb: optional string, either true or false
1124 Optional. Allows localnet port to learn MACs and store them in
1125 FDB table if set to true. The default value is false.
1126
1127 Options for l2gateway ports:
1128
1129 These options apply when type is l2gateway.
1130
1131 options : network_name: optional string
1132 Required. The name of the network to which the l2gateway port is
1133 connected. The L2 gateway, via ovn-controller, uses its local
1134 configuration to determine exactly how to connect to this net‐
1135 work.
1136
1137 options : l2gateway-chassis: optional string
1138 Required. The chassis to which the l2gateway logical port should
1139 be bound. ovn-controller running on the defined chassis will
1140 connect this logical port to the physical network.
1141
1142 Options for vtep ports:
1143
1144 These options apply when type is vtep.
1145
1146 options : vtep-physical-switch: optional string
1147 Required. The name of the VTEP gateway.
1148
1149 options : vtep-logical-switch: optional string
1150 Required. A logical switch name connected by the VTEP gateway.
1151
1152 VMI (or VIF) Options:
1153
1154 These options apply to logical ports whose type is (empty string).
1155
1156 options : requested-chassis: optional string
1157 If set, identifies a specific chassis (by name or hostname) that
1158 is allowed to bind this port. Using this option will prevent
1159 thrashing between two chassis trying to bind the same port dur‐
1160 ing a live migration. It can also prevent similar thrashing due
1161 to a mis-configuration, if a port is accidentally created on
1162 more than one chassis.
1163
1164 If set to a comma separated list, the first entry identifies the
1165 main chassis and the rest are one or more additional chassis
1166 that are allowed to bind the same port.
1167
1168 When multiple chassis are set for the port, and the logical
1169 switch is connected to an external network through a localnet
1170 port, tunneling is enforced for the port to guarantee delivery
1171 of packets directed to the port to all its locations. This has
1172 MTU implications because the network used for tunneling must
1173 have MTU larger than localnet for stable connectivity.
1174
1175 If the same host co-hosts more than one controller instance (ei‐
1176 ther belonging to the same or separate clusters), special atten‐
1177 tion should be given to consistently using unique chassis names
1178 used in this option. It is advised that chassis names - and not
1179 host names - are used for this option.
1180
1181 options : activation-strategy: optional string
1182 If used with multiple chassis set in requested-chassis, speci‐
1183 fies an activation strategy for all additional chassis. By de‐
1184 fault, no activation strategy is used, meaning additional port
1185 locations are immediately available for use. When set to "rarp",
1186 the port is blocked for ingress and egress communication until a
1187 RARP packet is sent from a new location. The "rarp" strategy is
1188 useful in live migration scenarios for virtual machines.
1189
1190 options : iface-id-ver: optional string
1191 If set, this port will be bound by ovn-controller only if this
1192 same key and value is configured in the external_ids column in
1193 the Open_vSwitch database’s Interface table.
1194
1195 options : qos_min_rate: optional string
1196 If set, indicates the minimum guaranteed rate available for data
1197 sent from this interface, in bit/s.
1198
1199 options : qos_max_rate: optional string
1200 If set, indicates the maximum rate for data sent from this in‐
1201 terface, in bit/s. The traffic will be shaped according to this
1202 limit.
1203
1204 options : qos_burst: optional string
1205 If set, indicates the maximum burst size for data sent from this
1206 interface, in bits.
1207
1208 options : hostname: optional string
1209 If set, indicates the DHCPv4 option "Hostname" (option code 12)
1210 associated with this Logical Switch Port. If DHCPv4 is enabled
1211 for this Logical Switch Port, the hostname DHCP option will be
1212 included in the DHCP reply.
1213
1214 VIF Plugging Options:
1215
1216 options : vif-plug-type: optional string
1217 If set, OVN will attempt to perform plugging of this VIF. In or‐
1218 der to get this port plugged by the OVN controller, OVN must be
1219 built with support for VIF plugging. The default behavior is for
1220 the CMS to do the VIF plugging. Each VIF plug provider has its
1221 own options namespaced by name, for example
1222 "vif-plug:representor:key". Please refer to the VIF plug provider
1223 documentation located in Documentation/topics/vif-plug-providers/ for
1224 more information.
1225
1226 options : vif-plug-mtu-request: optional string
1227 Requested MTU for plugged interfaces. When set, the OVN
1228 controller will fill the mtu_request column of the Open vSwitch
1229 database’s Interface table. This in turn will make OVS vswitchd
1230 update the MTU of the linked interface.
1231
1232 Virtual port Options:
1233
1234 These options apply when type is virtual.
1235
1236 options : virtual-ip: optional string
1237 This option represents the virtual IPv4 address.
1238
1239 options : virtual-parents: optional string
1240 This option represents a set of logical port names (within the
1241 same logical switch) which can own the virtual ip configured in
1242 options:virtual-ip. All these virtual parents should add the
1243 virtual ip to port_security if port security addresses are
1244 enabled.
1245
1246 IP Multicast Snooping Options:
1247
1248 These options apply when the port is part of a logical switch which has
1249 other_config :mcast_snoop set to true.
1250
1251 options : mcast_flood: optional string, either true or false
1252 If set to true, multicast packets (except reports) are uncondi‐
1253 tionally forwarded to the specific port. Default: false.
1254
1255 options : mcast_flood_reports: optional string, either true or false
1256 If set to true, multicast reports are unconditionally forwarded
1257 to the specific port. Default: false.
1258
1259 Containers:
1260
1261 When a large number of containers are nested within a VM, it may be too
1262 expensive to dedicate a VIF to each container. OVN can use VLAN tags to
1263 support such cases. Each container is assigned a VLAN ID and each
1264 packet that passes between the hypervisor and the VM is tagged with the
1265 appropriate ID for the container. Such VLAN IDs never appear on a phys‐
1266 ical wire, even inside a tunnel, so they need not be unique except rel‐
1267 ative to a single VM on a hypervisor.
1268
1269 These columns are used for VIFs that represent nested containers using
1270 shared VIFs. For VMs and for containers that have dedicated VIFs, they
1271 are empty.
1272
1273 parent_name: optional string
1274 The VM interface through which the nested container sends its
1275 network traffic. This must match the name column for some other
1276 Logical_Switch_Port. Note: for performance of the OVN Southbound
1277 database conditional monitoring, unlike for regular VIFs,
1278 ovn-controller will register to get updates about all OVN South‐
1279 bound database Port_Binding table records that correspond to
1280 nested container ports even if external_ids:ovn-monitor-all is
1281 set to false. See ovn-controller(8) for more information.
1282
1283 tag_request: optional integer, in range 0 to 4,095
1284 The VLAN tag in the network traffic associated with a con‐
1285 tainer’s network interface. The client can request ovn-northd to
1286 allocate a tag that is unique within the scope of a specific
1287 parent (specified in parent_name) by setting a value of 0 in
1288 this column. The allocated value is written by ovn-northd in the
1289 tag column. (Note that these tags are allocated and managed lo‐
1290 cally in ovn-northd, so they cannot be reconstructed in the
1291 event that the database is lost.) The client can also request a
1292 specific non-zero tag and ovn-northd will honor it and copy that
1293 value to the tag column.
1294
1295 When type is set to localnet or l2gateway, this can be set to
1296 indicate that the port represents a connection to a specific
1297 VLAN on a locally accessible network. The VLAN ID is used to
1298 match incoming traffic and is also added to outgoing traffic.
1299
1300 tag: optional integer, in range 1 to 4,095
1301 The VLAN tag allocated by ovn-northd based on the contents of
1302 the tag_request column.
1303
1304 Port State:
1305
1306 up: optional boolean
1307 This column is populated by ovn-northd, rather than by the CMS
1308 plugin as is most of this database. When a logical port is bound
1309 to a physical location in the OVN Southbound database Binding
1310 table, ovn-northd sets this column to true; otherwise, or if the
1311 port becomes unbound later, it sets it to false. If this column
1312 is empty, the port is not considered up. This allows the CMS to
1313 wait for a VM’s (or container’s) networking to become active be‐
1314 fore it allows the VM (or container) to start.
1315
1316 Logical ports of router type are an exception to this rule. They
1317 are considered to be always up, that is this column is always
1318 set to true.
1319
1320 enabled: optional boolean
1321 This column is used to administratively set port state. If this
1322 column is empty or is set to true, the port is enabled. If this
1323 column is set to false, the port is disabled. A disabled port
1324 has all ingress and egress traffic dropped.
1325
1326 Addressing:
1327
1328 addresses: set of strings
1329 Addresses owned by the logical port.
1330
1331 Each element in the set must take one of the following forms:
1332
1333 Ethernet address followed by zero or more IPv4 or IPv6 addresses
1334 (or both)
1335 The defined Ethernet address is owned by the logical port.
1336 Like a physical Ethernet NIC, a logical port ordinarily
1337 has a single fixed Ethernet address.
1338
1339 When an OVN logical switch processes a unicast Ethernet
1340 frame whose destination MAC address is in a logical
1341 port’s addresses column, it delivers it only to that
1342 port, as if a MAC learning process had learned that MAC
1343 address on the port.
1344
1345 If IPv4 or IPv6 address(es) (or both) are defined, it in‐
1346 dicates that the logical port owns the given IP ad‐
1347 dresses.
1348
1349 If IPv4 address(es) are defined, the OVN logical switch
1350 uses this information to synthesize responses to ARP re‐
1351 quests without traversing the physical network. The OVN
1352 logical router connected to the logical switch, if any,
1353 uses this information to avoid issuing ARP requests for
1354 logical switch ports.
1355
1356 Note that the order here is important. The Ethernet ad‐
1357 dress must be listed before the IP address(es) if de‐
1358 fined.
1359
1360 Examples:
1361
1362 80:fa:5b:06:72:b7
1363 This indicates that the logical port owns the
1364 above mac address.
1365
1366 80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
1367 This indicates that the logical port owns the mac
1368 address and two IPv4 addresses.
1369
1370 80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1371 This indicates that the logical port owns the mac
1372 address and 1 IPv6 address.
1373
1374 80:fa:5b:06:72:b7 10.0.0.4
1375 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1376 This indicates that the logical port owns the mac
1377 address and 1 IPv4 address and 1 IPv6 address.
1378
1379 unknown
1380 This indicates that the logical port has an unknown set
1381 of Ethernet addresses. When an OVN logical switch pro‐
1382 cesses a unicast Ethernet frame whose destination MAC ad‐
1383 dress is not in any logical port’s addresses column, it
1384 delivers it to the port (or ports) whose addresses col‐
1385 umns include unknown.
1386
1387 dynamic
1388 Use dynamic to make ovn-northd generate a globally unique
1389 MAC address, choose an unused IPv4 address with the logi‐
1390 cal port’s subnet (if other_config:subnet is set in the
1391 port’s Logical_Switch), and generate an IPv6 address from
1392 the MAC address (if other_config:ipv6_prefix is set in
1393 the port’s Logical_Switch) and store them in the port’s
1394 dynamic_addresses column.
1395
1396 Only one element containing dynamic may appear in ad‐
1397 dresses.
1398
1399 dynamic ip
1400 dynamic ipv6
1401 dynamic ip ipv6
1402 These act like dynamic alone but specify particular IPv4 or
1403 IPv6 addresses to use. OVN IPAM will still automatically
1404 allocate the other address if configured appropriately. Ex‐
1405 ample: dynamic 192.168.0.1 2001::1.
1406
1407 mac dynamic
1408 This acts like dynamic alone but specifies a particular MAC
1409 address to use. OVN IPAM will still automatically allocate
1410 IPv4 or IPv6 addresses, or both, if configured appropri‐
1411 ately. Example: 80:fa:5b:06:72:b7 dynamic
1412
1413 router
1414 Accepted only when type is router. This indicates that the
1415 Ethernet, IPv4, and IPv6 addresses for this logical switch
1416 port should be obtained from the connected logical router
1417 port, as specified by router-port in options.
1418
1419 The resulting addresses are used to populate the logical
1420 switch’s destination lookup, and also for the logical
1421 switch to generate ARP and ND replies.
1422
1423 If the connected logical router port has a distributed
1424 gateway port specified and the logical router has rules
1425 specified in nat with external_mac, then those addresses
1426 are also used to populate the switch’s destination lookup.
1427
1428 Supported only in OVN 2.7 and later. Earlier versions re‐
1429 quired router addresses to be manually synchronized.
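
The forms listed above, as a validator for one port's addresses column. This is an added example, not code from OVN; the function names classify and validate_column are hypothetical, and it follows the forms exactly as written above (plain addresses, no masks), which is an assumption of this example.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)


def classify(element):
    """Return the form of one addresses element, or raise ValueError."""
    toks = element.split()
    if not toks:
        raise ValueError("empty element")
    if toks == ["unknown"]:
        return "unknown"
    if toks == ["router"]:
        return "router"
    if toks[0] == "dynamic":
        # dynamic | dynamic ip | dynamic ipv6 | dynamic ip ipv6
        versions = [ipaddress.ip_address(t).version for t in toks[1:]]
        if versions not in ([], [4], [6], [4, 6]):
            raise ValueError("expected: dynamic [ip] [ipv6]")
        return "dynamic"
    if MAC_RE.match(toks[0]):
        if toks[1:] == ["dynamic"]:
            return "mac dynamic"
        for tok in toks[1:]:
            # Assumption: plain IPv4/IPv6 addresses only, as in the examples.
            ipaddress.ip_address(tok)
        return "static"
    # The order matters: the Ethernet address comes before any IP address.
    raise ValueError("Ethernet address must be listed first")


def validate_column(addresses, port_type=""):
    """Check a whole addresses column; return a list of problem strings."""
    problems = []
    kinds = []
    for element in addresses:
        try:
            kinds.append(classify(element))
        except ValueError as exc:
            problems.append("%r: %s" % (element, exc))
    if sum(k in ("dynamic", "mac dynamic") for k in kinds) > 1:
        problems.append("only one element containing dynamic may appear")
    if "router" in kinds and port_type != "router":
        problems.append("router is accepted only when type is router")
    return problems
```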
1430
1431 dynamic_addresses: optional string
1432 Addresses assigned to the logical port by ovn-northd, if dynamic
1433 is specified in addresses. Addresses will be of the same format
1434 as those that populate the addresses column. Note that dynami‐
1435 cally assigned addresses are constructed and managed locally in
1436 ovn-northd, so they cannot be reconstructed in the event that
1437 the database is lost.
1438
1439 port_security: set of strings
1440 This column controls the addresses from which the host attached
1441 to the logical port (``the host’’) is allowed to send packets
1442 and to which it is allowed to receive packets. If this column is
1443 empty, all addresses are permitted.
1444
1445 Each element in the set must begin with one Ethernet address.
1446 This would restrict the host to sending packets from and receiv‐
1447 ing packets to the ethernet addresses defined in the logical
1448 port’s port_security column. It also restricts the inner source
1449 MAC addresses that the host may send in ARP and IPv6 Neighbor
1450 Discovery packets. The host is always allowed to receive packets
1451 to multicast and broadcast Ethernet addresses.
1452
1453 Each element in the set may additionally contain one or more
1454 IPv4 or IPv6 addresses (or both), with optional masks. If a mask
1455 is given, it must be a CIDR mask. In addition to the restric‐
1456 tions described for Ethernet addresses above, such an element
1457 restricts the IPv4 or IPv6 addresses from which the host may
1458 send and to which it may receive packets to the specified ad‐
1459 dresses. A masked address, if the host part is zero, indicates
1460 that the host is allowed to use any address in the subnet; if
1461 the host part is nonzero, the mask simply indicates the size of
1462 the subnet. In addition:
1463
1464 • If any IPv4 address is given, the host is also allowed to
1465 receive packets to the IPv4 local broadcast address
1466 255.255.255.255 and to IPv4 multicast addresses
1467 (224.0.0.0/4). If an IPv4 address with a mask is given,
1468 the host is also allowed to receive packets to the broad‐
1469 cast address in that specified subnet.
1470
1471 If any IPv4 address is given, the host is additionally
1472 restricted to sending ARP packets with the specified
1473 source IPv4 address. (RARP is not restricted.)
1474
1475 • If any IPv6 address is given, the host is also allowed to
1476 receive packets to IPv6 multicast addresses (ff00::/8).
1477
1478 If any IPv6 address is given, the host is additionally
1479 restricted to sending IPv6 Neighbor Discovery Solicita‐
1480 tion or Advertisement packets with the specified source
1481 address or, for solicitations, the unspecified address.
1482
1483 If an element includes an IPv4 address, but no IPv6 addresses,
1484 then IPv6 traffic is not allowed. If an element includes an IPv6
1485 address, but no IPv4 address, then IPv4 and ARP traffic is not
1486 allowed.
1487
1488 This column uses the same lexical syntax as the match column in
1489 the OVN Southbound database’s Pipeline table. Multiple addresses
1490 within an element may be space or comma separated.
1491
1492 This column is provided as a convenience to cloud management
1493 systems, but all of the features that it implements can be im‐
1494 plemented as ACLs using the ACL table.
1495
1496 Examples:
1497
1498 80:fa:5b:06:72:b7
1499 The host may send traffic from and receive traffic to the
1500 specified MAC address, and may receive traffic to Ethernet
1501 multicast and broadcast addresses, but not otherwise. The
1502 host may not send ARP or IPv6 Neighbor Discovery packets
1503 with inner source Ethernet addresses other than the one
1504 specified.
1505
1506 80:fa:5b:06:72:b7 192.168.1.10/24
1507 This adds further restrictions to the first example. The
1508 host may send IPv4 packets from or receive IPv4 packets
1509 to only 192.168.1.10, except that it may also receive
1510 IPv4 packets to 192.168.1.255 (based on the subnet mask),
1511 255.255.255.255, and any address in 224.0.0.0/4. The host
1512 may not send ARPs with a source Ethernet address other
1513 than 80:fa:5b:06:72:b7 or source IPv4 address other than
1514 192.168.1.10. The host may not send or receive any IPv6
1515 (including IPv6 Neighbor Discovery) traffic.
1516
1517 "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
1518 The host may send traffic from and receive traffic to the
1519 specified MAC addresses, and may receive traffic to
1520 Ethernet multicast and broadcast addresses, but not otherwise.
1521 With MAC 80:fa:5b:12:42:ba, the host may send traffic
1522 from and receive traffic to any L3 address. With MAC
1523 80:fa:5b:06:72:b7, the host may send IPv4 packets from or
1524 receive IPv4 packets to only 192.168.1.10, except that it
1525 may also receive IPv4 packets to 192.168.1.255 (based on
1526 the subnet mask), 255.255.255.255, and any address in
1527 224.0.0.0/4. The host may not send or receive any IPv6
1528 (including IPv6 Neighbor Discovery) traffic.
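
The port_security rules above, and the options:virtual-parents requirement that each parent list the virtual ip, as an evaluator. This is an added example, not code from OVN; the names Element, PortSecurity and parents_missing_virtual_ip are hypothetical. It models only the Ethernet and IP address rules stated in this column's description, not the ARP and Neighbor Discovery inner-address checks.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
V4_BROADCAST = ipaddress.ip_address("255.255.255.255")
V4_MULTICAST = ipaddress.ip_network("224.0.0.0/4")
V6_MULTICAST = ipaddress.ip_network("ff00::/8")


def is_group_mac(mac):
    """Ethernet multicast/broadcast: low bit of the first octet is set."""
    return bool(int(mac.split(":")[0], 16) & 1)


class Element:
    """One port_security element: an Ethernet address plus optional L3 addresses."""

    def __init__(self, text):
        # Addresses within an element may be space or comma separated.
        tokens = [t for t in re.split(r"[\s,]+", text.strip()) if t]
        if not tokens or not MAC_RE.match(tokens[0]):
            raise ValueError("element must begin with an Ethernet address: %r" % text)
        self.mac = tokens[0].lower()
        self.l3 = [ipaddress.ip_interface(t) for t in tokens[1:]]

    def _unicast_ok(self, ip):
        for iface in self.l3:
            if iface.version != ip.version:
                continue
            if iface.ip == iface.network.network_address:
                # Host part zero: any address in the subnet is allowed.
                if ip in iface.network:
                    return True
            elif ip == iface.ip:
                # Host part nonzero: the mask only gives the subnet size.
                return True
        return False

    def may_send(self, src_mac, src_ip):
        if src_mac.lower() != self.mac:
            return False
        if not self.l3:
            return True  # MAC-only element: no L3 restriction
        return self._unicast_ok(src_ip)

    def may_receive(self, dst_mac, dst_ip):
        if dst_mac.lower() != self.mac and not is_group_mac(dst_mac):
            return False
        if not self.l3:
            return True
        if not any(i.version == dst_ip.version for i in self.l3):
            return False  # e.g. IPv4-only element: no IPv6 traffic
        if self._unicast_ok(dst_ip):
            return True
        if dst_ip.version == 6:
            return dst_ip in V6_MULTICAST
        if dst_ip == V4_BROADCAST or dst_ip in V4_MULTICAST:
            return True
        # Subnet broadcast of each IPv4 address given with a mask.
        return any(i.version == 4 and dst_ip == i.network.broadcast_address
                   for i in self.l3)


class PortSecurity:
    """The whole column: a set of elements; empty means all addresses permitted."""

    def __init__(self, column):
        self.elements = [Element(e) for e in column]

    def may_send(self, src_mac, src_ip):
        ip = ipaddress.ip_address(src_ip)
        return not self.elements or any(e.may_send(src_mac, ip) for e in self.elements)

    def may_receive(self, dst_mac, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        return not self.elements or any(e.may_receive(dst_mac, ip) for e in self.elements)


def parents_missing_virtual_ip(virtual_ip, parents):
    """Names of virtual parents whose non-empty port_security omits virtual_ip.

    `parents` maps each port name from options:virtual-parents to that
    port's port_security column (a list of element strings).
    """
    vip = ipaddress.ip_address(virtual_ip)
    missing = []
    for name, column in parents.items():
        ps = PortSecurity(column)
        if ps.elements and not any(e.may_send(e.mac, vip) for e in ps.elements):
            missing.append(name)
    return sorted(missing)
```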
1529
1530 DHCP:
1531
1532 dhcpv4_options: optional weak reference to DHCP_Options
1533 This column defines the DHCPv4 Options to be included by the
1534 ovn-controller when it replies to the DHCPv4 requests. Please
1535 see the DHCP_Options table.
1536
1537 dhcpv6_options: optional weak reference to DHCP_Options
1538 This column defines the DHCPv6 Options to be included by the
1539 ovn-controller when it replies to the DHCPv6 requests. Please
1540 see the DHCP_Options table.
1541
1542 mirror_rules: set of weak reference to Mirrors
1543 Mirror rules that apply to the logical switch port that is the
1544 source. Please see the Mirror table.
1545
1546 ha_chassis_group: optional HA_Chassis_Group
1547 References a row in the OVN Northbound database’s HA_Chas‐
1548 sis_Group table. It indicates the HA chassis group to use if the
1549 type is set to external. If type is not external, this column is
1550 ignored.
1551
1552 Naming:
1553
1554 external_ids : neutron:port_name: optional string
1555 This column gives an optional human-friendly name for the port.
1556 This name has no special meaning or purpose other than to pro‐
1557 vide convenience for human interaction with the northbound data‐
1558 base.
1559
1560 Neutron copies this from its own port object’s name. (Neutron
1561 ports are not assigned human-friendly names by default, so it
1562 will often be empty.)
1563
1564 Tunnel Key:
1565
1566 options : requested-tnl-key: optional string, containing an integer, in
1567 range 1 to 32,767
1568 Configures the port binding tunnel key for the port. Usually
1569 this is not needed because ovn-northd will assign a unique key
1570 for each port by itself. However, if it is configured,
1571 ovn-northd honors the configured value. The typical use case is
1572 for interconnection: the tunnel keys for ports on transit
1573 switches need to be unique globally, so they are maintained in
1574 the global OVN_IC_Southbound database, and ovn-ic simply syncs
1575 the value from OVN_IC_Southbound through this config.
1576
1577 Common Columns:
1578
1579 external_ids: map of string-string pairs
1580 See External IDs at the beginning of this document.
1581
1582 The ovn-northd program copies all these pairs into the exter‐
1583 nal_ids column of the Port_Binding table in OVN_Southbound data‐
1584 base.
1585
1587 Each row represents one forwarding group.
1588
1589 Summary:
1590 name string
1591 vip string
1592 vmac string
1593 liveness boolean
1594 child_port set of 1 or more strings
1595 Common Columns:
1596 external_ids map of string-string pairs
1597
1598 Details:
1599 name: string
1600 A name for the forwarding group. This name has no special mean‐
1601 ing or purpose other than to provide convenience for human in‐
1602 teraction with the ovn-nb database.
1603
1604 vip: string
1605 The virtual IP address assigned to the forwarding group. It will
1606 respond with vmac when an ARP request is sent for vip.
1607
1608 vmac: string
1609 The virtual MAC address assigned to the forwarding group.
1610
1611 liveness: boolean
1612 If set to true, liveness is enabled for child ports otherwise it
1613 is disabled.
1614
1615 child_port: set of 1 or more strings
1616 List of child ports in the forwarding group.
1617
1618 Common Columns:
1619
1620 external_ids: map of string-string pairs
1621 See External IDs at the beginning of this document.
1622
1624 Each row in this table represents a named set of addresses. An address
1625 set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
1626 or CIDR masks. Address sets may ultimately be used in ACLs to compare
1627 against fields such as ip4.src or ip6.src. A single address set must
1628 contain addresses of the same type. As an example, the following would
1629 create an address set with three IP addresses:
1630
1631 ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'
1632
1633
1634 Address sets may be used in the match column of the ACL table. For syn‐
1635 tax information, see the details of the expression language used for
1636 the match column in the Logical_Flow table of the OVN_Southbound data‐
1637 base.
1638
1639 Summary:
1640 name string (must be unique within table)
1641 addresses set of strings
1642 Common Columns:
1643 external_ids map of string-string pairs
1644
1645 Details:
1646 name: string (must be unique within table)
1647 A name for the address set. Names are ASCII and must match
1648 [a-zA-Z_.][a-zA-Z_.0-9]*.
1649
1650 addresses: set of strings
1651 The set of addresses in string form.
1652
1653 Common Columns:
1654
1655 external_ids: map of string-string pairs
1656 See External IDs at the beginning of this document.
1657
1659 Each row in this table represents a named group of logical switch
1660 ports.
1661
1662 Port groups may be used in the match column of the ACL table. For syn‐
1663 tax information, see the details of the expression language used for
1664 the match column in the Logical_Flow table of the OVN_Southbound data‐
1665 base.
1666
1667 For each port group, there are two address sets generated to the Ad‐
1668 dress_Set table of the OVN_Southbound database, containing the IP ad‐
1669 dresses of the group of ports, one for IPv4, and the other for IPv6,
1670 with name being the name of the Port_Group followed by a suffix _ip4
1671 for IPv4 and _ip6 for IPv6. The generated address sets can be used in
1672 the same way as regular address sets in the match column of the ACL ta‐
1673 ble. For syntax information, see the details of the expression language
1674 used for the match column in the Logical_Flow table of the OVN_South‐
1675 bound database.
1676
1677 Summary:
1678 name string (must be unique within table)
1679 ports set of weak reference to Logi‐
1680 cal_Switch_Ports
1681 acls set of ACLs
1682 Common Columns:
1683 external_ids map of string-string pairs
1684
1685 Details:
1686 name: string (must be unique within table)
1687 A name for the port group. Names are ASCII and must match
1688 [a-zA-Z_.][a-zA-Z_.0-9]*.
1689
1690 ports: set of weak reference to Logical_Switch_Ports
1691 The logical switch ports belonging to the group, given as UUIDs.
1692
1693 acls: set of ACLs
1694 Access control rules that apply to the port group. Applying an
1695 ACL to a port group has the same effect as applying the ACL to
1696 all logical switches that the ports of the port group belong
1697 to.
1698
1699 Common Columns:
1700
1701 external_ids: map of string-string pairs
1702 See External IDs at the beginning of this document.
1703
1705 Each row represents one load balancer.
1706
1707 Summary:
1708 name string
1709 vips map of string-string pairs
1710 protocol optional string, one of sctp, tcp, or udp
1711 Health Checks:
1712 health_check set of Load_Balancer_Health_Checks
1713 ip_port_mappings map of string-string pairs
1714 selection_fields set of strings, one of eth_dst, eth_src,
1715 ip_dst, ip_src, tp_dst, or tp_src
1716 Common Columns:
1717 external_ids map of string-string pairs
1718 Load_Balancer options:
1719 options : reject optional string, either true or false
1720 options : hairpin_snat_ip optional string
1721 options : skip_snat optional string
1722 options : add_route optional string
1723 options : neighbor_responder
1724 optional string
1725 options : template optional string
1726 options : address-family optional string
1727 options : affinity_timeout optional string
1728 options : ct_flush optional string, either true or false
1729
1730 Details:
1731 name: string
1732 A name for the load balancer. This name has no special meaning
1733 or purpose other than to provide convenience for human interac‐
1734 tion with the ovn-nb database.
1735
1736 vips: map of string-string pairs
1737 A map of virtual IP addresses (and an optional port number with
1738 : as a separator) associated with this load balancer and their
1739 corresponding endpoint IP addresses (and optional port numbers
1740 with : as separators) separated by commas. If the destination IP
1741 address (and port number) of a packet leaving a container or a
1742 VM matches the virtual IP address (and port number) provided
1743 here as a key, then OVN will statefully replace the destination
1744 IP address by one of the provided IP addresses (and port number)
1745 in this map as a value. IPv4 and IPv6 addresses are supported
1746 for load balancing; however a VIP of one address family may not
1747 be mapped to a destination IP address of a different family. If
1748 specifying an IPv6 address with a port, the address portion must
1749 be enclosed in square brackets. Examples for keys are
1750 "192.168.1.4" and "[fd0f::1]:8800". Examples for value are
1751 "10.0.0.1, 10.0.0.2" and "20.0.0.10:8800, 20.0.0.11:8800".
1752
1753 When the Load_Balancer is added to the logical_switch, the VIP
1754 has to be in a different subnet than the one used for the
1755 logical_switch. Since the VIP is in a different subnet, you should
1756 connect your logical switch to either an OVN logical router or a
1757 real router (this is because the client can now send a packet
1758 with the VIP as the destination IP address and the router’s MAC
1759 address as the destination MAC address).
1760
1761 protocol: optional string, one of sctp, tcp, or udp
1762 Valid protocols are tcp, udp, or sctp. This column is useful
1763 when a port number is provided as part of the vips column. If
1764 this column is empty and a port number is provided as part of
1765 vips column, OVN assumes the protocol to be tcp.
1766
1767 Health Checks:
1768
1769 OVN supports health checks for load balancer endpoints. When health
1770 checks are enabled, the load balancer uses only healthy endpoints.
1771
1772 Suppose that vips contains a key-value pair
1773 10.0.0.10:80=10.0.0.4:8080,20.0.0.4:8080. To enable health checks for
1774 this VIP’s endpoints, add two key-value pairs to ip_port_mappings,
1775 with keys 10.0.0.4 and 20.0.0.4, and add to health_check a reference to
1776 a Load_Balancer_Health_Check row whose vip is set to 10.0.0.10. The
1777 same approach can be used for IPv6 as well.
1778
1779 health_check: set of Load_Balancer_Health_Checks
1780 Load balancer health checks associated with this load balancer.
1781
1782 ip_port_mappings: map of string-string pairs
1783 Maps from endpoint IP to a colon-separated pair of logical port
1784 name and source IP, e.g. port_name:source_ip for IPv4. Health
1785 checks are sent to this port with the specified source IP. For
1786 IPv6, square brackets must be used around the IP address, e.g.
1787 port_name:[source_ip].
1788
1789 For example, in the example above, IP to port mappings might be
1790 defined as 10.0.0.4=sw0-p1:10.0.0.2 and
1791 20.0.0.4=sw1-p1:20.0.0.2, if the values given were suitable
1792 ports and IP addresses.
1793
1794 For IPv6 IP to port mappings might be defined as
1795 [2001::1]=sw0-p1:[2002::1].
1796
1797 selection_fields: set of strings, one of eth_dst, eth_src, ip_dst,
1798 ip_src, tp_dst, or tp_src
1799 OVN native load balancers are supported using the OpenFlow
1800 groups of type select. OVS supports two selection methods:
1801 dp_hash and hash (with optional fields specified) in selecting
1802 the buckets of a group. Please see the OVS documentation (man
1803 ovs-ofctl) for more details on the selection methods. Each end‐
1804 point IP (and port if set) is mapped to a bucket in the group
1805 flow.
1806
1807 CMS can choose the hash selection method by setting the selec‐
1808 tion fields in this column. ovs-vswitchd uses the specified
1809 fields in generating the hash.
1810
1811 dp_hash selection method uses the assistance of datapath to cal‐
1812 culate the hash and it is expected to be faster than hash selec‐
1813 tion method. So CMS should take this into consideration before
1814 using the hash method. Please consult the OVS documentation and
1815 OVS sources for the implementation details.
1816
1817 Common Columns:
1818
1819 external_ids: map of string-string pairs
1820 See External IDs at the beginning of this document.
1821
1822 Load_Balancer options:
1823
1824 options : reject: optional string, either true or false
1825 If the load balancer is created with --reject option and it has
1826 no active backends, a TCP reset segment (for tcp) or an ICMP
1827 port unreachable packet (for all other kinds of traffic) will be
1828 sent whenever an incoming packet is received for this load-bal‐
1829 ancer. Please note using --reject option will disable empty_lb
1830 SB controller event for this load balancer.
1831
1832 options : hairpin_snat_ip: optional string
1833 IP to be used as source IP for packets that have been hair-
1834 pinned after load balancing. The default behavior when the op‐
1835 tion is not set is to use the load balancer VIP as source IP.
1836 This option may have exactly one IPv4 and/or one IPv6 address on
1837 it, separated by a space character.
1838
1839 options : skip_snat: optional string
1840 If the load balancing rule is configured with skip_snat option,
1841 the option lb_force_snat_ip configured for the logical router
1842 that references this load balancer will not be applied for this
1843 load balancer.
1844
1845 options : add_route: optional string
1846 If set to true, then neighbor routers will have logical flows
1847 added that will allow for routing to the VIP IP. It also will
1848 have ARP resolution logical flows added. By setting this option,
1849 it means there is no reason to create a Logi‐
1850 cal_Router_Static_Route from neighbor routers to this NAT ad‐
1851 dress. It also means that no ARP request is required for neigh‐
1852 bor routers to learn the IP-MAC mapping for this VIP IP. For
1853 more information about what flows are added for IP routes,
1854 please see the ovn-northd manpage section on IP Routing.
1855
1856 options : neighbor_responder: optional string
1857 If set to all, then routers on which the load balancer is ap‐
1858 plied reply to ARP/neighbor discovery requests for all VIPs of
1859 the load balancer. If set to reachable, then routers on which
1860 the load balancer is applied reply to ARP/neighbor discovery re‐
1861 quests only for VIPs that are part of a router’s subnet. If set
1862 to none, then routers on which the load balancer is applied
1863 never reply to ARP/neighbor discovery requests for any of the
1864 load balancer VIPs. Load balancers with options:template=true do
1865 not support reachable as a valid mode. The default value of this
1866 option, if not specified, is reachable for regular load bal‐
1867 ancers and none for template load balancers.
1868
1869 options : template: optional string
1870 Option to be set to true, if the load balancer is a template.
1871 The load balancer VIPs and backends must be using Chassis_Tem‐
1872 plate_Var in their definitions.
1873
1874 Load balancer template VIP supported formats are:
1875
1876 ^VIP_VAR[:^PORT_VAR|:port]
1877
1878
1879 where VIP_VAR and PORT_VAR are keys of the Chassis_Template_Var
1880 variables records.
1881
1882 Note: The VIP and PORT cannot be combined into a single template
1883 variable. For example, a Chassis_Template_Var variable expanding
1884 to 10.0.0.1:8080 is not valid if used as VIP.
1885
1886 Load balancer template backend supported formats are:
1887
1888 ^BACKEND_VAR1[:^PORT_VAR1|:port],^BACKEND_VAR2[:^PORT_VAR2|:port]
1889 or
1890 ^BACKENDS_VAR1,^BACKENDS_VAR2
1891
1892
1893 where BACKEND_VAR1, PORT_VAR1, BACKEND_VAR2, PORT_VAR2, BACK‐
1894 ENDS_VAR1 and BACKENDS_VAR2 are keys of the Chassis_Template_Var
1895 variables records.
1896
1897 options : address-family: optional string
1898 Address family used by the load balancer. Supported values are
1899 ipv4 and ipv6. The address-family is only used for load bal‐
1900 ancers with options:template=true. For explicit load balancers,
1901 setting the address-family has no effect.
1902
1903 options : affinity_timeout: optional string
1904 If the CMS provides a positive value (in seconds) for affin‐
1905 ity_timeout, OVN will dnat connections received from the same
1906 client to this lb to the same backend if received in the affin‐
1907 ity timeslot. Max supported affinity_timeout is 65535 seconds.
1908
1909 options : ct_flush: optional string, either true or false
1910 The value indicates whether ovn-controller should flush CT en‐
1911 tries that are related to this LB. The flush happens if the LB
1912 is removed, any of the backends is updated/removed or the LB is
1913 not considered local anymore by the ovn-controller. This option
1914 is set to false by default.
1915
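The vips and ip_port_mappings formats of the load balancer table above, turned into a pre-commit check a CMS could run before writing a row. This is an added example, not OVN code: the function names and the dict layout are hypothetical, the sample rows are constructed (the first reuses the addresses from the health check example), and a health check vip is assumed to be written either as the bare VIP address, as above, or as the full vips key.

```python
import ipaddress
import re

_BRACKETED = re.compile(r"^\[([^\]]+)\](?::(\d+))?$")


def parse_endpoint(text):
    """Parse 'IPv4', 'IPv4:port', 'IPv6', '[IPv6]' or '[IPv6]:port'.

    Returns (ip, port_or_None); raises ValueError on anything else.
    """
    text = text.strip()
    m = _BRACKETED.match(text)
    if m:
        ip, port = ipaddress.ip_address(m.group(1)), m.group(2)
        if ip.version != 6:
            raise ValueError("square brackets are only for IPv6")
    elif text.count(":") == 1:
        host, port = text.split(":")
        ip = ipaddress.ip_address(host)
    else:
        # Bare IPv4 or bare IPv6. 'fd0f::1:8800' lands here and is itself a
        # valid IPv6 address, which is why a port needs the bracketed form.
        ip, port = ipaddress.ip_address(text), None
    if port is not None:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
    return ip, port


def parse_mapping_value(value):
    """Parse 'port_name:source_ip' or 'port_name:[source_ip]' (IPv6)."""
    port_name, sep, src = value.partition(":")
    if not sep or not port_name:
        raise ValueError("expected port_name:source_ip")
    bracketed = src.startswith("[") and src.endswith("]")
    ip = ipaddress.ip_address(src[1:-1] if bracketed else src)
    if (ip.version == 6) != bracketed:
        raise ValueError("brackets are required for IPv6 and only for IPv6")
    return port_name, ip


def lint_load_balancer(vips, ip_port_mappings=None, health_check_vips=()):
    """Return a list of finding strings for one Load_Balancer row."""
    findings = []
    mapped = set()
    for key, value in (ip_port_mappings or {}).items():
        try:
            ip, port = parse_endpoint(key)
            if port is not None:
                raise ValueError("key must be an endpoint IP without a port")
            parse_mapping_value(value)
            mapped.add(ip)
        except ValueError as exc:
            findings.append(f"ip_port_mappings[{key}]: {exc}")

    for key, backends in vips.items():
        try:
            vip, _ = parse_endpoint(key)
        except ValueError as exc:
            findings.append(f"vips[{key}]: bad VIP: {exc}")
            continue
        # Assumption: the health check vip is the bare address or the full key.
        checked = key in health_check_vips or str(vip) in health_check_vips
        for raw in backends.split(","):
            try:
                backend, _ = parse_endpoint(raw)
            except ValueError as exc:
                findings.append(f"vips[{key}]: bad backend {raw.strip()!r}: {exc}")
                continue
            if backend.version != vip.version:
                findings.append(f"vips[{key}]: backend {backend} is "
                                f"IPv{backend.version}, VIP is IPv{vip.version}")
            if checked and backend not in mapped:
                findings.append(f"vips[{key}]: health check set but {backend} "
                                "has no ip_port_mappings entry")
    return findings


# Constructed sample rows.
GOOD = dict(
    vips={"10.0.0.10:80": "10.0.0.4:8080,20.0.0.4:8080",
          "[fd0f::1]:8800": "[fd0f::2]:8800"},
    ip_port_mappings={"10.0.0.4": "sw0-p1:10.0.0.2",
                      "20.0.0.4": "sw1-p1:20.0.0.2"},
    health_check_vips=["10.0.0.10"],
)
BAD = dict(
    vips={"192.168.1.4": "10.0.0.1, fd0f::2",           # mixed address families
          "10.0.0.10:80": "10.0.0.4:8080,20.0.0.4:8080"},
    ip_port_mappings={"10.0.0.4": "sw0-p1:10.0.0.2",
                      "[2001::1]": "sw0-p1:2002::1"},   # IPv6 source unbracketed
    health_check_vips=["10.0.0.10"],
)

if __name__ == "__main__":
    for finding in lint_load_balancer(**BAD):
        print(finding)
```
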
1917 Each row represents a logical grouping of load balancers. It is up to
1918 the CMS to decide the criteria on which load balancers are grouped
1919 together. To simplify configuration and to optimize its processing,
1920 load balancers that must be associated to the same set of logical
1921 switches and/or logical routers should be grouped together.
1922
1923 Summary:
1924 name string (must be unique within table)
1925 load_balancer set of weak reference to Load_Balancers
1926
1927 Details:
1928 name: string (must be unique within table)
1929 A name for the load balancer group. This name has no special
1930 meaning or purpose other than to provide convenience for human
1931 interaction with the ovn-nb database.
1932
1933 load_balancer: set of weak reference to Load_Balancers
1934 A set of load balancers.
1935
1937 Each row represents one load balancer health check.
1938
1939 Summary:
1940 vip string
1941 Health check options:
1942 options : interval optional string, containing an integer
1943 options : timeout optional string, containing an integer
1944 options : success_count optional string, containing an integer
1945 options : failure_count optional string, containing an integer
1946 Common Columns:
1947 external_ids map of string-string pairs
1948
1949 Details:
1950 vip: string
1951 vip whose endpoints should be monitored for health check.
1952
1953 Health check options:
1954
1955 options : interval: optional string, containing an integer
1956 The interval, in seconds, between health checks.
1957
1958 options : timeout: optional string, containing an integer
1959 The time, in seconds, after which a health check times out.
1960
1961 options : success_count: optional string, containing an integer
1962 The number of successful checks after which the endpoint is con‐
1963 sidered online.
1964
1965 options : failure_count: optional string, containing an integer
1966 The number of failed checks after which the endpoint is
1967 considered offline.
1968
1969 Common Columns:
1970
1971 external_ids: map of string-string pairs
1972 See External IDs at the beginning of this document.
1973
1975 Each row in this table represents one ACL rule for a logical switch or
1976 a port group that points to it through its acls column. The action col‐
1977 umn for the highest-priority matching row in this table determines a
1978 packet’s treatment. If no row matches, packets are allowed by default.
1979 (Default-deny treatment is possible: add a rule with priority 0, 1 as
1980 match, and deny as action.)
1981
1982 Summary:
1983 label integer, in range 0 to 4,294,967,295
1984 priority integer, in range 0 to 32,767
1985 direction string, either from-lport or to-lport
1986 match string
1987 action string, one of allow-related, al‐
1988 low-stateless, allow, drop, pass, or re‐
1989 ject
1990 tier integer, in range 0 to 3
1991 options:
1992 options : apply-after-lb optional string
1993 Logging:
1994 log boolean
1995 name optional string, at most 63 characters
1996 long
1997 severity optional string, one of alert, debug,
1998 info, notice, or warning
1999 meter optional string
2000 Common Columns:
2001 options map of string-string pairs
2002 ACL configuration options:
2003 options : log-related optional string
2004 external_ids map of string-string pairs
2005
2006 Details:
2007 label: integer, in range 0 to 4,294,967,295
2008 Associates an identifier with the ACL. The same value will be
2009 written to corresponding connection tracker entry. The value
2010 should be a valid 32-bit unsigned integer. This value can help
2011 in debugging from connection tracker side. For example, through
2012 this "label" we can backtrack to the ACL rule which is causing a
2013 "leaked" connection. Connection tracker entries are created only
2014 for allowed connections so the label is valid only for allow and
2015 allow-related actions.
2016
2017 priority: integer, in range 0 to 32,767
2018 The ACL rule’s priority. Rules with numerically higher priority
2019 take precedence over those with lower. If two ACL rules with the
2020 same priority both match, then the one actually applied to a
2021 packet is undefined.
2022
2023 Return traffic from an allow-related flow is always allowed and
2024 cannot be changed through an ACL.
2025
2026 allow-stateless flows always take precedence before stateful
2027 ACLs, regardless of their priority. (Both allow and allow-re‐
2028 lated ACLs can be stateful.)
2029
2030 direction: string, either from-lport or to-lport
2031 Direction of the traffic to which this rule should apply:
2032
2033 • from-lport: Used to implement filters on traffic arriving
2034 from a logical port. These rules are applied to the logi‐
2035 cal switch’s ingress pipeline.
2036
2037 • to-lport: Used to implement filters on traffic forwarded
2038 to a logical port. These rules are applied to the logical
2039 switch’s egress pipeline.
2040
2041 match: string
2042 The packets that the ACL should match, in the same expression
2043 language used for the match column in the OVN Southbound data‐
2044 base’s Logical_Flow table. The outport logical port is only
2045 available in the to-lport direction (the inport is available in
2046 both directions).
2047
2048 By default all traffic is allowed. When writing a more restric‐
2049 tive policy, it is important to remember to allow flows such as
2050 ARP and IPv6 neighbor discovery packets.
2051
2052 Note that you cannot create an ACL matching on a port with
2053 type=router or type=localnet.
2054
2055 action: string, one of allow-related, allow-stateless, allow, drop,
2056 pass, or reject
2057 The action to take when the ACL rule matches:
2058
2059 • allow-stateless: Always forward the packet in stateless
2060 manner, omitting connection tracking mechanism, regard‐
2061 less of other rules defined for the switch. May require
2062 defining additional rules for inbound replies. For exam‐
2063 ple, if you define a rule to allow outgoing TCP traffic
2064 directed to an IP address, then you probably also want to
2065 define another rule to allow incoming TCP traffic coming
2066 from this same IP address. In addition, traffic that
2067 matches stateless ACLs will bypass load-balancer DNAT/un-
2068 DNAT processing. Stateful ACLs should be used instead if
2069 the traffic is supposed to be load-balanced.
2070
2071 • allow: Forward the packet. It will also send the packets
2072 through connection tracking when allow-related rules ex‐
2073 ist on the logical switch. Otherwise, it’s equivalent to
2074 allow-stateless.
2075
2076 • allow-related: Forward the packet and related traffic
2077 (e.g. inbound replies to an outbound connection).
2078
2079 • drop: Silently drop the packet.
2080
2081 • reject: Drop the packet, replying with a RST for TCP or
2082 ICMPv4/ICMPv6 unreachable message for other
2083 IPv4/IPv6-based protocols.
2084
2085 • pass: Pass to the next ACL tier. If using multiple ACL
2086 tiers, a match on this ACL will stop evaluating ACLs at
2087 the current tier and move to the next one. If not using
2088 ACL tiers or if a pass ACL is matched at the final tier,
2089 then the options:default_acl_drop option from the
2090 NB_Global table is used to determine how to proceed.
2091
2092 tier: integer, in range 0 to 3
2093 The hierarchical tier that this ACL belongs to.
2094
2095 ACLs can be assigned to numerical tiers. When evaluating ACLs,
2096 an internal counter is used to determine which tier of ACLs
2097 should be evaluated. Tier 0 ACLs are evaluated first. If no ver‐
2098 dict can be determined, then tier 1 ACLs are evaluated next.
2099 This continues until the maximum tier value is reached. If all
2100 tiers of ACLs are evaluated and no verdict is reached, then the
2101 options:default_acl_drop option from table NB_Global is used to
2102 determine how to proceed.
2103
2104 In this version of OVN, the maximum tier value for ACLs is 3,
2105 meaning there are 4 tiers of ACLs allowed (0-3).
2106
2107 options:
2108
2109 ACLs options.
2110
2111 options : apply-after-lb: optional string
2112 If set to true, the ACL will be applied after load balancing
2113 stage. Supported only for from-lport direction.
2114
2115 The main use case of this option is to support ACLs matching on
2116 the destination IP address of the packet for the backend IPs of
2117 load balancers.
2118
2119 OVN will apply the from-lport ACLs in two stages. ACLs without
2120 the apply-after-lb option set are applied before the load
2121 balancer stage, and ACLs with this option set are applied after
2122 the load balancer stage. The priorities are independent between
2123 these stages and may not be obvious to the CMS. Hence the CMS
2124 should be extra careful when using this option and should
2125 carefully evaluate the priorities of all the ACLs and the default
2126 deny/allow ACLs, if any.
2127
2128 Logging:
2129
2130 These columns control whether and how OVN logs packets that match an
2131 ACL.
2132
2133 log: boolean
2134 If set to true, packets that match the ACL will trigger a log
2135 message on the transport node or nodes that perform ACL process‐
2136 ing. Logging may be combined with any action.
2137
2138 If set to false, the remaining columns in this group have no
2139 significance.
2140
2141 name: optional string, at most 63 characters long
2142 This name, if it is provided, is included in log records. It
2143 provides the administrator and the cloud management system a way
2144 to associate a log record with a particular ACL.
2145
2146 severity: optional string, one of alert, debug, info, notice, or warn‐
2147 ing
2148 The severity of the ACL. The severity levels match those of sys‐
2149 log, in decreasing level of severity: alert, warning, notice,
2150 info, or debug. When the column is empty, the default is info.
2151
2152 meter: optional string
2153 The name of a meter to rate-limit log messages for the ACL. The
2154 string must match the name column of a row in the Meter table.
2155 By default, log messages are not rate-limited. In order to en‐
2156 sure that the same Meter rate limits multiple ACL logs sepa‐
2157 rately, set the fair column.
2158
2159 Common Columns:
2160
2161 options: map of string-string pairs
2162 This column provides general key/value settings. The supported
2163 options are described individually below.
2164
2165 ACL configuration options:
2166
2167 options : log-related: optional string
2168 If set to true, then log when reply or related traffic is admit‐
2169 ted from a stateful ACL. In order for this option to function,
2170 the log option must be set to true and a label must be set, and
2171 it must be unique to the ACL. The label is necessary as it is
2172 the only means to associate the reply traffic with the ACL to
2173 which it belongs. It must be unique, because otherwise it is am‐
2174 biguous which ACL will be matched. Note: If this option is en‐
2175 abled, an extra flow is installed in order to log the related
2176 traffic. Therefore, if this is enabled on all ACLs, then the to‐
2177 tal number of flows necessary to log the ACL traffic is doubled,
2178 compared to if this option is not enabled.
2179
2180 external_ids: map of string-string pairs
2181 See External IDs at the beginning of this document.
2182
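A consistency check for the ACL column constraints described above: label is meaningful only on allow and allow-related, apply-after-lb is supported only for from-lport, log-related needs log plus a unique label, meter must name a Meter row, and two same-priority rows leave the outcome undefined if both match. This is an added example, not OVN code: rows are plain dicts rather than OVSDB records, label 0 is assumed to mean "not set", match expressions are not parsed (same-priority rows with different actions are flagged for review, not proven to overlap), and the sample rows are constructed.

```python
from collections import Counter, defaultdict

ACTIONS = {"allow-related", "allow-stateless", "allow", "drop", "pass", "reject"}
DIRECTIONS = {"from-lport", "to-lport"}
SEVERITIES = {None, "alert", "debug", "info", "notice", "warning"}


def audit_acls(acls, meter_names=()):
    """Return sorted (row_index, finding_code) pairs for a list of ACL rows.

    Each row is a dict keyed by ACL column name; 'options' is a nested dict.
    """
    findings = set()
    # Assumption: label 0 (the bottom of the column's range) means "no label".
    label_use = Counter(a.get("label", 0) for a in acls)
    slots = defaultdict(list)  # rows competing at one priority in one stage

    for i, a in enumerate(acls):
        opts = a.get("options", {})
        label = a.get("label", 0)
        tier = a.get("tier", 0)
        logging = bool(a.get("log"))
        after_lb = opts.get("apply-after-lb") == "true"

        if not 0 <= a["priority"] <= 32767:
            findings.add((i, "priority-out-of-range"))
        if not 0 <= tier <= 3:
            findings.add((i, "tier-out-of-range"))
        if a["direction"] not in DIRECTIONS or a["action"] not in ACTIONS:
            findings.add((i, "bad-enum-value"))
        if a.get("severity") not in SEVERITIES:
            findings.add((i, "bad-enum-value"))
        if len(a.get("name") or "") > 63:
            findings.add((i, "name-too-long"))

        # Conntrack entries exist only for allowed connections, so a label on
        # any other action is never written to a conntrack entry.
        if label and a["action"] not in ("allow", "allow-related"):
            findings.add((i, "label-without-effect"))
        if after_lb and a["direction"] != "from-lport":
            findings.add((i, "apply-after-lb-needs-from-lport"))

        if opts.get("log-related") == "true":
            if not logging:
                findings.add((i, "log-related-needs-log"))
            if not label:
                findings.add((i, "log-related-needs-label"))
            elif label_use[label] > 1:
                findings.add((i, "log-related-label-not-unique"))
        if logging and a.get("meter") and a["meter"] not in meter_names:
            findings.add((i, "meter-not-in-meter-table"))
        if not logging and any(a.get(c) for c in ("name", "severity", "meter")):
            findings.add((i, "logging-columns-ignored"))

        # allow-stateless takes precedence regardless of priority, so it is
        # left out of the same-priority comparison. Priorities are independent
        # between the before-LB and after-LB stages and between tiers.
        if a["action"] != "allow-stateless":
            slots[(a["direction"], after_lb, tier, a["priority"])].append(i)

    for rows in slots.values():
        if len({acls[i]["action"] for i in rows}) > 1:
            findings.update((i, "same-priority-different-action") for i in rows)
    return sorted(findings)


# Constructed sample rows.
SAMPLE_ACLS = [
    {"priority": 1001, "direction": "to-lport", "match": "ip4.src == 10.0.0.0/24",
     "action": "allow-related", "label": 7, "log": True, "name": "web-in",
     "options": {"log-related": "true"}},
    {"priority": 1001, "direction": "to-lport", "match": "ip4",
     "action": "drop", "label": 7},
    {"priority": 900, "direction": "to-lport", "match": "ip4.dst == 10.0.0.4",
     "action": "allow", "options": {"apply-after-lb": "true"}},
    {"priority": 0, "direction": "from-lport", "match": "1", "action": "drop",
     "log": True, "severity": "warning", "meter": "acl-log"},
]

if __name__ == "__main__":
    for index, code in audit_acls(SAMPLE_ACLS):
        print(index, code)
```
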
2184 Each row represents one L3 logical router.
2185
2186 Summary:
2187 ports set of Logical_Router_Ports
2188 static_routes set of Logical_Router_Static_Routes
2189 policies set of Logical_Router_Policys
2190 enabled optional boolean
2191 nat set of NATs
2192 load_balancer set of weak reference to Load_Balancers
2193 load_balancer_group set of Load_Balancer_Groups
2194 Naming:
2195 name string
2196 external_ids : neutron:router_name
2197 optional string
2198 copp optional weak reference to Copp
2199 Options:
2200 options : chassis optional string
2201 options : dnat_force_snat_ip
2202 optional string
2203 options : lb_force_snat_ip optional string
2204 options : mcast_relay optional string, either true or false
2205 options : dynamic_neigh_routers
2206 optional string, either true or false
2207 options : always_learn_from_arp_request
2208 optional string, either true or false
2209 options : requested-tnl-key
2210 optional string, containing an integer,
2211 in range 1 to 16,777,215
2212 options : snat-ct-zone optional string, containing an integer,
2213 in range 0 to 65,535
2214 options : mac_binding_age_threshold
2215 optional string, containing an integer,
2216 in range 0 to 4,294,967,295
2217 Common Columns:
2218 external_ids map of string-string pairs
2219
2220 Details:
2221 ports: set of Logical_Router_Ports
2222 The router’s ports.
2223
2224 static_routes: set of Logical_Router_Static_Routes
2225 Zero or more static routes for the router.
2226
2227 policies: set of Logical_Router_Policys
2228 Zero or more routing policies for the router.
2229
2230 enabled: optional boolean
2231 This column is used to administratively set router state. If
2232 this column is empty or is set to true, the router is enabled.
2233 If this column is set to false, the router is disabled. A dis‐
2234 abled router has all ingress and egress traffic dropped.
2235
2236 nat: set of NATs
2237 One or more NAT rules for the router. NAT rules only work on
2238 Gateway routers, and on distributed routers with one and only
2239 one distributed gateway port.
2240
2241 load_balancer: set of weak reference to Load_Balancers
2242 Set of load balancers associated to this logical router. Load
2243 balancer rules only work on the Gateway routers or
2244 routers with one and only one distributed gateway port.
2245
2246 load_balancer_group: set of Load_Balancer_Groups
2247 Set of load balancer groups associated to this logical router.
2248
2249 Naming:
2250
2251 These columns provide names for the logical router. From OVN’s perspec‐
2252 tive, these names have no special meaning or purpose other than to pro‐
2253 vide convenience for human interaction with the northbound database.
2254 There is no requirement for the name to be unique. (For a unique iden‐
2255 tifier for a logical router, use its row UUID.)
2256
2257 (Originally, name was intended to serve the purpose of a human-friendly
2258 name, but the Neutron integration used it to uniquely identify its own
2259 router object, in the format neutron-uuid. Later on, Neutron started
2260 propagating the friendly name of a router as external_ids:neu‐
2261 tron:router_name. Perhaps this can be cleaned up someday.)
2262
2263 name: string
2264 A name for the logical router.
2265
2266 external_ids : neutron:router_name: optional string
2267 Another name for the logical router.
2268
2269 copp: optional weak reference to Copp
2270 The control plane protection policy from table Copp used for me‐
2271 tering packets sent to ovn-controller from logical ports of this
2272 router.
2273
2274 Options:
2275
2276 Additional options for the logical router.
2277
2278 options : chassis: optional string
2279 If set, indicates that the logical router in question is a Gate‐
2280 way router (which is centralized) and resides in the set chas‐
2281 sis. The same value is also used by ovn-controller to uniquely
2282 identify the chassis in the OVN deployment and comes from exter‐
2283 nal_ids:system-id in the Open_vSwitch table of Open_vSwitch
2284 database.
2285
2286 The Gateway router can only be connected to a distributed router
2287 via a switch if SNAT and DNAT are to be configured in the Gate‐
2288 way router.
2289
2290 options : dnat_force_snat_ip: optional string
2291 If set, indicates a set of IP addresses to use to force SNAT a
2292 packet that has already been DNATed in the gateway router. When
2293 multiple gateway routers are configured, a packet can
2294 potentially enter any of the gateway routers, get DNATed and
2295 eventually reach the logical switch port. For the return traffic
2296 to go back to the same gateway router (for unDNATing), the packet
2297 needs a SNAT in the first place. This can be achieved by setting
2298 the above option with a gateway specific set of IP addresses.
2299 This option may have exactly one IPv4 and/or one IPv6 address on
2300 it, separated by a space.
2301
2302 options : lb_force_snat_ip: optional string
2303 If set, this option can take two possible types of values:
2304 either a set of IP addresses or the string value router_ip.
2305
2306 If a set of IP addresses is configured, it is used to force
2307 SNAT a packet that has already been load-balanced in the
2308 gateway router. When multiple gateway routers are configured, a
2309 packet can potentially enter any of the gateway routers, get
2310 DNATed as part of the load-balancing and eventually reach the
2311 logical switch port. For the return traffic to go back to the
2312 same gateway router (for unDNATing), the packet needs a SNAT in
2313 the first place. This can be achieved by setting the above
2314 option with a gateway specific set of IP addresses. This option
2315 may have exactly one IPv4 and/or one IPv6 address on it,
2316 separated by a space character.
2317
2318 If it is configured with the value router_ip, then the load bal‐
2319 anced packet is SNATed with the IP of router port (attached to
2320 the gateway router) selected as the destination after taking the
2321 routing decision.
2322
2323 options : mcast_relay: optional string, either true or false
2324 Enables/disables IP multicast relay between logical switches
2325 connected to the logical router. Default: False.
2326
2327 options : dynamic_neigh_routers: optional string, either true or false
2328 If set to true, the router will resolve neighbor routers’ MAC
2329 addresses only by dynamic ARP/ND, instead of prepopulating
2330 static mappings for all neighbor routers in the ARP/ND Resolu‐
2331 tion stage. This reduces number of flows, but requires ARP/ND
2332 messages to resolve the IP-MAC bindings when needed. It is false
2333 by default. It is recommended to set to true when a large number
2334 of logical routers are connected to the same logical switch but
2335 most of them never need to send traffic between each other. By
2336 default, ovn-northd does not create mappings to NAT and load
2337 balancer addresses. However, for NAT and load balancer addresses
2338 that have the add_route option added, ovn-northd will create
2339 logical flows that map NAT and load balancer IP addresses to the
2340 appropriate MAC address. Setting dynamic_neigh_routers to true
2341 will prevent the automatic creation of these logical flows.
2342
2343 options : always_learn_from_arp_request: optional string, either true
2344 or false
2345 This option controls the behavior when handling IPv4 ARP re‐
2346 quests or IPv6 ND-NS packets - whether a dynamic neighbor (MAC
2347 binding) entry is added/updated.
2348
2349 true - Always learn the MAC-IP binding, and add/update the MAC
2350 binding entry.
2351
2352 false - If there is a MAC binding for that IP and the MAC is
2353 different, or, if TPA of ARP request belongs to any router port
2354 on this router, then update/add that MAC-IP binding. Otherwise,
2355 don’t update/add entries.
2356
2357 It is true by default. It is recommended to set to false when a
2358 large number of logical routers are connected to the same logi‐
2359 cal switch but most of them never need to send traffic between
2360 each other, to reduce the size of the MAC binding table.
2361
2362 options : requested-tnl-key: optional string, containing an integer, in
2363 range 1 to 16,777,215
2364 Configures the datapath tunnel key for the logical router. This
2365 is not needed because ovn-northd will assign a unique key for
2366 each datapath by itself. However, if it is configured,
2367 ovn-northd honors the configured value.
2368
2369 options : snat-ct-zone: optional string, containing an integer, in
2370 range 0 to 65,535
2371 Use the requested conntrack zone for SNAT with this router. This
2372 can be useful if egress traffic from the host running OVN comes
2373 from both OVN and other sources. This way, OVN and the other
2374 sources can make use of the same conntrack zone.
2375
2376 options : mac_binding_age_threshold: optional string, containing an in‐
2377 teger, in range 0 to 4,294,967,295
2378 MAC binding aging threshold value in seconds. MAC binding ex‐
2379 ceeding this timeout will be automatically removed. The value
2380 defaults to 0, which means disabled.
2381
2382 Common Columns:
2383
2384 external_ids: map of string-string pairs
2385 See External IDs at the beginning of this document.
2386
2387 QoS TABLE
2388 Each row in this table represents one QoS rule for a logical switch
2389 that points to it through its qos_rules column. Two types of QoS are
2390 supported: DSCP marking and metering. A match with the highest-priority
2391 will have QoS applied to it. If the action column is specified, then
2392 matching packets will have DSCP marking applied. If the bandwidth
2393 column is specified, then matching packets will have metering applied.
2394 action and bandwidth are not exclusive, so both marking and metering can
2395 be defined for the same QoS entry. If no row matches, packets will not
2396 have any QoS applied.
2397
2398 Summary:
2399 priority integer, in range 0 to 32,767
2400 direction string, either from-lport or to-lport
2401 match string
2402 action map of string-integer pairs, key must be
2403 dscp, value in range 0 to 63
2404 bandwidth map of string-integer pairs, key either
2405 burst or rate, value in range 1 to
2406 4,294,967,295
2407 external_ids map of string-string pairs
2408
2409 Details:
2410 priority: integer, in range 0 to 32,767
2411 The QoS rule’s priority. Rules with numerically higher priority
2412 take precedence over those with lower. If two QoS rules with the
2413 same priority both match, then the one actually applied to a
2414 packet is undefined.
2415
2416 direction: string, either from-lport or to-lport
2417 The value of this field is similar to ACL column in the OVN
2418 Northbound database’s ACL table.
2419
2420 match: string
2421 The packets that the QoS rules should match, in the same expres‐
2422 sion language used for the match column in the OVN Southbound
2423 database’s Logical_Flow table. The outport logical port is only
2424 available in the to-lport direction (the inport is available in
2425 both directions).
2426
2427 action: map of string-integer pairs, key must be dscp, value in range 0
2428 to 63
2429 When specified, matching flows will have DSCP marking applied.
2430
2431 • dscp: The value of this action should be in the range of
2432 0 to 63 (inclusive).
2433
2434 bandwidth: map of string-integer pairs, key either burst or rate, value
2435 in range 1 to 4,294,967,295
2436 When specified, matching packets will have bandwidth metering
2437 applied. Traffic over the limit will be dropped.
2438
2439 • rate: The value of rate limit in kbps.
2440
2441 • burst: The value of burst rate limit in kilobits. This is
2442 optional and requires rate to be specified.
2443
2444 external_ids: map of string-string pairs
2445 See External IDs at the beginning of this document.
2446
2447 Mirror TABLE
2448 Each row in this table represents a mirror that can be used for port
2449 mirroring. These mirrors are referenced by the mirror_rules column in
2450 the Logical_Switch_Port table.
2451
2452 Summary:
2453 name string (must be unique within table)
2454 filter string, one of both, from-lport, or
2455 to-lport
2456 sink string
2457 type string, one of erspan, gre, or local
2458 index integer
2459 external_ids map of string-string pairs
2460
2461 Details:
2462 name: string (must be unique within table)
2463 Represents the name of the mirror.
2464
2465 filter: string, one of both, from-lport, or to-lport
2466 The value of this field represents selection criteria of the
2467 mirror. to-lport mirrors the packets coming into logical port.
2468 from-lport mirrors the packets going out of logical port. both
2469 mirrors for both directions.
2470
2471 sink: string
2472 The value of this field represents the destination/sink of the
2473 mirror. If the type is gre or erspan, the value indicates the
2474 tunnel remote IP (either IPv4 or IPv6). For a type of local,
2475 this field defines a local interface on the OVS integration
2476 bridge to be used as the mirror destination. The interface must
2477 possess external-ids:mirror-id that matches this string.
2478
2479 type: string, one of erspan, gre, or local
2480 The value of this field specifies the mirror type - gre, erspan
2481 or local.
2482
2483 index: integer
2484 The value of this field represents the tunnel ID. If the config‐
2485 ured tunnel type is gre, this field represents the GRE key value
2486 and if the configured tunnel type is erspan it represents the
2487 erspan_idx value. It is ignored if the type is local.
2488
2489 external_ids: map of string-string pairs
2490 See External IDs at the beginning of this document.
2491
2492 Meter TABLE
2493 Each row in this table represents a meter that can be used for QoS or
2494 rate-limiting.
2495
2496 Summary:
2497 name string (must be unique within table)
2498 unit string, either kbps or pktps
2499 bands set of 1 or more Meter_Bands
2500 fair optional boolean
2501 external_ids map of string-string pairs
2502
2503 Details:
2504 name: string (must be unique within table)
2505 A name for this meter.
2506
2507 Names that begin with "__" (two underscores) are reserved for
2508 OVN internal use and should not be added manually.
2509
2510 unit: string, either kbps or pktps
2511 The unit for rate and burst_rate parameters in the bands entry.
2512 kbps specifies kilobits per second, and pktps specifies packets
2513 per second.
2514
2515 bands: set of 1 or more Meter_Bands
2516 The bands associated with this meter. Each band specifies a rate
2517 above which the band is to take the action action. If multiple
2518 bands’ rates are exceeded, then the band with the highest rate
2519 among the exceeded bands is selected.
2520
2521 fair: optional boolean
2522 This column is used to further describe the desired behavior of
2523 the meter when there are multiple references to it. If this col‐
2524 umn is empty or is set to false, the rate will be shared across
2525 all rows that refer to the same Meter name. Conversely, when
2526 this column is set to true, each user of the same Meter will be
2527 rate-limited on its own.
2528
2529 external_ids: map of string-string pairs
2530 See External IDs at the beginning of this document.
2531
2532 Meter_Band TABLE
2533 Each row in this table represents a meter band which specifies the rate
2534 above which the configured action should be applied. These bands are
2535 referenced by the bands column in the Meter table.
2536
2537 Summary:
2538 action string, must be drop
2539 rate integer, in range 1 to 4,294,967,295
2540 burst_size integer, in range 0 to 4,294,967,295
2541 external_ids map of string-string pairs
2542
2543 Details:
2544 action: string, must be drop
2545 The action to execute when this band matches. The only supported
2546 action is drop.
2547
2548 rate: integer, in range 1 to 4,294,967,295
2549 The rate limit for this band, in kilobits per second or packets per
2550 second, depending on whether the parent Meter entry’s unit column
2551 specified kbps or pktps.
2552
2553 burst_size: integer, in range 0 to 4,294,967,295
2554 The maximum burst allowed for the band in kilobits or packets,
2555 depending on whether kbps or pktps was selected in the parent
2556 Meter entry’s unit column. If the size is zero, the switch is
2557 free to select some reasonable value depending on its configura‐
2558 tion.
2559
2560 external_ids: map of string-string pairs
2561 See External IDs at the beginning of this document.
2562
2563 Logical_Router_Port TABLE
2564 A port within an L3 logical router.
2565
2566 Exactly one Logical_Router row must reference a given logical router
2567 port.
2568
2569 Summary:
2570 name string (must be unique within table)
2571 networks set of 1 or more strings
2572 mac string
2573 enabled optional boolean
2574 Distributed Gateway Ports:
2575 ha_chassis_group optional HA_Chassis_Group
2576 gateway_chassis set of Gateway_Chassises
2577 Options for Physical VLAN MTU Issues:
2578 options : reside-on-redirect-chassis
2579 optional string, either true or false
2580 options : redirect-type optional string, either bridged or over‐
2581 lay
2582 ipv6_prefix set of strings
2583 ipv6_ra_configs:
2584 ipv6_ra_configs : address_mode
2585 optional string
2586 ipv6_ra_configs : router_preference
2587 optional string
2588 ipv6_ra_configs : route_info
2589 optional string
2590 ipv6_ra_configs : mtu optional string
2591 ipv6_ra_configs : send_periodic
2592 optional string
2593 ipv6_ra_configs : max_interval
2594 optional string
2595 ipv6_ra_configs : min_interval
2596 optional string
2597 ipv6_ra_configs : rdnss optional string
2598 ipv6_ra_configs : dnssl optional string
2599 Options:
2600 options : mcast_flood optional string, either true or false
2601 options : requested-tnl-key
2602 optional string, containing an integer,
2603 in range 1 to 32,767
2604 options : prefix_delegation
2605 optional string, either true or false
2606 options : prefix optional string, either true or false
2607 options : route_table optional string
2608 options : gateway_mtu optional string, containing an integer,
2609 in range 68 to 65,535
2610 options : gateway_mtu_bypass
2611 optional string
2612 Attachment:
2613 peer optional string
2614 Common Columns:
2615 external_ids map of string-string pairs
2616 Status:
2617 status : hosting-chassis optional string
2618
2619 Details:
2620 name: string (must be unique within table)
2621 A name for the logical router port.
2622
2623 In addition to providing convenience for human interaction with
2624 the northbound database, this column is used as reference by its
2625 patch port in Logical_Switch_Port or another logical router port
2626 in Logical_Router_Port.
2627
2628 A logical router port may not have the same name as a logical
2629 switch port, but the database schema cannot enforce this.
2630
2631 networks: set of 1 or more strings
2632 The IP addresses and netmasks of the router. For example,
2633 192.168.0.1/24 indicates that the router’s IP address is
2634 192.168.0.1 and that packets destined to 192.168.0.x should be
2635 routed to this port.
2636
2637 A logical router port always adds a link-local IPv6 address
2638 (fe80::/64) automatically generated from the interface’s MAC ad‐
2639 dress using the modified EUI-64 format.
2640
2641 mac: string
2642 The Ethernet address that belongs to this router port.
2643
2644 enabled: optional boolean
2645 This column is used to administratively set port state. If this
2646 column is empty or is set to true, the port is enabled. If this
2647 column is set to false, the port is disabled. A disabled port
2648 has all ingress and egress traffic dropped.
2649
2650 Distributed Gateway Ports:
2651
2652 Gateways, as documented under Gateways in the OVN architecture guide,
2653 provide limited connectivity between logical networks and physical
2654 ones. OVN supports multiple kinds of gateways. The Logical_Router_Port
2655 table can be used in two different ways to configure distributed gateway
2656 ports, which are one kind of gateway. These two forms of configuration
2657 exist for historical reasons. Both of them produce the same kind of OVN
2658 southbound records and the same behavior in practice.
2659
2660 If either of these is set, this logical router port represents a
2661 distributed gateway port that connects this router to a logical switch
2662 with a localnet port or a connection to another OVN deployment.
2663
2664 Also mentioned in the OVN architecture guide, distributed gateway ports
2665 can also be used for scalability reasons in deployments where logical
2666 switches are dedicated to chassises rather than distributed.
2667
2668 The preferred way to configure a gateway is ha_chassis_group, but gate‐
2669 way_chassis is also supported for backward compatibility. Only one of
2670 these should be set at a time on a given LRP, since they configure the
2671 same features.
2672
2673 Even when a gateway is configured, the logical router port still effec‐
2674 tively resides on each chassis. However, due to the implications of the
2675 use of L2 learning in the physical network, as well as the need to sup‐
2676 port advanced features such as one-to-many NAT (aka IP masquerading), a
2677 subset of the logical router processing is handled in a centralized
2678 manner on the gateway chassis.
2679
2680 There can be more than one distributed gateway port configured on each
2681 logical router, each connecting to a different L2 segment.
2682 Load-balancing is not yet supported on logical routers with more than
2683 one distributed gateway port.
2684
2685 Each distributed gateway port may have more than one gateway
2686 chassis. When more than one gateway chassis is specified, OVN only
2687 uses one at a time. OVN can rely on OVS BFD implementation to monitor
2688 gateway connectivity, preferring the highest-priority gateway that is
2689 online. Priorities are specified in the priority column of Gate‐
2690 way_Chassis or HA_Chassis.
2691
2692 ovn-northd programs the external_mac rules specified in the LRP’s LR
2693 into the peer logical switch’s destination lookup on the chassis where
2694 the logical_port resides. In addition, the logical router’s MAC address
2695 is automatically programmed in the peer logical switch’s destination
2696 lookup flow on the gateway chassis. If it is desired to generate
2697 gratuitous ARPs for NAT addresses, then set the peer LSP’s
2698 options:nat-addresses to router.
2699
2700 OVN 20.03 and earlier supported a third way to configure distributed
2701 gateway ports using options:redirect-chassis to specify the gateway
2702 chassis. This method is no longer supported. Any remaining users should
2703 switch to one of the newer methods instead. A gateway_chassis may be
2704 easily configured from the command line, e.g.
2705 ovn-nbctl lrp-set-gateway-chassis lrp chassis.
2706
2707 ha_chassis_group: optional HA_Chassis_Group
2708 Designates an HA_Chassis_Group to provide gateway high avail‐
2709 ability.
2710
2711 gateway_chassis: set of Gateway_Chassises
2712 Designates one or more Gateway_Chassis for the logical router
2713 port.
2714
2715 Options for Physical VLAN MTU Issues:
2716
2717 MTU issues arise in mixing tunnels with logical networks that are
2718 bridged to a physical VLAN. For an explanation of the MTU issues, see
2719 Physical VLAN MTU Issues in the OVN architecture document. The follow‐
2720 ing options, which are alternatives, provide solutions. Both of them
2721 cause packets to be sent over localnet instead of tunnels, but they
2722 differ in whether some or all packets are sent this way. The most prom‐
2723 inent tradeoff between these options is that reside-on-redirect-chassis
2724 is easier to configure and that redirect-type performs better for east-
2725 west traffic.
2726
2727 options : reside-on-redirect-chassis: optional string, either true or
2728 false
2729 If set to true, this option forces all traffic across the logi‐
2730 cal router port to pass through the gateway chassis using a hop
2731 across a localnet port. This changes behavior in two ways:
2732
2733 • Without this option, east-west traffic passes directly
2734 between source and destination chassis (or even within a
2735 single chassis, for co-located VMs). With this option,
2736 all east-west traffic passes through the gateway chassis.
2737
2738 • Without this option, traffic between the gateway chassis
2739 and other chassis is encapsulated in tunnels. With this
2740 option, traffic passes over a localnet interface.
2741
2742 This option may usefully be set only on logical router ports
2743 that connect a distributed logical router to a logical switch
2744 with VIFs. It should not be set on a distributed gateway port.
2745
2746 OVN honors this option only if the logical router has one and
2747 only one distributed gateway port and if the LRP’s peer switch
2748 has a localnet port.
2749
2750 options : redirect-type: optional string, either bridged or overlay
2751 If set to bridged on a distributed gateway port, this option
2752 causes OVN to redirect packets to the gateway chassis over a lo‐
2753 calnet port instead of a tunnel. The relevant chassis must share
2754 a localnet port.
2755
2756 This feature requires the administrator or the CMS to configure
2757 each participating chassis with a unique Ethernet address for
2758 the logical router by setting ovn-chassis-mac-mappings in the
2759 Open vSwitch database, for use by ovn-controller.
2760
2761 Setting this option to overlay or leaving it unset has no ef‐
2762 fect. This option may usefully be set only on a distributed
2763 gateway port when there is one and only one distributed gateway
2764 port on the logical router. It is otherwise ignored.
2765
2766 ipv6_prefix: set of strings
2767 This column contains the IPv6 prefix obtained by the prefix delegation
2768 router according to RFC 3633.
2769
2770 ipv6_ra_configs:
2771
2772 This column defines the IPv6 ND RA address mode and ND MTU Option to be
2773 included by ovn-controller when it replies to the IPv6 Router solicita‐
2774 tion requests.
2775
2776 ipv6_ra_configs : address_mode: optional string
2777 The address mode to be used for IPv6 address configuration. The
2778 supported values are:
2779
2780 • slaac: Address configuration using Router Advertisement
2781 (RA) packet. The IPv6 prefixes defined in the Logi‐
2782 cal_Router_Port table’s networks column will be included
2783 in the RA’s ICMPv6 option - Prefix information.
2784
2785 • dhcpv6_stateful: Address configuration using DHCPv6.
2786
2787 • dhcpv6_stateless: Address configuration using Router Ad‐
2788 vertisement (RA) packet. Other IPv6 options are provided
2789 by DHCPv6.
2790
2791 ipv6_ra_configs : router_preference: optional string
2792 Default Router Preference (PRF) indicates whether to prefer this
2793 router over other default routers (RFC 4191). Possible values
2794 are:
2795
2796 • HIGH: mapped to 0x01 in RA PRF field
2797
2798 • MEDIUM: mapped to 0x00 in RA PRF field
2799
2800 • LOW: mapped to 0x11 in RA PRF field
2801
2802 ipv6_ra_configs : route_info: optional string
2803 Route Info is used to configure Route Info Option sent in Router
2804 Advertisement according to RFC 4191. Route Info is a comma-separated
2805 string where each field provides PRF and prefix for a
2806 given route (e.g. HIGH-aef1::11/48,LOW-aef2::11/96). Possible PRF
2807 values are:
2808
2809 • HIGH: mapped to 0x01 in RA PRF field
2810
2811 • MEDIUM: mapped to 0x00 in RA PRF field
2812
2813 • LOW: mapped to 0x11 in RA PRF field
2814
2815 ipv6_ra_configs : mtu: optional string
2816 The recommended MTU for the link. Default is 0, which means no
2817 MTU Option will be included in RA packet replied by ovn-con‐
2818 troller. Per RFC 2460, the mtu value is recommended no less than
2819 1280, so any mtu value less than 1280 will be considered as no
2820 MTU Option.
2821
2822 ipv6_ra_configs : send_periodic: optional string
2823 If set to true, then this router interface will send router ad‐
2824 vertisements periodically. The default is false.
2825
2826 ipv6_ra_configs : max_interval: optional string
2827 The maximum number of seconds to wait between sending periodic
2828 router advertisements. This option has no effect if ipv6_ra_con‐
2829 figs:send_periodic is false. The default is 600.
2830
2831 ipv6_ra_configs : min_interval: optional string
2832 The minimum number of seconds to wait between sending periodic
2833 router advertisements. This option has no effect if ipv6_ra_con‐
2834 figs:send_periodic is false. The default is one-third of
2835 ipv6_ra_configs:max_interval, i.e. 200 seconds if that key is
2836 unset.
2837
2838 ipv6_ra_configs : rdnss: optional string
2839 IPv6 address of RDNSS server announced in RA packets. At the mo‐
2840 ment OVN supports just one RDNSS server.
2841
2842 ipv6_ra_configs : dnssl: optional string
2843 DNS Search List announced in RA packets. Multiple DNS Search
2844 Lists must be comma separated (e.g. "a.b.c, d.e.f").
2845
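The defaults and value formats described above for ipv6_ra_configs, resolved in one place, as an added Python example that is not ovn-controller's code. The sample map is constructed, and the PRF values are held as the two-bit RFC 4191 encodings (binary 01, 00, 11).

```python
import ipaddress

# RFC 4191 two-bit preference encoding: HIGH=01, MEDIUM=00, LOW=11 (binary).
PRF_BITS = {"HIGH": 0b01, "MEDIUM": 0b00, "LOW": 0b11}
ADDRESS_MODES = {"slaac", "dhcpv6_stateful", "dhcpv6_stateless"}


def parse_route_info(text):
    """Parse 'PRF-prefix,PRF-prefix' into [(prf_bits, normalized_prefix)]."""
    routes = []
    for field in (f.strip() for f in text.split(",")):
        if not field:
            continue
        prf, sep, prefix = field.partition("-")
        if not sep or prf not in PRF_BITS:
            raise ValueError(f"route_info: bad field {field!r}")
        # strict=False because the documented sample carries host bits
        # (aef1::11/48); the network part is what a route option conveys.
        net = ipaddress.IPv6Network(prefix, strict=False)
        routes.append((PRF_BITS[prf], str(net)))
    return routes


def effective_ra_config(cfg):
    """Resolve an ipv6_ra_configs map (string keys and values) to the
    settings a Router Advertisement would carry, applying the defaults
    stated in the column descriptions."""
    mode = cfg.get("address_mode")
    if mode is not None and mode not in ADDRESS_MODES:
        raise ValueError(f"address_mode: unsupported value {mode!r}")

    pref = cfg.get("router_preference")
    if pref is not None and pref not in PRF_BITS:
        raise ValueError(f"router_preference: unsupported value {pref!r}")

    # Default 0 means "no MTU option"; anything below 1280 is treated the same.
    mtu = int(cfg.get("mtu", "0"))

    # max_interval defaults to 600 s; min_interval to one third of it.
    max_interval = int(cfg.get("max_interval", "600"))
    if "min_interval" in cfg:
        min_interval = int(cfg["min_interval"])
    else:
        min_interval = max_interval // 3

    # Only one RDNSS server is supported, so this is a single address.
    rdnss = cfg.get("rdnss")
    if rdnss is not None:
        rdnss = str(ipaddress.IPv6Address(rdnss))

    return {
        "address_mode": mode,
        "router_preference_bits": None if pref is None else PRF_BITS[pref],
        "mtu_option": mtu if mtu >= 1280 else None,
        "send_periodic": cfg.get("send_periodic", "false") == "true",
        "max_interval": max_interval,
        "min_interval": min_interval,
        "rdnss": rdnss,
        "dnssl": [d.strip() for d in cfg.get("dnssl", "").split(",") if d.strip()],
        "route_info": parse_route_info(cfg.get("route_info", "")),
    }


# Constructed sample, not taken from a real deployment.
SAMPLE = {
    "address_mode": "slaac",
    "router_preference": "LOW",
    "mtu": "1000",                      # below 1280: no MTU option is sent
    "send_periodic": "true",
    "route_info": "HIGH-aef1::11/48,LOW-aef2::11/96",
    "dnssl": "a.b.c, d.e.f",
}

if __name__ == "__main__":
    for key, value in effective_ra_config(SAMPLE).items():
        print(f"{key}: {value}")
```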
2846 Options:
2847
2848 Additional options for the logical router port.
2849
2850 options : mcast_flood: optional string, either true or false
2851 If set to true, multicast traffic (including reports) is
2852 unconditionally forwarded to the specific port.
2853
2854 This option applies when the port is part of a logical router
2855 which has options:mcast_relay set to true.
2856
2857 Default: false.
2858
2859 options : requested-tnl-key: optional string, containing an integer, in
2860 range 1 to 32,767
2861 Configures the port binding tunnel key for the port. Usually
2862 this is not needed because ovn-northd will assign a unique key
2863 for each port by itself. However, if it is configured,
2864 ovn-northd honors the configured value.
2865
2866 options : prefix_delegation: optional string, either true or false
2867 If set to true, enable IPv6 prefix delegation state machine on
2868 this logical router port (RFC3633). IPv6 prefix delegation is
2869 available just on a gateway router or on a gateway router port.
2870
2871 options : prefix: optional string, either true or false
2872 If set to true, this interface will receive an IPv6 prefix
2873 according to RFC3633.
2874
2875 options : route_table: optional string
2876 Designates lookup Logical_Router_Static_Routes with specified
2877 route_table value. Routes to directly connected networks from
2878 same Logical Router and routes without route_table option set
2879 have higher priority than routes with route_table option set.
2880
2881 options : gateway_mtu: optional string, containing an integer, in range
2882 68 to 65,535
2883 If set, logical flows will be added to router pipeline to check
2884 packet length. If packet length is greater than the value set,
2885 ICMPv4 type 3 (Destination Unreachable) code 4 (Fragmentation
2886 Needed and Don’t Fragment was Set) or ICMPv6 type 2 (Packet Too
2887 Big) code 0 (no route to destination) packets will be generated.
2888 This allows for Path MTU Discovery.
2889
2890 options : gateway_mtu_bypass: optional string
2891 When configured, represents a match expression, in the same ex‐
2892 pression language used for the match column in the OVN South‐
2893 bound database’s Logical_Flow table. Packets matching this ex‐
2894 pression will bypass the length check configured through the op‐
2895 tions:gateway_mtu option.
2896
2897 Attachment:
2898
2899 A given router port serves one of two purposes:
2900
2901 • To attach a logical switch to a logical router. A logical
2902 router port of this type is referenced by exactly one
2903 Logical_Switch_Port of type router. The value of name is
2904 set as router-port in column options of Logi‐
2905 cal_Switch_Port. In this case peer column is empty.
2906
2907 • To connect one logical router to another. This requires a
2908 pair of logical router ports, each connected to a differ‐
2909 ent router. Each router port in the pair specifies the
2910 other in its peer column. No Logical_Switch refers to the
2911 router port.
2912
2913 peer: optional string
2914 For a router port used to connect two logical routers, this
2915 identifies the other router port in the pair by name.
2916
2917 For a router port attached to a logical switch, this column is
2918 empty.
2919
2920 Common Columns:
2921
2922 external_ids: map of string-string pairs
2923 See External IDs at the beginning of this document.
2924
2925 The ovn-northd program copies all these pairs into the exter‐
2926 nal_ids column of the Port_Binding table in OVN_Southbound data‐
2927 base.
2928
2929 Status:
2930
2931 Additional status about the logical router port.
2932
2933 status : hosting-chassis: optional string
2934 This option is populated by ovn-northd.
2935
2936 When a distributed gateway port is bound to a location in the
2937 OVN Southbound database Port_Binding ovn-northd will populate
2938 this key with the name of the Chassis that is currently hosting
2939 this port.
2940 Logical_Router_Static_Route TABLE
2941 Each record represents a static route.
2942
2943 When multiple routes match a packet, the longest-prefix match is cho‐
2944 sen. For a given prefix length, a dst-ip route is preferred over a
2945 src-ip route.
2946
2947 When there are ECMP routes, i.e. multiple routes with same prefix and
2948 policy, one of them will be selected based on the 5-tuple hashing of
2949 the packet header.
2950
2951 Summary:
2952 ip_prefix string
2953 policy optional string, either dst-ip or src-ip
2954 nexthop string
2955 output_port optional string
2956 bfd optional weak reference to BFD
2957 route_table string
2958 external_ids : ic-learned-route
2959 optional string
2960 Common Columns:
2961 external_ids map of string-string pairs
2962 Common options:
2963 options map of string-string pairs
2964 options : ecmp_symmetric_reply
2965 optional string
2966 options : origin optional string
2967
2968 Details:
2969 ip_prefix: string
2970 IP prefix of this route (e.g. 192.168.100.0/24).
2971
2972 policy: optional string, either dst-ip or src-ip
2973 If it is specified, this setting describes the policy used to
2974 make routing decisions. This setting must be one of the follow‐
2975 ing strings:
2976
2977 • src-ip: This policy sends the packet to the nexthop when
2978 the packet’s source IP address matches ip_prefix.
2979
2980 • dst-ip: This policy sends the packet to the nexthop when
2981 the packet’s destination IP address matches ip_prefix.
2982
2983 If not specified, the default is dst-ip.
2984
2985 nexthop: string
2986 Nexthop IP address for this route. Nexthop IP address should be
2987 the IP address of a connected router port or the IP address of a
2988 logical port or can be set to discard for dropping packets which
2989 match the given route.
2990
2991 output_port: optional string
2992 The name of the Logical_Router_Port via which the packet needs
2993 to be sent out. This is optional and when not specified, OVN
2994 will automatically figure this out based on the nexthop. When
2995 this is specified and there are multiple IP addresses on the
2996 router port and none of them are in the same subnet of nexthop,
2997 OVN chooses the first IP address as the one via which the nex‐
2998 thop is reachable.
2999
3000 bfd: optional weak reference to BFD
3001 Reference to the BFD row if the route has an associated BFD session.
3002
3003 route_table: string
3004 Any string, used to place the route in a separate routing table. If a
3005 Logical Router Port has a value configured in options:route_table other
3006 than the empty string, OVN performs route lookup for all packets
3007 entering the Logical Router ingress pipeline from this port in the
3008 following manner:
3009
3010 • 1. First lookup among "global" routes: routes without
3011 route_table value set and routes to directly connected
3012 networks.
3013
3014 • 2. Next lookup among routes with same route_table value
3015 as specified in LRP’s options:route_table field.
3016
3017 external_ids : ic-learned-route: optional string
3018 ovn-ic populates this key if the route is learned from the
3019 global OVN_IC_Southbound database. In this case the value will
3020 be set to the uuid of the row in Route table of the
3021 OVN_IC_Southbound database.
3022
3023 Common Columns:
3024
3025 external_ids: map of string-string pairs
3026 See External IDs at the beginning of this document.
3027
3028 Common options:
3029
3030 options: map of string-string pairs
3031 This column provides general key/value settings. The supported
3032 options are described individually below.
3033
3034 options : ecmp_symmetric_reply: optional string
3035 If true, then new traffic that arrives over this route will have
3036 its reply traffic bypass ECMP route selection and will be sent
3037 out this route instead. Note that this option overrides any
3038 rules set in the Logical_Router_Policy table. This option only
3039 works on gateway routers (routers that have options:chassis
3040 set).
3041
3042 options : origin: optional string
3043 If ovn-interconnection has learned this route, it will
3044 have its origin set: either "connected" or "static". This key is
3045 supposed to be written only by the ovn-ic daemon. ovn-northd then
3046 checks this value when generating Logical Flows.
3047 Logical_Router_Static_Route records with the same ip_prefix within the
3048 same Logical Router will have the following lookup order based on the
3049 origin key value:
3050
3051 1. connected
3052
3053 2. static
3054
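The selection rules stated at the top of this table (longest-prefix match, dst-ip preferred over src-ip at equal prefix length, ECMP by 5-tuple hash) together with the discard nexthop, as an added Python model that is not OVN code. The route rows are constructed, route_table and origin ordering are left out, and SHA-256 stands in for the datapath hash, which this page does not specify.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    ip_prefix: str
    nexthop: str            # an IP address, or "discard" to drop matches
    policy: str = "dst-ip"  # schema default when the column is empty

    @property
    def network(self):
        return ipaddress.ip_network(self.ip_prefix, strict=False)


def matching_group(routes, src, dst):
    """Return the winning route(s) for a packet.

    Rank is (prefix length, is dst-ip): the longest prefix wins, and at
    equal length a dst-ip route beats a src-ip route. More than one route
    in the result means an ECMP group (same prefix and policy).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ranked = []
    for route in routes:
        addr = dst_ip if route.policy == "dst-ip" else src_ip
        net = route.network
        if addr.version == net.version and addr in net:
            ranked.append(((net.prefixlen, route.policy == "dst-ip"), route))
    if not ranked:
        return []
    best = max(rank for rank, _ in ranked)
    return [route for rank, route in ranked if rank == best]


def ecmp_member(group, five_tuple):
    """Pick one ECMP member so that a given flow always maps to the same
    nexthop. Assumption: SHA-256 is a stand-in for the real hash."""
    members = sorted(group, key=lambda r: r.nexthop)
    digest = hashlib.sha256("|".join(map(str, five_tuple)).encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def route_packet(routes, src, dst, proto=6, sport=0, dport=0):
    """Return (verdict, nexthop): 'forward', 'drop' or 'no-route'."""
    group = matching_group(routes, src, dst)
    if not group:
        return ("no-route", None)
    route = ecmp_member(group, (src, dst, proto, sport, dport))
    verdict = "drop" if route.nexthop == "discard" else "forward"
    return (verdict, route.nexthop)


# Constructed rows for one logical router (documentation address ranges).
ROUTES = [
    StaticRoute("0.0.0.0/0", "192.0.2.1"),
    StaticRoute("0.0.0.0/0", "192.0.2.2"),               # ECMP with the row above
    StaticRoute("198.51.100.0/24", "discard"),           # blackhole
    StaticRoute("10.1.0.0/16", "192.0.2.10", "src-ip"),
    StaticRoute("10.2.0.0/16", "192.0.2.20"),
    StaticRoute("10.1.2.0/24", "192.0.2.30", "src-ip"),
]

if __name__ == "__main__":
    flows = [
        ("10.9.9.9", "198.51.100.7"),   # blackhole beats the default routes
        ("10.1.5.5", "10.2.0.9"),       # /16 dst-ip beats /16 src-ip
        ("10.1.2.5", "10.2.0.9"),       # /24 src-ip beats /16 dst-ip
        ("172.16.0.1", "203.0.113.9"),  # ECMP between the two defaults
    ]
    for src, dst in flows:
        print(src, "->", dst, route_packet(ROUTES, src, dst, 6, 40000, 443))
```

Running a planned flow through the model before adding a discard route shows whether a longer or equally long route would win over it.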
3055 Logical_Router_Policy TABLE
3056 Each row in this table represents one routing policy for a logical
3057 router that points to it through its policies column. The action column
3058 for the highest-priority matching row in this table determines a
3059 packet’s treatment. If no row matches, packets are allowed by default.
3060 (Default-deny treatment is possible: add a rule with priority 0, 1 as
3061 match, and drop as action.)
3062
3063 Summary:
3064 priority integer, in range 0 to 32,767
3065 match string
3066 action string, one of allow, drop, or reroute
3067 nexthop optional string
3068 nexthops set of strings
3069 options : pkt_mark optional string
3070 Common Columns:
3071 external_ids map of string-string pairs
3072
3073 Details:
3074 priority: integer, in range 0 to 32,767
3075 The routing policy’s priority. Rules with numerically higher
3076 priority take precedence over those with lower. A rule is
3077 uniquely identified by the priority and match string.
3078
3079 match: string
3080 The packets that the routing policy should match, in the same
3081 expression language used for the match column in the OVN South‐
3082 bound database’s Logical_Flow table.
3083
3084 By default all traffic is allowed. When writing a more restric‐
3085 tive policy, it is important to remember to allow flows such as
3086 ARP and IPv6 neighbor discovery packets.
3087
3088 action: string, one of allow, drop, or reroute
3089 The action to take when the routing policy matches:
3090
3091 • allow: Forward the packet.
3092
3093 • drop: Silently drop the packet.
3094
3095 • reroute: Reroute packet to nexthop or nexthops.
3096
3097 nexthop: optional string
3098 Note: This column is deprecated in favor of nexthops.
3099
3100 Next-hop IP address for this route, which should be the IP ad‐
3101 dress of a connected router port or the IP address of a logical
3102 port.
3103
3104 nexthops: set of strings
3105 Next-hop ECMP IP addresses for this route. Each IP in the list
3106 should be the IP address of a connected router port or the IP
3107 address of a logical port.
3108
3109 One IP from the list is selected as next hop.
3110
3111 options : pkt_mark: optional string
3112 Marks the packet with the value specified when the router policy
3113 is applied. CMS can inspect this packet marker and take some de‐
3114 cisions if desired. This value is not preserved when the packet
3115 goes out on the wire.
3116
3117 Common Columns:
3118
3119 external_ids: map of string-string pairs
3120 See External IDs at the beginning of this document.
3121
3122 NAT TABLE
3123 Each record represents a NAT rule.
3124
3125 Summary:
3126 type string, one of dnat, dnat_and_snat, or
3127 snat
3128 external_ip string
3129 external_mac optional string
3130 external_port_range string
3131 logical_ip string
3132 logical_port optional string
3133 allowed_ext_ips optional Address_Set
3134 exempted_ext_ips optional Address_Set
3135 gateway_port optional weak reference to Logi‐
3136 cal_Router_Port
3137 options : stateless optional string
3138 options : add_route optional string
3139 Common Columns:
3140 external_ids map of string-string pairs
3141
3142 Details:
3143 type: string, one of dnat, dnat_and_snat, or snat
3144 Type of the NAT rule.
3145
3146 • When type is dnat, the externally visible IP address ex‐
3147 ternal_ip is DNATted to the IP address logical_ip in the
3148 logical space.
3149
3150 • When type is snat, IP packets whose source IP address
3151 either matches the IP address in logical_ip or
3152 is in the network provided by logical_ip are SNATed into
3153 the IP address in external_ip.
3154
3155 • When type is dnat_and_snat, the externally visible IP ad‐
3156 dress external_ip is DNATted to the IP address logical_ip
3157 in the logical space. In addition, IP packets with a
3158 source IP address that matches logical_ip are SNATed into
3159 the IP address in external_ip.
3160
3161 external_ip: string
3162 An IPv4 address.
3163
3164 external_mac: optional string
3165 A MAC address.
3166
3167 This is only used on the gateway port on distributed routers.
3168 This must be specified in order for the NAT rule to be processed
3169 in a distributed manner on all chassis. If this is not specified
3170 for a NAT rule on a distributed router, then this NAT rule will
3171 be processed in a centralized manner on the gateway port in‐
3172 stance on the gateway chassis.
3173
3174 This MAC address must be unique on the logical switch that the
3175 gateway port is attached to. If the MAC address used on the log‐
3176 ical_port is globally unique, then that MAC address can be spec‐
3177 ified as this external_mac.
3178
3179 external_port_range: string
3180 L4 source port range
3181
3182 Range of ports, from which a port number will be picked that
3183 will replace the source port of the packet to be NATed. This is
3184 basically PAT (port address translation).
3185
3186 Value of the column is in the format, port_lo-port_hi. For exam‐
3187 ple: external_port_range : "1-30000"
3188
3189 Valid range of ports is 1-65535.
3190
3191 logical_ip: string
3192 An IPv4 network (e.g. 192.168.1.0/24) or an IPv4 address.
3193
3194 logical_port: optional string
3195 The name of the logical port where the logical_ip resides.
3196
3197 This is only used on distributed routers. This must be specified
3198 in order for the NAT rule to be processed in a distributed man‐
3199 ner on all chassis. If this is not specified for a NAT rule on a
3200 distributed router, then this NAT rule will be processed in a
3201 centralized manner on the gateway port instance on the gateway
3202 chassis.
3203
3204 allowed_ext_ips: optional Address_Set
3205 It represents Address Set of external ips that NAT rule is ap‐
3206 plicable to. For SNAT type NAT rules, this refers to destination
3207 addresses. For DNAT type NAT rules, this refers to source ad‐
3208 dresses.
3209
3210 This configuration overrides the default NAT behavior of apply‐
3211 ing a rule solely based on internal IP. Without this configura‐
3212 tion, NAT happens without considering the external IP (i.e.
3213 dest/source for snat/dnat type rule). With this configuration
3214 NAT rule is applied ONLY if external ip is in the input Address
3215 Set.
3216
3217 exempted_ext_ips: optional Address_Set
3218 It represents Address Set of external ips that NAT rule is NOT
3219 applicable to. For SNAT type NAT rules, this refers to destina‐
3220 tion addresses. For DNAT type NAT rules, this refers to source
3221 addresses.
3222
3223 This configuration overrides the default NAT behavior of apply‐
3224 ing a rule solely based on internal IP. Without this configura‐
3225 tion, NAT happens without considering the external IP (i.e.
3226 dest/source for snat/dnat type rule). With this configuration
3227 NAT rule is NOT applied if external ip is in the input Address
3228 Set.
3229
3230 If there are NAT rules in a logical router with overlapping IP
3231 prefixes (including /32), then usage of exempted_ext_ips should
3232 be avoided in the following scenario:
3233 a. SNAT rule (let us say RULE1) with logical_ip PREFIX/MASK (let us say 50.0.0.0/24).
3234 b. SNAT rule (let us say RULE2) with logical_ip PREFIX/MASK+1 (let us say 50.0.0.0/25).
3235 c. Now, if exempted_ext_ips is associated with RULE2, then a logical ip
3236 which matches both 50.0.0.0/24 and 50.0.0.0/25 may get the RULE2
3237 applied to it instead of RULE1.
3238
3239 allowed_ext_ips and exempted_ext_ips are mutually exclusive to
3240 each other. If both Address Sets are set for a rule, then the
3241 NAT rule is not considered.
3242
3243 gateway_port: optional weak reference to Logical_Router_Port
3244 A distributed gateway port in the Logical_Router_Port table
3245 where the NAT rule needs to be applied.
3246
3247 When multiple distributed gateway ports are configured on a Log‐
3248 ical_Router, applying a NAT rule at each of the distributed
3249 gateway ports might not be desired. Consider the case where a
3250 logical router has 2 distributed gateway ports, one with networks
3251 50.0.0.10/24 and the other with networks 60.0.0.10/24. If the
3252 logical router has a NAT rule of type snat, logical_ip
3253 10.1.1.0/24 and external_ip 50.1.1.20/24, the rule needs to be
3254 selectively applied on matching packets entering/leaving through
3255 the distributed gateway port with networks 50.0.0.10/24.
3256
3257 When a logical router has multiple distributed gateway ports and
3258 this column is not set for a NAT rule, then the rule will be ap‐
3259 plied at the distributed gateway port which is in the same net‐
3260 work as the external_ip of the NAT rule, if such a router port
3261 exists. If logical router has a single distributed gateway port
3262 and this column is not set for a NAT rule, the rule will be ap‐
3263 plied at the distributed gateway port even if the router port is
3264 not in the same network as the external_ip of the NAT rule.
3265
3266 options : stateless: optional string
3267 Indicates if a dnat_and_snat rule should lead to connection
3268 tracking state or not.
3269
3270 options : add_route: optional string
3271 If set to true, then neighbor routers will have logical flows
3272 added that will allow for routing to the NAT address. It also
3273 will have ARP resolution logical flows added. By setting this
3274 option, it means there is no reason to create a Logi‐
3275 cal_Router_Static_Route from neighbor routers to this NAT ad‐
3276 dress. It also means that no ARP request is required for neigh‐
3277 bor routers to learn the IP-MAC mapping for this NAT address.
3278 This option only applies to NATs of type dnat and dnat_and_snat.
3279 For more information about what flows are added for IP routes,
3280 please see the ovn-northd manpage section on IP Routing.
3281
3282 Common Columns:
3283
3284 external_ids: map of string-string pairs
3285 See External IDs at the beginning of this document.
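
The NAT column constraints described above can be checked before rows are written to the database. The following is an added example, not code from OVN: the function names, the finding codes and the "name" label on each row are hypothetical, the sample rows are constructed, and the overlap check generalizes the PREFIX/MASK+1 scenario to any SNAT rule whose logical_ip is a more specific prefix of another SNAT rule on the same router.

```python
import ipaddress
import re

PORT_RANGE_RE = re.compile(r"^(\d+)-(\d+)$")


def check_port_range(value):
    """Validate external_port_range ("port_lo-port_hi", ports 1-65535)."""
    if value == "":
        return None  # assumption: an empty string means no range is configured
    m = PORT_RANGE_RE.match(value)
    if not m:
        return "not in port_lo-port_hi format"
    lo, hi = int(m.group(1)), int(m.group(2))
    if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
        return "port outside the valid range 1-65535"
    if lo > hi:  # assumption: implied by the names port_lo and port_hi
        return "port_lo is greater than port_hi"
    return None


def audit_nat_rules(rules):
    """Audit the NAT rows of ONE logical router.

    rules: list of dicts keyed by NAT column names, plus a "name" label
    that is used only for reporting. Returns (name, code, detail) tuples.
    """
    findings = []
    for rule in rules:
        # Both Address Sets set: the rule is silently not considered.
        if rule.get("allowed_ext_ips") and rule.get("exempted_ext_ips"):
            findings.append((rule["name"], "both_ext_ip_sets",
                             "allowed_ext_ips and exempted_ext_ips are "
                             "mutually exclusive; the rule is not considered"))
        err = check_port_range(rule.get("external_port_range", ""))
        if err:
            findings.append((rule["name"], "bad_port_range", err))

    # exempted_ext_ips on the more specific of two overlapping SNAT prefixes:
    # the narrower rule may be applied where the wider one was intended.
    snat = [(r, ipaddress.ip_network(r["logical_ip"], strict=False))
            for r in rules if r["type"] == "snat"]
    for narrow, n_net in snat:
        if not narrow.get("exempted_ext_ips"):
            continue
        for wide, w_net in snat:
            if n_net != w_net and n_net.subnet_of(w_net):
                findings.append((narrow["name"], "exempted_on_narrower_prefix",
                                 f"{n_net} overlaps {w_net} ({wide['name']})"))
    return findings


# Constructed sample rows (addresses and Address_Set names are made up).
SAMPLE_RULES = [
    {"name": "RULE1", "type": "snat", "logical_ip": "50.0.0.0/24",
     "external_ip": "172.16.0.1"},
    {"name": "RULE2", "type": "snat", "logical_ip": "50.0.0.0/25",
     "external_ip": "172.16.0.2", "exempted_ext_ips": "no_nat_dst"},
    {"name": "RULE3", "type": "dnat_and_snat", "logical_ip": "10.1.1.5",
     "external_ip": "172.16.0.3", "allowed_ext_ips": "as_allowed",
     "exempted_ext_ips": "as_exempt", "external_port_range": "0-70000"},
]

if __name__ == "__main__":
    for finding in audit_nat_rules(SAMPLE_RULES):
        print(finding)
```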
3286
3287 DHCP_Options TABLE
3288 OVN implements native DHCPv4 support which caters to the common use
3289 case of providing an IPv4 address to a booting instance by providing
3290 stateless replies to DHCPv4 requests based on statically configured ad‐
3291 dress mappings. To do this it allows a short list of DHCPv4 options to
3292 be configured and applied at each compute host running ovn-controller.
3293
3294 OVN also implements native DHCPv6 support which provides stateless
3295 replies to DHCPv6 requests.
3296
3297 Summary:
3298 cidr string
3299 DHCPv4 options:
3300 Mandatory DHCPv4 options:
3301 options : server_id optional string
3302 options : server_mac optional string
3303 options : lease_time optional string, containing an integer,
3304 in range 0 to 4,294,967,295
3305 IPv4 DHCP Options:
3306 options : router optional string
3307 options : netmask optional string
3308 options : dns_server optional string
3309 options : log_server optional string
3310 options : lpr_server optional string
3311 options : swap_server optional string
3312 options : policy_filter optional string
3313 options : router_solicitation
3314 optional string
3315 options : nis_server optional string
3316 options : ntp_server optional string
3317 options : netbios_name_server
3318 optional string
3319 options : classless_static_route
3320 optional string
3321 options : ms_classless_static_route
3322 optional string
3323 options : next_server optional string
3324 Boolean DHCP Options:
3325 options : ip_forward_enable
3326 optional string, either 0 or 1
3327 options : router_discovery
3328 optional string, either 0 or 1
3329 options : ethernet_encap optional string, either 0 or 1
3330 Integer DHCP Options:
3331 options : default_ttl optional string, containing an integer,
3332 in range 0 to 255
3333 options : tcp_ttl optional string, containing an integer,
3334 in range 0 to 255
3335 options : mtu optional string, containing an integer,
3336 in range 68 to 65,535
3337 options : T1 optional string, containing an integer,
3338 in range 68 to 4,294,967,295
3339 options : T2 optional string, containing an integer,
3340 in range 68 to 4,294,967,295
3341 options : arp_cache_timeout
3342 optional string, containing an integer,
3343 in range 0 to 255
3344 options : tcp_keepalive_interval
3345 optional string, containing an integer,
3346 in range 0 to 255
3347 options : netbios_node_type
3348 optional string, containing an integer,
3349 in range 0 to 255
3350 String DHCP Options:
3351 options : wpad optional string
3352 options : bootfile_name optional string
3353 options : path_prefix optional string
3354 options : tftp_server_address
3355 optional string
3356 options : hostname optional string
3357 options : domain_name optional string
3358 options : bootfile_name_alt
3359 optional string
3360 options : broadcast_address
3361 optional string
3362 DHCP Options of type host_id:
3363 options : tftp_server optional string
3364 DHCP Options of type domains:
3365 options : domain_search_list
3366 optional string
3367 DHCPv6 options:
3368 Mandatory DHCPv6 options:
3369 options : server_id optional string
3370 IPv6 DHCPv6 options:
3371 options : dns_server optional string
3372 String DHCPv6 options:
3373 options : domain_search optional string
3374 options : dhcpv6_stateless
3375 optional string
3376 options : fqdn optional string
3377 Common Columns:
3378 external_ids map of string-string pairs
3379
3380 Details:
3381 cidr: string
3382 The DHCPv4/DHCPv6 options will be included if the logical port
3383 has its IP address in this cidr.
3384
3385 DHCPv4 options:
3386
3387 The CMS should define the set of DHCPv4 options as key/value pairs in
3388 the options column of this table. For ovn-controller to include these
3389 DHCPv4 options, the dhcpv4_options of Logical_Switch_Port should refer
3390 to an entry in this table.
3391
3392 Mandatory DHCPv4 options:
3393
3394 The following options must be defined.
3395
3396 options : server_id: optional string
3397 The IP address for the DHCP server to use. This should be in the
3398 subnet of the offered IP. This is also included in the DHCP of‐
3399 fer as option 54, ``server identifier.’’
3400
3401 options : server_mac: optional string
3402 The Ethernet address for the DHCP server to use.
3403
3404 options : lease_time: optional string, containing an integer, in range
3405 0 to 4,294,967,295
3406 The offered lease time in seconds.
3407
3408 The DHCPv4 option code for this option is 51.
3409
3410 IPv4 DHCP Options:
3411
3412 Below are the supported DHCPv4 options whose values are an IPv4 ad‐
3413 dress, e.g. 192.168.1.1. Some options accept multiple IPv4 addresses
3414 enclosed within curly braces, e.g. {192.168.1.2, 192.168.1.3}. Please
3415 refer to RFC 2132 for more details on DHCPv4 options and their codes.
3416
3417 options : router: optional string
3418 The IP address of a gateway for the client to use. This should
3419 be in the subnet of the offered IP. The DHCPv4 option code for
3420 this option is 3.
3421
3422 options : netmask: optional string
3423 The DHCPv4 option code for this option is 1.
3424
3425 options : dns_server: optional string
3426 The DHCPv4 option code for this option is 6.
3427
3428 options : log_server: optional string
3429 The DHCPv4 option code for this option is 7.
3430
3431 options : lpr_server: optional string
3432 The DHCPv4 option code for this option is 9.
3433
3434 options : swap_server: optional string
3435 The DHCPv4 option code for this option is 16.
3436
3437 options : policy_filter: optional string
3438 The DHCPv4 option code for this option is 21.
3439
3440 options : router_solicitation: optional string
3441 The DHCPv4 option code for this option is 32.
3442
3443 options : nis_server: optional string
3444 The DHCPv4 option code for this option is 41.
3445
3446 options : ntp_server: optional string
3447 The DHCPv4 option code for this option is 42.
3448
3449 options : netbios_name_server: optional string
3450 The DHCPv4 option code for this option is 44.
3451
3452 options : classless_static_route: optional string
3453 The DHCPv4 option code for this option is 121.
3454
3455 This option can contain one or more static routes, each of which
3456 consists of a destination descriptor and the IP address of the
3457 router that should be used to reach that destination. Please see
3458 RFC 3442 for more details.
3459
3460 Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
3461
3462 options : ms_classless_static_route: optional string
3463 The DHCPv4 option code for this option is 249. This option is
3464 similar to classless_static_route supported by Microsoft Windows
3465 DHCPv4 clients.
3466
3467 options : next_server: optional string
3468 The DHCPv4 option code for setting the "Next server IP address"
3469 field in the DHCP header.
3470
3471 Boolean DHCP Options:
3472
3473 These options accept a Boolean value, expressed as 0 for false or 1 for
3474 true.
3475
3476 options : ip_forward_enable: optional string, either 0 or 1
3477 The DHCPv4 option code for this option is 19.
3478
3479 options : router_discovery: optional string, either 0 or 1
3480 The DHCPv4 option code for this option is 31.
3481
3482 options : ethernet_encap: optional string, either 0 or 1
3483 The DHCPv4 option code for this option is 36.
3484
3485 Integer DHCP Options:
3486
3487 These options accept a nonnegative integer value.
3488
3489 options : default_ttl: optional string, containing an integer, in range
3490 0 to 255
3491 The DHCPv4 option code for this option is 23.
3492
3493 options : tcp_ttl: optional string, containing an integer, in range 0
3494 to 255
3495 The DHCPv4 option code for this option is 37.
3496
3497 options : mtu: optional string, containing an integer, in range 68 to
3498 65,535
3499 The DHCPv4 option code for this option is 26.
3500
3501 options : T1: optional string, containing an integer, in range 68 to
3502 4,294,967,295
3503 This specifies the time interval from address assignment until
3504 the client begins trying to renew its address. The DHCPv4 option
3505 code for this option is 58.
3506
3507 options : T2: optional string, containing an integer, in range 68 to
3508 4,294,967,295
3509 This specifies the time interval from address assignment until
3510 the client begins trying to rebind its address. The DHCPv4 op‐
3511 tion code for this option is 59.
3512
3513 options : arp_cache_timeout: optional string, containing an integer, in
3514 range 0 to 255
3515 The DHCPv4 option code for this option is 35. This option speci‐
3516 fies the timeout in seconds for ARP cache entries.
3517
3518 options : tcp_keepalive_interval: optional string, containing an inte‐
3519 ger, in range 0 to 255
3520 The DHCPv4 option code for this option is 38. This option speci‐
3521 fies the interval that the client TCP should wait before sending
3522 a keepalive message on a TCP connection.
3523
3524 options : netbios_node_type: optional string, containing an integer, in
3525 range 0 to 255
3526 The DHCPv4 option code for this option is 46.
3527
3528 String DHCP Options:
3529
3530 These options accept a string value.
3531
3532 options : wpad: optional string
3533 The DHCPv4 option code for this option is 252. This option is
3534 used as part of web proxy auto discovery to provide a URL for a
3535 web proxy.
3536
3537 options : bootfile_name: optional string
3538 The DHCPv4 option code for this option is 67. This option is
3539 used to identify a bootfile.
3540
3541 options : path_prefix: optional string
3542 The DHCPv4 option code for this option is 210. In PXELINUX’ case
3543 this option is used to set a common path prefix, instead of de‐
3544 riving it from the bootfile name.
3545
3546 options : tftp_server_address: optional string
3547 The DHCPv4 option code for this option is 150. The option con‐
3548 tains one or more IPv4 addresses that the client MAY use. This
3549 option is Cisco proprietary, the IEEE standard that matches with
3550 this requirement is option 66 (tftp_server).
3551
3552 options : hostname: optional string
3553 The DHCPv4 option code for this option is 12. If set, indicates
3554 the DHCPv4 option "Hostname". Alternatively, this option can be
3555 configured in options:hostname column in table Logi‐
3556 cal_Switch_Port. If Hostname option value is set in both con‐
3557 flicting Logical_Switch_Port and DHCP_Options tables, Logi‐
3558 cal_Switch_Port takes precedence.
3559
3560 options : domain_name: optional string
3561 The DHCPv4 option code for this option is 15. This option speci‐
3562 fies the domain name that client should use when resolving host‐
3563 names via the Domain Name System.
3564
3565 options : bootfile_name_alt: optional string
3566 "bootfile_name_alt" option is used to support iPXE. When both
3567 "bootfile_name" and "bootfile_name_alt" are provided by the CMS,
3568 "bootfile_name" will be used for option 67 if the dhcp request
3569 contains etherboot option (175), otherwise "bootfile_name_alt"
3570 will be used.
3571
3572 options : broadcast_address: optional string
3573 The DHCPv4 option code for this option is 28. This option speci‐
3574 fies the IP address used as a broadcast address.
3575
3576 DHCP Options of type host_id:
3577
3578 These options accept either an IPv4 address or a string value.
3579
3580 options : tftp_server: optional string
3581 The DHCPv4 option code for this option is 66.
3582
3583 DHCP Options of type domains:
3584
3585 These options accept string value which is a comma separated list of
3586 domain names. The domain names are encoded based on RFC 1035.
3587
3588 options : domain_search_list: optional string
3589 The DHCPv4 option code for this option is 119.
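
A CMS can validate a DHCPv4 row against the constraints listed above before committing it. The following is an added example, not code from OVN: the function names and finding codes are hypothetical, the sample row is constructed, and only the mandatory keys, the subnet recommendations for server_id and router, the documented integer and Boolean ranges, and the classless_static_route format are checked.

```python
import ipaddress

MANDATORY = ("server_id", "server_mac", "lease_time")
IN_SUBNET = ("server_id", "router")  # "should be in the subnet of the offered IP"
BOOLEAN = ("ip_forward_enable", "router_discovery", "ethernet_encap")
INTEGER_RANGES = {  # ranges as documented for each option
    "lease_time": (0, 4294967295), "default_ttl": (0, 255),
    "tcp_ttl": (0, 255), "mtu": (68, 65535),
    "T1": (68, 4294967295), "T2": (68, 4294967295),
    "arp_cache_timeout": (0, 255), "tcp_keepalive_interval": (0, 255),
    "netbios_node_type": (0, 255),
}


def split_braced(value):
    """Split "{a, b}" or "a" into a list of stripped items."""
    return [item.strip() for item in value.strip().strip("{}").split(",")]


def parse_classless_static_route(value):
    """Parse "{dest,router, dest,router}" into (network, router) pairs."""
    tokens = split_braced(value)
    if len(tokens) % 2:
        raise ValueError("destination without a router address")
    return [(ipaddress.ip_network(dest), ipaddress.ip_address(hop))
            for dest, hop in zip(tokens[0::2], tokens[1::2])]


def validate_dhcpv4(row):
    """row: {"cidr": str, "options": {key: str}}. Returns (key, code) tuples."""
    cidr = ipaddress.ip_network(row["cidr"], strict=False)
    opts = row["options"]
    findings = []
    for key in MANDATORY:
        if key not in opts:
            findings.append((key, "missing"))
    for key in IN_SUBNET:
        if key not in opts:
            continue
        try:
            inside = all(ipaddress.ip_address(a) in cidr
                         for a in split_braced(opts[key]))
        except ValueError:
            findings.append((key, "not_an_ip_address"))
            continue
        if not inside:
            findings.append((key, "outside_cidr"))
    for key, (lo, hi) in INTEGER_RANGES.items():
        if key not in opts:
            continue
        text = opts[key]
        if not (text.isascii() and text.isdigit()):
            findings.append((key, "not_integer"))
        elif not lo <= int(text) <= hi:
            findings.append((key, "out_of_range"))
    for key in BOOLEAN:
        if key in opts and opts[key] not in ("0", "1"):
            findings.append((key, "not_0_or_1"))
    if "classless_static_route" in opts:
        try:
            parse_classless_static_route(opts["classless_static_route"])
        except ValueError:
            findings.append(("classless_static_route", "malformed"))
    return findings


# Constructed sample row with several deliberate mistakes.
SAMPLE_ROW = {
    "cidr": "10.0.0.0/24",
    "options": {
        "server_id": "10.0.1.1",            # outside 10.0.0.0/24
        "server_mac": "00:00:00:00:00:01",  # lease_time is missing
        "router": "10.0.0.1",
        "mtu": "50",                        # below the minimum of 68
        "ip_forward_enable": "yes",         # must be 0 or 1
        "classless_static_route": "{30.0.0.0/24,10.0.0.10, 0.0.0.0/0}",
    },
}

if __name__ == "__main__":
    for finding in validate_dhcpv4(SAMPLE_ROW):
        print(finding)
```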
3590
3591 DHCPv6 options:
3592
3593 OVN also implements native DHCPv6 support. The CMS should define the
3594 set of DHCPv6 options as key/value pairs. The defined DHCPv6 options
3595 will be included in the DHCPv6 response to the DHCPv6 Solicit/Re‐
3596 quest/Confirm packet from the logical ports having the IPv6 addresses
3597 in the cidr.
3598
3599 Mandatory DHCPv6 options:
3600
3601 The following options must be defined.
3602
3603 options : server_id: optional string
3604 The Ethernet address for the DHCP server to use. This is also
3605 included in the DHCPv6 reply as option 2, ``Server Identifier’’
3606 to carry a DUID identifying a server between a client and a
3607 server. ovn-controller defines DUID based on Link-layer Address
3608 [DUID-LL].
3609
3610 IPv6 DHCPv6 options:
3611
3612 Below are the supported DHCPv6 options whose values are an IPv6 ad‐
3613 dress, e.g. aef0::4. Some options accept multiple IPv6 addresses en‐
3614 closed within curly braces, e.g. {aef0::4, aef0::5}. Please refer to
3615 RFC 3315 for more details on DHCPv6 options and their codes.
3616
3617 options : dns_server: optional string
3618 The DHCPv6 option code for this option is 23. This option speci‐
3619 fies the DNS servers that the VM should use.
3620
3621 String DHCPv6 options:
3622
3623 These options accept string values.
3624
3625 options : domain_search: optional string
3626 The DHCPv6 option code for this option is 24. This option speci‐
3627 fies the domain search list the client should use to resolve
3628 hostnames with DNS.
3629
3630 Example: "ovn.org".
3631
3632 options : dhcpv6_stateless: optional string
3633 This option specifies that OVN native DHCPv6 will work in state‐
3634 less mode, which means OVN native DHCPv6 will not offer IPv6 ad‐
3635 dresses for VM/VIF ports, but will only reply with other configuration,
3636 such as DNS and domain search list. When this option is set
3637 to the string value "true", the VM/VIF will configure IPv6 addresses
3638 in a stateless way. The default value for this option is false.
3639
3640 options : fqdn: optional string
3641 The DHCPv6 option code for this option is 39. If set, indicates
3642 the DHCPv6 option "FQDN".
3643
3644 Common Columns:
3645
3646 external_ids: map of string-string pairs
3647 See External IDs at the beginning of this document.
3648
3649 Connection TABLE
3650 Configuration for a database connection to an Open vSwitch database
3651 (OVSDB) client.
3652
3653 This table primarily configures the Open vSwitch database server
3654 (ovsdb-server).
3655
3656 The Open vSwitch database server can initiate and maintain active con‐
3657 nections to remote clients. It can also listen for database connec‐
3658 tions.
3659
3660 Summary:
3661 Core Features:
3662 target string (must be unique within table)
3663 Client Failure Detection and Handling:
3664 max_backoff optional integer, at least 1,000
3665 inactivity_probe optional integer
3666 Status:
3667 is_connected boolean
3668 status : last_error optional string
3669 status : state optional string, one of ACTIVE, BACKOFF,
3670 CONNECTING, IDLE, or VOID
3671 status : sec_since_connect optional string, containing an integer,
3672 at least 0
3673 status : sec_since_disconnect
3674 optional string, containing an integer,
3675 at least 0
3676 status : locks_held optional string
3677 status : locks_waiting optional string
3678 status : locks_lost optional string
3679 status : n_connections optional string, containing an integer,
3680 at least 2
3681 status : bound_port optional string, containing an integer
3682 Common Columns:
3683 external_ids map of string-string pairs
3684 other_config map of string-string pairs
3685
3686 Details:
3687 Core Features:
3688
3689 target: string (must be unique within table)
3690 Connection methods for clients.
3691
3692 The following connection methods are currently supported:
3693
3694 ssl:host[:port]
3695 The specified SSL port on the host at the given host,
3696 which can either be a DNS name (if built with unbound li‐
3697 brary) or an IP address. A valid SSL configuration must
3698 be provided when this form is used, this configuration
3699 can be specified via command-line options or the SSL ta‐
3700 ble.
3701
3702 If port is not specified, it defaults to 6640.
3703
3704 SSL support is an optional feature that is not always
3705 built as part of Open vSwitch.
3706
3707 tcp:host[:port]
3708 The specified TCP port on the host at the given host,
3709 which can either be a DNS name (if built with unbound li‐
3710 brary) or an IP address. If host is an IPv6 address, wrap
3711 it in square brackets, e.g. tcp:[::1]:6640.
3712
3713 If port is not specified, it defaults to 6640.
3714
3715 pssl:[port][:host]
3716 Listens for SSL connections on the specified TCP port.
3717 Specify 0 for port to have the kernel automatically
3718 choose an available port. If host, which can either be a
3719 DNS name (if built with unbound library) or an IP ad‐
3720 dress, is specified, then connections are restricted to
3721 the resolved or specified local IP address (either IPv4 or
3722 IPv6 address). If host is an IPv6 address, wrap in square
3723 brackets, e.g. pssl:6640:[::1]. If host is not specified
3724 then it listens only on IPv4 (but not IPv6) addresses. A
3725 valid SSL configuration must be provided when this form
3726 is used, this can be specified either via command-line
3727 options or the SSL table.
3728
3729 If port is not specified, it defaults to 6640.
3730
3731 SSL support is an optional feature that is not always
3732 built as part of Open vSwitch.
3733
3734 ptcp:[port][:host]
3735 Listens for connections on the specified TCP port. Spec‐
3736 ify 0 for port to have the kernel automatically choose an
3737 available port. If host, which can either be a DNS name
3738 (if built with unbound library) or an IP address, is
3739 specified, then connections are restricted to the re‐
3740 solved or specified local IP address (either IPv4 or IPv6
3741 address). If host is an IPv6 address, wrap it in square
3742 brackets, e.g. ptcp:6640:[::1]. If host is not specified
3743 then it listens only on IPv4 addresses.
3744
3745 If port is not specified, it defaults to 6640.
3746
3747 When multiple clients are configured, the target values must be
3748 unique. Duplicate target values yield unspecified results.
3749
3750 Client Failure Detection and Handling:
3751
3752 max_backoff: optional integer, at least 1,000
3753 Maximum number of milliseconds to wait between connection at‐
3754 tempts. Default is implementation-specific.
3755
3756 inactivity_probe: optional integer
3757 Maximum number of milliseconds of idle time on connection to the
3758 client before sending an inactivity probe message. If Open
3759 vSwitch does not communicate with the client for the specified
3760 number of seconds, it will send a probe. If a response is not
3761 received for the same additional amount of time, Open vSwitch
3762 assumes the connection has been broken and attempts to recon‐
3763 nect. Default is implementation-specific. A value of 0 disables
3764 inactivity probes.
3765
3766 Status:
3767
3768 Key-value pair of is_connected is always updated. Other key-value pairs
3769 in the status columns may be updated depending on the target type.
3770
3771 When target specifies a connection method that listens for inbound con‐
3772 nections (e.g. ptcp: or punix:), both n_connections and is_connected
3773 may also be updated while the remaining key-value pairs are omitted.
3774
3775 On the other hand, when target specifies an outbound connection, all
3776 key-value pairs may be updated, except the above-mentioned two key-
3777 value pairs associated with inbound connection targets. They are omit‐
3778 ted.
3779
3780 is_connected: boolean
3781 true if currently connected to this client, false otherwise.
3782
3783 status : last_error: optional string
3784 A human-readable description of the last error on the connection
3785 to the manager; i.e. strerror(errno). This key will exist only
3786 if an error has occurred.
3787
3788 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
3789 IDLE, or VOID
3790 The state of the connection to the manager:
3791
3792 VOID Connection is disabled.
3793
3794 BACKOFF
3795 Attempting to reconnect at an increasing period.
3796
3797 CONNECTING
3798 Attempting to connect.
3799
3800 ACTIVE Connected, remote host responsive.
3801
3802 IDLE Connection is idle. Waiting for response to keep-alive.
3803
3804 These values may change in the future. They are provided only
3805 for human consumption.
3806
3807 status : sec_since_connect: optional string, containing an integer, at
3808 least 0
3809 The amount of time since this client last successfully connected
3810 to the database (in seconds). Value is empty if client has never
3811 successfully been connected.
3812
3813 status : sec_since_disconnect: optional string, containing an integer,
3814 at least 0
3815 The amount of time since this client last disconnected from the
3816 database (in seconds). Value is empty if client has never dis‐
3817 connected.
3818
3819 status : locks_held: optional string
3820 Space-separated list of the names of OVSDB locks that the con‐
3821 nection holds. Omitted if the connection does not hold any
3822 locks.
3823
3824 status : locks_waiting: optional string
3825 Space-separated list of the names of OVSDB locks that the con‐
3826 nection is currently waiting to acquire. Omitted if the connec‐
3827 tion is not waiting for any locks.
3828
3829 status : locks_lost: optional string
3830 Space-separated list of the names of OVSDB locks that the con‐
3831 nection has had stolen by another OVSDB client. Omitted if no
3832 locks have been stolen from this connection.
3833
3834 status : n_connections: optional string, containing an integer, at
3835 least 2
3836 When target specifies a connection method that listens for in‐
3837 bound connections (e.g. ptcp: or pssl:) and more than one con‐
3838 nection is actually active, the value is the number of active
3839 connections. Otherwise, this key-value pair is omitted.
3840
3841 status : bound_port: optional string, containing an integer
3842 When target is ptcp: or pssl:, this is the TCP port on which the
3843 OVSDB server is listening. (This is particularly useful when
3844 target specifies a port of 0, allowing the kernel to choose any
3845 available port.)
3846
3847 Common Columns:
3848
3849 The overall purpose of these columns is described under Common Columns
3850 at the beginning of this document.
3851
3852 external_ids: map of string-string pairs
3853
3854 other_config: map of string-string pairs
3855
3856 DNS TABLE
3857 Each row in this table stores the DNS records. The Logical_Switch ta‐
3858 ble’s dns_records references these records.
3859
3860 Summary:
3861 records map of string-string pairs
3862 external_ids map of string-string pairs
3863
3864 Details:
3865 records: map of string-string pairs
3866 Key-value pair of DNS records with DNS query name as the key and
3867 value as a string of IP address(es) separated by comma or space.
3868 For PTR requests, the key-value pair can be Reverse IPv4 ad‐
3869 dress.in-addr.arpa and the value DNS domain name. For IPv6 ad‐
3870 dresses, the key has to be Reverse IPv6 address.ip6.arpa.
3871
3872 Example: "vm1.ovn.org" = "10.0.0.4 aef0::4"
3873
3874 Example: "4.0.0.10.in-addr.arpa" = "vm1.ovn.org"
3875
3876 external_ids: map of string-string pairs
3877 See External IDs at the beginning of this document.
3878
3879 SSL TABLE
3880 SSL configuration for ovn-nb database access.
3881
3882 Summary:
3883 private_key string
3884 certificate string
3885 ca_cert string
3886 bootstrap_ca_cert boolean
3887 ssl_protocols string
3888 ssl_ciphers string
3889 Common Columns:
3890 external_ids map of string-string pairs
3891
3892 Details:
3893 private_key: string
3894 Name of a PEM file containing the private key used as the
3895 switch’s identity for SSL connections to the controller.
3896
3897 certificate: string
3898 Name of a PEM file containing a certificate, signed by the cer‐
3899 tificate authority (CA) used by the controller and manager, that
3900 certifies the switch’s private key, identifying a trustworthy
3901 switch.
3902
3903 ca_cert: string
3904 Name of a PEM file containing the CA certificate used to verify
3905 that the switch is connected to a trustworthy controller.
3906
3907 bootstrap_ca_cert: boolean
3908 If set to true, then Open vSwitch will attempt to obtain the CA
3909 certificate from the controller on its first SSL connection and
3910 save it to the named PEM file. If it is successful, it will im‐
3911 mediately drop the connection and reconnect, and from then on
3912 all SSL connections must be authenticated by a certificate
3913 signed by the CA certificate thus obtained. This option exposes
3914 the SSL connection to a man-in-the-middle attack obtaining the
3915 initial CA certificate. It may still be useful for bootstrap‐
3916 ping.
3917
3918 ssl_protocols: string
3919 List of SSL protocols to be enabled for SSL connections. The de‐
3920 fault when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.
3921
3922 ssl_ciphers: string
3923 List of ciphers (in OpenSSL cipher string format) to be sup‐
3924 ported for SSL connections. The default when this option is
3925 omitted is HIGH:!aNULL:!MD5.
3926
3927 Common Columns:
3928
3929 The overall purpose of these columns is described under Common Columns
3930 at the beginning of this document.
3931
3932 external_ids: map of string-string pairs
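
An added example (not from the OVN manual or project) that audits one SSL row, given as a dict keyed by the column names above, and shows a weak row beside a hardened one. It assumes an empty string means the column is omitted, that protocol names are separated by commas or whitespace, and that the risky-keyword list is this example's own policy; the PEM paths are placeholders.

```python
import re

# Defaults this page documents for omitted columns.
DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996
# OpenSSL cipher-string keywords this example's policy refuses to enable.
RISKY_CIPHER_WORDS = {"ALL", "LOW", "EXPORT", "NULL", "eNULL", "aNULL",
                      "MD5", "RC4", "DES"}

def effective(row, column, default):
    """Value in force: the row's value, or the documented default if empty."""
    return row.get(column) or default

def audit_ssl_row(row):
    """Return (column, message) findings for one SSL-table row."""
    findings = []
    if row.get("bootstrap_ca_cert") is True:
        findings.append(("bootstrap_ca_cert",
                         "first connection trusts an unauthenticated CA certificate"))
    for column in ("private_key", "certificate", "ca_cert"):
        if not row.get(column):
            findings.append((column, "no PEM file named"))
    protocols = effective(row, "ssl_protocols", DEFAULT_PROTOCOLS)
    origin = "set" if row.get("ssl_protocols") else "default"
    for proto in re.split(r"[,\s]+", protocols.strip()):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(("ssl_protocols", f"{proto} enabled ({origin})"))
    for term in effective(row, "ssl_ciphers", DEFAULT_CIPHERS).split(":"):
        if term.startswith(("!", "-")):  # exclusions and removals are fine
            continue
        for word in term.lstrip("+").split("+"):
            if word in RISKY_CIPHER_WORDS:
                findings.append(("ssl_ciphers", f"{word} enabled"))
    return findings

# Constructed rows for illustration.
WEAK_ROW = {"private_key": "/path/to/key.pem", "certificate": "/path/to/cert.pem",
            "ca_cert": "/path/to/cacert.pem", "bootstrap_ca_cert": True,
            "ssl_protocols": "", "ssl_ciphers": "ALL:!eNULL"}
HARDENED_ROW = dict(WEAK_ROW, bootstrap_ca_cert=False, ssl_protocols="TLSv1.2",
                    ssl_ciphers="HIGH:!aNULL:!MD5")

if __name__ == "__main__":
    for name, row in (("weak", WEAK_ROW), ("hardened", HARDENED_ROW)):
        print(name, audit_ssl_row(row))
```

Leaving ssl_protocols empty is flagged because the documented default still enables TLSv1 and TLSv1.1.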

Association of a chassis to a logical router port. The traffic going
out through a specific router port will be redirected to a chassis, or
a set of them in high availability configurations.

Summary:
    name                 string (must be unique within table)
    chassis_name         string
    priority             integer, in range 0 to 32,767
    options              map of string-string pairs
    Common Columns:
        external_ids     map of string-string pairs

Details:
name: string (must be unique within table)
    Name of the Gateway_Chassis.

    A suggested, but not required, naming convention is
    ${port_name}_${chassis_name}.

chassis_name: string
    Name of the chassis that we want to redirect traffic through for
    the associated logical router port. The value must match the
    name column of the Chassis table in the OVN_Southbound database.

priority: integer, in range 0 to 32,767
    This is the priority of a chassis among all Gateway_Chassis
    belonging to the same logical router port.

options: map of string-string pairs
    Reserved for future use.

Common Columns:

external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

Table representing a group of chassis which can provide high
availability services. Each chassis in the group is represented by the
table HA_Chassis. The HA chassis with highest priority will be the
master of this group. If the master chassis failover is detected, the
HA chassis with the next higher priority takes over the responsibility
of providing the HA. If a distributed gateway router port references a
row in this table, then the master HA chassis in this group provides
the gateway functionality.

Summary:
    name                 string (must be unique within table)
    ha_chassis           set of HA_Chassises
    Common Columns:
        external_ids     map of string-string pairs

Details:
name: string (must be unique within table)
    Name of the HA_Chassis_Group. Name should be unique.

ha_chassis: set of HA_Chassises
    A list of HA chassis which belong to this group.

Common Columns:

external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

Summary:
    chassis_name         string
    priority             integer, in range 0 to 32,767
    Common Columns:
        external_ids     map of string-string pairs

Details:
chassis_name: string
    Name of the chassis which is part of the HA chassis group. The
    value must match the name column of the Chassis table in the
    OVN_Southbound database.

priority: integer, in range 0 to 32,767
    Priority of the chassis. Chassis with highest priority will be
    the master.

Common Columns:

external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

Contains BFD parameters for ovn-controller BFD configuration. The OVN
BFD implementation is used to provide detection of failures in the path
between adjacent forwarding engines, including the OVN interfaces. OVN
BFD provides link status info to OVN northd in order to update logical
flows according to the status of BFD endpoints. In the current
implementation OVN BFD is used to check next-hop status for ECMP
routes. Note that the BFD table refers to the OVN BFD implementation
and not to the legacy OVS one.

Summary:
    Configuration:
        logical_port     string
        dst_ip           string
        min_tx           optional integer, at least 1
        min_rx           optional integer
        detect_mult      optional integer, at least 1
        options          map of string-string pairs
        external_ids     map of string-string pairs
    Status Reporting:
        status           optional string, one of admin_down, down,
                         init, or up

Details:
Configuration:

ovn-northd reads configuration from these columns.

logical_port: string
    OVN logical port where the BFD engine is running.

dst_ip: string
    BFD peer IP address.

min_tx: optional integer, at least 1
    This is the minimum interval, in milliseconds, that the local
    system would like to use when transmitting BFD Control packets,
    less any jitter applied. The value zero is reserved. Default
    value is 1000 ms.

min_rx: optional integer
    This is the minimum interval, in milliseconds, between received
    BFD Control packets that this system is capable of supporting,
    less any jitter applied by the sender. If this value is zero,
    the transmitting system does not want the remote system to send
    any periodic BFD Control packets.

detect_mult: optional integer, at least 1
    Detection time multiplier. The negotiated transmit interval,
    multiplied by this value, provides the Detection Time for the
    receiving system in Asynchronous mode. Default value is 5.

options: map of string-string pairs
    Reserved for future use.

external_ids: map of string-string pairs
    See External IDs at the beginning of this document.

Status Reporting:

ovn-northd writes BFD status into these columns.

status: optional string, one of admin_down, down, init, or up
    BFD port logical states. Possible values are:

    • admin_down
    • down
    • init
    • up

Each record represents a Static_MAC_Binding entry for a logical router.

Summary:
    Configuration:
        logical_port            string
        ip                      string
        mac                     string
        override_dynamic_mac    boolean

Details:
Configuration:

ovn-northd reads configuration from these columns and propagates the
value to SBDB.

logical_port: string
    The logical router port for the binding.

ip: string
    The bound IP address.

mac: string
    The Ethernet address to which the IP is bound.

override_dynamic_mac: boolean
    Override dynamically learnt MACs.

One record per chassis, each containing a map, variables, between
template variable names and their value for that specific chassis. A
template variable has a name and potentially different values on
different hypervisors in the OVN cluster. For example, two rows,
R1 = (.chassis=C1, variables={(N: V1)}) and
R2 = (.chassis=C2, variables={(N: V2)}), will make ovn-controller
running on chassis C1 and C2 interpret the token N either as V1 (on C1)
or as V2 (on C2). Users can refer to template variables from within
other logical components, e.g., within ACL, QoS or
Logical_Router_Policy matches or from Load_Balancer VIP and backend
definitions.

If a template variable is referenced on a chassis for which that
variable is not defined, then ovn-controller running on that chassis
will just interpret it as a raw string literal.

Summary:
    chassis              string (must be unique within table)
    variables            map of string-string pairs
    Common Columns:
        external_ids     map of string-string pairs

Details:
chassis: string (must be unique within table)
    The chassis this set of variable values applies to.

variables: map of string-string pairs
    The set of variable values for a given chassis.

Common Columns:

external_ids: map of string-string pairs
    See External IDs at the beginning of this document.
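
The per-chassis substitution and the raw-literal fallback described above can be modelled as follows. This is an added example, not OVN code. The rows extend the page's R1/R2 with a constructed VIP variable and a constructed chassis C3, and the set of referenced variable names is assumed to have been collected by the caller from the ACL, QoS, policy and load balancer rows that use them.

```python
# Constructed Chassis_Template_Var rows, shaped like the page's R1 and R2.
ROWS = [
    {"chassis": "C1", "variables": {"N": "V1", "VIP": "192.0.2.10"}},
    {"chassis": "C2", "variables": {"N": "V2"}},
]

def resolve(token, chassis, rows):
    """Value a chassis substitutes for a token.

    A token with no definition on that chassis comes back unchanged,
    mirroring the raw-string-literal fallback described above.
    """
    for row in rows:
        if row["chassis"] == chassis:
            return row["variables"].get(token, token)
    return token  # chassis has no row at all

def undefined_references(referenced, chassis_names, rows):
    """Map each referenced variable to the chassis lacking a value for it.

    Every entry returned is a place where a match or VIP that uses the
    variable would silently be evaluated with the literal name instead.
    """
    defined = {row["chassis"]: set(row["variables"]) for row in rows}
    gaps = {}
    for var in sorted(referenced):
        missing = [c for c in chassis_names if var not in defined.get(c, set())]
        if missing:
            gaps[var] = missing
    return gaps

if __name__ == "__main__":
    for chassis in ("C1", "C2", "C3"):
        print(chassis, resolve("N", chassis, ROWS), resolve("VIP", chassis, ROWS))
    print(undefined_references({"N", "VIP"}, ["C1", "C2", "C3"], ROWS))
```

Running the coverage check before a rule that references a variable is rolled out catches chassis where the rule would otherwise be evaluated against the bare variable name.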

Open vSwitch 23.09.2 DB Schema 7.1.0 ovn-nb(5)