ovn-nb(5)                     Open vSwitch Manual                    ovn-nb(5)


NAME

       ovn-nb - OVN_Northbound database schema

       This database is the interface between OVN and the cloud management
       system (CMS), such as OpenStack, running above it. The CMS produces
       almost all of the contents of the database. The ovn-northd program
       monitors the database contents, transforms it, and stores it into the
       OVN_Southbound database.

       We generally speak of "the" CMS, but one can imagine scenarios in
       which multiple CMSes manage different parts of an OVN deployment.

   External IDs
       Each of the tables in this database contains a special column, named
       external_ids. This column has the same form and purpose each place it
       appears.

              external_ids: map of string-string pairs
                     Key-value pairs for use by the CMS. The CMS might use
                     certain pairs, for example, to identify entities in its
                     own configuration that correspond to those in this
                     database.

TABLE SUMMARY

       The following list summarizes the purpose of each of the tables in the
       OVN_Northbound database. Each table is described in more detail on a
       later page.

       Table                         Purpose
       NB_Global                     Northbound configuration
       Copp                          Control plane protection
       Logical_Switch                L2 logical switch
       Logical_Switch_Port           L2 logical switch port
       Forwarding_Group              forwarding group
       Address_Set                   Address Sets
       Port_Group                    Port Groups
       Load_Balancer                 load balancer
       Load_Balancer_Group           load balancer group
       Load_Balancer_Health_Check    load balancer
       ACL                           Access Control List (ACL) rule
       Logical_Router                L3 logical router
       QoS                           QoS rule
       Mirror                        Mirror Entry
       Meter                         Meter entry
       Meter_Band                    Band for meter entries
       Logical_Router_Port           L3 logical router port
       Logical_Router_Static_Route   Logical router static routes
       Logical_Router_Policy         Logical router policies
       NAT                           NAT rules
       DHCP_Options                  DHCP options
       Connection                    OVSDB client connections.
       DNS                           Native DNS resolution
       SSL                           SSL configuration.
       Gateway_Chassis               Gateway_Chassis configuration.
       HA_Chassis_Group              HA_Chassis_Group configuration.
       HA_Chassis                    HA_Chassis configuration.
       BFD                           BFD configuration.
       Static_MAC_Binding            Static_MAC_Binding configuration.
       Chassis_Template_Var          Chassis_Template_Var configuration.

NB_Global TABLE

       Northbound configuration for an OVN system. This table must have
       exactly one row.

   Summary:
       Identity:
         name                        string
       Status:
         nb_cfg                      integer
         nb_cfg_timestamp            integer
         sb_cfg                      integer
         sb_cfg_timestamp            integer
         hv_cfg                      integer
         hv_cfg_timestamp            integer
       Common Columns:
         external_ids                map of string-string pairs
       Common options:
         options                     map of string-string pairs
         Options for configuring OVS BFD:
            options : bfd-min-rx     optional string
            options : bfd-decay-min-rx
                                     optional string
            options : bfd-min-tx     optional string
            options : bfd-mult       optional string
         options : mac_prefix        optional string
         options : mac_binding_removal_limit
                                     optional string, containing an integer,
                                     in range 0 to 4,294,967,295
         options : fdb_removal_limit
                                     optional string, containing an integer,
                                     in range 0 to 4,294,967,295
         options : controller_event  optional string, either true or false
         options : northd_probe_interval
                                     optional string
         options : ic_probe_interval
                                     optional string
         options : nbctl_probe_interval
                                     optional string
         options : northd_trim_timeout
                                     optional string
         options : use_logical_dp_groups
                                     optional string
         options : use_parallel_build
                                     optional string
         options : ignore_lsp_down   optional string
         options : use_ct_inv_match  optional string
         options : default_acl_drop  optional string
         options : debug_drop_domain_id
                                     optional string
         options : debug_drop_collector_set
                                     optional string
         options : use_common_zone   optional string, either true or false
         options : northd-backoff-interval-ms
                                     optional string
         Options for configuring interconnection route advertisement:
            options : ic-route-adv   optional string
            options : ic-route-learn optional string
            options : ic-route-adv-default
                                     optional string
            options : ic-route-learn-default
                                     optional string
            options : ic-route-blacklist
                                     optional string
       Connection Options:
         connections                 set of Connections
         ssl                         optional SSL
       Security Configurations:
         ipsec                       boolean
       Read-only Options:
         options : max_tunid         optional string

   Details:
     Identity:

       name: string
              The name of the OVN cluster, which uniquely identifies the OVN
              cluster throughout all OVN clusters supposed to interconnect
              with each other.

     Status:

       These columns allow a client to track the overall configuration state
       of the system.

       nb_cfg: integer
              Sequence number for client to increment. When a client modifies
              any part of the northbound database configuration and wishes to
              wait for ovn-northd and possibly all of the hypervisors to
              finish applying the changes, it may increment this sequence
              number.

       nb_cfg_timestamp: integer
              The timestamp, in milliseconds since the epoch, when ovn-northd
              sees the latest nb_cfg and starts processing.

              To print the timestamp as a human-readable date:

                        date -d "@$(ovn-nbctl get NB_Global . nb_cfg_timestamp | sed 's/...$//')"

       sb_cfg: integer
              Sequence number that ovn-northd sets to the value of nb_cfg
              after it finishes applying the corresponding configuration
              changes to the OVN_Southbound database.

       sb_cfg_timestamp: integer
              The timestamp, in milliseconds since the epoch, when ovn-northd
              finishes applying the corresponding configuration changes to the
              OVN_Southbound database successfully.

       hv_cfg: integer
              Sequence number that ovn-northd sets to the smallest sequence
              number of all the chassis in the system, as reported in the
              Chassis_Private table in the southbound database. Thus, hv_cfg
              equals nb_cfg if all chassis are caught up with the northbound
              configuration (which may never happen, if any chassis is down).
              This value can regress, if a chassis was removed from the system
              and rejoins before catching up.

              If there are no chassis, then ovn-northd copies nb_cfg to
              hv_cfg. Thus, in this case, the (nonexistent) hypervisors are
              always considered to be caught up. This means that hypervisors
              can be "caught up" even in cases where sb_cfg would show that
              the southbound database is not. To detect when both the
              hypervisors and the southbound database are caught up, a client
              should take the smaller of sb_cfg and hv_cfg.

       hv_cfg_timestamp: integer
              The largest timestamp, in milliseconds since the epoch, of the
              smallest sequence number of all the chassis in the system, as
              reported in the Chassis_Private table in the southbound
              database. In other words, this timestamp reflects the time when
              the slowest chassis catches up with the northbound
              configuration, which is useful for end-to-end control plane
              latency measurement.

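The following is an added example, not part of the OVN manual or the OVN code base. It applies the rule above (take the smaller of sb_cfg and hv_cfg) to decide whether a configuration change has fully propagated, and derives latencies from the timestamp columns. The `run` hook, the report field names and the sample rows are assumptions made for illustration; the sample rows are constructed.

```python
import subprocess

STATUS_COLUMNS = ["nb_cfg", "nb_cfg_timestamp", "sb_cfg", "sb_cfg_timestamp",
                  "hv_cfg", "hv_cfg_timestamp"]


def read_status(run=None):
    """Read the NB_Global status columns as integers.

    `run` is a hypothetical injection point (argv list -> stdout text) so the
    logic can be exercised offline; by default it invokes ovn-nbctl, which
    prints one value per requested column.
    """
    if run is None:
        def run(argv):
            return subprocess.run(argv, check=True, capture_output=True,
                                  text=True).stdout
    out = run(["ovn-nbctl", "get", "NB_Global", "."] + STATUS_COLUMNS)
    values = [int(v) for v in out.split()]
    if len(values) != len(STATUS_COLUMNS):
        raise ValueError("unexpected ovn-nbctl output: %r" % out)
    return dict(zip(STATUS_COLUMNS, values))


def applied_seq(status):
    """Newest sequence number applied by both the SB database and all chassis."""
    return min(status["sb_cfg"], status["hv_cfg"])


def sync_report(status, target=None):
    """Summarize propagation of `target` (default: the current nb_cfg)."""
    target = status["nb_cfg"] if target is None else target
    report = {
        "target": target,
        "southbound_caught_up": status["sb_cfg"] >= target,
        "hypervisors_caught_up": status["hv_cfg"] >= target,
        "fully_applied": applied_seq(status) >= target,
        "northd_latency_ms": None,
        "end_to_end_latency_ms": None,
    }
    # Each timestamp describes the sequence number currently stored in its
    # column, so a difference is meaningful only when those numbers agree.
    if status["sb_cfg"] == status["nb_cfg"]:
        report["northd_latency_ms"] = (
            status["sb_cfg_timestamp"] - status["nb_cfg_timestamp"])
    if report["fully_applied"] and status["hv_cfg"] == status["nb_cfg"]:
        report["end_to_end_latency_ms"] = (
            status["hv_cfg_timestamp"] - status["nb_cfg_timestamp"])
    return report


# Constructed sample rows (not captured from a real deployment).
IN_FLIGHT = {"nb_cfg": 8, "nb_cfg_timestamp": 1700000000000,
             "sb_cfg": 8, "sb_cfg_timestamp": 1700000000040,
             "hv_cfg": 7, "hv_cfg_timestamp": 1699999990000}
# No chassis registered: hv_cfg is copied from nb_cfg while sb_cfg still lags.
NO_CHASSIS_EDGE = {"nb_cfg": 8, "nb_cfg_timestamp": 1700000000000,
                   "sb_cfg": 7, "sb_cfg_timestamp": 1699999990040,
                   "hv_cfg": 8, "hv_cfg_timestamp": 1699999990000}
SETTLED = {"nb_cfg": 8, "nb_cfg_timestamp": 1700000000000,
           "sb_cfg": 8, "sb_cfg_timestamp": 1700000000040,
           "hv_cfg": 8, "hv_cfg_timestamp": 1700000000350}

if __name__ == "__main__":
    for name, row in [("in flight", IN_FLIGHT),
                      ("no chassis", NO_CHASSIS_EDGE),
                      ("settled", SETTLED)]:
        print(name, sync_report(row))
```
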
     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

     Common options:

       options: map of string-string pairs
              This column provides general key/value settings. The supported
              options are described individually below.

     Options for configuring OVS BFD:

       These options apply when ovn-controller configures OVS BFD on tunnel
       interfaces. Please note these parameters refer to the legacy OVS BFD
       implementation and not to the OVN BFD one.

       options : bfd-min-rx: optional string
              BFD option min-rx value to use when configuring BFD on tunnel
              interfaces.

       options : bfd-decay-min-rx: optional string
              BFD option decay-min-rx value to use when configuring BFD on
              tunnel interfaces.

       options : bfd-min-tx: optional string
              BFD option min-tx value to use when configuring BFD on tunnel
              interfaces.

       options : bfd-mult: optional string
              BFD option mult value to use when configuring BFD on tunnel
              interfaces.

       options : mac_prefix: optional string
              Configure a given OUI to be used as prefix when L2 address is
              dynamically assigned, e.g. 00:11:22

       options : mac_binding_removal_limit: optional string, containing an
       integer, in range 0 to 4,294,967,295
              MAC binding aging bulk removal limit. This limits how many rows
              can expire in a single transaction. Default value is 0, which is
              unlimited. When we hit the limit, the next batch removal is
              delayed by 5 s.

       options : fdb_removal_limit: optional string, containing an integer, in
       range 0 to 4,294,967,295
              FDB aging bulk removal limit. This limits how many rows can
              expire in a single transaction. Default value is 0, which is
              unlimited. When we hit the limit, the next batch removal is
              delayed by 5 s.

       options : controller_event: optional string, either true or false
              Value set by the CMS to enable/disable ovn-controller event
              reporting. Traffic into OVS can raise a 'controller' event that
              results in a Controller_Event being written to the
              Controller_Event table in SBDB. When the CMS has seen the event
              and taken appropriate action, it can remove the corresponding
              row in Controller_Event table. The intention is for a CMS to see
              the events and take some sort of action. Please see the
              Controller_Event table in SBDB. It is possible to associate a
              meter to each controller event type in order to not overload the
              pinctrl thread under heavy load. Each event type relies on a
              meter with a defined name:

              •      empty_lb_backends: event-elb

       options : northd_probe_interval: optional string
              The inactivity probe interval of the connection to the OVN
              Northbound and Southbound databases from ovn-northd, in
              milliseconds. If the value is zero, it disables the connection
              keepalive feature.

              If the value is nonzero, then it will be forced to a value of at
              least 1000 ms.

       options : ic_probe_interval: optional string
              The inactivity probe interval of the connection to the OVN
              Northbound and Southbound databases from ovn-ic, in
              milliseconds. If the value is zero, it disables the connection
              keepalive feature.

              If the value is nonzero, then it will be forced to a value of at
              least 1000 ms.

       options : nbctl_probe_interval: optional string
              The inactivity probe interval of the connection to the OVN
              Northbound database from ovn-nbctl utility, in milliseconds. If
              the value is zero, it disables the connection keepalive feature.

              If the value is nonzero, then it will be forced to a value of at
              least 1000 ms.

              If the value is less than zero, then the default inactivity
              probe interval for ovn-nbctl would be left intact (120000 ms).

       options : northd_trim_timeout: optional string
              When used, this configuration value specifies the time, in
              milliseconds, since the last ovn-northd active operation after
              which memory trimming is performed. By default this is set to
              30000 (30 seconds).

       options : use_logical_dp_groups: optional string
              Note: This option is deprecated, the only behavior is to always
              combine logical flows by datapath groups. Changing the value or
              removing this option altogether will have no effect.

              ovn-northd combines logical flows that differ only by logical
              datapath into a single logical flow with logical datapath group
              attached.

       options : use_parallel_build: optional string
              If set to true, ovn-northd will attempt to compute logical flows
              in parallel.

              Parallel computation is enabled only if the system has 4 or more
              cores/threads available to be used by ovn-northd.

              The default value is false.

       options : ignore_lsp_down: optional string
              If set to false, ARP/ND reply flows for logical switch ports
              will be installed only if the port is up, i.e. claimed by a
              Chassis. If set to true, these flows are installed regardless of
              the status of the port, which can result in a situation that ARP
              request to an IP is resolved even before the relevant
              VM/container is running. For environments where this is not an
              issue, setting it to true can reduce the load and latency of the
              control plane. The default value is true.

       options : use_ct_inv_match: optional string
              If set to false, ovn-northd will not use the ct.inv field in any
              of the logical flow matches. The default value is true. If the
              NIC supports offloading OVS datapath flows but doesn't support
              offloading ct_state inv flag, then the datapath flows matching
              on this flag (either +inv or -inv) will not be offloaded. CMS
              should consider setting use_ct_inv_match to false in such cases.
              This results in a side effect of the invalid packets getting
              delivered to the destination VIF, which otherwise would have
              been dropped by OVN.

       options : default_acl_drop: optional string
              If set to true, ovn-northd will generate a logical flow to drop
              all traffic in the ACL stages. By default this option is set to
              false.

       options : debug_drop_domain_id: optional string
              If set to an 8-bit number and if debug_drop_collector_set is
              also configured, ovn-northd will add a sample action to every
              logical flow that contains a 'drop' action. The 8 most
              significant bits of the observation_domain_id field will be
              those specified in the debug_drop_domain_id. The 24 least
              significant bits of the observation_domain_id field will be the
              datapath's key.

              The observation_point_id will be set to the first 32 bits of the
              logical flow's UUID.

       options : debug_drop_collector_set: optional string
              If set to a 32-bit number ovn-northd will add a sample action to
              every logical flow that contains a 'drop' action. The sample
              action will have the specified collector_set_id. The value must
              match that of the local OVS configuration as described in
              ovs-actions(7).

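The following is an added example, not part of the OVN manual or the OVN code base. It decodes the observation_domain_id and observation_point_id layout described above so that drop samples arriving at a collector can be attributed to a datapath and to candidate logical flows. The function names, the datapath names, the UUIDs and the sample pairs are constructed for illustration.

```python
import uuid

DOMAIN_BITS = 8    # debug_drop_domain_id occupies the 8 most significant bits
KEY_BITS = 24      # the datapath's key occupies the 24 least significant bits


def observation_domain_id(domain_id, datapath_key):
    """Compose the 32-bit observation_domain_id from its two fields."""
    if not 0 <= domain_id < (1 << DOMAIN_BITS):
        raise ValueError("debug_drop_domain_id must fit in 8 bits")
    if not 0 <= datapath_key < (1 << KEY_BITS):
        raise ValueError("datapath key must fit in 24 bits")
    return (domain_id << KEY_BITS) | datapath_key


def split_observation_domain_id(value):
    """Return (domain_id, datapath_key) for a 32-bit observation_domain_id."""
    if not 0 <= value < (1 << 32):
        raise ValueError("observation_domain_id must fit in 32 bits")
    return value >> KEY_BITS, value & ((1 << KEY_BITS) - 1)


def observation_point_id(lflow_uuid):
    """First 32 bits of the logical flow's UUID."""
    return uuid.UUID(lflow_uuid).int >> 96


def attribute_drops(samples, domain_id, datapaths, lflow_uuids):
    """Attribute (observation_domain_id, observation_point_id) pairs.

    Samples whose top 8 bits differ from `domain_id` did not come from the
    drop-debugging sample actions and are skipped. A 32-bit point id is only
    a UUID prefix, so every logical flow sharing that prefix is returned.
    """
    by_point = {}
    for flow in lflow_uuids:
        by_point.setdefault(observation_point_id(flow), []).append(flow)
    results = []
    for domain_field, point_field in samples:
        domain, key = split_observation_domain_id(domain_field)
        if domain != domain_id:
            continue
        results.append({
            "datapath_key": key,
            "datapath": datapaths.get(key, "<unknown datapath>"),
            "lflows": by_point.get(point_field, []),
        })
    return results


# Constructed inputs: datapath keys mapped to names, logical flow UUIDs, and
# (observation_domain_id, observation_point_id) pairs as a collector sees them.
DATAPATHS = {5: "ls-web", 9: "lr-edge"}
LFLOWS = ["3f2a9c10-6b1e-4d52-9a77-0c1d2e3f4a5b",
          "3f2a9c10-ffff-4000-8000-000000000002",   # same 32-bit prefix
          "a1b2c3d4-1111-4222-8333-444455556666"]
SAMPLES = [(0x2A000005, 0x3F2A9C10),
           (0x2A000009, 0xA1B2C3D4),
           (0x07000005, 0xA1B2C3D4),   # other domain id, ignored
           (0x2A000063, 0xDEADBEEF)]   # unknown datapath and flow

if __name__ == "__main__":
    for row in attribute_drops(SAMPLES, 0x2A, DATAPATHS, LFLOWS):
        print(row)
```
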
       options : use_common_zone: optional string, either true or false
              Default value is false. If set to true the SNAT and DNAT happens
              in common zone, instead of happening in separate zones,
              depending on the configuration. However, this option breaks
              traffic when there is configuration of DGP + LB + SNAT on this
              LR. The value true should be used only in case of HWOL
              compatibility with GDP.

       options : northd-backoff-interval-ms: optional string
              Maximum interval that the northd incremental engine is delayed
              by in milliseconds. Setting the value to nonzero delays the next
              northd engine run by the previous run time, capped by the
              specified value. If the value is zero the engine won't be
              delayed at all. The recommended period is smaller than 500 ms,
              beyond that the latency of SB changes would be very noticeable.

     Options for configuring interconnection route advertisement:

       These options control how routes are advertised between OVN deployments
       for interconnection. If enabled, ovn-ic from different OVN deployments
       exchanges routes between each other through the global
       OVN_IC_Southbound database. Only routers with ports connected to
       interconnection transit switches participate in route advertisement.
       For each of these routers, there are two types of routes to be
       advertised:

       Firstly, the static routes configured in the router are advertised.

       Secondly, the networks configured in the logical router ports that are
       not on the transit switches are advertised. These are considered as
       directly connected subnets on the router.

       Link local prefixes (IPv4 169.254.0.0/16 and IPv6 FE80::/10) are never
       advertised.

       The learned routes are added to the static_routes column of the
       Logical_Router table, with external_ids:ic-learned-route set to the
       uuid of the row in Route table of the OVN_IC_Southbound database.

       options : ic-route-adv: optional string
              A boolean value that enables route advertisement to the global
              OVN_IC_Southbound database. Default is false.

       options : ic-route-learn: optional string
              A boolean value that enables route learning from the global
              OVN_IC_Southbound database. Default is false.

       options : ic-route-adv-default: optional string
              A boolean value that enables advertising default route to the
              global OVN_IC_Southbound database. Default is false. This option
              takes effect only when option ic-route-adv is true.

       options : ic-route-learn-default: optional string
              A boolean value that enables learning default route from the
              global OVN_IC_Southbound database. Default is false. This option
              takes effect only when option ic-route-learn is true.

       options : ic-route-blacklist: optional string
              A string value that contains a list of CIDRs delimited by ",". A
              route will not be advertised or learned if the route's prefix
              belongs to any of the CIDRs listed.

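The following is an added example, not part of the OVN manual and not ovn-ic's own logic. It models the interconnection route options above so that an operator can check, before changing NB_Global options, which prefixes would cross between deployments. It assumes that "belongs to" means the route prefix is equal to or contained in a listed CIDR, that only the string "true" enables a boolean option, and that the order of the checks does not matter; the function names, reason strings and sample options are constructed.

```python
import ipaddress

# Link local prefixes are never advertised (from the text above).
LINK_LOCAL = (ipaddress.ip_network("169.254.0.0/16"),
              ipaddress.ip_network("fe80::/10"))


def _flag(options, key):
    """Assumption: an option is enabled only when its value is "true"."""
    return options.get(key, "false").strip().lower() == "true"


def _within(prefix, cidrs):
    """True if `prefix` is contained in any CIDR of the same IP version."""
    return any(prefix.version == cidr.version and prefix.subnet_of(cidr)
               for cidr in cidrs)


def parse_blacklist(options):
    """Parse the comma-delimited ic-route-blacklist value into networks."""
    raw = options.get("ic-route-blacklist", "")
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in raw.split(",") if item.strip()]


def route_decision(prefix, options, direction="adv"):
    """Return (allowed, reason) for advertising ("adv") or learning ("learn")."""
    if direction not in ("adv", "learn"):
        raise ValueError("direction must be 'adv' or 'learn'")
    net = ipaddress.ip_network(prefix, strict=False)
    if not _flag(options, "ic-route-%s" % direction):
        return False, "disabled"
    if direction == "adv" and _within(net, LINK_LOCAL):
        return False, "link-local"
    if net.prefixlen == 0 and not _flag(options,
                                        "ic-route-%s-default" % direction):
        return False, "default-route"
    if _within(net, parse_blacklist(options)):
        return False, "blacklisted"
    return True, "allowed"


# Constructed NB_Global options for the demonstration.
SAMPLE_OPTIONS = {
    "ic-route-adv": "true",
    "ic-route-learn": "true",
    "ic-route-blacklist": "10.0.0.0/8, fd00:bad::/32",
}

if __name__ == "__main__":
    for candidate in ("10.1.2.0/24", "192.168.10.0/24", "0.0.0.0/0",
                      "169.254.7.0/24", "fd00:bad:1::/48"):
        print(candidate, route_decision(candidate, SAMPLE_OPTIONS))
```
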
     Connection Options:

       connections: set of Connections
              Database clients to which the Open vSwitch database server
              should connect or on which it should listen, along with options
              for how these connections should be configured. See the
              Connection table for more information.

       ssl: optional SSL
              Global SSL configuration.

     Security Configurations:

       ipsec: boolean
              Tunnel encryption configuration. If this column is set to be
              true, all OVN tunnels will be encrypted with IPsec.

     Read-only Options:

       options : max_tunid: optional string
              The maximum supported tunnel ID. Depends on types of
              encapsulation enabled in the cluster.

Copp TABLE

       This table is used to define control plane protection policies, i.e.,
       associate entries from table Meter to control protocol names.

   Summary:
       name                          string (must be unique within table)
       meters : arp                  optional string
       meters : arp-resolve          optional string
       meters : dhcpv4-opts          optional string
       meters : dhcpv6-opts          optional string
       meters : dns                  optional string
       meters : event-elb            optional string
       meters : icmp4-error          optional string
       meters : icmp6-error          optional string
       meters : igmp                 optional string
       meters : nd-na                optional string
       meters : nd-ns                optional string
       meters : nd-ns-resolve        optional string
       meters : nd-ra-opts           optional string
       meters : tcp-reset            optional string
       meters : bfd                  optional string
       meters : reject               optional string
       meters : svc-monitor          optional string
       external_ids                  map of string-string pairs

   Details:
       name: string (must be unique within table)
              CoPP name.

       meters : arp: optional string
              Rate limiting meter for ARP packets (request/reply) used for
              learning neighbors.

       meters : arp-resolve: optional string
              Rate limiting meter for packets that require resolving the
              next-hop (through ARP).

       meters : dhcpv4-opts: optional string
              Rate limiting meter for packets that require adding DHCPv4
              options.

       meters : dhcpv6-opts: optional string
              Rate limiting meter for packets that require adding DHCPv6
              options.

       meters : dns: optional string
              Rate limiting meter for DNS query packets that need to be
              replied to.

       meters : event-elb: optional string
              Rate limiting meter for empty load balancer events.

       meters : icmp4-error: optional string
              Rate limiting meter for packets that require replying with an
              ICMP error.

       meters : icmp6-error: optional string
              Rate limiting meter for packets that require replying with an
              ICMPv6 error.

       meters : igmp: optional string
              Rate limiting meter for IGMP packets.

       meters : nd-na: optional string
              Rate limiting meter for ND neighbor advertisement packets used
              for learning neighbors.

       meters : nd-ns: optional string
              Rate limiting meter for ND neighbor solicitation packets used
              for learning neighbors.

       meters : nd-ns-resolve: optional string
              Rate limiting meter for packets that require resolving the
              next-hop (through ND).

       meters : nd-ra-opts: optional string
              Rate limiting meter for packets that require adding ND router
              advertisement options.

       meters : tcp-reset: optional string
              Rate limiting meter for packets that require replying with TCP
              RST packet.

       meters : bfd: optional string
              Rate limiting meter for BFD packets.

       meters : reject: optional string
              Rate limiting meter for packets that trigger a reject action.

       meters : svc-monitor: optional string
              Rate limiting meter for packets that are arriving to service
              monitor MAC address.

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Logical_Switch TABLE

       Each row represents one L2 logical switch.

       There are two kinds of logical switches, that is, ones that fully
       virtualize the network (overlay logical switches) and ones that provide
       simple connectivity to physical networks (bridged logical switches).
       They work in the same way when providing connectivity between logical
       ports on the same chassis, but differently when connecting remote
       logical ports. Overlay logical switches connect remote logical ports by
       tunnels, while bridged logical switches provide connectivity to remote
       ports by bridging the packets to directly connected physical L2
       segments with the help of localnet ports. Each bridged logical switch
       has one or more localnet ports, which have only one special address
       unknown.

   Summary:
       ports                         set of Logical_Switch_Ports
       load_balancer                 set of weak reference to Load_Balancers
       load_balancer_group           set of Load_Balancer_Groups
       acls                          set of ACLs
       qos_rules                     set of QoSes
       dns_records                   set of weak reference to DNSes
       forwarding_groups             set of Forwarding_Groups
       Naming:
         name                        string
         external_ids : neutron:network_name
                                     optional string
       IP Address Assignment:
         other_config : subnet       optional string
         other_config : exclude_ips  optional string
         other_config : ipv6_prefix  optional string
         other_config : mac_only     optional string, either true or false
         other_config : fdb_age_threshold
                                     optional string, containing an integer,
                                     in range 0 to 4,294,967,295
       IP Multicast Snooping Options:
         other_config : mcast_snoop  optional string, either true or false
         other_config : mcast_querier
                                     optional string, either true or false
         other_config : mcast_flood_unregistered
                                     optional string, either true or false
         other_config : mcast_table_size
                                     optional string, containing an integer,
                                     in range 1 to 32,766
         other_config : mcast_idle_timeout
                                     optional string, containing an integer,
                                     in range 15 to 3,600
         other_config : mcast_query_interval
                                     optional string, containing an integer,
                                     in range 1 to 3,600
         other_config : mcast_query_max_response
                                     optional string, containing an integer,
                                     in range 1 to 10
         other_config : mcast_eth_src
                                     optional string
         other_config : mcast_ip4_src
                                     optional string
         other_config : mcast_ip6_src
                                     optional string
       Interconnection:
         other_config : interconn-ts
                                     optional string
       Tunnel Key:
         other_config : requested-tnl-key
                                     optional string, containing an integer,
                                     in range 1 to 16,777,215
       copp                          optional weak reference to Copp
       Other options:
         other_config : vlan-passthru
                                     optional string, either true or false
         other_config : broadcast-arps-to-all-routers
                                     optional string, either true or false
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       ports: set of Logical_Switch_Ports
              The logical ports connected to the logical switch.

              It is an error for multiple logical switches to include the same
              logical port.

       load_balancer: set of weak reference to Load_Balancers
              Set of load balancers associated to this logical switch.

       load_balancer_group: set of Load_Balancer_Groups
              Set of load balancer groups associated to this logical switch.

       acls: set of ACLs
              Access control rules that apply to packets within the logical
              switch.

       qos_rules: set of QoSes
              QoS marking and metering rules that apply to packets within the
              logical switch.

       dns_records: set of weak reference to DNSes
              This column defines the DNS records to be used for resolving
              internal DNS queries within the logical switch by the native DNS
              resolver. Please see the DNS table.

       forwarding_groups: set of Forwarding_Groups
              Groups a set of logical port endpoints for traffic going out of
              the logical switch.

     Naming:

       These columns provide names for the logical switch. From OVN's
       perspective, these names have no special meaning or purpose other than
       to provide convenience for human interaction with the database. There
       is no requirement for the name to be unique. (For a unique identifier
       for a logical switch, use its row UUID.)

       (Originally, name was intended to serve the purpose of a human-friendly
       name, but the Neutron integration used it to uniquely identify its own
       switch object, in the format neutron-uuid. Later on, Neutron started
       propagating the friendly name of a switch as
       external_ids:neutron:network_name. Perhaps this can be cleaned up
       someday.)

       name: string
              A name for the logical switch.

       external_ids : neutron:network_name: optional string
              Another name for the logical switch.

     IP Address Assignment:

       These options control automatic IP address management (IPAM) for ports
       attached to the logical switch. To enable IPAM for IPv4, set
       other_config:subnet and optionally other_config:exclude_ips. To enable
       IPAM for IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be
       enabled together or separately.
685       external_ids : neutron:network_name: optional string
686              Another name for the logical switch.
687
688     IP Address Assignment:
689
690       These options control automatic IP address management (IPAM) for  ports
691       attached to the logical switch. To enable IPAM for IPv4, set other_con‐
692       fig:subnet and optionally other_config:exclude_ips. To enable IPAM  for
693       IPv6,  set  other_config:ipv6_prefix.  IPv4 and IPv6 may be enabled to‐
694       gether or separately.
695
696       To request dynamic address assignment for a particular  port,  use  the
697       dynamic   keyword   in   the  addresses  column  of  the  port’s  Logi‐
698       cal_Switch_Port row. This requests both an IPv4 and an IPv6 address, if
699       IPAM for IPv4 and IPv6 are both enabled.
700
701       other_config : subnet: optional string
702              Set  this  to  an  IPv4  subnet,  e.g. 192.168.0.0/24, to enable
703              ovn-northd to automatically assign IP addresses within that sub‐
704              net.
705
706       other_config : exclude_ips: optional string
707              To  exclude some addresses from automatic IP address management,
708              set this to a list of the IPv4 addresses or ..-delimited  ranges
709              to  exclude. The addresses or ranges should be a subset of those
710              in other_config:subnet.
711
712              Whether listed or not, ovn-northd will never allocate the  first
713              or   last   address   in   a  subnet,  such  as  192.168.0.0  or
714              192.168.0.255 in 192.168.0.0/24.
715
716              Examples:
717
718              •      192.168.0.2 192.168.0.10
719
720              •      192.168.0.4 192.168.0.30..192.168.0.60
721                     192.168.0.110..192.168.0.120
722
723              •      192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30
724                     192.168.0.144
725
726       other_config : ipv6_prefix: optional string
727              Set this to an IPv6 prefix to enable ovn-northd to automatically
728              assign  IPv6  addresses using this prefix. The assigned IPv6 ad‐
729              dress will be generated using the IPv6 prefix and  the  MAC  ad‐
730              dress  (converted  to an IEEE EUI64 identifier) of the port. The
731              IPv6 prefix defined here should be a valid IPv6  address  ending
732              with ::.
733
734              Examples:
735
736              •      aef0::
737
738              •      bef0:1234:a890:5678::
739
740              •      8230:5678::
741
742       other_config : mac_only: optional string, either true or false
743              Requests assignment of an L2 address only, if neither subnet
744              nor ipv6_prefix is specified.
745
746       other_config : fdb_age_threshold: optional string, containing an  inte‐
747       ger, in range 0 to 4,294,967,295
748              FDB aging threshold value in seconds. FDB entries exceeding this
749              timeout are removed automatically. The value defaults to 0,
750              which means disabled.
751
752     IP Multicast Snooping Options:
753
754       These  options control IP Multicast Snooping configuration of the logi‐
755       cal  switch.  To  enable   IP   Multicast   Snooping   set   other_con‐
756       fig:mcast_snoop  to true. To enable IP Multicast Querier set other_con‐
757       fig:mcast_querier  to  true.  If  IP  Multicast  Querier   is   enabled
758       other_config:mcast_eth_src and other_config:mcast_ip4_src must be set.
759
760       other_config : mcast_snoop: optional string, either true or false
761              Enables/disables  IP  Multicast  Snooping on the logical switch.
762              Default: false.
763
764       other_config : mcast_querier: optional string, either true or false
765              Enables/disables IP Multicast Querier  on  the  logical  switch.
766              Only applicable if other_config:mcast_snoop is enabled. Default:
767              true.
768
769       other_config : mcast_flood_unregistered: optional string,  either  true
770       or false
771              Determines  whether  unregistered  multicast  traffic  should be
772              flooded or not. Only applicable if  other_config:mcast_snoop  is
773              enabled. Default: false.
774
775       other_config  :  mcast_table_size: optional string, containing an inte‐
776       ger, in range 1 to 32,766
777              Number of multicast groups to be stored. Default: 2048.
778
779       other_config : mcast_idle_timeout: optional string, containing an inte‐
780       ger, in range 15 to 3,600
781              Configures the IP Multicast Snooping group idle timeout (in sec‐
782              onds). Default: 300 seconds.
783
784       other_config : mcast_query_interval: optional string, containing an in‐
785       teger, in range 1 to 3,600
786              Configures the IP Multicast Querier interval between queries (in
787              seconds). Default: other_config:mcast_idle_timeout / 2.
788
789       other_config : mcast_query_max_response: optional string, containing an
790       integer, in range 1 to 10
791              Configures  the  value of the "max-response" field in the multi‐
792              cast queries originated by the logical switch. Default:  1  sec‐
793              ond.
794
795       other_config : mcast_eth_src: optional string
796              Configures the source Ethernet address for queries originated by
797              the logical switch.
798
799       other_config : mcast_ip4_src: optional string
800              Configures the source IPv4 address for queries originated by the
801              logical switch.
802
803       other_config : mcast_ip6_src: optional string
804              Configures the source IPv6 address for queries originated by the
805              logical switch.
806
807     Interconnection:
808
809       other_config : interconn-ts: optional string
810              The name of corresponding transit  switch  in  OVN_IC_Northbound
811              database.  This kind of logical switch is created and controlled
812              by ovn-ic.
813
814     Tunnel Key:
815
816       other_config : requested-tnl-key: optional string, containing an  inte‐
817       ger, in range 1 to 16,777,215
818              Configures the datapath tunnel key for the logical switch.
819              Usually this is not needed because ovn-northd will assign a unique
820              key  for  each datapath by itself. However, if it is configured,
821              ovn-northd honors the configured value. The typical use case  is
822              for  interconnection:  the tunnel keys for transit switches need
823              to be unique globally, so they  are  maintained  in  the  global
824              OVN_IC_Southbound  database,  and  ovn-ic simply syncs the value
825              from OVN_IC_Southbound through this config.
826
827       copp: optional weak reference to Copp
828              The control plane protection policy from table Copp used for me‐
829              tering packets sent to ovn-controller from ports of this logical
830              switch.
831
832     Other options:
833
834       other_config : vlan-passthru: optional string, either true or false
835              Determines whether VLAN tagged incoming traffic  should  be  al‐
836              lowed.  Note  that  this may have security implications when en‐
837              abled for a logical switch with a tag=0 localnet  port.  If  not
838              properly isolated from other localnet ports, fabric traffic that
839              belongs to other tagged networks may be passed  through  such  a
840              port.
841
842       other_config  :  broadcast-arps-to-all-routers: optional string, either
843       true or false
844              Determines whether ARP requests and IPv6 neighbor solicitations
845              should be sent to all routers and other switchports (default) or
846              only to switchports where the IP/MAC address is unknown. Setting
847              this to false can significantly reduce the load if the logical
848              switch can receive ARP requests for IPs it does not know about.
849              However, setting this to false also means that GARPs are no
850              longer forwarded to all routers, and therefore the MAC bindings
851              of the routers are no longer updated.
852
853     Common Columns:
854
855       external_ids: map of string-string pairs
856              See External IDs at the beginning of this document.
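
A configuration check for the Logical_Switch other_config keys described above, as an added Python example (not part of the OVN manual or of any OVN tool). It applies the integer ranges and true/false constraints given on this page, the rule that an enabled multicast querier needs mcast_eth_src and mcast_ip4_src (the querier defaults to true once snooping is on), and the vlan-passthru caveat about untagged localnet ports. Rows are assumed to be already decoded into plain dicts; the function name, the sample rows, and treating an unset tag as the page's "tag=0" are assumptions of this example.

```python
import re

# Integer-valued other_config keys and the ranges this page gives for them.
INT_RANGES = {
    "fdb_age_threshold": (0, 4294967295),
    "mcast_table_size": (1, 32766),
    "mcast_idle_timeout": (15, 3600),
    "mcast_query_interval": (1, 3600),
    "mcast_query_max_response": (1, 10),
    "requested-tnl-key": (1, 16777215),
}
# Keys documented as "either true or false".
BOOL_KEYS = (
    "mac_only", "mcast_snoop", "mcast_querier", "mcast_flood_unregistered",
    "vlan-passthru", "broadcast-arps-to-all-routers",
)


def lint_logical_switch(switch, ports):
    """Return a list of (key, message) findings for one Logical_Switch row.

    switch: dict with "other_config" (str -> str).
    ports:  that switch's Logical_Switch_Port rows as dicts.
    """
    cfg = switch.get("other_config", {})
    findings = []

    for key, (low, high) in INT_RANGES.items():
        raw = cfg.get(key)
        if raw is None:
            continue
        if not re.fullmatch(r"[0-9]+", raw) or not low <= int(raw) <= high:
            findings.append((key, f"{raw!r} is not an integer in {low}..{high}"))

    for key in BOOL_KEYS:
        if key in cfg and cfg[key] not in ("true", "false"):
            findings.append((key, f"{cfg[key]!r} is neither true nor false"))

    # mcast_querier defaults to true, so enabling snooping alone is enough
    # to require the querier source addresses.
    snoop = cfg.get("mcast_snoop", "false") == "true"
    querier = cfg.get("mcast_querier", "true") == "true"
    if snoop and querier:
        for required in ("mcast_eth_src", "mcast_ip4_src"):
            if not cfg.get(required):
                findings.append((required, "must be set while the querier is enabled"))

    # vlan-passthru plus an untagged localnet port can let tagged fabric
    # traffic from other networks through that port.
    if cfg.get("vlan-passthru") == "true":
        for port in ports:
            tagged = port.get("tag") or port.get("tag_request")
            if port.get("type") == "localnet" and not tagged:
                findings.append(
                    ("vlan-passthru", f"enabled with untagged localnet port {port['name']}")
                )
    return findings


# Constructed sample rows, not taken from a real deployment.
SAMPLE_SWITCH = {
    "name": "sw0",
    "other_config": {
        "mcast_snoop": "true",
        "mcast_idle_timeout": "10",
        "vlan-passthru": "true",
    },
}
SAMPLE_PORTS = [
    {"name": "ln-untagged", "type": "localnet"},
    {"name": "ln-vlan100", "type": "localnet", "tag": 100},
    {"name": "vm1", "type": ""},
]

if __name__ == "__main__":
    for key, message in lint_logical_switch(SAMPLE_SWITCH, SAMPLE_PORTS):
        print(f"{SAMPLE_SWITCH['name']}: {key}: {message}")
```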
857

Logical_Switch_Port TABLE

859       A port within an L2 logical switch.
860
861   Summary:
862       Core Features:
863         name                        string (must be unique within table)
864         type                        string
865       Options:
866         options                     map of string-string pairs
867         Options for router ports:
868            options : router-port    optional string
869            options : nat-addresses  optional string
870            options : exclude-lb-vips-from-garp
871                                     optional string
872            options : arp_proxy      optional string
873         Options for localnet ports:
874            options : network_name   optional string
875            options : ethtype        optional string
876            options : localnet_learn_fdb
877                                     optional string, either true or false
878         Options for l2gateway ports:
879            options : network_name   optional string
880            options : l2gateway-chassis
881                                     optional string
882         Options for vtep ports:
883            options : vtep-physical-switch
884                                     optional string
885            options : vtep-logical-switch
886                                     optional string
887         VMI (or VIF) Options:
888            options : requested-chassis
889                                     optional string
890            options : activation-strategy
891                                     optional string
892            options : iface-id-ver   optional string
893            options : qos_min_rate   optional string
894            options : qos_max_rate   optional string
895            options : qos_burst      optional string
896            options : hostname       optional string
897            VIF Plugging Options:
898              options : vif-plug-type
899                                     optional string
900              options : vif-plug-mtu-request
901                                     optional string
902         Virtual port Options:
903            options : virtual-ip     optional string
904            options : virtual-parents
905                                     optional string
906         IP Multicast Snooping Options:
907            options : mcast_flood    optional string, either true or false
908            options : mcast_flood_reports
909                                     optional string, either true or false
910       Containers:
911         parent_name                 optional string
912         tag_request                 optional integer, in range 0 to 4,095
913         tag                         optional integer, in range 1 to 4,095
914       Port State:
915         up                          optional boolean
916         enabled                     optional boolean
917       Addressing:
918         addresses                   set of strings
919         dynamic_addresses           optional string
920         port_security               set of strings
921       DHCP:
922         dhcpv4_options              optional weak reference to DHCP_Options
923         dhcpv6_options              optional weak reference to DHCP_Options
924       mirror_rules                  set of weak reference to Mirrors
925       ha_chassis_group              optional HA_Chassis_Group
926       Naming:
927         external_ids : neutron:port_name
928                                     optional string
929       Tunnel Key:
930         options : requested-tnl-key
931                                     optional  string,  containing an integer,
932                                     in range 1 to 32,767
933       Common Columns:
934         external_ids                map of string-string pairs
935
936   Details:
937     Core Features:
938
939       name: string (must be unique within table)
940              The logical port name.
941
942              For entities (VMs or containers) that are spawned in the  hyper‐
943              visor,  the  name  used here must match those used in the exter‐
944              nal_ids:iface-id in the Open_vSwitch database’s Interface table,
945              because hypervisors use external_ids:iface-id as a lookup key to
946              identify the network interface of that entity.
947
948              For containers that share a VIF within a VM, the name can be any
949              unique identifier. See Containers, below, for more information.
950
951              A  logical  switch  port may not have the same name as a logical
952              router port, but the database schema cannot enforce this.
953
954       type: string
955              Specify a type for this logical port. Logical ports can be  used
956              to model other types of connectivity into an OVN logical switch.
957              The following types are defined:
958
959              (empty string)
960                     A VM (or VIF) interface.
961
962              router A connection to  a  logical  router.  The  value  of  op‐
963                     tions:router-port   specifies   the  name  of  the  Logi‐
964                     cal_Router_Port to which this logical switch port is con‐
965                     nected.
966
967              localnet
968                     A   connection  to  a  locally  accessible  network  from
969                     ovn-controller instances that have a corresponding bridge
970                     mapping.  A  logical  switch  can  have multiple localnet
971                     ports attached. This type is used to model direct connec‐
972                     tivity  to  existing networks. In this case, each chassis
973                     should have a mapping for one of  the  physical  networks
974                     only.  Note:  nothing  said  above implies that a chassis
975                     cannot be plugged to multiple physical networks  as  long
976                     as they belong to different switches.
977
978              localport
979                     A  connection  to  a local VIF. Traffic that arrives on a
980                     localport is never forwarded over  a  tunnel  to  another
981                     chassis.  These  ports  are  present on every chassis and
982                     have the same address in all of them.  This  is  used  to
983                     model  connectivity  to  local services that run on every
984                     hypervisor.
985
986              l2gateway
987                     A connection to a physical network.
988
989              vtep   A port to a logical switch on a VTEP gateway.
990
991              external
992                     Represents a logical port which is external and not  hav‐
993                     ing an OVS port in the integration bridge. OVN will never
994                     receive any traffic from this port or send any traffic to
995                     this   port.   OVN   can  support  native  services  like
996                     DHCPv4/DHCPv6/DNS for this port. If  ha_chassis_group  is
997                     defined,  ovn-controller running in the master chassis of
998                     the HA chassis group will bind this port to provide these
999                     native  services. It is expected that this port belong to
1000                     a bridged logical switch (with a localnet port).
1001
1002                     It is recommended to use the same HA  chassis  group  for
1003                     all  the  external  ports of a logical switch. Otherwise,
1004                     the physical switch might see MAC flap issue when differ‐
1005                     ent chassis provide the native services. For example when
1006                     supporting native DHCPv4 service, DHCPv4 server mac (con‐
1007                     figured  in  options:server_mac  column in table DHCP_Op‐
1008                     tions) originating from different  ports  can  cause  MAC
1009                     flap  issue. The MAC of the logical router IP(s) can also
1010                     flap if the same HA chassis group is not set for all  the
1011                     external ports of a logical switch.
1012
1013                     Below  are some of the use cases where external ports can
1014                     be used.
1015
1016                     •      VMs connected to SR-IOV NICs - Traffic from these
1017                            VMs bypasses the kernel stack, and the local
1018                            ovn-controller does not bind these ports and cannot
1019                            serve the native services.
1020
1021                     •      When CMS supports provisioning baremetal servers.
1022
1023              virtual
1024                     Represents a logical port which does not have an OVS port
1025                     in the integration bridge and has a virtual ip configured
1026                     in  the  options:virtual-ip  column.  This virtual ip can
1027                     move around between the logical ports configured  in  the
1028                     options:virtual-parents column.
1029
1030                     One of the use cases where virtual ports can be used is:
1031
1032                     •      The  virtual ip represents a load balancer vip and
1033                            the virtual parents provide load balancer  service
1034                            in an active-standby setup with the active virtual
1035                            parent owning the virtual ip.
1036
1037              remote A remote port models a port that resides remotely on
1038                     another OVN, on the other side of a transit logical
1039                     switch for OVN interconnection. Ports of this type are
1040                     created by ovn-ic instead of by the CMS. Any change to
1041                     the port will be automatically overwritten by ovn-ic.
1042
1043     Options:
1044
1045       options: map of string-string pairs
1046              This column provides key/value settings specific to the  logical
1047              port  type. The type-specific options are described individually
1048              below.
1049
1050     Options for router ports:
1051
1052       These options apply when type is router.
1053
1054       options : router-port: optional string
1055              Required. The name of the Logical_Router_Port to which this log‐
1056              ical switch port is connected.
1057
1058       options : nat-addresses: optional string
1059              This  is  used  to send gratuitous ARPs for SNAT and DNAT IP ad‐
1060              dresses via the localnet port that is attached to the same logi‐
1061              cal switch as this type router port. This option is specified on
1062              a logical switch port that is connected to a gateway router,  or
1063              a logical switch port that is connected to a distributed gateway
1064              port on a logical router.
1065
1066              This must take one of the following forms:
1067
1068              router Gratuitous ARPs will be sent for all SNAT and DNAT exter‐
1069                     nal  IP  addresses and for all load balancer IP addresses
1070                     defined on the options:router-port’s logical router,  us‐
1071                     ing the options:router-port’s MAC address.
1072
1073                     This  form  of options:nat-addresses is valid for logical
1074                     switch ports where options:router-port is the name  of  a
1075                     port  on  a  gateway router, or the name of a distributed
1076                     gateway port.
1077
1078                     Supported only in OVN 2.8 and later. Earlier versions re‐
1079                     quired NAT addresses to be manually synchronized.
1080
1081              Ethernet address followed by one or more IPv4 addresses
1082                     Example:   80:fa:5b:06:72:b7  158.36.44.22  158.36.44.24.
1083                     This would result in generation of gratuitous ARPs for IP
1084                     addresses  158.36.44.22  and  158.36.44.24 with a MAC ad‐
1085                     dress of 80:fa:5b:06:72:b7.
1086
1087                     This form of options:nat-addresses is only valid for log‐
1088                     ical  switch  ports where options:router-port is the name
1089                     of a port on a gateway router.
1090
1091       options : exclude-lb-vips-from-garp: optional string
1092              If options:nat-addresses is set to router, Gratuitous ARPs will
1093              be sent for all SNAT and DNAT external IP addresses defined on
1094              the options:router-port’s logical router, using the
1095              options:router-port’s MAC address, not considering configured
1096              load balancers.
1097
1098       options : arp_proxy: optional string
1099              Optional. A list of MAC and addresses/cidrs, or just
1100              addresses/cidrs, to which this logical switch router port will
1101              reply for ARP/NDP requests. Examples: 169.254.239.254
1102              169.254.239.2, 0a:58:a9:fe:01:01 169.254.239.254 169.254.239.2
1103              169.254.238.0/24, fd7b:6b4d:7b25:d22f::1 fd7b:6b4d:7b25:d22f::2,
1104              0a:58:a9:fe:01:01 fd7b:6b4d:7b25:d22f::0/64. The
1105              options:router-port’s logical router should have a route to
1106              forward packets sent to configured proxy ARP MAC/IPs to an
1107              appropriate destination.
1108
1109     Options for localnet ports:
1110
1111       These options apply when type is localnet.
1112
1113       options : network_name: optional string
1114              Required. The name of the network to which the localnet port  is
1115              connected.  Each  hypervisor, via ovn-controller, uses its local
1116              configuration to determine exactly how to connect  to  this  lo‐
1117              cally accessible network, if at all.
1118
1119       options : ethtype: optional string
1120              Optional.  VLAN  EtherType  field  value  for encapsulating VLAN
1121              headers. Supported values: 802.11q (default), 802.11ad.
1122
1123       options : localnet_learn_fdb: optional string, either true or false
1124              Optional. Allows localnet port to learn MACs and store  them  in
1125              FDB table if set to true. The default value is false.
1126
1127     Options for l2gateway ports:
1128
1129       These options apply when type is l2gateway.
1130
1131       options : network_name: optional string
1132              Required. The name of the network to which the l2gateway port is
1133              connected. The L2 gateway, via ovn-controller,  uses  its  local
1134              configuration  to  determine exactly how to connect to this net‐
1135              work.
1136
1137       options : l2gateway-chassis: optional string
1138              Required. The chassis to which the l2gateway logical port should
1139              be bound. ovn-controller running on the defined chassis will
1140              connect this logical port to the physical network.
1141
1142     Options for vtep ports:
1143
1144       These options apply when type is vtep.
1145
1146       options : vtep-physical-switch: optional string
1147              Required. The name of the VTEP gateway.
1148
1149       options : vtep-logical-switch: optional string
1150              Required. A logical switch name connected by the VTEP gateway.
1151
1152     VMI (or VIF) Options:
1153
1154       These options apply to logical ports whose type is (empty string).
1155
1156       options : requested-chassis: optional string
1157              If set, identifies a specific chassis (by name or hostname) that
1158              is  allowed  to  bind  this port. Using this option will prevent
1159              thrashing between two chassis trying to bind the same port  dur‐
1160              ing  a live migration. It can also prevent similar thrashing due
1161              to a mis-configuration, if a port  is  accidentally  created  on
1162              more than one chassis.
1163
1164              If set to a comma separated list, the first entry identifies the
1165              main chassis and the rest are one  or  more  additional  chassis
1166              that are allowed to bind the same port.
1167
1168              When  multiple  chassis  are  set  for the port, and the logical
1169              switch is connected to an external network  through  a  localnet
1170              port,  tunneling  is enforced for the port to guarantee delivery
1171              of packets directed to the port to all its locations.  This  has
1172              MTU  implications  because  the  network used for tunneling must
1173              have MTU larger than localnet for stable connectivity.
1174
1175              If the same host co-hosts more than one controller instance (ei‐
1176              ther belonging to the same or separate clusters), special atten‐
1177              tion should be given to consistently using unique chassis  names
1178              used  in this option. It is advised that chassis names - and not
1179              host names - are used for this option.
1180
1181       options : activation-strategy: optional string
1182              If used with multiple chassis set in  requested-chassis,  speci‐
1183              fies  an  activation strategy for all additional chassis. By de‐
1184              fault, no activation strategy is used, meaning  additional  port
1185              locations are immediately available for use. When set to "rarp",
1186              the port is blocked for ingress and egress communication until a
1187              RARP  packet is sent from a new location. The "rarp" strategy is
1188              useful in live migration scenarios for virtual machines.
1189
1190       options : iface-id-ver: optional string
1191              If set, this port will be bound by ovn-controller only  if  this
1192              same  key  and value is configured in the external_ids column in
1193              the Open_vSwitch database’s Interface table.
1194
1195       options : qos_min_rate: optional string
1196              If set, indicates the minimum guaranteed rate available for data
1197              sent from this interface, in bit/s.
1198
1199       options : qos_max_rate: optional string
1200              If  set,  indicates the maximum rate for data sent from this in‐
1201              terface, in bit/s. The traffic will be shaped according to  this
1202              limit.
1203
1204       options : qos_burst: optional string
1205              If set, indicates the maximum burst size for data sent from this
1206              interface, in bits.
1207
1208       options : hostname: optional string
1209              If set, indicates the DHCPv4 option "Hostname" (option code  12)
1210              associated  for  this  Logical Switch Port. If DHCPv4 is enabled
1211              for this Logical Switch Port, hostname dhcp option will  be  in‐
1212              cluded in DHCP reply.
1213
1214     VIF Plugging Options:
1215
1216       options : vif-plug-type: optional string
1217              If set, OVN will attempt to perform plugging of this VIF. In or‐
1218              der to get this port plugged by the OVN controller, OVN must  be
1219              built with support for VIF plugging. The default behavior is for
1220              the CMS to do the VIF plugging. Each VIF plug provider has its
1221              own options namespaced by name, for example
1222              "vif-plug:representor:key". Please refer to the VIF plug
1223              provider documentation located in
1224              Documentation/topics/vif-plug-providers/ for more information.
1225
1226       options : vif-plug-mtu-request: optional string
1227              Requested MTU for plugged interfaces.  When  set  the  OVN  con‐
1228              troller  will  fill  the  mtu_request column of the Open vSwitch
1229              database’s Interface table. This in turn will make OVS  vswitchd
1230              update the MTU of the linked interface.
1231
1232     Virtual port Options:
1233
1234       These options apply when type is virtual.
1235
1236       options : virtual-ip: optional string
1237              This option represents the virtual IPv4 address.
1238
1239       options : virtual-parents: optional string
1240              This option represents a set of logical port names (within the
1241              same logical switch) which can own the virtual ip configured in
1242              the options:virtual-ip. All these virtual parents should add the
1243              virtual ip in the port_security if port security addresses are
1244              enabled.
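
An audit for the virtual-parents requirement above, as an added Python example (not part of the OVN manual or OVN's own code): for every virtual port it checks that each virtual parent exists on the same logical switch and, where the parent has port security enabled, that the virtual ip is allowed by it. Assumptions of this example: virtual-parents is a comma-separated list, each port_security element is an Ethernet address followed by optional IP addresses or CIDRs, a CIDR with a zero host part allows the whole subnet while one with a non-zero host part allows only that address, and all names and sample rows are constructed.

```python
import ipaddress


def covers(port_security, ip):
    """True if some port_security element allows `ip`."""
    target = ipaddress.ip_address(ip)
    for element in port_security:
        for token in element.split():
            try:
                iface = ipaddress.ip_interface(token)
            except ValueError:
                continue  # the Ethernet address, or not an IP token
            if iface.version != target.version:
                continue
            if iface.ip == iface.network.network_address:
                # Zero host part: the whole subnet is allowed (assumption).
                if target in iface.network:
                    return True
            elif target == iface.ip:
                # Non-zero host part: only that one address (assumption).
                return True
    return False


def audit_virtual_ports(ports):
    """Check the virtual ports among one logical switch's port rows.

    Returns (virtual_port, parent, reason) tuples, in port order.
    """
    by_name = {p["name"]: p for p in ports}
    findings = []
    for port in ports:
        if port.get("type") != "virtual":
            continue
        options = port.get("options", {})
        vip = options.get("virtual-ip")
        parents = [n.strip() for n in options.get("virtual-parents", "").split(",")
                   if n.strip()]
        if not vip or not parents:
            findings.append((port["name"], None, "missing-virtual-ip-or-parents"))
            continue
        for name in parents:
            parent = by_name.get(name)
            if parent is None:
                findings.append((port["name"], name, "parent-not-found"))
            elif parent.get("port_security") and not covers(parent["port_security"], vip):
                # Port security is on for this parent but does not list the VIP.
                findings.append((port["name"], name, "vip-not-in-port-security"))
    return findings


# Constructed sample: ports of a single logical switch.
SAMPLE_PORTS = [
    {"name": "vip0", "type": "virtual",
     "options": {"virtual-ip": "10.0.0.10", "virtual-parents": "p1,p2,p3,p4"}},
    {"name": "p1", "type": "",
     "port_security": ["0a:00:00:00:00:01 10.0.0.4 10.0.0.10"]},
    {"name": "p2", "type": "",
     "port_security": ["0a:00:00:00:00:02 10.0.0.5"]},
    # p3 is listed as a parent but does not exist on this switch.
    {"name": "p4", "type": "", "port_security": []},  # port security off
]

if __name__ == "__main__":
    for finding in audit_virtual_ports(SAMPLE_PORTS):
        print(finding)
```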
1245
1246     IP Multicast Snooping Options:
1247
1248       These options apply when the port is part of a logical switch which has
1249       other_config:mcast_snoop set to true.
1250
1251       options : mcast_flood: optional string, either true or false
1252              If set to true, multicast packets (except reports) are  uncondi‐
1253              tionally forwarded to the specific port. Default: false.
1254
1255       options : mcast_flood_reports: optional string, either true or false
1256              If  set to true, multicast reports are unconditionally forwarded
1257              to the specific port. Default: false.
1258
1259     Containers:
1260
1261       When a large number of containers are nested within a VM, it may be too
1262       expensive to dedicate a VIF to each container. OVN can use VLAN tags to
1263       support such cases. Each container is  assigned  a  VLAN  ID  and  each
1264       packet that passes between the hypervisor and the VM is tagged with the
1265       appropriate ID for the container. Such VLAN IDs never appear on a phys‐
1266       ical wire, even inside a tunnel, so they need not be unique except rel‐
1267       ative to a single VM on a hypervisor.
1268
1269       These columns are used for VIFs that represent nested containers  using
1270       shared  VIFs. For VMs and for containers that have dedicated VIFs, they
1271       are empty.
1272
1273       parent_name: optional string
1274              The VM interface through which the nested  container  sends  its
1275              network  traffic. This must match the name column for some other
1276              Logical_Switch_Port. Note: for performance of the OVN Southbound
1277              database   conditional  monitoring,  unlike  for  regular  VIFs,
1278              ovn-controller will register to get updates about all OVN South‐
1279              bound  database  Port_Binding  table  records that correspond to
1280              nested container ports even if  external_ids:ovn-monitor-all  is
1281              set to false. See ovn-controller(8) for more information.
1282
1283       tag_request: optional integer, in range 0 to 4,095
1284              The  VLAN  tag  in  the  network  traffic associated with a con‐
1285              tainer’s network interface. The client can request ovn-northd to
1286              allocate  a  tag  that  is unique within the scope of a specific
1287              parent (specified in parent_name) by setting a  value  of  0  in
1288              this column. The allocated value is written by ovn-northd in the
1289              tag column. (Note that these tags are allocated and managed  lo‐
1290              cally  in  ovn-northd,  so  they  cannot be reconstructed in the
1291              event that the database is lost.) The client can also request  a
1292              specific non-zero tag and ovn-northd will honor it and copy that
1293              value to the tag column.
1294
1295              When type is set to localnet or l2gateway, this can  be  set  to
1296              indicate  that  the  port  represents a connection to a specific
1297              VLAN on a locally accessible network. The VLAN  ID  is  used  to
1298              match incoming traffic and is also added to outgoing traffic.
1299
1300       tag: optional integer, in range 1 to 4,095
1301              The  VLAN  tag  allocated by ovn-northd based on the contents of
1302              the tag_request column.
1303
1304     Port State:
1305
1306       up: optional boolean
1307              This column is populated by ovn-northd, rather than by  the  CMS
1308              plugin as is most of this database. When a logical port is bound
1309              to a physical location in the OVN  Southbound  database  Binding
1310              table, ovn-northd sets this column to true; otherwise, or if the
1311              port becomes unbound later, it sets it to false. If this  column
1312              is  empty, the port is not considered up. This allows the CMS to
1313              wait for a VM’s (or container’s) networking to become active be‐
1314              fore it allows the VM (or container) to start.
1315
1316              Logical ports of router type are an exception to this rule. They
1317              are considered to be always up; that is, this column is always
1318              set to true.
1319
1320       enabled: optional boolean
1321              This  column is used to administratively set port state. If this
1322              column is empty or is set to true, the port is enabled. If  this
1323              column  is  set  to false, the port is disabled. A disabled port
1324              has all ingress and egress traffic dropped.
1325
1326     Addressing:
1327
1328       addresses: set of strings
1329              Addresses owned by the logical port.
1330
1331              Each element in the set must take one of the following forms:
1332
1333              Ethernet address followed by zero or more IPv4 or IPv6 addresses
1334              (or both)
1335                     The Ethernet address given is owned by the logical port.
1336                     Like a physical Ethernet NIC, a logical  port  ordinarily
1337                     has a single fixed Ethernet address.
1338
1339                     When an OVN logical switch processes a unicast Ethernet
1340                     frame whose destination  MAC  address  is  in  a  logical
1341                     port’s  addresses  column,  it  delivers  it only to that
1342                     port, as if a MAC learning process had learned  that  MAC
1343                     address on the port.
1344
1345                     If IPv4 or IPv6 address(es) (or both) are defined, it in‐
1346                     dicates that the logical  port  owns  the  given  IP  ad‐
1347                     dresses.
1348
1349                     If  IPv4  address(es) are defined, the OVN logical switch
1350                     uses this information to synthesize responses to ARP  re‐
1351                     quests  without  traversing the physical network. The OVN
1352                     logical router connected to the logical switch,  if  any,
1353                     uses  this  information to avoid issuing ARP requests for
1354                     logical switch ports.
1355
1356                     Note that the order here is important. The  Ethernet  ad‐
1357                     dress  must  be  listed  before the IP address(es) if de‐
1358                     fined.
1359
1360                     Examples:
1361
1362                     80:fa:5b:06:72:b7
1363                            This indicates that  the  logical  port  owns  the
1364                            above mac address.
1365
1366                     80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
1367                            This  indicates that the logical port owns the mac
1368                            address and two IPv4 addresses.
1369
1370                     80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1371                            This indicates that the logical port owns the  mac
1372                            address and 1 IPv6 address.
1373
1374                     80:fa:5b:06:72:b7 10.0.0.4 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1376                            This indicates that the logical port owns the  mac
1377                            address and 1 IPv4 address and 1 IPv6 address.
1378
1379              unknown
1380                     This  indicates  that the logical port has an unknown set
1381                     of Ethernet addresses. When an OVN  logical  switch  pro‐
1382                     cesses a unicast Ethernet frame whose destination MAC ad‐
1383                     dress is not in any logical port’s addresses  column,  it
1384                     delivers  it  to the port (or ports) whose addresses col‐
1385                     umns include unknown.
1386
1387              dynamic
1388                     Use dynamic to make ovn-northd generate a globally unique
1389                     MAC address, choose an unused IPv4 address within the logical
1390                     port’s subnet (if other_config:subnet is set in the
1391                     port’s Logical_Switch), and generate an IPv6 address from
1392                     the MAC address (if other_config:ipv6_prefix  is  set  in
1393                     the  port’s  Logical_Switch) and store them in the port’s
1394                     dynamic_addresses column.
1395
1396                     Only one element containing dynamic  may  appear  in  ad‐
1397                     dresses.
1398
1399              dynamic ip
1400              dynamic ipv6
1401              dynamic ip ipv6
1402                   These act like dynamic alone but specify particular IPv4 or
1403                   IPv6 addresses to use. OVN IPAM  will  still  automatically
1404                   allocate the other address if configured appropriately. Ex‐
1405                   ample: dynamic 192.168.0.1 2001::1.
1406
1407              mac dynamic
1408                   This acts like dynamic alone but specifies a particular MAC
1409                   address  to use. OVN IPAM will still automatically allocate
1410                   IPv4 or IPv6 addresses, or both,  if  configured  appropri‐
1411                   ately. Example: 80:fa:5b:06:72:b7 dynamic
1412
1413              router
1414                   Accepted  only when type is router. This indicates that the
1415                   Ethernet, IPv4, and IPv6 addresses for this logical  switch
1416                   port  should  be obtained from the connected logical router
1417                   port, as specified by router-port in options.
1418
1419                   The resulting addresses are used to  populate  the  logical
1420                   switch’s  destination  lookup,  and  also  for  the logical
1421                   switch to generate ARP and ND replies.
1422
1423                   If the connected logical  router  port  has  a  distributed
1424                   gateway  port  specified  and  the logical router has rules
1425                   specified in nat with external_mac,  then  those  addresses
1426                   are also used to populate the switch’s destination lookup.
1427
1428                   Supported  only  in OVN 2.7 and later. Earlier versions re‐
1429                   quired router addresses to be manually synchronized.
1430
1431       dynamic_addresses: optional string
1432              Addresses assigned to the logical port by ovn-northd, if dynamic
1433              is  specified in addresses. Addresses will be of the same format
1434              as those that populate the addresses column. Note  that  dynami‐
1435              cally  assigned addresses are constructed and managed locally in
1436              ovn-northd, so they cannot be reconstructed in  the  event  that
1437              the database is lost.
1438
1439       port_security: set of strings
1440              This  column controls the addresses from which the host attached
1441              to the logical port (``the host’’) is allowed  to  send  packets
1442              and to which it is allowed to receive packets. If this column is
1443              empty, all addresses are permitted.
1444
1445              Each element in the set must begin with  one  Ethernet  address.
1446              This would restrict the host to sending packets from and receiv‐
1447              ing packets to the ethernet addresses  defined  in  the  logical
1448              port’s  port_security column. It also restricts the inner source
1449              MAC addresses that the host may send in ARP  and  IPv6  Neighbor
1450              Discovery packets. The host is always allowed to receive packets
1451              to multicast and broadcast Ethernet addresses.
1452
1453              Each element in the set may additionally  contain  one  or  more
1454              IPv4 or IPv6 addresses (or both), with optional masks. If a mask
1455              is given, it must be a CIDR mask. In addition  to  the  restric‐
1456              tions  described  for  Ethernet addresses above, such an element
1457              restricts the IPv4 or IPv6 addresses from  which  the  host  may
1458              send  and  to  which it may receive packets to the specified ad‐
1459              dresses. A masked address, if the host part is  zero,  indicates
1460              that  the  host  is allowed to use any address in the subnet; if
1461              the host part is nonzero, the mask simply indicates the size  of
1462              the subnet. In addition:
1463
1464              •      If any IPv4 address is given, the host is also allowed to
1465                     receive packets  to  the  IPv4  local  broadcast  address
1466                     255.255.255.255   and   to   IPv4   multicast   addresses
1467                     (224.0.0.0/4). If an IPv4 address with a mask  is  given,
1468                     the host is also allowed to receive packets to the broad‐
1469                     cast address in that specified subnet.
1470
1471                     If any IPv4 address is given, the  host  is  additionally
1472                     restricted  to  sending  ARP  packets  with the specified
1473                     source IPv4 address. (RARP is not restricted.)
1474
1475              •      If any IPv6 address is given, the host is also allowed to
1476                     receive packets to IPv6 multicast addresses (ff00::/8).
1477
1478                     If  any  IPv6  address is given, the host is additionally
1479                     restricted to sending IPv6 Neighbor  Discovery  Solicita‐
1480                     tion  or  Advertisement packets with the specified source
1481                     address or, for solicitations, the unspecified address.
1482
1483              If an element includes an IPv4 address, but no  IPv6  addresses,
1484              then IPv6 traffic is not allowed. If an element includes an IPv6
1485              address, but no IPv4 address, then IPv4 and ARP traffic  is  not
1486              allowed.
1487
1488              This  column uses the same lexical syntax as the match column in
1489              the OVN Southbound database’s Pipeline table. Multiple addresses
1490              within an element may be space or comma separated.
1491
1492              This  column  is  provided  as a convenience to cloud management
1493              systems, but all of the features that it implements can  be  im‐
1494              plemented as ACLs using the ACL table.
1495
1496              Examples:
1497
1498              80:fa:5b:06:72:b7
1499                     The host may send traffic from and receive traffic to the
1500                     specified MAC address, and may receive traffic to Ethernet
1501                     multicast and broadcast addresses, but not otherwise. The
1502                     host may not send ARP or IPv6 Neighbor Discovery  packets
1503                     with  inner  source Ethernet addresses other than the one
1504                     specified.
1505
1506              80:fa:5b:06:72:b7 192.168.1.10/24
1507                     This adds further restrictions to the first example.  The
1508                     host  may  send IPv4 packets from or receive IPv4 packets
1509                     to only 192.168.1.10, except that  it  may  also  receive
1510                     IPv4 packets to 192.168.1.255 (based on the subnet mask),
1511                     255.255.255.255, and any address in 224.0.0.0/4. The host
1512                     may  not  send  ARPs with a source Ethernet address other
1513                     than 80:fa:5b:06:72:b7 or source IPv4 address other  than
1514                     192.168.1.10.  The  host may not send or receive any IPv6
1515                     (including IPv6 Neighbor Discovery) traffic.
1516
1517              "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
1518                     The host may send traffic from and receive traffic to the
1519                     specified MAC addresses, and may receive traffic to Ethernet
1520                     multicast and broadcast addresses, but not otherwise.
1521                     With  MAC  80:fa:5b:12:42:ba,  the  host may send traffic
1522                     from and receive traffic to  any  L3  address.  With  MAC
1523                     80:fa:5b:06:72:b7, the host may send IPv4 packets from or
1524                     receive IPv4 packets to only 192.168.1.10, except that it
1525                     may  also receive IPv4 packets to 192.168.1.255 (based on
1526                     the subnet mask), 255.255.255.255,  and  any  address  in
1527                     224.0.0.0/4.  The  host  may not send or receive any IPv6
1528                     (including IPv6 Neighbor Discovery) traffic.
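
              The port_security rules above can be modelled as a small
              evaluator for auditing a column value before it is written.
              This is an added example, not part of the OVN manual or of
              OVN's code. The function names are hypothetical, and the
              handling of IP packets sent to a multicast or broadcast
              Ethernet address (checked against every element) is an
              assumption of this model.

```python
"""Model of the port_security rules described in this column (added example)."""
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
V4_BROADCAST = ipaddress.ip_address("255.255.255.255")
V4_MULTICAST = ipaddress.ip_network("224.0.0.0/4")
V6_MULTICAST = ipaddress.ip_network("ff00::/8")


def parse_element(text):
    """Split one element into (mac, [IPv4Interface], [IPv6Interface])."""
    # Addresses within an element may be space or comma separated.
    tokens = text.replace(",", " ").lower().split()
    if not tokens or not MAC_RE.match(tokens[0]):
        raise ValueError("element must begin with one Ethernet address: %r" % text)
    v4, v6 = [], []
    for tok in tokens[1:]:
        iface = ipaddress.ip_interface(tok)  # rejects non-CIDR masks
        (v4 if iface.version == 4 else v6).append(iface)
    return tokens[0], v4, v6


def _ip_matches(iface, ip):
    """Host part zero: any address in the subnet. Otherwise: that one address."""
    if iface.ip == iface.network.network_address:
        return ip in iface.network
    return ip == iface.ip


def _extra_rx(iface, ip):
    """Destinations a host may additionally receive once an address is listed."""
    if iface.version == 6:
        return ip in V6_MULTICAST
    if ip == V4_BROADCAST or ip in V4_MULTICAST:
        return True
    # Broadcast address of the subnet named by the mask.
    return ip == iface.network.broadcast_address


def _l3_ok(v4, v6, ip, receiving):
    if ip is None or (not v4 and not v6):
        return True  # non-IP frame, or MAC-only element: any L3 address
    # An element listing only the other family forbids this family entirely.
    allowed = v4 if ip.version == 4 else v6
    return any(_ip_matches(i, ip) or (receiving and _extra_rx(i, ip))
               for i in allowed)


def may_send(column, eth_src, ip_src=None):
    """May the host send a frame with this source MAC (and source IP)?"""
    if not column:
        return True  # empty column: all addresses are permitted
    ip = ipaddress.ip_address(ip_src) if ip_src else None
    return any(mac == eth_src.lower() and _l3_ok(v4, v6, ip, False)
               for mac, v4, v6 in map(parse_element, column))


def may_receive(column, eth_dst, ip_dst=None):
    """May the host receive a frame with this destination MAC (and IP)?"""
    if not column:
        return True
    ip = ipaddress.ip_address(ip_dst) if ip_dst else None
    # Multicast and broadcast Ethernet destinations are always accepted at L2.
    group = int(eth_dst.split(":")[0], 16) & 1 == 1
    return any((group or mac == eth_dst.lower()) and _l3_ok(v4, v6, ip, True)
               for mac, v4, v6 in map(parse_element, column))


def may_send_arp(column, eth_src, arp_sha, arp_spa):
    """ARP: outer and inner source MAC must match the element, and the
    sender IPv4 address must be one the element lists (if it lists any)."""
    if not column:
        return True
    spa = ipaddress.ip_address(arp_spa)
    return any(mac == eth_src.lower() == arp_sha.lower()
               and _l3_ok(v4, v6, spa, False)
               for mac, v4, v6 in map(parse_element, column))


if __name__ == "__main__":
    # Third example from this page.
    column = ["80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"]
    for src in ("192.168.1.10", "192.168.1.11", "fe80::1"):
        print(src, may_send(column, "80:fa:5b:06:72:b7", src))
```

              A source address that a CMS expects to be usable but that
              may_send rejects (or the reverse) points at a mask or
              address-family mistake in the element.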
1529
1530     DHCP:
1531
1532       dhcpv4_options: optional weak reference to DHCP_Options
1533              This column defines the DHCPv4 Options to  be  included  by  the
1534              ovn-controller  when  it  replies to the DHCPv4 requests. Please
1535              see the DHCP_Options table.
1536
1537       dhcpv6_options: optional weak reference to DHCP_Options
1538              This column defines the DHCPv6 Options to  be  included  by  the
1539              ovn-controller  when  it  replies to the DHCPv6 requests. Please
1540              see the DHCP_Options table.
1541
1542       mirror_rules: set of weak reference to Mirrors
1543              Mirror rules that apply to the logical switch port which is the
1544              source. Please see the Mirror table.
1545
1546       ha_chassis_group: optional HA_Chassis_Group
1547              References  a  row  in  the  OVN  Northbound database’s HA_Chas‐
1548              sis_Group table. It indicates the HA chassis group to use if the
1549              type is set to external. If type is not external, this column is
1550              ignored.
1551
1552     Naming:
1553
1554       external_ids : neutron:port_name: optional string
1555              This column gives an optional human-friendly name for the  port.
1556              This  name  has no special meaning or purpose other than to pro‐
1557              vide convenience for human interaction with the northbound data‐
1558              base.
1559
1560              Neutron  copies  this  from its own port object’s name. (Neutron
1561              ports are not assigned human-friendly names by default, so it
1562              will often be empty.)
1563
1564     Tunnel Key:
1565
1566       options : requested-tnl-key: optional string, containing an integer, in
1567       range 1 to 32,767
1568              Configures the port binding tunnel key  for  the  port.  Usually
1569              this  is not needed because ovn-northd will assign a unique key
1570              for  each  port  by  itself.  However,  if  it  is   configured,
1571              ovn-northd  honors the configured value. The typical use case is
1572              for interconnection:  the  tunnel  keys  for  ports  on  transit
1573              switches  need  to be unique globally, so they are maintained in
1574              the global OVN_IC_Southbound database, and ovn-ic  simply  syncs
1575              the value from OVN_IC_Southbound through this config.
1576
1577     Common Columns:
1578
1579       external_ids: map of string-string pairs
1580              See External IDs at the beginning of this document.
1581
1582              The  ovn-northd  program  copies all these pairs into the exter‐
1583              nal_ids column of the Port_Binding table in OVN_Southbound data‐
1584              base.
1585

Forwarding_Group TABLE

1587       Each row represents one forwarding group.
1588
1589   Summary:
1590       name                          string
1591       vip                           string
1592       vmac                          string
1593       liveness                      boolean
1594       child_port                    set of 1 or more strings
1595       Common Columns:
1596         external_ids                map of string-string pairs
1597
1598   Details:
1599       name: string
1600              A  name for the forwarding group. This name has no special mean‐
1601              ing or purpose other than to provide convenience for  human  in‐
1602              teraction with the ovn-nb database.
1603
1604       vip: string
1605              The virtual IP address assigned to the forwarding group. It will
1606              respond with vmac when an ARP request is sent for vip.
1607
1608       vmac: string
1609              The virtual MAC address assigned to the forwarding group.
1610
1611       liveness: boolean
1612              If set to true, liveness is enabled for child ports; otherwise
1613              it is disabled.
1614
1615       child_port: set of 1 or more strings
1616              List of child ports in the forwarding group.
1617
1618     Common Columns:
1619
1620       external_ids: map of string-string pairs
1621              See External IDs at the beginning of this document.
1622

Address_Set TABLE

1624       Each  row in this table represents a named set of addresses. An address
1625       set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
1626       or  CIDR  masks.  Address sets may ultimately be used in ACLs to compare
1627       against fields such as ip4.src or ip6.src. A single  address  set  must
1628       contain  addresses of the same type. As an example, the following would
1629       create an address set with three IP addresses:
1630
1631             ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'
1632
1633
1634       Address sets may be used in the match column of the ACL table. For syn‐
1635       tax  information,  see  the details of the expression language used for
1636       the match column in the Logical_Flow table of the OVN_Southbound  data‐
1637       base.
1638
1639   Summary:
1640       name                          string (must be unique within table)
1641       addresses                     set of strings
1642       Common Columns:
1643         external_ids                map of string-string pairs
1644
1645   Details:
1646       name: string (must be unique within table)
1647              A  name  for  the  address  set.  Names are ASCII and must match
1648              [a-zA-Z_.][a-zA-Z_.0-9]*.
1649
1650       addresses: set of strings
1651              The set of addresses in string form.
1652
1653     Common Columns:
1654
1655       external_ids: map of string-string pairs
1656              See External IDs at the beginning of this document.
1657

Port_Group TABLE

1659       Each row in this table represents  a  named  group  of  logical  switch
1660       ports.
1661
1662       Port  groups may be used in the match column of the ACL table. For syn‐
1663       tax information, see the details of the expression  language  used  for
1664       the  match column in the Logical_Flow table of the OVN_Southbound data‐
1665       base.
1666
1667       For each port group, there are two address sets generated  to  the  Ad‐
1668       dress_Set  table  of the OVN_Southbound database, containing the IP ad‐
1669       dresses of the group of ports, one for IPv4, and the  other  for  IPv6,
1670       with  name  being  the name of the Port_Group followed by a suffix _ip4
1671       for IPv4 and _ip6 for IPv6. The generated address sets can be  used  in
1672       the same way as regular address sets in the match column of the ACL ta‐
1673       ble. For syntax information, see the details of the expression language
1674       used  for  the match column in the Logical_Flow table of the OVN_South‐
1675       bound database.
1676
1677   Summary:
1678       name                          string (must be unique within table)
1679       ports                         set   of   weak   reference   to    Logi‐
1680                                     cal_Switch_Ports
1681       acls                          set of ACLs
1682       Common Columns:
1683         external_ids                map of string-string pairs
1684
1685   Details:
1686       name: string (must be unique within table)
1687              A  name  for  the  port  group.  Names  are ASCII and must match
1688              [a-zA-Z_.][a-zA-Z_.0-9]*.
1689
1690       ports: set of weak reference to Logical_Switch_Ports
1691              The logical switch ports belonging to the group in uuids.
1692
1693       acls: set of ACLs
1694              Access control rules that apply to the port group.  Applying  an
1695              ACL  to  a port group has the same effect as applying the ACL to
1696              all logical switches that the ports of the  port  group  belong
1697              to.
1698
1699     Common Columns:
1700
1701       external_ids: map of string-string pairs
1702              See External IDs at the beginning of this document.
1703

Load_Balancer TABLE

1705       Each row represents one load balancer.
1706
1707   Summary:
1708       name                          string
1709       vips                          map of string-string pairs
1710       protocol                      optional string, one of sctp, tcp, or udp
1711       Health Checks:
1712         health_check                set of Load_Balancer_Health_Checks
1713         ip_port_mappings            map of string-string pairs
1714       selection_fields              set  of strings, one of eth_dst, eth_src,
1715                                     ip_dst, ip_src, tp_dst, or tp_src
1716       Common Columns:
1717         external_ids                map of string-string pairs
1718       Load_Balancer options:
1719         options : reject            optional string, either true or false
1720         options : hairpin_snat_ip   optional string
1721         options : skip_snat         optional string
1722         options : add_route         optional string
1723         options : neighbor_responder
1724                                     optional string
1725         options : template          optional string
1726         options : address-family    optional string
1727         options : affinity_timeout  optional string
1728         options : ct_flush          optional string, either true or false
1729
1730   Details:
1731       name: string
1732              A name for the load balancer. This name has no  special  meaning
1733              or  purpose other than to provide convenience for human interac‐
1734              tion with the ovn-nb database.
1735
1736       vips: map of string-string pairs
1737              A map of virtual IP addresses (and an optional port number  with
1738              :  as  a separator) associated with this load balancer and their
1739              corresponding endpoint IP addresses (and optional  port  numbers
1740              with : as separators) separated by commas. If the destination IP
1741              address (and port number) of a packet leaving a container  or  a
1742              VM  matches  the  virtual  IP address (and port number) provided
1743              here as a key, then OVN will statefully replace the  destination
1744              IP  address  by one of the provided IP addresses (and port number)
1745              in this map as a value. IPv4 and IPv6  addresses  are  supported
1746              for  load balancing; however a VIP of one address family may not
1747              be mapped to a destination IP address of a different family.  If
1748              specifying an IPv6 address with a port, the address portion must
1749              be  enclosed  in  square  brackets.  Examples   for   keys   are
1750              "192.168.1.4"  and  "[fd0f::1]:8800".  Examples  for  value  are
1751              "10.0.0.1, 10.0.0.2" and "20.0.0.10:8800, 20.0.0.11:8800".
1752
1753              When the Load_Balancer is added to the logical_switch,  the  VIP
1754              has  to be in a different subnet than the one used for the logi‐
1755              cal_switch. Since VIP is in a different subnet, you should  con‐
1756              nect  your  logical  switch  to either an OVN logical router or a
1757              real router (this is because the client can now  send  a  packet
1758              with  VIP as the destination IP address and router’s mac address
1759              as the destination MAC address).
1760
1761       protocol: optional string, one of sctp, tcp, or udp
1762              Valid protocols are tcp, udp, or sctp.  This  column  is  useful
1763              when  a  port  number is provided as part of the vips column. If
1764              this column is empty and a port number is provided  as  part  of
1765              vips column, OVN assumes the protocol to be tcp.
1766
1767     Health Checks:
1768
1769       OVN  supports  health  checks  for load balancer endpoints. When health
1770       checks are enabled, the load balancer uses only healthy endpoints.
1771
1772       Suppose     that     vips      contains      a      key-value      pair
1773       10.0.0.10:80=10.0.0.4:8080,20.0.0.4:8080.  To  enable health checks for
1774       this virtual IP’s endpoints, add two key-value pairs to ip_port_mappings,
1775       with keys 10.0.0.4 and 20.0.0.4, and add to health_check a reference to
1776       a Load_Balancer_Health_Check row whose vip is  set  to  10.0.0.10.  The
1777       same approach can be used for IPv6 as well.
1778
1779       health_check: set of Load_Balancer_Health_Checks
1780              Load balancer health checks associated with this load balancer.
1781
1782       ip_port_mappings: map of string-string pairs
1783              Maps  from endpoint IP to a colon-separated pair of logical port
1784              name and source IP, e.g. port_name:source_ip for IPv4.  Health
1785              checks  are  sent to this port with the specified source IP. For
1786              IPv6, square brackets must be used around the IP address,  e.g.
1787              port_name:[source_ip]
1788
1789              For  example, in the example above, IP to port mappings might be
1790              defined         as         10.0.0.4=sw0-p1:10.0.0.2          and
1791              20.0.0.4=sw1-p1:20.0.0.2,  if  the  values  given  were suitable
1792              ports and IP addresses.
1793
1794              For  IPv6  IP   to   port   mappings   might   be   defined   as
1795              [2001::1]=sw0-p1:[2002::1].
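
              The vips and ip_port_mappings formats above lend themselves to
              a pre-commit check that a CMS can run before writing a
              Load_Balancer row. This is an added example, not part of the
              OVN manual or of OVN's code. The function names are
              hypothetical, port names are assumed not to contain a colon,
              and a health check is matched to a vips key by IP address,
              following the 10.0.0.10 example above.

```python
"""Consistency check for Load_Balancer vips / ip_port_mappings (added example)."""
import ipaddress


def split_endpoint(text):
    """Parse 'ip', 'ip:port', '[ip6]' or '[ip6]:port' into (address, port)."""
    text = text.strip()
    port = None
    if text.startswith("["):
        # An IPv6 address with a port must be enclosed in square brackets.
        host, sep, rest = text[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError("malformed bracketed address: %r" % text)
        if rest:
            port = rest[1:]
    elif text.count(":") == 1:
        host, _, port = text.partition(":")   # IPv4 with a port
    else:
        host = text                            # bare IPv4 or bare IPv6
    addr = ipaddress.ip_address(host)
    if port is not None:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in %r" % text)
    return addr, port


def parse_mapping(value):
    """Parse an ip_port_mappings value: port_name:source_ip (IPv6 bracketed)."""
    port_name, sep, src = value.partition(":")
    if not port_name or not sep:
        raise ValueError("expected port_name:source_ip, got %r" % value)
    if src.startswith("[") and src.endswith("]"):
        return port_name, ipaddress.IPv6Address(src[1:-1])
    # An unbracketed IPv6 source address fails here, as the format requires.
    return port_name, ipaddress.IPv4Address(src)


def lint_load_balancer(vips, ip_port_mappings=None, health_check_vips=()):
    """Return a list of findings; an empty list means the row is consistent."""
    findings = []
    mappings = {}
    for key, value in (ip_port_mappings or {}).items():
        try:
            mappings[split_endpoint(key)[0]] = parse_mapping(value)
        except ValueError as exc:
            findings.append("ip_port_mappings %s=%s: %s" % (key, value, exc))

    checked = {split_endpoint(vip)[0] for vip in health_check_vips}

    for key, value in vips.items():
        try:
            vip, _ = split_endpoint(key)
            backends = [split_endpoint(b) for b in value.split(",")]
        except ValueError as exc:
            findings.append("vips %s: %s" % (key, exc))
            continue
        for addr, _port in backends:
            # A VIP may not map to a backend of a different address family.
            if addr.version != vip.version:
                findings.append("vips %s: backend %s is a different "
                                "address family" % (key, addr))
            # Health checks need a logical port and source IP per endpoint.
            if vip in checked and addr not in mappings:
                findings.append("vips %s: health check enabled but no "
                                "ip_port_mappings entry for %s" % (key, addr))
    return findings


if __name__ == "__main__":
    # Values from the health check example on this page.
    row_vips = {"10.0.0.10:80": "10.0.0.4:8080,20.0.0.4:8080"}
    row_map = {"10.0.0.4": "sw0-p1:10.0.0.2"}  # 20.0.0.4 left out on purpose
    for finding in lint_load_balancer(row_vips, row_map, ["10.0.0.10"]):
        print(finding)
```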
1796
1797       selection_fields:  set  of  strings,  one  of eth_dst, eth_src, ip_dst,
1798       ip_src, tp_dst, or tp_src
1799              OVN native load  balancers  are  supported  using  the  OpenFlow
1800              groups  of  type  select.  OVS  supports  two selection methods:
1801              dp_hash and hash (with optional fields specified)  in  selecting
1802              the  buckets  of  a group. Please see the OVS documentation (man
1803              ovs-ofctl) for more details on the selection methods. Each  end‐
1804              point  IP  (and  port if set) is mapped to a bucket in the group
1805              flow.
1806
1807              CMS can choose the hash selection method by setting  the  selec‐
1808              tion  fields  in  this  column.  ovs-vswitchd uses the specified
1809              fields in generating the hash.
1810
1811              dp_hash selection method uses the assistance of datapath to cal‐
1812              culate the hash and it is expected to be faster than hash selec‐
1813              tion method. So CMS should take this into  consideration  before
1814              using  the hash method. Please consult the OVS documentation and
1815              OVS sources for the implementation details.
1816
1817     Common Columns:
1818
1819       external_ids: map of string-string pairs
1820              See External IDs at the beginning of this document.
1821
1822     Load_Balancer options:
1823
1824       options : reject: optional string, either true or false
1825              If the load balancer is created with --reject option and it  has
1826              no  active  backends,  a  TCP reset segment (for tcp) or an ICMP
1827              port unreachable packet (for all other kinds of traffic) will  be
1828              sent  whenever an incoming packet is received for this load-bal‐
1829              ancer. Please note using --reject option will  disable  empty_lb
1830              SB controller event for this load balancer.
1831
1832       options : hairpin_snat_ip: optional string
1833              IP  to  be  used  as  source IP for packets that have been hair-
1834              pinned after load balancing. The default behavior when  the  op‐
1835              tion  is  not  set is to use the load balancer VIP as source IP.
1836              This option may have exactly one IPv4 and/or one IPv6 address on
1837              it, separated by a space character.
1838
1839       options : skip_snat: optional string
1840              If  the load balancing rule is configured with skip_snat option,
1841              the option lb_force_snat_ip configured for  the  logical  router
1842              that  references this load balancer will not be applied for this
1843              load balancer.
1844
1845       options : add_route: optional string
1846              If set to true, then neighbor routers will  have  logical  flows
1847              added  that  will  allow for routing to the VIP IP. It also will
1848              have ARP resolution logical flows added. By setting this option,
1849              it    means   there   is   no   reason   to   create   a   Logi‐
1850              cal_Router_Static_Route from neighbor routers to  this  NAT  ad‐
1851              dress.  It also means that no ARP request is required for neigh‐
1852              bor routers to learn the IP-MAC mapping for  this  VIP  IP.  For
1853              more  information  about  what  flows  are  added for IP routes,
1854              please see the ovn-northd manpage section on IP Routing.
1855
1856       options : neighbor_responder: optional string
1857              If set to all, then routers on which the load  balancer  is  ap‐
1858              plied  reply  to ARP/neighbor discovery requests for all VIPs of
1859              the load balancer. If set to reachable, then  routers  on  which
1860              the load balancer is applied reply to ARP/neighbor discovery re‐
1861              quests only for VIPs that are part of a router’s subnet. If  set
1862              to  none,  then  routers  on  which the load balancer is applied
1863              never reply to ARP/neighbor discovery requests for  any  of  the
1864              load balancer VIPs. Load balancers with options:template=true do
1865              not support reachable as a valid mode. The default value of this
1866              option,  if  not  specified,  is reachable for regular load bal‐
1867              ancers and none for template load balancers.
1868
1869       options : template: optional string
1870              Option to be set to true, if the load balancer  is  a  template.
1871              The  load  balancer VIPs and backends must be using Chassis_Tem‐
1872              plate_Var in their definitions.
1873
1874              Load balancer template VIP supported formats are:
1875
1876              ^VIP_VAR[:^PORT_VAR|:port]
1877
1878
1879              where VIP_VAR and PORT_VAR are keys of the  Chassis_Template_Var
1880              variables records.
1881
1882              Note: The VIP and PORT cannot be combined into a single template
1883              variable. For example, a Chassis_Template_Var variable expanding
1884              to 10.0.0.1:8080 is not valid if used as VIP.
1885
1886              Load balancer template backend supported formats are:
1887
1888              ^BACKEND_VAR1[:^PORT_VAR1|:port],^BACKEND_VAR2[:^PORT_VAR2|:port]
1889              or
1890              ^BACKENDS_VAR1,^BACKENDS_VAR2
1891
1892
1893              where  BACKEND_VAR1,  PORT_VAR1,  BACKEND_VAR2, PORT_VAR2, BACK‐
1894              ENDS_VAR1 and BACKENDS_VAR2 are keys of the Chassis_Template_Var
1895              variables records.
1896
1897       options : address-family: optional string
1898              Address  family  used by the load balancer. Supported values are
1899              ipv4 and ipv6. The address-family is only  used  for  load  bal‐
1900              ancers  with options:template=true. For explicit load balancers,
1901              setting the address-family has no effect.
1902
1903       options : affinity_timeout: optional string
1904              If the CMS provides a positive value  (in  seconds)  for  affin‐
1905              ity_timeout,  OVN  will  dnat connections received from the same
1906              client to this lb to the same backend if received in the  affin‐
1907              ity timeslot. Max supported affinity_timeout is 65535 seconds.
1908
1909       options : ct_flush: optional string, either true or false
1910              The  value  indicates whether ovn-controller should flush CT en‐
1911              tries that are related to this LB. The flush happens if  the  LB
1912              is  removed, any of the backends is updated/removed or the LB is
1913              not considered local anymore by the ovn-controller. This  option
1914              is set to false by default.
1915
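       The template formats described under options:template above, as an
       added example that is not part of the OVN sources: a parser for
       ^VAR[:^PORT_VAR|:port] elements plus a per-chassis expansion check
       that rejects a VIP variable holding address and port together. The
       allowed variable-name characters, the function names and the sample
       variables are assumptions of this example.

```python
import ipaddress
import re

# Assumption of this example: variable names consist of letters, digits,
# '_', '-' and '.'; the manual page does not define the allowed characters.
ITEM = re.compile(
    r"\^(?P<addr>[A-Za-z0-9_.-]+)"                           # ^VIP_VAR / ^BACKEND_VAR
    r"(?::(?:\^(?P<pvar>[A-Za-z0-9_.-]+)|(?P<port>\d+)))?"   # [:^PORT_VAR|:port]
)

# Constructed Chassis_Template_Var variables for one chassis.
SAMPLE_CHASSIS_VARS = {"vip": "10.0.0.1", "port": "8080",
                       "combined": "10.0.0.1:8080"}


def check_port(port):
    """Return port if it is a usable L4 port number, else raise ValueError."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1..65535")
    return port


def parse_item(text):
    """Parse one ^VAR[:^PORT_VAR|:port] element.

    Returns (address_variable, port_variable_or_None, literal_port_or_None).
    """
    match = ITEM.fullmatch(text)
    if match is None:
        raise ValueError(f"not a template element: {text!r}")
    port = check_port(int(match["port"])) if match["port"] is not None else None
    return match["addr"], match["pvar"], port


def parse_backends(text):
    """Parse a comma-separated template backend list into parse_item tuples."""
    return [parse_item(part) for part in text.split(",")]


def lookup(chassis_vars, name):
    """Fetch a template variable, failing loudly when the chassis lacks it."""
    if name not in chassis_vars:
        raise ValueError(f"chassis has no template variable {name!r}")
    return chassis_vars[name]


def expand_vip(vip, chassis_vars, family="ipv4"):
    """Expand a template VIP for one chassis and return (ip, port_or_None).

    The VIP variable must expand to a bare address of the configured
    address-family; "10.0.0.1:8080" in a single variable is rejected.
    """
    addr_var, port_var, port = parse_item(vip)
    value = lookup(chassis_vars, addr_var)
    try:
        address = ipaddress.ip_address(value)
    except ValueError:
        raise ValueError(
            f"{addr_var!r} expands to {value!r}, not a bare IP address") from None
    if address.version != {"ipv4": 4, "ipv6": 6}[family]:
        raise ValueError(f"{value!r} does not match address-family {family}")
    if port_var is not None:
        port = check_port(int(lookup(chassis_vars, port_var)))
    return str(address), port
```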

Load_Balancer_Group TABLE

       Each row represents a logical grouping of load balancers. It is up to
       the CMS to decide the criteria on which load balancers are grouped
       together. To simplify configuration and to optimize its processing,
       load balancers that must be associated to the same set of logical
       switches and/or logical routers should be grouped together.
1922
1923   Summary:
1924       name                          string (must be unique within table)
1925       load_balancer                 set of weak reference to Load_Balancers
1926
1927   Details:
1928       name: string (must be unique within table)
1929              A  name  for  the  load balancer group. This name has no special
1930              meaning or purpose other than to provide convenience  for  human
1931              interaction with the ovn-nb database.
1932
1933       load_balancer: set of weak reference to Load_Balancers
1934              A set of load balancers.
1935

Load_Balancer_Health_Check TABLE

1937       Each row represents one load balancer health check.
1938
1939   Summary:
1940       vip                           string
1941       Health check options:
1942         options : interval          optional string, containing an integer
1943         options : timeout           optional string, containing an integer
1944         options : success_count     optional string, containing an integer
1945         options : failure_count     optional string, containing an integer
1946       Common Columns:
1947         external_ids                map of string-string pairs
1948
1949   Details:
1950       vip: string
1951              vip whose endpoints should be monitored for health check.
1952
1953     Health check options:
1954
1955       options : interval: optional string, containing an integer
1956              The interval, in seconds, between health checks.
1957
1958       options : timeout: optional string, containing an integer
1959              The time, in seconds, after which a health check times out.
1960
1961       options : success_count: optional string, containing an integer
1962              The number of successful checks after which the endpoint is con‐
1963              sidered online.
1964
1965       options : failure_count: optional string, containing an integer
              The number of failed checks after which the endpoint is
              considered offline.
1968
1969     Common Columns:
1970
1971       external_ids: map of string-string pairs
1972              See External IDs at the beginning of this document.
1973

ACL TABLE

1975       Each  row in this table represents one ACL rule for a logical switch or
1976       a port group that points to it through its acls column. The action col‐
1977       umn  for  the  highest-priority matching row in this table determines a
1978       packet’s treatment. If no row matches, packets are allowed by  default.
1979       (Default-deny  treatment  is possible: add a rule with priority 0, 1 as
1980       match, and deny as action.)
1981
1982   Summary:
1983       label                         integer, in range 0 to 4,294,967,295
1984       priority                      integer, in range 0 to 32,767
1985       direction                     string, either from-lport or to-lport
1986       match                         string
1987       action                        string,   one   of   allow-related,   al‐
1988                                     low-stateless,  allow, drop, pass, or re‐
1989                                     ject
1990       tier                          integer, in range 0 to 3
1991       options:
1992         options : apply-after-lb    optional string
1993       Logging:
1994         log                         boolean
1995         name                        optional string, at  most  63  characters
1996                                     long
1997         severity                    optional  string,  one  of  alert, debug,
1998                                     info, notice, or warning
1999         meter                       optional string
2000       Common Columns:
2001         options                     map of string-string pairs
2002         ACL configuration options:
2003            options : log-related    optional string
2004         external_ids                map of string-string pairs
2005
2006   Details:
2007       label: integer, in range 0 to 4,294,967,295
2008              Associates an identifier with the ACL. The same  value  will  be
2009              written  to  corresponding  connection  tracker entry. The value
2010              should be a valid 32-bit unsigned integer. This value  can  help
2011              in  debugging from connection tracker side. For example, through
2012              this "label" we can backtrack to the ACL rule which is causing a
2013              "leaked" connection. Connection tracker entries are created only
2014              for allowed connections so the label is valid only for allow and
2015              allow-related actions.
2016
2017       priority: integer, in range 0 to 32,767
2018              The  ACL rule’s priority. Rules with numerically higher priority
2019              take precedence over those with lower. If two ACL rules with the
2020              same  priority  both  match,  then the one actually applied to a
2021              packet is undefined.
2022
2023              Return traffic from an allow-related flow is always allowed  and
2024              cannot be changed through an ACL.
2025
2026              allow-stateless  flows  always  take  precedence before stateful
2027              ACLs, regardless of their priority. (Both  allow  and  allow-re‐
2028              lated ACLs can be stateful.)
2029
2030       direction: string, either from-lport or to-lport
2031              Direction of the traffic to which this rule should apply:
2032
              •      from-lport: Used to implement filters on traffic arriving
                     from a logical port. These rules are applied to the
                     logical switch’s ingress pipeline.

              •      to-lport: Used to implement filters on traffic forwarded
                     to a logical port. These rules are applied to the logical
                     switch’s egress pipeline.
2040
2041       match: string
2042              The  packets  that  the ACL should match, in the same expression
2043              language used for the match column in the OVN  Southbound  data‐
2044              base’s  Logical_Flow  table.  The  outport  logical port is only
2045              available in the to-lport direction (the inport is available  in
2046              both directions).
2047
2048              By  default all traffic is allowed. When writing a more restric‐
2049              tive policy, it is important to remember to allow flows such  as
2050              ARP and IPv6 neighbor discovery packets.
2051
2052              Note  that  you  can  not  create an ACL matching on a port with
2053              type=router or type=localnet.
2054
2055       action: string, one of  allow-related,  allow-stateless,  allow,  drop,
2056       pass, or reject
2057              The action to take when the ACL rule matches:
2058
              •      allow-stateless: Always forward the packet in stateless
                     manner, omitting connection tracking mechanism,
                     regardless of other rules defined for the switch. May
                     require defining additional rules for inbound replies.
                     For example, if you define a rule to allow outgoing TCP
                     traffic directed to an IP address, then you probably also
                     want to define another rule to allow incoming TCP traffic
                     coming from this same IP address. In addition, traffic
                     that matches stateless ACLs will bypass load-balancer
                     DNAT/un-DNAT processing. Stateful ACLs should be used
                     instead if the traffic is supposed to be load-balanced.

              •      allow: Forward the packet. It will also send the packets
                     through connection tracking when allow-related rules
                     exist on the logical switch. Otherwise, it’s equivalent
                     to allow-stateless.

              •      allow-related: Forward the packet and related traffic
                     (e.g. inbound replies to an outbound connection).

              •      drop: Silently drop the packet.

              •      reject: Drop the packet, replying with a RST for TCP or
                     ICMPv4/ICMPv6 unreachable message for other
                     IPv4/IPv6-based protocols.

              •      pass: Pass to the next ACL tier. If using multiple ACL
                     tiers, a match on this ACL will stop evaluating ACLs at
                     the current tier and move to the next one. If not using
                     ACL tiers or if a pass ACL is matched at the final tier,
                     then the options:default_acl_drop option from the
                     NB_Global table is used to determine how to proceed.
2091
2092       tier: integer, in range 0 to 3
2093              The hierarchical tier that this ACL belongs to.
2094
2095              ACLs can be assigned to numerical tiers. When  evaluating  ACLs,
2096              an  internal  counter  is  used  to determine which tier of ACLs
2097              should be evaluated. Tier 0 ACLs are evaluated first. If no ver‐
2098              dict  can  be  determined,  then tier 1 ACLs are evaluated next.
2099              This continues until the maximum tier value is reached.  If  all
2100              tiers  of ACLs are evaluated and no verdict is reached, then the
2101              options:default_acl_drop option from table NB_Global is used  to
2102              determine how to proceed.
2103
2104              In  this  version  of OVN, the maximum tier value for ACLs is 3,
2105              meaning there are 4 tiers of ACLs allowed (0-3).
2106
2107     options:
2108
2109       ACLs options.
2110
2111       options : apply-after-lb: optional string
2112              If set to true, the ACL will be  applied  after  load  balancing
2113              stage. Supported only for from-lport direction.
2114
2115              The  main use case of this option is to support ACLs matching on
2116              the destination IP address of the packet for the backend IPs  of
2117              load balancers.
2118
              OVN will apply the from-lport ACLs in two stages. ACLs without
              the apply-after-lb option set will be applied before the load
              balancer stage, and ACLs with this option set will be applied
              after the load balancer stage. The priorities are independent
              between these stages and may not be obvious to the CMS. Hence
              the CMS should be extra careful when using this option and
              should carefully evaluate the priorities of all the ACLs and the
              default deny/allow ACLs, if any.
2127
2128     Logging:
2129
2130       These columns control whether and how OVN logs packets  that  match  an
2131       ACL.
2132
2133       log: boolean
2134              If  set  to  true, packets that match the ACL will trigger a log
2135              message on the transport node or nodes that perform ACL process‐
2136              ing. Logging may be combined with any action.
2137
2138              If  set  to  false,  the remaining columns in this group have no
2139              significance.
2140
2141       name: optional string, at most 63 characters long
2142              This name, if it is provided, is included  in  log  records.  It
2143              provides the administrator and the cloud management system a way
2144              to associate a log record with a particular ACL.
2145
2146       severity: optional string, one of alert, debug, info, notice, or  warn‐
2147       ing
2148              The severity of the ACL. The severity levels match those of sys‐
2149              log, in decreasing level of severity:  alert,  warning,  notice,
2150              info, or debug. When the column is empty, the default is info.
2151
2152       meter: optional string
2153              The  name of a meter to rate-limit log messages for the ACL. The
2154              string must match the name column of a row in the  Meter  table.
2155              By  default,  log messages are not rate-limited. In order to en‐
2156              sure that the same Meter rate limits  multiple  ACL  logs  sepa‐
2157              rately, set the fair column.
2158
2159     Common Columns:
2160
2161       options: map of string-string pairs
2162              This  column  provides general key/value settings. The supported
2163              options are described individually below.
2164
2165     ACL configuration options:
2166
2167       options : log-related: optional string
2168              If set to true, then log when reply or related traffic is admit‐
2169              ted  from  a stateful ACL. In order for this option to function,
2170              the log option must be set to true and a label must be set,  and
2171              it  must  be  unique to the ACL. The label is necessary as it is
2172              the only means to associate the reply traffic with  the  ACL  to
2173              which it belongs. It must be unique, because otherwise it is am‐
2174              biguous which ACL will be matched. Note: If this option  is  en‐
2175              abled,  an  extra  flow is installed in order to log the related
2176              traffic. Therefore, if this is enabled on all ACLs, then the to‐
2177              tal number of flows necessary to log the ACL traffic is doubled,
2178              compared to if this option is not enabled.
2179
2180       external_ids: map of string-string pairs
2181              See External IDs at the beginning of this document.
2182
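       The constraints stated in the ACL column descriptions above, turned
       into a checker over ACL rows. This is an added example, not code from
       OVN; the finding names and the sample rows are constructed, label 0 is
       assumed to mean that no label is set, and a default deny is recognized
       as a priority 0 row with match 1 and action drop or reject.

```python
PERMIT = ("allow", "allow-related")            # actions that may carry a label
DENY = ("drop", "reject")
ACTIONS = PERMIT + DENY + ("allow-stateless", "pass")
DIRECTIONS = ("from-lport", "to-lport")

# Constructed sample rows, using the column names of the ACL table.
SAMPLE_ACLS = [
    {"name": "allow-web", "direction": "to-lport", "priority": 1000,
     "match": "tcp.dst == 443", "action": "allow-related", "label": 7,
     "log": True, "options": {"log-related": "true"}},
    {"name": "allow-db", "direction": "to-lport", "priority": 1000,
     "match": "tcp.dst == 5432", "action": "allow-related", "label": 7,
     "log": False, "options": {"log-related": "true"}},
    {"name": "block-scan", "direction": "to-lport", "priority": 1000,
     "match": "ip4.src == 192.0.2.0/24", "action": "drop", "label": 9},
    {"name": "backend-only", "direction": "to-lport", "priority": 900,
     "match": "ip4.dst == 10.0.0.5", "action": "allow",
     "options": {"apply-after-lb": "true"}},
    {"name": "deny-all-in", "direction": "from-lport", "priority": 0,
     "match": "1", "action": "drop"},
]


def is_true(options, key):
    return str(options.get(key, "")).lower() == "true"


def lint_acls(acls, default_acl_drop=False):
    """Return a sorted list of (subject, finding) pairs for a list of ACL rows."""
    findings = set()
    label_owners = {}      # label -> names of the ACLs using it
    groups = {}            # (direction, stage, tier, priority) -> [(name, action)]
    log_related = []       # (name, label) of ACLs with options:log-related=true
    has_rows = dict.fromkeys(DIRECTIONS, False)
    default_deny = dict.fromkeys(DIRECTIONS, False)

    for index, acl in enumerate(acls):
        name = acl.get("name") or f"#{index}"
        opts = acl.get("options", {})
        action, direction = acl["action"], acl["direction"]
        priority, tier = acl["priority"], acl.get("tier", 0)
        label = acl.get("label", 0)

        in_range = (0 <= priority <= 32767 and 0 <= tier <= 3
                    and 0 <= label <= 0xFFFFFFFF)
        if not in_range or action not in ACTIONS or direction not in DIRECTIONS:
            findings.add((name, "invalid-column-value"))
            continue
        if len(acl.get("name") or "") > 63:
            findings.add((name, "name-too-long"))
        has_rows[direction] = True

        after_lb = is_true(opts, "apply-after-lb")
        if after_lb and direction != "from-lport":
            findings.add((name, "after-lb-on-to-lport"))    # from-lport only
        if label:
            label_owners.setdefault(label, []).append(name)
            if action not in PERMIT:                         # no conntrack entry
                findings.add((name, "label-on-non-allow"))
        if is_true(opts, "log-related"):
            log_related.append((name, label))
            if not (acl.get("log") and label):
                findings.add((name, "log-related-needs-log-and-label"))
        if priority == 0 and acl["match"].strip() == "1" and action in DENY:
            default_deny[direction] = True

        # Priorities are independent between the pre-LB and after-LB stages.
        stage = "after-lb" if after_lb and direction == "from-lport" else "pre-lb"
        groups.setdefault((direction, stage, tier, priority), []).append((name, action))

    for name, label in log_related:                          # label must be unique
        if label and len(label_owners[label]) > 1:
            findings.add((name, "duplicate-label"))
    for members in groups.values():                          # undefined winner
        actions = {action for _, action in members}
        if actions.intersection(PERMIT) and actions.intersection(DENY):
            findings.update((name, "same-priority-conflict") for name, _ in members)
    if not default_acl_drop:                                 # unmatched = allowed
        for direction in DIRECTIONS:
            if has_rows[direction] and not default_deny[direction]:
                findings.add((direction, "no-default-deny"))
    return sorted(findings)
```

       The same-priority finding is conservative: it cannot tell whether two
       match expressions overlap, only that the result is undefined if they
       do.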

Logical_Router TABLE

2184       Each row represents one L3 logical router.
2185
2186   Summary:
2187       ports                         set of Logical_Router_Ports
2188       static_routes                 set of Logical_Router_Static_Routes
2189       policies                      set of Logical_Router_Policys
2190       enabled                       optional boolean
2191       nat                           set of NATs
2192       load_balancer                 set of weak reference to Load_Balancers
2193       load_balancer_group           set of Load_Balancer_Groups
2194       Naming:
2195         name                        string
2196         external_ids : neutron:router_name
2197                                     optional string
2198       copp                          optional weak reference to Copp
2199       Options:
2200         options : chassis           optional string
2201         options : dnat_force_snat_ip
2202                                     optional string
2203         options : lb_force_snat_ip  optional string
2204         options : mcast_relay       optional string, either true or false
2205         options : dynamic_neigh_routers
2206                                     optional string, either true or false
2207         options : always_learn_from_arp_request
2208                                     optional string, either true or false
2209         options : requested-tnl-key
2210                                     optional string, containing  an  integer,
2211                                     in range 1 to 16,777,215
2212         options : snat-ct-zone      optional  string,  containing an integer,
2213                                     in range 0 to 65,535
2214         options : mac_binding_age_threshold
2215                                     optional string, containing  an  integer,
2216                                     in range 0 to 4,294,967,295
2217       Common Columns:
2218         external_ids                map of string-string pairs
2219
2220   Details:
2221       ports: set of Logical_Router_Ports
2222              The router’s ports.
2223
2224       static_routes: set of Logical_Router_Static_Routes
2225              Zero or more static routes for the router.
2226
2227       policies: set of Logical_Router_Policys
2228              Zero or more routing policies for the router.
2229
2230       enabled: optional boolean
2231              This  column  is  used  to administratively set router state. If
2232              this column is empty or is set to true, the router  is  enabled.
2233              If  this  column is set to false, the router is disabled. A dis‐
2234              abled router has all ingress and egress traffic dropped.
2235
2236       nat: set of NATs
2237              One or more NAT rules for the router. NAT  rules  only  work  on
2238              Gateway  routers,  and  on distributed routers with one and only
2239              one distributed gateway port.
2240
2241       load_balancer: set of weak reference to Load_Balancers
              Set of load balancers associated to this logical router. Load
              balancer rules only work on the Gateway routers or routers with
              one and only one distributed gateway port.
2245
2246       load_balancer_group: set of Load_Balancer_Groups
2247              Set of load balancers groups associated to this logical router.
2248
2249     Naming:
2250
2251       These columns provide names for the logical router. From OVN’s perspec‐
2252       tive, these names have no special meaning or purpose other than to pro‐
2253       vide convenience for human interaction with  the  northbound  database.
2254       There  is no requirement for the name to be unique. (For a unique iden‐
2255       tifier for a logical router, use its row UUID.)
2256
2257       (Originally, name was intended to serve the purpose of a human-friendly
2258       name,  but the Neutron integration used it to uniquely identify its own
2259       router object, in the format neutron-uuid. Later  on,  Neutron  started
2260       propagating   the  friendly  name  of  a  router  as  external_ids:neu‐
2261       tron:router_name. Perhaps this can be cleaned up someday.)
2262
2263       name: string
2264              A name for the logical router.
2265
2266       external_ids : neutron:router_name: optional string
2267              Another name for the logical router.
2268
2269       copp: optional weak reference to Copp
2270              The control plane protection policy from table Copp used for me‐
2271              tering packets sent to ovn-controller from logical ports of this
2272              router.
2273
2274     Options:
2275
2276       Additional options for the logical router.
2277
2278       options : chassis: optional string
2279              If set, indicates that the logical router in question is a Gate‐
2280              way  router  (which is centralized) and resides in the set chas‐
2281              sis. The same value is also used by ovn-controller  to  uniquely
2282              identify the chassis in the OVN deployment and comes from exter‐
2283              nal_ids:system-id in  the  Open_vSwitch  table  of  Open_vSwitch
2284              database.
2285
2286              The Gateway router can only be connected to a distributed router
2287              via a switch if SNAT and DNAT are to be configured in the  Gate‐
2288              way router.
2289
2290       options : dnat_force_snat_ip: optional string
              If set, indicates a set of IP addresses to use to force SNAT a
              packet that has already been DNATed in the gateway router. When
              multiple gateway routers are configured, a packet can
              potentially enter any of the gateway routers, get DNATted and
              eventually reach the logical switch port. For the return traffic
              to go back to the same gateway router (for unDNATing), the
              packet needs a SNAT in the first place. This can be achieved by
              setting the above option with a gateway specific set of IP
              addresses. This option may have exactly one IPv4 and/or one IPv6
              address on it, separated by a space.
2301
2302       options : lb_force_snat_ip: optional string
              If set, this option can take two possible types of values:
              either a set of IP addresses or the string value router_ip.

              If a set of IP addresses is configured, those addresses are
              used to force SNAT a packet that has already been load-balanced
              in the gateway router. When multiple gateway routers are
              configured, a packet can potentially enter any of the gateway
              routers, get DNATted as part of the load-balancing and
              eventually reach the logical switch port. For the return traffic
              to go back to the same gateway router (for unDNATing), the
              packet needs a SNAT in the first place. This can be achieved by
              setting the above option with a gateway specific set of IP
              addresses. This option may have exactly one IPv4 and/or one IPv6
              address on it, separated by a space character.
2317
2318              If it is configured with the value router_ip, then the load bal‐
2319              anced packet is SNATed with the IP of router port  (attached  to
2320              the gateway router) selected as the destination after taking the
2321              routing decision.
2322
2323       options : mcast_relay: optional string, either true or false
2324              Enables/disables IP multicast  relay  between  logical  switches
2325              connected to the logical router. Default: False.
2326
2327       options : dynamic_neigh_routers: optional string, either true or false
2328              If  set  to  true, the router will resolve neighbor routers’ MAC
2329              addresses only  by  dynamic  ARP/ND,  instead  of  prepopulating
2330              static  mappings  for all neighbor routers in the ARP/ND Resolu‐
2331              tion stage. This reduces number of flows,  but  requires  ARP/ND
2332              messages to resolve the IP-MAC bindings when needed. It is false
2333              by default. It is recommended to set to true when a large number
2334              of  logical routers are connected to the same logical switch but
2335              most of them never need to send traffic between each  other.  By
2336              default,  ovn-northd  does  not  create mappings to NAT and load
              balancer addresses. However, for NAT and load balancer addresses
2338              that  have  the  add_route  option added, ovn-northd will create
2339              logical flows that map NAT and load balancer IP addresses to the
2340              appropriate  MAC  address. Setting dynamic_neigh_routers to true
2341              will prevent the automatic creation of these logical flows.
2342
2343       options : always_learn_from_arp_request: optional string,  either  true
2344       or false
2345              This  option  controls  the  behavior when handling IPv4 ARP re‐
2346              quests or IPv6 ND-NS packets - whether a dynamic  neighbor  (MAC
2347              binding) entry is added/updated.
2348
2349              true  -  Always learn the MAC-IP binding, and add/update the MAC
2350              binding entry.
2351
2352              false - If there is a MAC binding for that IP  and  the  MAC  is
2353              different,  or, if TPA of ARP request belongs to any router port
2354              on this router, then update/add that MAC-IP binding.  Otherwise,
2355              don’t update/add entries.
2356
2357              It  is true by default. It is recommended to set to false when a
2358              large number of logical routers are connected to the same  logi‐
2359              cal  switch  but most of them never need to send traffic between
2360              each other, to reduce the size of the MAC binding table.
2361
2362       options : requested-tnl-key: optional string, containing an integer, in
2363       range 1 to 16,777,215
2364              Configures  the datapath tunnel key for the logical router. This
              is not needed because ovn-northd will assign a unique key for
2366              each   datapath   by  itself.  However,  if  it  is  configured,
2367              ovn-northd honors the configured value.
2368
2369       options : snat-ct-zone: optional  string,  containing  an  integer,  in
2370       range 0 to 65,535
2371              Use the requested conntrack zone for SNAT with this router. This
2372              can be useful if egress traffic from the host running OVN  comes
2373              from  both  OVN  and  other sources. This way, OVN and the other
2374              sources can make use of the same conntrack zone.
2375
2376       options : mac_binding_age_threshold: optional string, containing an in‐
2377       teger, in range 0 to 4,294,967,295
2378              MAC  binding  aging  threshold value in seconds. MAC binding ex‐
2379              ceeding this timeout will be automatically  removed.  The  value
2380              defaults to 0, which means disabled.
2381
2382     Common Columns:
2383
2384       external_ids: map of string-string pairs
2385              See External IDs at the beginning of this document.
2386

QoS TABLE

       Each row in this table represents one QoS rule for a logical switch
       that points to it through its qos_rules column. Two types of QoS are
       supported: DSCP marking and metering. A match with the highest
       priority will have QoS applied to it. If the action column is
       specified, then matching packets will have DSCP marking applied. If
       the bandwidth column is specified, then matching packets will have
       metering applied. action and bandwidth are not exclusive, so both
       marking and metering can be defined for the same QoS entry. If no row
       matches, packets will not have any QoS applied.
2397
2398   Summary:
2399       priority                      integer, in range 0 to 32,767
2400       direction                     string, either from-lport or to-lport
2401       match                         string
2402       action                        map  of string-integer pairs, key must be
2403                                     dscp, value in range 0 to 63
2404       bandwidth                     map of string-integer pairs,  key  either
2405                                     burst  or  rate,  value  in  range  1  to
2406                                     4,294,967,295
2407       external_ids                  map of string-string pairs
2408
2409   Details:
2410       priority: integer, in range 0 to 32,767
2411              The QoS rule’s priority. Rules with numerically higher  priority
2412              take precedence over those with lower. If two QoS rules with the
2413              same priority both match, then the one  actually  applied  to  a
2414              packet is undefined.
2415
2416       direction: string, either from-lport or to-lport
2417              The  value  of  this  field  is similar to ACL column in the OVN
2418              Northbound database’s ACL table.
2419
2420       match: string
2421              The packets that the QoS rules should match, in the same expres‐
2422              sion  language  used  for the match column in the OVN Southbound
2423              database’s Logical_Flow table. The outport logical port is  only
2424              available  in the to-lport direction (the inport is available in
2425              both directions).
2426
2427       action: map of string-integer pairs, key must be dscp, value in range 0
2428       to 63
2429              When specified, matching flows will have DSCP marking applied.
2430
2431dscp:  The value of this action should be in the range of
2432                     0 to 63 (inclusive).
2433
2434       bandwidth: map of string-integer pairs, key either burst or rate, value
2435       in range 1 to 4,294,967,295
2436              When  specified,  matching  packets will have bandwidth metering
2437              applied. Traffic over the limit will be dropped.
2438
2439rate: The value of rate limit in kbps.
2440
2441burst: The value of burst rate limit in kilobits. This is
2442                     optional and needs to specify the rate.
2443
2444       external_ids: map of string-string pairs
2445              See External IDs at the beginning of this document.
2446
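The constraints above can be checked before a CMS writes QoS rows. The following linter is an added example, not part of OVN or this manual; it assumes the rows are plain dicts keyed by the column names of this table and that they all belong to one logical switch's qos_rules. The sample rows are constructed, and grouping ties by direction is a heuristic of this example.

```python
import re
from collections import defaultdict

U32_MAX = 4_294_967_295
DIRECTIONS = ("from-lport", "to-lport")


def lint_qos_rules(rows):
    """Return sorted (row index, message) findings for a list of QoS rows."""
    findings = []
    same_priority = defaultdict(list)
    for i, row in enumerate(rows):
        prio = row.get("priority")
        direction = row.get("direction")
        action = row.get("action") or {}
        bandwidth = row.get("bandwidth") or {}

        if not isinstance(prio, int) or not 0 <= prio <= 32767:
            findings.append((i, "priority must be an integer in 0..32767"))
        if direction not in DIRECTIONS:
            findings.append((i, "direction must be from-lport or to-lport"))
        elif direction == "from-lport" and re.search(r"\boutport\b", row.get("match", "")):
            # outport is only available in the to-lport direction.
            findings.append((i, "match uses outport in a from-lport rule"))

        for key, value in action.items():
            if key != "dscp":
                findings.append((i, f"action key {key!r} is not dscp"))
            elif not 0 <= value <= 63:
                findings.append((i, f"dscp {value} outside 0..63"))
        for key, value in bandwidth.items():
            if key not in ("rate", "burst"):
                findings.append((i, f"bandwidth key {key!r} is not rate or burst"))
            elif not 1 <= value <= U32_MAX:
                findings.append((i, f"{key} {value} outside 1..{U32_MAX}"))
        if "burst" in bandwidth and "rate" not in bandwidth:
            findings.append((i, "burst set without rate"))

        same_priority[(direction, prio)].append(i)

    # Two same-priority rules that both match leave the applied rule undefined.
    # Match expressions are not parsed here, so every tie is reported for review.
    for (direction, prio), members in same_priority.items():
        if len(members) > 1:
            for i in members:
                findings.append(
                    (i, f"priority {prio} shared by rules {members} ({direction})"))
    return sorted(findings)


# Constructed sample rows.
SAMPLE_ROWS = [
    {"priority": 200, "direction": "from-lport",
     "match": 'ip4 && inport == "vm1"', "action": {"dscp": 46}},
    {"priority": 200, "direction": "from-lport",
     "match": "ip4.src == 10.0.0.0/24", "bandwidth": {"rate": 10000, "burst": 1000}},
    {"priority": 100, "direction": "to-lport",
     "match": "ip4", "bandwidth": {"burst": 500}},
    {"priority": 50, "direction": "from-lport",
     "match": 'outport == "vm2"', "action": {"dscp": 64}},
    {"priority": 10, "direction": "to-lport",
     "match": 'outport == "vm2"', "action": {"dscp": 10}, "bandwidth": {"rate": 1000}},
]

if __name__ == "__main__":
    for index, message in lint_qos_rules(SAMPLE_ROWS):
        print(f"rule {index}: {message}")
```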

Mirror TABLE

       Each row in this table represents a mirror that can be used for port
       mirroring. These mirrors are referenced by the mirror_rules column in
       the Logical_Switch_Port table.

   Summary:
       name                          string (must be unique within table)
       filter                        string, one of both, from-lport, or
                                     to-lport
       sink                          string
       type                          string, one of erspan, gre, or local
       index                         integer
       external_ids                  map of string-string pairs

   Details:
       name: string (must be unique within table)
              Represents the name of the mirror.

       filter: string, one of both, from-lport, or to-lport
              The value of this field represents the selection criteria of
              the mirror. to-lport mirrors the packets coming into the logical
              port. from-lport mirrors the packets going out of the logical
              port. both mirrors both directions.

       sink: string
              The value of this field represents the destination/sink of the
              mirror. If the type is gre or erspan, the value indicates the
              tunnel remote IP (either IPv4 or IPv6). For a type of local,
              this field defines a local interface on the OVS integration
              bridge to be used as the mirror destination. The interface must
              possess external-ids:mirror-id that matches this string.

       type: string, one of erspan, gre, or local
              The value of this field specifies the mirror type - gre, erspan
              or local.

       index: integer
              The value of this field represents the tunnel ID. If the
              configured tunnel type is gre, this field represents the GRE key
              value and if the configured tunnel type is erspan it represents
              the erspan_idx value. It is ignored if the type is local.

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.
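Because a mirror copies port traffic to whatever sink names, Mirror rows are worth auditing against a list of known collectors. The following check is an added example, not part of OVN or this manual; it assumes rows are plain dicts keyed by the column names above, and the approved collector networks, approved mirror-id values and sample rows are constructed.

```python
import ipaddress

FILTERS = {"both", "from-lport", "to-lport"}
TUNNEL_TYPES = {"gre", "erspan"}


def audit_mirrors(rows, approved_collectors, approved_local_ids):
    """Return (mirror name, finding) pairs for Mirror rows that need review.

    approved_collectors: CIDR strings that tunnel sinks may point at.
    approved_local_ids:  mirror-id strings allowed for type local.
    """
    networks = [ipaddress.ip_network(n) for n in approved_collectors]
    findings, seen = [], set()
    for row in rows:
        name = row.get("name", "")
        if name in seen:
            findings.append((name, "duplicate name; name must be unique within the table"))
        seen.add(name)

        if row.get("filter") not in FILTERS:
            findings.append(
                (name, f"filter {row.get('filter')!r} is not both, from-lport or to-lport"))

        mtype, sink = row.get("type"), row.get("sink", "")
        if mtype in TUNNEL_TYPES:
            # For gre and erspan the sink is the tunnel remote IP (IPv4 or IPv6).
            try:
                remote = ipaddress.ip_address(sink)
            except ValueError:
                findings.append(
                    (name, f"{mtype} sink {sink!r} is not an IPv4 or IPv6 address"))
                continue
            if not any(remote in net for net in networks):
                findings.append(
                    (name, f"{mtype} sink {remote} is not an approved collector"))
        elif mtype == "local":
            # For local the sink is matched against external-ids:mirror-id
            # of an interface on the integration bridge; index is ignored.
            if sink not in approved_local_ids:
                findings.append((name, f"local sink {sink!r} is not an approved mirror-id"))
        else:
            findings.append((name, f"type {mtype!r} is not erspan, gre or local"))
    return findings


# Constructed sample data (documentation address ranges).
APPROVED_COLLECTORS = ["192.0.2.0/28", "2001:db8:1::/64"]
APPROVED_LOCAL_IDS = {"ids-tap0"}
SAMPLE_MIRRORS = [
    {"name": "m-tap", "filter": "both", "sink": "192.0.2.10", "type": "gre", "index": 1},
    {"name": "m-v6", "filter": "to-lport", "sink": "2001:db8:1::5", "type": "erspan", "index": 7},
    {"name": "m-out", "filter": "from-lport", "sink": "203.0.113.77", "type": "gre", "index": 2},
    {"name": "m-bad", "filter": "both", "sink": "collector.example", "type": "erspan", "index": 0},
    {"name": "m-local", "filter": "both", "sink": "ids-tap0", "type": "local", "index": 0},
    {"name": "m-local2", "filter": "ingress", "sink": "dbg0", "type": "local", "index": 0},
]

if __name__ == "__main__":
    for mirror, finding in audit_mirrors(SAMPLE_MIRRORS, APPROVED_COLLECTORS, APPROVED_LOCAL_IDS):
        print(f"{mirror}: {finding}")
```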

Meter TABLE

       Each row in this table represents a meter that can be used for QoS or
       rate-limiting.

   Summary:
       name                          string (must be unique within table)
       unit                          string, either kbps or pktps
       bands                         set of 1 or more Meter_Bands
       fair                          optional boolean
       external_ids                  map of string-string pairs

   Details:
       name: string (must be unique within table)
              A name for this meter.

              Names that begin with "__" (two underscores) are reserved for
              OVN internal use and should not be added manually.

       unit: string, either kbps or pktps
              The unit for rate and burst_rate parameters in the bands entry.
              kbps specifies kilobits per second, and pktps specifies packets
              per second.

       bands: set of 1 or more Meter_Bands
              The bands associated with this meter. Each band specifies a rate
              above which the band is to take the action given in its action
              column. If multiple bands’ rates are exceeded, then the band
              with the highest rate among the exceeded bands is selected.

       fair: optional boolean
              This column is used to further describe the desired behavior of
              the meter when there are multiple references to it. If this
              column is empty or is set to false, the rate will be shared
              across all rows that refer to the same Meter name. Conversely,
              when this column is set to true, each user of the same Meter
              will be rate-limited on its own.

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Meter_Band TABLE

       Each row in this table represents a meter band which specifies the rate
       above which the configured action should be applied. These bands are
       referenced by the bands column in the Meter table.

   Summary:
       action                        string, must be drop
       rate                          integer, in range 1 to 4,294,967,295
       burst_size                    integer, in range 0 to 4,294,967,295
       external_ids                  map of string-string pairs

   Details:
       action: string, must be drop
              The action to execute when this band matches. The only supported
              action is drop.

       rate: integer, in range 1 to 4,294,967,295
              The rate limit for this band, in kilobits per second or bits per
              second, depending on whether the parent Meter entry’s unit
              column specified kbps or pktps.

       burst_size: integer, in range 0 to 4,294,967,295
              The maximum burst allowed for the band in kilobits or packets,
              depending on whether kbps or pktps was selected in the parent
              Meter entry’s unit column. If the size is zero, the switch is
              free to select some reasonable value depending on its
              configuration.

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Logical_Router_Port TABLE

       A port within an L3 logical router.

       Exactly one Logical_Router row must reference a given logical router
       port.

   Summary:
       name                          string (must be unique within table)
       networks                      set of 1 or more strings
       mac                           string
       enabled                       optional boolean
       Distributed Gateway Ports:
         ha_chassis_group            optional HA_Chassis_Group
         gateway_chassis             set of Gateway_Chassises
         Options for Physical VLAN MTU Issues:
            options : reside-on-redirect-chassis
                                     optional string, either true or false
            options : redirect-type  optional string, either bridged or
                                     overlay
       ipv6_prefix                   set of strings
       ipv6_ra_configs:
         ipv6_ra_configs : address_mode
                                     optional string
         ipv6_ra_configs : router_preference
                                     optional string
         ipv6_ra_configs : route_info
                                     optional string
         ipv6_ra_configs : mtu       optional string
         ipv6_ra_configs : send_periodic
                                     optional string
         ipv6_ra_configs : max_interval
                                     optional string
         ipv6_ra_configs : min_interval
                                     optional string
         ipv6_ra_configs : rdnss     optional string
         ipv6_ra_configs : dnssl     optional string
       Options:
         options : mcast_flood       optional string, either true or false
         options : requested-tnl-key
                                     optional string, containing an integer,
                                     in range 1 to 32,767
         options : prefix_delegation
                                     optional string, either true or false
         options : prefix            optional string, either true or false
         options : route_table       optional string
         options : gateway_mtu       optional string, containing an integer,
                                     in range 68 to 65,535
         options : gateway_mtu_bypass
                                     optional string
       Attachment:
         peer                        optional string
       Common Columns:
         external_ids                map of string-string pairs
       Status:
         status : hosting-chassis    optional string

   Details:
       name: string (must be unique within table)
              A name for the logical router port.

              In addition to providing convenience for human interaction with
              the northbound database, this column is used as reference by its
              patch port in Logical_Switch_Port or another logical router port
              in Logical_Router_Port.

              A logical router port may not have the same name as a logical
              switch port, but the database schema cannot enforce this.

       networks: set of 1 or more strings
              The IP addresses and netmasks of the router. For example,
              192.168.0.1/24 indicates that the router’s IP address is
              192.168.0.1 and that packets destined to 192.168.0.x should be
              routed to this port.

              A logical router port always adds a link-local IPv6 address
              (fe80::/64) automatically generated from the interface’s MAC
              address using the modified EUI-64 format.

       mac: string
              The Ethernet address that belongs to this router port.

       enabled: optional boolean
              This column is used to administratively set port state. If this
              column is empty or is set to true, the port is enabled. If this
              column is set to false, the port is disabled. A disabled port
              has all ingress and egress traffic dropped.

     Distributed Gateway Ports:

       Gateways, as documented under Gateways in the OVN architecture guide,
       provide limited connectivity between logical networks and physical
       ones. OVN supports multiple kinds of gateways. The Logical_Router_Port
       table can be used in two different ways to configure distributed
       gateway ports, which are one kind of gateway. These two forms of
       configuration exist for historical reasons. Both of them produce the
       same kind of OVN southbound records and the same behavior in practice.

       If either of these is set, this logical router port represents a
       distributed gateway port that connects this router to a logical switch
       with a localnet port or a connection to another OVN deployment.

       Also mentioned in the OVN architecture guide, distributed gateway ports
       can also be used for scalability reasons in deployments where logical
       switches are dedicated to chassises rather than distributed.

       The preferred way to configure a gateway is ha_chassis_group, but
       gateway_chassis is also supported for backward compatibility. Only one
       of these should be set at a time on a given LRP, since they configure
       the same features.

       Even when a gateway is configured, the logical router port still
       effectively resides on each chassis. However, due to the implications
       of the use of L2 learning in the physical network, as well as the need
       to support advanced features such as one-to-many NAT (aka IP
       masquerading), a subset of the logical router processing is handled in
       a centralized manner on the gateway chassis.

       There can be more than one distributed gateway port configured on each
       logical router, each connecting to different L2 segments.
       Load-balancing is not yet supported on logical routers with more than
       one distributed gateway port.

       Each distributed gateway port may have more than one gateway chassis.
       When more than one gateway chassis is specified, OVN only uses one at a
       time. OVN can rely on OVS BFD implementation to monitor gateway
       connectivity, preferring the highest-priority gateway that is online.
       Priorities are specified in the priority column of Gateway_Chassis or
       HA_Chassis.

       ovn-northd programs the external_mac rules specified in the LRP’s LR
       into the peer logical switch’s destination lookup on the chassis where
       the logical_port resides. In addition, the logical router’s MAC address
       is automatically programmed in the peer logical switch’s destination
       lookup flow on the gateway chassis. If it is desired to generate
       gratuitous ARPs for NAT addresses, then set the peer LSP’s
       options:nat-addresses to router.

       OVN 20.03 and earlier supported a third way to configure distributed
       gateway ports using options:redirect-chassis to specify the gateway
       chassis. This method is no longer supported. Any remaining users should
       switch to one of the newer methods instead. A gateway_chassis may be
       easily configured from the command line, e.g. ovn-nbctl
       lrp-set-gateway-chassis lrp chassis.

       ha_chassis_group: optional HA_Chassis_Group
              Designates an HA_Chassis_Group to provide gateway high
              availability.

       gateway_chassis: set of Gateway_Chassises
              Designates one or more Gateway_Chassis for the logical router
              port.

     Options for Physical VLAN MTU Issues:

       MTU issues arise in mixing tunnels with logical networks that are
       bridged to a physical VLAN. For an explanation of the MTU issues, see
       Physical VLAN MTU Issues in the OVN architecture document. The
       following options, which are alternatives, provide solutions. Both of
       them cause packets to be sent over localnet instead of tunnels, but
       they differ in whether some or all packets are sent this way. The most
       prominent tradeoff between these options is that
       reside-on-redirect-chassis is easier to configure and that
       redirect-type performs better for east-west traffic.

       options : reside-on-redirect-chassis: optional string, either true or
       false
              If set to true, this option forces all traffic across the
              logical router port to pass through the gateway chassis using a
              hop across a localnet port. This changes behavior in two ways:

              •      Without this option, east-west traffic passes directly
                     between source and destination chassis (or even within a
                     single chassis, for co-located VMs). With this option,
                     all east-west traffic passes through the gateway chassis.

              •      Without this option, traffic between the gateway chassis
                     and other chassis is encapsulated in tunnels. With this
                     option, traffic passes over a localnet interface.

              This option may usefully be set only on logical router ports
              that connect a distributed logical router to a logical switch
              with VIFs. It should not be set on a distributed gateway port.

              OVN honors this option only if the logical router has one and
              only one distributed gateway port and if the LRP’s peer switch
              has a localnet port.

       options : redirect-type: optional string, either bridged or overlay
              If set to bridged on a distributed gateway port, this option
              causes OVN to redirect packets to the gateway chassis over a
              localnet port instead of a tunnel. The relevant chassis must
              share a localnet port.

              This feature requires the administrator or the CMS to configure
              each participating chassis with a unique Ethernet address for
              the logical router by setting ovn-chassis-mac-mappings in the
              Open vSwitch database, for use by ovn-controller.

              Setting this option to overlay or leaving it unset has no
              effect. This option may usefully be set only on a distributed
              gateway port when there is one and only one distributed gateway
              port on the logical router. It is otherwise ignored.

       ipv6_prefix: set of strings
              This column contains the IPv6 prefix obtained by the prefix
              delegation router according to RFC 3633.

     ipv6_ra_configs:

       This column defines the IPv6 ND RA address mode and ND MTU Option to be
       included by ovn-controller when it replies to the IPv6 Router
       solicitation requests.

       ipv6_ra_configs : address_mode: optional string
              The address mode to be used for IPv6 address configuration. The
              supported values are:

              •      slaac: Address configuration using Router Advertisement
                     (RA) packet. The IPv6 prefixes defined in the
                     Logical_Router_Port table’s networks column will be
                     included in the RA’s ICMPv6 option - Prefix information.

              •      dhcpv6_stateful: Address configuration using DHCPv6.

              •      dhcpv6_stateless: Address configuration using Router
                     Advertisement (RA) packet. Other IPv6 options are
                     provided by DHCPv6.

       ipv6_ra_configs : router_preference: optional string
              Default Router Preference (PRF) indicates whether to prefer this
              router over other default routers (RFC 4191). Possible values
              are:

              •      HIGH: mapped to 0x01 in RA PRF field

              •      MEDIUM: mapped to 0x00 in RA PRF field

              •      LOW: mapped to 0x11 in RA PRF field

       ipv6_ra_configs : route_info: optional string
              Route Info is used to configure Route Info Option sent in Router
              Advertisement according to RFC 4191. Route Info is a
              comma-separated string where each field provides PRF and prefix
              for a given route (e.g. HIGH-aef1::11/48,LOW-aef2::11/96).
              Possible PRF values are:

              •      HIGH: mapped to 0x01 in RA PRF field

              •      MEDIUM: mapped to 0x00 in RA PRF field

              •      LOW: mapped to 0x11 in RA PRF field

       ipv6_ra_configs : mtu: optional string
              The recommended MTU for the link. Default is 0, which means no
              MTU Option will be included in RA packet replied by
              ovn-controller. Per RFC 2460, the mtu value is recommended no
              less than 1280, so any mtu value less than 1280 will be
              considered as no MTU Option.

       ipv6_ra_configs : send_periodic: optional string
              If set to true, then this router interface will send router
              advertisements periodically. The default is false.

       ipv6_ra_configs : max_interval: optional string
              The maximum number of seconds to wait between sending periodic
              router advertisements. This option has no effect if
              ipv6_ra_configs:send_periodic is false. The default is 600.

       ipv6_ra_configs : min_interval: optional string
              The minimum number of seconds to wait between sending periodic
              router advertisements. This option has no effect if
              ipv6_ra_configs:send_periodic is false. The default is one-third
              of ipv6_ra_configs:max_interval, i.e. 200 seconds if that key is
              unset.

       ipv6_ra_configs : rdnss: optional string
              IPv6 address of RDNSS server announced in RA packets. At the
              moment OVN supports just one RDNSS server.

       ipv6_ra_configs : dnssl: optional string
              DNS Search List announced in RA packets. Multiple DNS Search
              List entries must be comma separated (e.g. "a.b.c, d.e.f").

     Options:

       Additional options for the logical router port.

       options : mcast_flood: optional string, either true or false
              If set to true, multicast traffic (including reports) is
              unconditionally forwarded to the specific port.

              This option applies when the port is part of a logical router
              which has options:mcast_relay set to true.

              Default: false.

       options : requested-tnl-key: optional string, containing an integer, in
       range 1 to 32,767
              Configures the port binding tunnel key for the port. Usually
              this is not needed because ovn-northd will assign a unique key
              for each port by itself. However, if it is configured,
              ovn-northd honors the configured value.

       options : prefix_delegation: optional string, either true or false
              If set to true, enable IPv6 prefix delegation state machine on
              this logical router port (RFC 3633). IPv6 prefix delegation is
              available just on a gateway router or on a gateway router port.

       options : prefix: optional string, either true or false
              If set to true, this interface will receive an IPv6 prefix
              according to RFC 3633.

       options : route_table: optional string
              Designates lookup of Logical_Router_Static_Routes with the
              specified route_table value. Routes to directly connected
              networks from the same Logical Router and routes without the
              route_table option set have higher priority than routes with the
              route_table option set.

       options : gateway_mtu: optional string, containing an integer, in range
       68 to 65,535
              If set, logical flows will be added to router pipeline to check
              packet length. If packet length is greater than the value set,
              ICMPv4 type 3 (Destination Unreachable) code 4 (Fragmentation
              Needed and Don’t Fragment was Set) or ICMPv6 type 2 (Packet Too
              Big) code 0 (no route to destination) packets will be generated.
              This allows for Path MTU Discovery.

       options : gateway_mtu_bypass: optional string
              When configured, represents a match expression, in the same
              expression language used for the match column in the OVN
              Southbound database’s Logical_Flow table. Packets matching this
              expression will bypass the length check configured through the
              options:gateway_mtu option.

     Attachment:

       A given router port serves one of two purposes:

              •      To attach a logical switch to a logical router. A logical
                     router port of this type is referenced by exactly one
                     Logical_Switch_Port of type router. The value of name is
                     set as router-port in column options of
                     Logical_Switch_Port. In this case peer column is empty.

              •      To connect one logical router to another. This requires a
                     pair of logical router ports, each connected to a
                     different router. Each router port in the pair specifies
                     the other in its peer column. No Logical_Switch refers to
                     the router port.

       peer: optional string
              For a router port used to connect two logical routers, this
              identifies the other router port in the pair by name.

              For a router port attached to a logical switch, this column is
              empty.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

              The ovn-northd program copies all these pairs into the
              external_ids column of the Port_Binding table in OVN_Southbound
              database.

     Status:

       Additional status about the logical router port.

       status : hosting-chassis: optional string
              This option is populated by ovn-northd.

              When a distributed gateway port is bound to a location in the
              OVN Southbound database Port_Binding, ovn-northd will populate
              this key with the name of the Chassis that is currently hosting
              this port.

Logical_Router_Static_Route TABLE

2941       Each record represents a static route.
2942
2943       When multiple routes match a packet, the longest-prefix match  is  cho‐
2944       sen.  For  a  given  prefix  length, a dst-ip route is preferred over a
2945       src-ip route.
2946
2947       When there are ECMP routes, i.e. multiple routes with same  prefix  and
2948       policy,  one  of  them will be selected based on the 5-tuple hashing of
2949       the packet header.
2950
2951   Summary:
2952       ip_prefix                     string
2953       policy                        optional string, either dst-ip or src-ip
2954       nexthop                       string
2955       output_port                   optional string
2956       bfd                           optional weak reference to BFD
2957       route_table                   string
2958       external_ids : ic-learned-route
2959                                     optional string
2960       Common Columns:
2961         external_ids                map of string-string pairs
2962       Common options:
2963         options                     map of string-string pairs
2964         options : ecmp_symmetric_reply
2965                                     optional string
2966         options : origin            optional string
2967
2968   Details:
2969       ip_prefix: string
2970              IP prefix of this route (e.g. 192.168.100.0/24).
2971
2972       policy: optional string, either dst-ip or src-ip
2973              If it is specified, this setting describes the  policy  used  to
2974              make  routing decisions. This setting must be one of the follow‐
2975              ing strings:
2976
2977src-ip: This policy sends the packet to the nexthop  when
2978                     the packet’s source IP address matches ip_prefix.
2979
2980dst-ip:  This policy sends the packet to the nexthop when
2981                     the packet’s destination IP address matches ip_prefix.
2982
2983              If not specified, the default is dst-ip.
2984
2985       nexthop: string
2986              Nexthop IP address for this route. Nexthop IP address should  be
2987              the IP address of a connected router port or the IP address of a
2988              logical port or can be set to discard for dropping packets which
2989              match the given route.
2990
2991       output_port: optional string
2992              The  name  of the Logical_Router_Port via which the packet needs
2993              to be sent out. This is optional and  when  not  specified,  OVN
2994              will  automatically  figure  this out based on the nexthop. When
2995              this is specified and there are multiple  IP  addresses  on  the
2996              router  port and none of them are in the same subnet of nexthop,
2997              OVN chooses the first IP address as the one via which  the  nex‐
2998              thop is reachable.
2999
3000       bfd: optional weak reference to BFD
3001              Reference to BFD row if the route has associated a BFD session
3002
3003       route_table: string
3004              Any  string to place route to separate routing table. If Logical
3005              Router Port has configured value  in  options:route_table  other
3006              than empty string, OVN performs route lookup for all packets en‐
3007              tering Logical Router ingress pipeline from  this  port  in  the
3008              following manner:
3009
3010              •      1.  First  lookup  among  "global" routes: routes without
3011                     route_table value set and routes  to  directly  connected
3012                     networks.
3013
3014              •      2.  Next  lookup among routes with same route_table value
3015                     as specified in LRP’s options:route_table field.
3016
3017       external_ids : ic-learned-route: optional string
3018              ovn-ic populates this key if  the  route  is  learned  from  the
3019              global  OVN_IC_Southbound  database. In this case the value will
3020              be  set  to  the  uuid  of  the  row  in  Route  table  of   the
3021              OVN_IC_Southbound database.
3022
3023     Common Columns:
3024
3025       external_ids: map of string-string pairs
3026              See External IDs at the beginning of this document.
3027
3028     Common options:
3029
3030       options: map of string-string pairs
3031              This  column  provides general key/value settings. The supported
3032              options are described individually below.
3033
3034       options : ecmp_symmetric_reply: optional string
3035              If true, then new traffic that arrives over this route will have
3036              its  reply  traffic bypass ECMP route selection and will be sent
3037              out this route instead. Note  that  this  option  overrides  any
3038              rules  set  in the Logical_Router_policy table. This option only
3039              works on gateway  routers  (routers  that  have  options:chassis
3040              set).
3041
3042       options : origin: optional string
              If ovn-interconnection has learned this route, it will have its
              origin set: either "connected" or "static". This key is
              supposed to be written only by the ovn-ic daemon. ovn-northd
              then checks this value when generating Logical Flows.
              Logical_Router_Static_Route records with the same ip_prefix
              within the same Logical Router are looked up in the following
              order, based on the origin key value:
3050
3051              1.  connected
3052
3053              2.  static
3054

Logical_Router_Policy TABLE

3056       Each  row  in  this  table  represents one routing policy for a logical
3057       router that points to it through its policies column. The action column
3058       for  the  highest-priority  matching  row  in  this  table determines a
3059       packet’s treatment. If no row matches, packets are allowed by  default.
3060       (Default-deny  treatment  is possible: add a rule with priority 0, 1 as
3061       match, and drop as action.)
3062
3063   Summary:
3064       priority                      integer, in range 0 to 32,767
3065       match                         string
3066       action                        string, one of allow, drop, or reroute
3067       nexthop                       optional string
3068       nexthops                      set of strings
3069       options : pkt_mark            optional string
3070       Common Columns:
3071         external_ids                map of string-string pairs
3072
3073   Details:
3074       priority: integer, in range 0 to 32,767
3075              The routing policy’s priority.  Rules  with  numerically  higher
3076              priority  take  precedence  over  those  with  lower.  A rule is
3077              uniquely identified by the priority and match string.
3078
3079       match: string
3080              The packets that the routing policy should match,  in  the  same
3081              expression  language used for the match column in the OVN South‐
3082              bound database’s Logical_Flow table.
3083
3084              By default all traffic is allowed. When writing a more  restric‐
3085              tive  policy, it is important to remember to allow flows such as
3086              ARP and IPv6 neighbor discovery packets.
3087
3088       action: string, one of allow, drop, or reroute
3089              The action to take when the routing policy matches:
3090
              •      allow: Forward the packet.

              •      drop: Silently drop the packet.

              •      reroute: Reroute packet to nexthop or nexthops.
3096
3097       nexthop: optional string
3098              Note: This column is deprecated in favor of nexthops.
3099
3100              Next-hop IP address for this route, which should be the  IP  ad‐
3101              dress  of a connected router port or the IP address of a logical
3102              port.
3103
3104       nexthops: set of strings
3105              Next-hop ECMP IP addresses for this route. Each IP in  the  list
3106              should  be  the  IP address of a connected router port or the IP
3107              address of a logical port.
3108
3109              One IP from the list is selected as next hop.
3110
3111       options : pkt_mark: optional string
3112              Marks the packet with the value specified when the router policy
3113              is applied. CMS can inspect this packet marker and take some de‐
3114              cisions if desired. This value is not preserved when the  packet
3115              goes out on the wire.
3116
3117     Common Columns:
3118
3119       external_ids: map of string-string pairs
3120              See External IDs at the beginning of this document.
3121

NAT TABLE

3123       Each record represents a NAT rule.
3124
3125   Summary:
3126       type                          string,  one  of  dnat, dnat_and_snat, or
3127                                     snat
3128       external_ip                   string
3129       external_mac                  optional string
3130       external_port_range           string
3131       logical_ip                    string
3132       logical_port                  optional string
3133       allowed_ext_ips               optional Address_Set
3134       exempted_ext_ips              optional Address_Set
3135       gateway_port                  optional   weak   reference   to    Logi‐
3136                                     cal_Router_Port
3137       options : stateless           optional string
3138       options : add_route           optional string
3139       Common Columns:
3140         external_ids                map of string-string pairs
3141
3142   Details:
3143       type: string, one of dnat, dnat_and_snat, or snat
3144              Type of the NAT rule.
3145
3146              •      When  type is dnat, the externally visible IP address ex‐
3147                     ternal_ip is DNATted to the IP address logical_ip in  the
3148                     logical space.
3149
              •      When type is snat, IP packets whose source IP address
                     either matches the IP address in logical_ip or is in the
                     network provided by logical_ip are SNATed into the IP
                     address in external_ip.

              •      When type is dnat_and_snat, the externally visible IP
                     address external_ip is DNATted to the IP address
                     logical_ip in the logical space. In addition, IP packets
                     whose source IP address matches logical_ip are SNATed
                     into the IP address in external_ip.
3160
3161       external_ip: string
3162              An IPv4 address.
3163
3164       external_mac: optional string
3165              A MAC address.
3166
3167              This is only used on the gateway port  on  distributed  routers.
3168              This must be specified in order for the NAT rule to be processed
3169              in a distributed manner on all chassis. If this is not specified
3170              for  a NAT rule on a distributed router, then this NAT rule will
3171              be processed in a centralized manner on  the  gateway  port  in‐
3172              stance on the gateway chassis.
3173
3174              This  MAC  address must be unique on the logical switch that the
3175              gateway port is attached to. If the MAC address used on the log‐
3176              ical_port is globally unique, then that MAC address can be spec‐
3177              ified as this external_mac.
3178
3179       external_port_range: string
3180              L4 source port range
3181
              Range of ports from which a port number is picked to replace
              the source port of the packet being NATed. This is basically
              PAT (port address translation).
3185
3186              Value of the column is in the format, port_lo-port_hi. For exam‐
3187              ple: external_port_range : "1-30000"
3188
3189              Valid range of ports is 1-65535.
3190
3191       logical_ip: string
              An IPv4 network (e.g. 192.168.1.0/24) or an IPv4 address.
3193
3194       logical_port: optional string
3195              The name of the logical port where the logical_ip resides.
3196
3197              This is only used on distributed routers. This must be specified
3198              in order for the NAT rule to be processed in a distributed  man‐
3199              ner on all chassis. If this is not specified for a NAT rule on a
3200              distributed router, then this NAT rule will be  processed  in  a
3201              centralized  manner  on the gateway port instance on the gateway
3202              chassis.
3203
3204       allowed_ext_ips: optional Address_Set
              The Address Set of external IPs that the NAT rule is applicable
              to. For SNAT type NAT rules, this refers to destination
              addresses. For DNAT type NAT rules, this refers to source
              addresses.

              This configuration overrides the default NAT behavior of
              applying a rule solely based on internal IP. Without this
              configuration, NAT happens without considering the external IP
              (i.e. dest/source for snat/dnat type rule). With this
              configuration, the NAT rule is applied ONLY if the external IP
              is in the input Address Set.
3216
3217       exempted_ext_ips: optional Address_Set
              The Address Set of external IPs that the NAT rule is NOT
              applicable to. For SNAT type NAT rules, this refers to
              destination addresses. For DNAT type NAT rules, this refers to
              source addresses.

              This configuration overrides the default NAT behavior of
              applying a rule solely based on internal IP. Without this
              configuration, NAT happens without considering the external IP
              (i.e. dest/source for snat/dnat type rule). With this
              configuration, the NAT rule is NOT applied if the external IP
              is in the input Address Set.

              If there are NAT rules in a logical router with overlapping IP
              prefixes (including /32), then usage of exempted_ext_ips should
              be avoided in the following scenario:

              a.  SNAT rule (let us say RULE1) with logical_ip PREFIX/MASK
                  (let us say 50.0.0.0/24).

              b.  SNAT rule (let us say RULE2) with logical_ip PREFIX/MASK+1
                  (let us say 50.0.0.0/25).

              c.  Now, if exempted_ext_ips is associated with RULE2, then a
                  logical ip which matches both 50.0.0.0/24 and 50.0.0.0/25
                  may get the RULE2 applied to it instead of RULE1.
3238
3239              allowed_ext_ips  and  exempted_ext_ips are mutually exclusive to
3240              each other. If both Address Sets are set for a  rule,  then  the
3241              NAT rule is not considered.
3242
3243       gateway_port: optional weak reference to Logical_Router_Port
3244              A  distributed  gateway  port  in  the Logical_Router_Port table
3245              where the NAT rule needs to be applied.
3246
3247              When multiple distributed gateway ports are configured on a Log‐
3248              ical_Router,  applying  a  NAT  rule  at each of the distributed
3249              gateway ports might not be desired. Consider the  case  where  a
              logical router has 2 distributed gateway ports, one with networks
3251              50.0.0.10/24 and the other with networks  60.0.0.10/24.  If  the
3252              logical   router  has  a  NAT  rule  of  type  snat,  logical_ip
3253              10.1.1.0/24 and external_ip 50.1.1.20/24, the rule needs  to  be
3254              selectively applied on matching packets entering/leaving through
3255              the distributed gateway port with networks 50.0.0.10/24.
3256
3257              When a logical router has multiple distributed gateway ports and
3258              this column is not set for a NAT rule, then the rule will be ap‐
3259              plied at the distributed gateway port which is in the same  net‐
3260              work  as  the external_ip of the NAT rule, if such a router port
              exists. If the logical router has a single distributed gateway port
3262              and  this column is not set for a NAT rule, the rule will be ap‐
3263              plied at the distributed gateway port even if the router port is
3264              not in the same network as the external_ip of the NAT rule.
3265
3266       options : stateless: optional string
3267              Indicates  if  a  dnat_and_snat  rule  should lead to connection
3268              tracking state or not.
3269
3270       options : add_route: optional string
              If set to true, then neighbor routers will have logical flows
              added that allow routing to the NAT address, along with ARP
              resolution logical flows. With this option set, there is no
              reason to create a Logical_Router_Static_Route from neighbor
              routers to this NAT address, and no ARP request is required for
              neighbor routers to learn the IP-MAC mapping for this NAT
              address. This option only applies to NATs of type dnat and
              dnat_and_snat. For more information about what flows are added
              for IP routes, please see the ovn-northd manpage section on IP
              Routing.
3281
3282     Common Columns:
3283
3284       external_ids: map of string-string pairs
3285              See External IDs at the beginning of this document.
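
       The NAT column constraints above can be checked before a row is
       written. The following is an added example, not part of OVN or of this
       manual: rows are plain dicts keyed by column name, the Address Set
       names and addresses are constructed sample values, and the function
       names are hypothetical.

```python
import ipaddress
import re

NAT_TYPES = {"dnat", "dnat_and_snat", "snat"}
PORT_RANGE = re.compile(r"([0-9]+)-([0-9]+)")  # documented format: port_lo-port_hi


def logical_net(row):
    """Parse logical_ip (IPv4 address or network); None if malformed."""
    try:
        return ipaddress.IPv4Network(row.get("logical_ip", ""), strict=False)
    except ValueError:
        return None


def lint_nat_row(row):
    """Findings for one NAT row, given as a dict keyed by column name."""
    findings = []
    nat_type = row.get("type")
    options = row.get("options", {})
    if nat_type not in NAT_TYPES:
        findings.append("type must be dnat, dnat_and_snat, or snat")
    if logical_net(row) is None:
        findings.append("logical_ip is not an IPv4 address or network")
    # If both Address Sets are set, the NAT rule is not considered at all.
    if row.get("allowed_ext_ips") and row.get("exempted_ext_ips"):
        findings.append("allowed_ext_ips and exempted_ext_ips are both set; "
                        "the rule is not considered")
    port_range = row.get("external_port_range", "")
    if port_range:
        m = PORT_RANGE.fullmatch(port_range)
        if m is None:
            findings.append("external_port_range is not port_lo-port_hi")
        else:
            lo, hi = int(m.group(1)), int(m.group(2))
            if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
                findings.append("external_port_range is outside 1-65535")
            elif lo > hi:  # assumption: port_lo must not exceed port_hi
                findings.append("external_port_range has port_lo > port_hi")
    # On a distributed router both columns are needed for distributed NAT.
    if bool(row.get("external_mac")) != bool(row.get("logical_port")):
        findings.append("only one of external_mac/logical_port is set; the "
                        "rule is processed centrally on the gateway chassis")
    if options.get("add_route") == "true" and nat_type == "snat":
        findings.append("options:add_route applies only to dnat and "
                        "dnat_and_snat")
    return findings


def lint_router_nat(rows):
    """Per-row findings plus the overlapping-prefix exempted_ext_ips case.

    Returns a list of (row_index, message) tuples.
    """
    findings = [(i, msg) for i, row in enumerate(rows)
                for msg in lint_nat_row(row)]
    snat = [(i, logical_net(r)) for i, r in enumerate(rows)
            if r.get("type") == "snat" and logical_net(r) is not None]
    for i, net in snat:
        if not rows[i].get("exempted_ext_ips"):
            continue
        for j, other in snat:
            # RULE2 (more specific, with exempted_ext_ips) inside RULE1.
            if j != i and net.prefixlen > other.prefixlen and net.subnet_of(other):
                findings.append((i, "exempted_ext_ips on %s overlaps broader "
                                    "SNAT rule %d (%s)" % (net, j, other)))
    return findings


# Constructed sample rows for one logical router.
SAMPLE_ROWS = [
    {"type": "snat", "logical_ip": "50.0.0.0/24", "external_ip": "172.16.0.10"},
    {"type": "snat", "logical_ip": "50.0.0.0/25", "external_ip": "172.16.0.11",
     "exempted_ext_ips": "as_partner"},
    {"type": "dnat_and_snat", "logical_ip": "10.1.1.5",
     "external_ip": "172.16.0.20", "allowed_ext_ips": "as_a",
     "exempted_ext_ips": "as_b", "external_port_range": "0-70000"},
    {"type": "snat", "logical_ip": "10.2.0.0/16", "external_ip": "172.16.0.30",
     "external_mac": "00:00:00:00:00:01", "options": {"add_route": "true"}},
]

if __name__ == "__main__":
    for index, message in lint_router_nat(SAMPLE_ROWS):
        print("row %d: %s" % (index, message))
```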
3286

DHCP_Options TABLE

3288       OVN  implements  native  DHCPv4  support which caters to the common use
3289       case of providing an IPv4 address to a booting  instance  by  providing
3290       stateless replies to DHCPv4 requests based on statically configured ad‐
3291       dress mappings. To do this it allows a short list of DHCPv4 options  to
3292       be configured and applied at each compute host running ovn-controller.
3293
3294       OVN  also  implements  native  DHCPv6  support which provides stateless
3295       replies to DHCPv6 requests.
3296
3297   Summary:
3298       cidr                          string
3299       DHCPv4 options:
3300         Mandatory DHCPv4 options:
3301            options : server_id      optional string
3302            options : server_mac     optional string
3303            options : lease_time     optional string, containing  an  integer,
3304                                     in range 0 to 4,294,967,295
3305         IPv4 DHCP Options:
3306            options : router         optional string
3307            options : netmask        optional string
3308            options : dns_server     optional string
3309            options : log_server     optional string
3310            options : lpr_server     optional string
3311            options : swap_server    optional string
3312            options : policy_filter  optional string
3313            options : router_solicitation
3314                                     optional string
3315            options : nis_server     optional string
3316            options : ntp_server     optional string
3317            options : netbios_name_server
3318                                     optional string
3319            options : classless_static_route
3320                                     optional string
3321            options : ms_classless_static_route
3322                                     optional string
3323            options : next_server    optional string
3324         Boolean DHCP Options:
3325            options : ip_forward_enable
3326                                     optional string, either 0 or 1
3327            options : router_discovery
3328                                     optional string, either 0 or 1
3329            options : ethernet_encap optional string, either 0 or 1
3330         Integer DHCP Options:
3331            options : default_ttl    optional  string,  containing an integer,
3332                                     in range 0 to 255
3333            options : tcp_ttl        optional string, containing  an  integer,
3334                                     in range 0 to 255
3335            options : mtu            optional  string,  containing an integer,
3336                                     in range 68 to 65,535
3337            options : T1             optional string, containing  an  integer,
3338                                     in range 68 to 4,294,967,295
3339            options : T2             optional  string,  containing an integer,
3340                                     in range 68 to 4,294,967,295
3341            options : arp_cache_timeout
3342                                     optional string, containing  an  integer,
3343                                     in range 0 to 255
3344            options : tcp_keepalive_interval
3345                                     optional  string,  containing an integer,
3346                                     in range 0 to 255
3347            options : netbios_node_type
3348                                     optional string, containing  an  integer,
3349                                     in range 0 to 255
3350         String DHCP Options:
3351            options : wpad           optional string
3352            options : bootfile_name  optional string
3353            options : path_prefix    optional string
3354            options : tftp_server_address
3355                                     optional string
3356            options : hostname       optional string
3357            options : domain_name    optional string
3358            options : bootfile_name_alt
3359                                     optional string
3360            options : broadcast_address
3361                                     optional string
3362         DHCP Options of type host_id:
3363            options : tftp_server    optional string
3364          DHCP Options of type domains:
3365            options : domain_search_list
3366                                     optional string
3367       DHCPv6 options:
3368         Mandatory DHCPv6 options:
3369            options : server_id      optional string
3370         IPv6 DHCPv6 options:
3371            options : dns_server     optional string
3372         String DHCPv6 options:
3373            options : domain_search  optional string
3374            options : dhcpv6_stateless
3375                                     optional string
3376            options : fqdn           optional string
3377       Common Columns:
3378         external_ids                map of string-string pairs
3379
3380   Details:
3381       cidr: string
3382              The  DHCPv4/DHCPv6  options will be included if the logical port
3383              has its IP address in this cidr.
3384
3385     DHCPv4 options:
3386
3387       The CMS should define the set of DHCPv4 options as key/value  pairs  in
3388       the  options  column of this table. For ovn-controller to include these
3389       DHCPv4 options, the dhcpv4_options of Logical_Switch_Port should  refer
3390       to an entry in this table.
3391
3392     Mandatory DHCPv4 options:
3393
3394       The following options must be defined.
3395
3396       options : server_id: optional string
3397              The IP address for the DHCP server to use. This should be in the
3398              subnet of the offered IP. This is also included in the DHCP  of‐
3399              fer as option 54, ``server identifier.’’
3400
3401       options : server_mac: optional string
3402              The Ethernet address for the DHCP server to use.
3403
3404       options  : lease_time: optional string, containing an integer, in range
3405       0 to 4,294,967,295
              The offered lease time in seconds.
3407
3408              The DHCPv4 option code for this option is 51.
3409
3410     IPv4 DHCP Options:
3411
3412       Below are the supported DHCPv4 options whose values  are  an  IPv4  ad‐
3413       dress,  e.g.  192.168.1.1.  Some options accept multiple IPv4 addresses
3414       enclosed within curly braces, e.g. {192.168.1.2,  192.168.1.3}.  Please
3415       refer to RFC 2132 for more details on DHCPv4 options and their codes.
3416
3417       options : router: optional string
3418              The  IP  address of a gateway for the client to use. This should
3419              be in the subnet of the offered IP. The DHCPv4 option  code  for
3420              this option is 3.
3421
3422       options : netmask: optional string
3423              The DHCPv4 option code for this option is 1.
3424
3425       options : dns_server: optional string
3426              The DHCPv4 option code for this option is 6.
3427
3428       options : log_server: optional string
3429              The DHCPv4 option code for this option is 7.
3430
3431       options : lpr_server: optional string
3432              The DHCPv4 option code for this option is 9.
3433
3434       options : swap_server: optional string
3435              The DHCPv4 option code for this option is 16.
3436
3437       options : policy_filter: optional string
3438              The DHCPv4 option code for this option is 21.
3439
3440       options : router_solicitation: optional string
3441              The DHCPv4 option code for this option is 32.
3442
3443       options : nis_server: optional string
3444              The DHCPv4 option code for this option is 41.
3445
3446       options : ntp_server: optional string
3447              The DHCPv4 option code for this option is 42.
3448
3449       options : netbios_name_server: optional string
3450              The DHCPv4 option code for this option is 44.
3451
3452       options : classless_static_route: optional string
3453              The DHCPv4 option code for this option is 121.
3454
3455              This option can contain one or more static routes, each of which
3456              consists of a destination descriptor and the IP address  of  the
3457              router that should be used to reach that destination. Please see
3458              RFC 3442 for more details.
3459
3460              Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
3461
3462       options : ms_classless_static_route: optional string
3463              The DHCPv4 option code for this option is 249.  This  option  is
3464              similar to classless_static_route supported by Microsoft Windows
3465              DHCPv4 clients.
3466
3467       options : next_server: optional string
3468              The DHCPv4 option code for setting the "Next server IP  address"
3469              field in the DHCP header.
3470
3471     Boolean DHCP Options:
3472
3473       These options accept a Boolean value, expressed as 0 for false or 1 for
3474       true.
3475
3476       options : ip_forward_enable: optional string, either 0 or 1
3477              The DHCPv4 option code for this option is 19.
3478
3479       options : router_discovery: optional string, either 0 or 1
3480              The DHCPv4 option code for this option is 31.
3481
3482       options : ethernet_encap: optional string, either 0 or 1
3483              The DHCPv4 option code for this option is 36.
3484
3485     Integer DHCP Options:
3486
3487       These options accept a nonnegative integer value.
3488
3489       options : default_ttl: optional string, containing an integer, in range
3490       0 to 255
3491              The DHCPv4 option code for this option is 23.
3492
3493       options  :  tcp_ttl: optional string, containing an integer, in range 0
3494       to 255
3495              The DHCPv4 option code for this option is 37.
3496
3497       options : mtu: optional string, containing an integer, in range  68  to
3498       65,535
3499              The DHCPv4 option code for this option is 26.
3500
3501       options  :  T1:  optional string, containing an integer, in range 68 to
3502       4,294,967,295
3503              This specifies the time interval from address  assignment  until
3504              the client begins trying to renew its address. The DHCPv4 option
3505              code for this option is 58.
3506
3507       options : T2: optional string, containing an integer, in  range  68  to
3508       4,294,967,295
3509              This  specifies  the time interval from address assignment until
3510              the client begins trying to rebind its address. The  DHCPv4  op‐
3511              tion code for this option is 59.
3512
3513       options : arp_cache_timeout: optional string, containing an integer, in
3514       range 0 to 255
3515              The DHCPv4 option code for this option is 35. This option speci‐
3516              fies the timeout in seconds for ARP cache entries.
3517
3518       options  : tcp_keepalive_interval: optional string, containing an inte‐
3519       ger, in range 0 to 255
3520              The DHCPv4 option code for this option is 38. This option speci‐
3521              fies the interval that the client TCP should wait before sending
3522              a keepalive message on a TCP connection.
3523
3524       options : netbios_node_type: optional string, containing an integer, in
3525       range 0 to 255
3526              The DHCPv4 option code for this option is 46.
3527
3528     String DHCP Options:
3529
3530       These options accept a string value.
3531
3532       options : wpad: optional string
3533              The  DHCPv4  option  code for this option is 252. This option is
3534              used as part of web proxy auto discovery to provide a URL for  a
3535              web proxy.
3536
3537       options : bootfile_name: optional string
3538              The  DHCPv4  option  code  for this option is 67. This option is
3539              used to identify a bootfile.
3540
3541       options : path_prefix: optional string
3542              The DHCPv4 option code for this option is 210. In PXELINUX’ case
3543              this  option is used to set a common path prefix, instead of de‐
3544              riving it from the bootfile name.
3545
3546       options : tftp_server_address: optional string
              The DHCPv4 option code for this option is 150. The option
              contains one or more IPv4 addresses that the client MAY use.
              This option is Cisco proprietary; the IEEE standard that
              matches this requirement is option 66 (tftp_server).
3551
3552       options : hostname: optional string
              The DHCPv4 option code for this option is 12. If set, indicates
              the DHCPv4 option "Hostname". Alternatively, this option can be
              configured in the options:hostname column in table
              Logical_Switch_Port. If the Hostname option value is set in
              both the Logical_Switch_Port and DHCP_Options tables and the
              values conflict, Logical_Switch_Port takes precedence.
3559
3560       options : domain_name: optional string
              The DHCPv4 option code for this option is 15. This option
              specifies the domain name that the client should use when
              resolving hostnames via the Domain Name System.
3564
3565       options : bootfile_name_alt: optional string
3566              "bootfile_name_alt" option is used to support  iPXE.  When  both
3567              "bootfile_name" and "bootfile_name_alt" are provided by the CMS,
3568              "bootfile_name" will be used for option 67 if the  dhcp  request
3569              contains  etherboot  option (175), otherwise "bootfile_name_alt"
3570              will be used.
3571
3572       options : broadcast_address: optional string
3573              The DHCPv4 option code for this option is 28. This option speci‐
3574              fies the IP address used as a broadcast address.
3575
3576     DHCP Options of type host_id:
3577
3578       These options accept either an IPv4 address or a string value.
3579
3580       options : tftp_server: optional string
3581              The DHCPv4 option code for this option is 66.
3582
3583      DHCP Options of type domains:
3584
       These options accept a string value that is a comma-separated list of
       domain names. The domain names are encoded based on RFC 1035.
3587
3588       options : domain_search_list: optional string
3589              The DHCPv4 option code for this option is 119.
3590
3591     DHCPv6 options:
3592
       OVN also implements native DHCPv6 support. The CMS should define the
       set of DHCPv6 options as key/value pairs. The defined DHCPv6 options
       will be included in the DHCPv6 response to the DHCPv6
       Solicit/Request/Confirm packet from the logical ports having the IPv6
       addresses in the cidr.
3598
3599     Mandatory DHCPv6 options:
3600
3601       The following options must be defined.
3602
3603       options : server_id: optional string
3604              The Ethernet address for the DHCP server to use.  This  is  also
3605              included  in the DHCPv6 reply as option 2, ``Server Identifier’’
3606              to carry a DUID identifying a server  between  a  client  and  a
3607              server.  ovn-controller defines DUID based on Link-layer Address
3608              [DUID-LL].
3609
3610     IPv6 DHCPv6 options:
3611
3612       Below are the supported DHCPv6 options whose values  are  an  IPv6  ad‐
3613       dress,  e.g.  aef0::4.  Some options accept multiple IPv6 addresses en‐
3614       closed within curly braces, e.g. {aef0::4, aef0::5}.  Please  refer  to
3615       RFC 3315 for more details on DHCPv6 options and their codes.
3616
3617       options : dns_server: optional string
3618              The DHCPv6 option code for this option is 23. This option speci‐
3619              fies the DNS servers that the VM should use.
3620
3621     String DHCPv6 options:
3622
3623       These options accept string values.
3624
3625       options : domain_search: optional string
3626              The DHCPv6 option code for this option is 24. This option speci‐
3627              fies  the  domain  search  list the client should use to resolve
3628              hostnames with DNS.
3629
3630              Example: "ovn.org".
3631
3632       options : dhcpv6_stateless: optional string
              This option specifies that OVN native DHCPv6 works in stateless
              mode, which means OVN native DHCPv6 will not offer IPv6
              addresses for VM/VIF ports, but only replies with other
              configuration, such as DNS and domain search list. When this
              option is set to the string value "true", the VM/VIF configures
              its IPv6 addresses statelessly. The default value for this
              option is false.
3639
3640       options : fqdn: optional string
3641              The  DHCPv6 option code for this option is 39. If set, indicates
3642              the DHCPv6 option "FQDN".
3643
3644     Common Columns:
3645
3646       external_ids: map of string-string pairs
3647              See External IDs at the beginning of this document.
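
       A CMS can check a DHCPv4 row against the documented mandatory options,
       value ranges and subnet expectations before committing it. The
       following is an added example, not part of OVN or of this manual: the
       row is a plain dict, the addresses are constructed sample values, and
       the function names are hypothetical.

```python
import ipaddress

MANDATORY_V4 = ("server_id", "server_mac", "lease_time")
BOOLEAN_OPTS = ("ip_forward_enable", "router_discovery", "ethernet_encap")
U32 = 4294967295
# Integer options and their documented ranges.
INT_RANGES = {
    "lease_time": (0, U32), "default_ttl": (0, 255), "tcp_ttl": (0, 255),
    "mtu": (68, 65535), "T1": (68, U32), "T2": (68, U32),
    "arp_cache_timeout": (0, 255), "tcp_keepalive_interval": (0, 255),
    "netbios_node_type": (0, 255),
}
# Options that should lie in the subnet of the offered IP.
IN_SUBNET = ("server_id", "router")


def split_set(value):
    """Split '{a, b}' or a bare value into a list of trimmed items."""
    inner = value.strip().strip("{}")
    return [part.strip() for part in inner.split(",") if part.strip()]


def check_static_routes(value):
    """classless_static_route holds destination,router pairs (RFC 3442)."""
    parts = split_set(value)
    if not parts or len(parts) % 2:
        return ["classless_static_route: expected destination,router pairs"]
    findings = []
    for dest, router in zip(parts[0::2], parts[1::2]):
        try:
            ipaddress.IPv4Network(dest)
            ipaddress.IPv4Address(router)
        except ValueError:
            findings.append("classless_static_route: bad pair %s,%s"
                            % (dest, router))
    return findings


def validate_dhcpv4(row):
    """Findings for a DHCP_Options row that carries DHCPv4 options."""
    options = row.get("options", {})
    try:
        subnet = ipaddress.IPv4Network(row.get("cidr", ""), strict=False)
    except ValueError:
        return ["cidr is not an IPv4 network"]
    findings = ["missing mandatory option %s" % key
                for key in MANDATORY_V4 if key not in options]
    for key, (lo, hi) in INT_RANGES.items():
        if key in options:
            text = options[key]
            if not (text.isascii() and text.isdigit() and lo <= int(text) <= hi):
                findings.append("%s must be an integer in range %d to %d"
                                % (key, lo, hi))
    for key in BOOLEAN_OPTS:
        if key in options and options[key] not in ("0", "1"):
            findings.append("%s must be 0 or 1" % key)
    for key in IN_SUBNET:
        if key in options:
            try:
                if ipaddress.IPv4Address(options[key]) not in subnet:
                    findings.append("%s %s is outside cidr %s"
                                    % (key, options[key], subnet))
            except ValueError:
                findings.append("%s is not an IPv4 address" % key)
    if "classless_static_route" in options:
        findings += check_static_routes(options["classless_static_route"])
    return findings


# Constructed sample rows.
GOOD_ROW = {"cidr": "10.0.0.0/24", "options": {
    "server_id": "10.0.0.1", "server_mac": "c0:ff:ee:00:00:01",
    "lease_time": "3600", "router": "10.0.0.1", "mtu": "1442",
    "classless_static_route": "{30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}"}}
BAD_ROW = {"cidr": "10.0.0.0/24", "options": {
    "server_id": "192.168.1.1", "lease_time": "3600", "mtu": "40",
    "ip_forward_enable": "true",
    "classless_static_route": "{30.0.0.0/24,10.0.0.10, 0.0.0.0/0}"}}

if __name__ == "__main__":
    for finding in validate_dhcpv4(BAD_ROW):
        print(finding)
```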
3648

Connection TABLE

3650       Configuration for a database connection to  an  Open  vSwitch  database
3651       (OVSDB) client.
3652
3653       This  table  primarily  configures  the  Open  vSwitch  database server
3654       (ovsdb-server).
3655
3656       The Open vSwitch database server can initiate and maintain active  con‐
3657       nections  to  remote  clients.  It can also listen for database connec‐
3658       tions.
3659
3660   Summary:
3661       Core Features:
3662         target                      string (must be unique within table)
3663       Client Failure Detection and Handling:
3664         max_backoff                 optional integer, at least 1,000
3665         inactivity_probe            optional integer
3666       Status:
3667         is_connected                boolean
3668         status : last_error         optional string
3669         status : state              optional string, one of ACTIVE,  BACKOFF,
3670                                     CONNECTING, IDLE, or VOID
3671         status : sec_since_connect  optional  string,  containing an integer,
3672                                     at least 0
3673         status : sec_since_disconnect
3674                                     optional string, containing  an  integer,
3675                                     at least 0
3676         status : locks_held         optional string
3677         status : locks_waiting      optional string
3678         status : locks_lost         optional string
3679         status : n_connections      optional  string,  containing an integer,
3680                                     at least 2
3681         status : bound_port         optional string, containing an integer
3682       Common Columns:
3683         external_ids                map of string-string pairs
3684         other_config                map of string-string pairs
3685
3686   Details:
3687     Core Features:
3688
3689       target: string (must be unique within table)
3690              Connection methods for clients.
3691
3692              The following connection methods are currently supported:
3693
3694              ssl:host[:port]
3695                     The specified SSL port on the host  at  the  given  host,
3696                     which can either be a DNS name (if built with unbound li‐
3697                     brary) or an IP address. A valid SSL  configuration  must
3698                     be  provided  when  this form is used; this configuration
3699                     can be specified via command-line options or the SSL  ta‐
3700                     ble.
3701
3702                     If port is not specified, it defaults to 6640.
3703
3704                     SSL  support  is  an  optional feature that is not always
3705                     built as part of Open vSwitch.
3706
3707              tcp:host[:port]
3708                     The specified TCP port on the host  at  the  given  host,
3709                     which can either be a DNS name (if built with unbound li‐
3710                     brary) or an IP address. If host is an IPv6 address, wrap
3711                     it in square brackets, e.g. tcp:[::1]:6640.
3712
3713                     If port is not specified, it defaults to 6640.
3714
3715              pssl:[port][:host]
3716                     Listens  for  SSL  connections on the specified TCP port.
3717                     Specify 0 for  port  to  have  the  kernel  automatically
3718                     choose  an available port. If host, which can either be a
3719                     DNS name (if built with unbound library)  or  an  IP  ad‐
3720                     dress,  is  specified, then connections are restricted to
3721                     the resolved or specified local IP address (either IPv4 or
3722                     IPv6 address). If host is an IPv6 address, wrap in square
3723                     brackets, e.g. pssl:6640:[::1]. If host is not  specified
3724                     then  it listens only on IPv4 (but not IPv6) addresses. A
3725                     valid SSL configuration must be provided when  this  form
3726                     is  used;  this  can be specified either via command-line
3727                     options or the SSL table.
3728
3729                     If port is not specified, it defaults to 6640.
3730
3731                     SSL support is an optional feature  that  is  not  always
3732                     built as part of Open vSwitch.
3733
3734              ptcp:[port][:host]
3735                     Listens  for connections on the specified TCP port. Spec‐
3736                     ify 0 for port to have the kernel automatically choose an
3737                     available  port.  If host, which can either be a DNS name
3738                     (if built with unbound library)  or  an  IP  address,  is
3739                     specified,  then  connections  are  restricted to the re‐
3740                     solved or specified local IP address (either IPv4 or IPv6
3741                     address).  If  host is an IPv6 address, wrap it in square
3742                     brackets, e.g. ptcp:6640:[::1]. If host is not  specified
3743                     then it listens only on IPv4 addresses.
3744
3745                     If port is not specified, it defaults to 6640.
3746
3747              When  multiple clients are configured, the target values must be
3748              unique. Duplicate target values yield unspecified results.
3749
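The target grammar above can be checked mechanically before a row is written. The following is an added example, not code from OVN or Open vSwitch: parse_target and audit_targets are hypothetical helper names, and the sample targets are constructed. It parses the four documented forms, applies the 6640 default, and reports plaintext methods, listeners not restricted to one local address, port 0, and duplicate targets.

```python
import ipaddress
from collections import Counter

DEFAULT_PORT = 6640                  # documented default for all four methods
ACTIVE = ("ssl", "tcp")              # host[:port]
PASSIVE = ("pssl", "ptcp")           # [port][:host]


def parse_target(target):
    """Parse one Connection.target value into method, host and port."""
    method, sep, rest = target.partition(":")
    if not sep or method not in ACTIVE + PASSIVE:
        raise ValueError(f"unsupported connection method in {target!r}")
    if method in ACTIVE:
        if rest.startswith("["):                 # bracketed IPv6 literal
            end = rest.find("]")
            if end < 0 or rest[end + 1:end + 2] not in ("", ":"):
                raise ValueError(f"malformed bracketed host in {target!r}")
            host, port_s = rest[1:end], rest[end + 2:]
        else:
            host, _, port_s = rest.partition(":")
        if not host:
            raise ValueError(f"active method needs a host: {target!r}")
    else:
        port_s, _, host = rest.partition(":")
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]
        elif ":" in host:
            raise ValueError(f"IPv6 host must be in brackets: {target!r}")
        host = host or None                      # None: host not specified
    port = int(port_s) if port_s else DEFAULT_PORT   # non-numeric: ValueError
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range in {target!r}")
    return {"method": method, "host": host, "port": port}


def _is_wildcard(host):
    try:
        return ipaddress.ip_address(host).is_unspecified   # 0.0.0.0 or ::
    except ValueError:
        return False                                       # a DNS name


def audit_targets(targets):
    """Return (target, finding) pairs for a list of target column values."""
    findings = [(t, "duplicate target: results are unspecified")
                for t, n in Counter(targets).items() if n > 1]
    for t in dict.fromkeys(targets):             # each distinct value once
        try:
            p = parse_target(t)
        except ValueError as exc:
            findings.append((t, f"unparseable: {exc}"))
            continue
        if p["method"] in ("tcp", "ptcp"):
            findings.append((t, "plaintext OVSDB, no TLS authentication"))
        if p["method"] in PASSIVE:
            if p["host"] is None or _is_wildcard(p["host"]):
                findings.append((t, "listener not bound to one local address"))
            if p["port"] == 0:
                findings.append((t, "port 0: read status:bound_port"))
    return findings


# Constructed sample values, not taken from a real deployment.
SAMPLE = ["ptcp:6641", "pssl:6641:10.0.0.5", "tcp:[::1]:6640", "ptcp:6641"]

if __name__ == "__main__":
    for target, finding in audit_targets(SAMPLE):
        print(f"{target:22} {finding}")
```
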
3750     Client Failure Detection and Handling:
3751
3752       max_backoff: optional integer, at least 1,000
3753              Maximum number of milliseconds to wait  between  connection  at‐
3754              tempts. Default is implementation-specific.
3755
3756       inactivity_probe: optional integer
3757              Maximum number of milliseconds of idle time on connection to the
3758              client before sending  an  inactivity  probe  message.  If  Open
3759              vSwitch  does  not communicate with the client for the specified
3760              number of seconds, it will send a probe. If a  response  is  not
3761              received  for  the  same additional amount of time, Open vSwitch
3762              assumes the connection has been broken and  attempts  to  recon‐
3763              nect.  Default is implementation-specific. A value of 0 disables
3764              inactivity probes.
3765
3766     Status:
3767
3768       Key-value pair of is_connected is always updated. Other key-value pairs
3769       in the status columns may be updated depending on the target type.
3770
3771       When target specifies a connection method that listens for inbound con‐
3772       nections (e.g. ptcp: or punix:), both  n_connections  and  is_connected
3773       may also be updated while the remaining key-value pairs are omitted.
3774
3775       On  the  other  hand, when target specifies an outbound connection, all
3776       key-value pairs may be updated, except  the  above-mentioned  two  key-
3777       value  pairs associated with inbound connection targets. They are omit‐
3778       ted.
3779
3780       is_connected: boolean
3781              true if currently connected to this client, false otherwise.
3782
3783       status : last_error: optional string
3784              A human-readable description of the last error on the connection
3785              to  the  manager; i.e. strerror(errno). This key will exist only
3786              if an error has occurred.
3787
3788       status : state: optional string, one of  ACTIVE,  BACKOFF,  CONNECTING,
3789       IDLE, or VOID
3790              The state of the connection to the manager:
3791
3792              VOID   Connection is disabled.
3793
3794              BACKOFF
3795                     Attempting to reconnect at an increasing period.
3796
3797              CONNECTING
3798                     Attempting to connect.
3799
3800              ACTIVE Connected, remote host responsive.
3801
3802              IDLE   Connection is idle. Waiting for response to keep-alive.
3803
3804              These  values  may  change in the future. They are provided only
3805              for human consumption.
3806
3807       status : sec_since_connect: optional string, containing an integer,  at
3808       least 0
3809              The amount of time since this client last successfully connected
3810              to the database (in seconds). Value is empty if client has never
3811              successfully been connected.
3812
3813       status  : sec_since_disconnect: optional string, containing an integer,
3814       at least 0
3815              The amount of time since this client last disconnected from  the
3816              database  (in  seconds). Value is empty if client has never dis‐
3817              connected.
3818
3819       status : locks_held: optional string
3820              Space-separated list of the names of OVSDB locks that  the  con‐
3821              nection  holds.  Omitted  if  the  connection  does not hold any
3822              locks.
3823
3824       status : locks_waiting: optional string
3825              Space-separated list of the names of OVSDB locks that  the  con‐
3826              nection  is currently waiting to acquire. Omitted if the connec‐
3827              tion is not waiting for any locks.
3828
3829       status : locks_lost: optional string
3830              Space-separated list of the names of OVSDB locks that  the  con‐
3831              nection  has  had  stolen by another OVSDB client. Omitted if no
3832              locks have been stolen from this connection.
3833
3834       status : n_connections: optional  string,  containing  an  integer,  at
3835       least 2
3836              When  target  specifies a connection method that listens for in‐
3837              bound connections (e.g. ptcp: or pssl:) and more than  one  con‐
3838              nection  is  actually  active, the value is the number of active
3839              connections. Otherwise, this key-value pair is omitted.
3840
3841       status : bound_port: optional string, containing an integer
3842              When target is ptcp: or pssl:, this is the TCP port on which the
3843              OVSDB  server  is  listening.  (This is particularly useful when
3844              target specifies a port of 0, allowing the kernel to choose  any
3845              available port.)
3846
3847     Common Columns:
3848
3849       The  overall purpose of these columns is described under Common Columns
3850       at the beginning of this document.
3851
3852       external_ids: map of string-string pairs
3853
3854       other_config: map of string-string pairs
3855

DNS TABLE

3857       Each row in this table stores the DNS records. The  Logical_Switch  ta‐
3858       ble’s dns_records references these records.
3859
3860   Summary:
3861       records                       map of string-string pairs
3862       external_ids                  map of string-string pairs
3863
3864   Details:
3865       records: map of string-string pairs
3866              Key-value pair of DNS records with DNS query name as the key and
3867              value as a string of IP address(es) separated by comma or space.
3868              For  PTR  requests,  the  key-value pair can be Reverse IPv4 ad‐
3869              dress.in-addr.arpa and the value DNS domain name. For  IPv6  ad‐
3870              dresses, the key has to be Reverse IPv6 address.ip6.arpa.
3871
3872              Example:  "vm1.ovn.org" = "10.0.0.4 aef0::4"
3873
3874              Example:  "4.0.0.10.in-addr.arpa" = "vm1.ovn.org"
3875
3876       external_ids: map of string-string pairs
3877              See External IDs at the beginning of this document.
3878
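The records format described above, as an added example that is not part of the OVN documentation: build_dns_records generates the forward entry and the matching PTR keys for each name, and check_records reports PTR entries whose target name has no forward record for the same address. The function names are hypothetical and the input reuses the page's example name and addresses.

```python
import ipaddress
import re

PTR_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")


def build_dns_records(hosts):
    """hosts: {name: [ip, ...]} -> records map with forward and PTR keys."""
    records = {}
    for name, ips in hosts.items():
        addrs = [ipaddress.ip_address(ip) for ip in ips]   # rejects bad input
        records[name] = " ".join(str(a) for a in addrs)
        for addr in addrs:
            ptr = addr.reverse_pointer
            if records.setdefault(ptr, name) != name:
                raise ValueError(
                    f"{addr} is claimed by {records[ptr]} and {name}")
    return records


def ptr_to_ip(key):
    """Recover the address encoded in a PTR key."""
    labels = key.split(".")[:-2]             # drop 'in-addr' or 'ip6', 'arpa'
    if key.endswith(".in-addr.arpa"):
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    if len(labels) != 32:
        raise ValueError(f"ip6.arpa key needs 32 nibbles: {key!r}")
    return ipaddress.IPv6Address(int("".join(reversed(labels)), 16))


def check_records(records):
    """List PTR entries whose target name does not resolve back to them."""
    problems = []
    for key, value in records.items():
        if not key.endswith(PTR_SUFFIXES):
            continue
        try:
            addr = ptr_to_ip(key)
            forward = {ipaddress.ip_address(x)
                       for x in re.split(r"[,\s]+", records.get(value, ""))
                       if x}
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        if addr not in forward:
            problems.append(f"{key}: {value} has no forward record for {addr}")
    return problems


# Constructed input reusing the page's example name and addresses.
RECORDS = build_dns_records({"vm1.ovn.org": ["10.0.0.4", "aef0::4"]})

if __name__ == "__main__":
    for k, v in RECORDS.items():
        print(f'"{k}" = "{v}"')
    print(check_records(RECORDS))
```
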

SSL TABLE

3880       SSL configuration for ovn-nb database access.
3881
3882   Summary:
3883       private_key                   string
3884       certificate                   string
3885       ca_cert                       string
3886       bootstrap_ca_cert             boolean
3887       ssl_protocols                 string
3888       ssl_ciphers                   string
3889       Common Columns:
3890         external_ids                map of string-string pairs
3891
3892   Details:
3893       private_key: string
3894              Name  of  a  PEM  file  containing  the  private key used as the
3895              switch’s identity for SSL connections to the controller.
3896
3897       certificate: string
3898              Name of a PEM file containing a certificate, signed by the  cer‐
3899              tificate authority (CA) used by the controller and manager, that
3900              certifies the switch’s private key,  identifying  a  trustworthy
3901              switch.
3902
3903       ca_cert: string
3904              Name  of a PEM file containing the CA certificate used to verify
3905              that the switch is connected to a trustworthy controller.
3906
3907       bootstrap_ca_cert: boolean
3908              If set to true, then Open vSwitch will attempt to obtain the  CA
3909              certificate  from the controller on its first SSL connection and
3910              save it to the named PEM file. If it is successful, it will  im‐
3911              mediately  drop  the  connection and reconnect, and from then on
3912              all SSL connections  must  be  authenticated  by  a  certificate
3913              signed  by the CA certificate thus obtained. This option exposes
3914              the SSL connection to a man-in-the-middle attack  obtaining  the
3915              initial  CA  certificate.  It may still be useful for bootstrap‐
3916              ping.
3917
3918       ssl_protocols: string
3919              List of SSL protocols to be enabled for SSL connections. The de‐
3920              fault when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.
3921
3922       ssl_ciphers: string
3923              List  of  ciphers  (in  OpenSSL cipher string format) to be sup‐
3924              ported for SSL connections. The  default  when  this  option  is
3925              omitted is HIGH:!aNULL:!MD5.
3926
3927     Common Columns:
3928
3929       The  overall purpose of these columns is described under Common Columns
3930       at the beginning of this document.
3931
3932       external_ids: map of string-string pairs
3933
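A review of one SSL table row against the defaults and the bootstrap caveat documented above, as an added example that is not OVN or Open vSwitch code. The function names, the finding texts and both sample rows (including the file paths) are constructed for illustration; the cipher check is a keyword heuristic over the OpenSSL cipher string, not a full expansion of it.

```python
import re

# Defaults the page documents for omitted (empty) columns.
DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}      # deprecated by RFC 8996
# OpenSSL cipher-string keywords that select weak or unauthenticated suites.
WEAK_KEYWORDS = {"aNULL", "eNULL", "NULL", "EXPORT", "LOW",
                 "MD5", "RC4", "DES", "3DES"}


def effective_protocols(row):
    """Protocols in force, falling back to the documented default."""
    raw = row.get("ssl_protocols") or DEFAULT_PROTOCOLS
    return [p for p in re.split(r"[,\s]+", raw) if p]


def enabled_weak_ciphers(row):
    """Weak keywords a cipher string enables and never '!'-excludes."""
    raw = row.get("ssl_ciphers") or DEFAULT_CIPHERS
    tokens = [t for t in re.split(r"[:,\s]+", raw) if t]
    killed = {t[1:] for t in tokens if t.startswith("!")}   # '!' is permanent
    weak = []
    for tok in tokens:
        if tok[0] in "!-+":              # removes or reorders, adds nothing
            continue
        parts = set(tok.split("+"))      # 'A+B' selects the intersection
        if parts & WEAK_KEYWORDS and not (parts & killed):
            weak.append(tok)
    return weak


def audit_ssl_row(row):
    """Return a list of findings for one SSL table row (a dict)."""
    findings = []
    for col in ("private_key", "certificate", "ca_cert"):
        if not row.get(col):
            findings.append(f"{col}: no PEM file named")
    if row.get("bootstrap_ca_cert"):
        findings.append("bootstrap_ca_cert: first connection is exposed to "
                        "man-in-the-middle while the CA is fetched")
    old = [p for p in effective_protocols(row) if p in DEPRECATED_PROTOCOLS]
    if old:
        how = "set explicitly" if row.get("ssl_protocols") else "default"
        findings.append(f"ssl_protocols: {','.join(old)} enabled ({how})")
    weak = enabled_weak_ciphers(row)
    if weak:
        findings.append(f"ssl_ciphers: enables {','.join(weak)}")
    return findings


# Constructed rows; the paths are placeholders.
BOOTSTRAP_ROW = {"private_key": "/path/to/privkey.pem",
                 "certificate": "/path/to/cert.pem",
                 "ca_cert": "/path/to/cacert.pem",
                 "bootstrap_ca_cert": True,
                 "ssl_protocols": "", "ssl_ciphers": ""}
PINNED_ROW = dict(BOOTSTRAP_ROW, bootstrap_ca_cert=False,
                  ssl_protocols="TLSv1.2", ssl_ciphers="HIGH:!aNULL:!MD5")

if __name__ == "__main__":
    for name, row in (("bootstrap", BOOTSTRAP_ROW), ("pinned", PINNED_ROW)):
        print(name, audit_ssl_row(row))
```
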

Gateway_Chassis TABLE

3935       Association of a chassis to a logical router port.  The  traffic  going
3936       out through a specific router port will be redirected to a chassis, or
3937       a set of them in high availability configurations.
3938
3939   Summary:
3940       name                          string (must be unique within table)
3941       chassis_name                  string
3942       priority                      integer, in range 0 to 32,767
3943       options                       map of string-string pairs
3944       Common Columns:
3945         external_ids                map of string-string pairs
3946
3947   Details:
3948       name: string (must be unique within table)
3949              Name of the Gateway_Chassis.
3950
3951              A   suggested,   but   not   required   naming   convention   is
3952              ${port_name}_${chassis_name}.
3953
3954       chassis_name: string
3955              Name of the chassis that we want to redirect traffic through for
3956              the associated logical router port. The  value  must  match  the
3957              name column of the Chassis table in the OVN_Southbound database.
3958
3959       priority: integer, in range 0 to 32,767
3960              This  is the priority of a chassis among all Gateway_Chassis be‐
3961              longing to the same logical router port.
3962
3963       options: map of string-string pairs
3964              Reserved for future use.
3965
3966     Common Columns:
3967
3968       external_ids: map of string-string pairs
3969              See External IDs at the beginning of this document.
3970

HA_Chassis_Group TABLE

3972       Table representing a group of chassis which can provide high availabil‐
3973       ity  services.  Each  chassis  in the group is represented by the table
3974       HA_Chassis. The HA chassis with highest priority will be the master  of
3975       this  group. If the master chassis failover is detected, the HA chassis
3976       with the next higher priority takes over the responsibility of  provid‐
3977       ing  the  HA.  If a distributed gateway router port references a row in
3978       this table, then the master HA chassis in this group provides the gate‐
3979       way functionality.
3980
3981   Summary:
3982       name                          string (must be unique within table)
3983       ha_chassis                    set of HA_Chassises
3984       Common Columns:
3985         external_ids                map of string-string pairs
3986
3987   Details:
3988       name: string (must be unique within table)
3989              Name of the HA_Chassis_Group. Name should be unique.
3990
3991       ha_chassis: set of HA_Chassises
3992              A list of HA chassis which belong to this group.
3993
3994     Common Columns:
3995
3996       external_ids: map of string-string pairs
3997              See External IDs at the beginning of this document.
3998

HA_Chassis TABLE

4000   Summary:
4001       chassis_name                  string
4002       priority                      integer, in range 0 to 32,767
4003       Common Columns:
4004         external_ids                map of string-string pairs
4005
4006   Details:
4007       chassis_name: string
4008              Name  of  the chassis which is part of the HA chassis group. The
4009              value must match the name column of the  Chassis  table  in  the
4010              OVN_Southbound database.
4011
4012       priority: integer, in range 0 to 32,767
4013              Priority  of  the chassis. Chassis with highest priority will be
4014              the master.
4015
4016     Common Columns:
4017
4018       external_ids: map of string-string pairs
4019              See External IDs at the beginning of this document.
4020

BFD TABLE

4022       Contains BFD parameters for ovn-controller BFD configuration.  OVN  BFD
4023       implementation is used to provide detection of failures in the path be‐
4024       tween adjacent forwarding engines, including the  OVN  interfaces.  OVN
4025       BFD  provides link status info to OVN northd in order to update logical
4026       flows according to the status of BFD endpoints. In the  current  imple‐
4027       mentation  OVN  BFD  is  used to check next-hop status for ECMP routes.
4028       Please note BFD table refers to OVN BFD implementation and not  to  OVS
4029       legacy one.
4030
4031   Summary:
4032       Configuration:
4033         logical_port                string
4034         dst_ip                      string
4035         min_tx                      optional integer, at least 1
4036         min_rx                      optional integer
4037         detect_mult                 optional integer, at least 1
4038         options                     map of string-string pairs
4039         external_ids                map of string-string pairs
4040       Status Reporting:
4041         status                      optional string, one of admin_down, down,
4042                                     init, or up
4043
4044   Details:
4045     Configuration:
4046
4047       ovn-northd reads configuration from these columns.
4048
4049       logical_port: string
4050              OVN logical port when BFD engine is running.
4051
4052       dst_ip: string
4053              BFD peer IP address.
4054
4055       min_tx: optional integer, at least 1
4056              This is the minimum interval, in milliseconds,  that  the  local
4057              system  would like to use when transmitting BFD Control packets,
4058              less any jitter applied. The value  zero  is  reserved.  Default
4059              value is 1000 ms.
4060
4061       min_rx: optional integer
4062              This  is the minimum interval, in milliseconds, between received
4063              BFD Control packets that this system is capable  of  supporting,
4064              less  any  jitter  applied by the sender. If this value is zero,
4065              the transmitting system does not want the remote system to  send
4066              any periodic BFD Control packets.
4067
4068       detect_mult: optional integer, at least 1
4069              Detection  time  multiplier.  The  negotiated transmit interval,
4070              multiplied by this value, provides the Detection  Time  for  the
4071              receiving system in Asynchronous mode. Default value is 5.
4072
4073       options: map of string-string pairs
4074              Reserved for future use.
4075
4076       external_ids: map of string-string pairs
4077              See External IDs at the beginning of this document.
4078
4079     Status Reporting:
4080
4081       ovn-northd writes BFD status into these columns.
4082
4083       status: optional string, one of admin_down, down, init, or up
4084              BFD port logical states. Possible values are:
4085
4086              admin_down
4087
4088              down
4089
4090              init
4091
4092              up
4093

Static_MAC_Binding TABLE

4095       Each record represents a Static_MAC_Binding entry for a logical router.
4096
4097   Summary:
4098       Configuration:
4099         logical_port                string
4100         ip                          string
4101         mac                         string
4102         override_dynamic_mac        boolean
4103
4104   Details:
4105     Configuration:
4106
4107       ovn-northd  reads  configuration  from these columns and propagates the
4108       value to SBDB.
4109
4110       logical_port: string
4111              The logical router port for the binding.
4112
4113       ip: string
4114              The bound IP address.
4115
4116       mac: string
4117              The Ethernet address to which the IP is bound.
4118
4119       override_dynamic_mac: boolean
4120              Override dynamically learnt MACs.
4121

Chassis_Template_Var TABLE

4123       One record per chassis, each containing a map, variables, between  tem‐
4124       plate  variable names and their value for that specific chassis. A tem‐
4125       plate variable has a name and potentially different values on different
4126       hypervisors  in  the  OVN  cluster. For example, two rows, R1 = (.chas‐
4127       sis=C1, variables={(N: V1)} and R2 = (.chassis=C2, variables={(N:  V2)}
4128       will make ovn-controller running on chassis C1 and C2 interpret the to‐
4129       ken N either as V1 (on C1) or as V2 (on C2). Users can  refer  to  tem‐
4130       plate variables from within other logical components, e.g., within ACL,
4131       QoS or Logical_Router_Policy matches  or  from  Load_Balancer  VIP  and
4132       backend definitions.
4133
4134       If  a template variable is referenced on a chassis for which that vari‐
4135       able is not defined then ovn-controller running on  that  chassis  will
4136       just interpret it as a raw string literal.
4137
4138   Summary:
4139       chassis                       string (must be unique within table)
4140       variables                     map of string-string pairs
4141       Common Columns:
4142         external_ids                map of string-string pairs
4143
4144   Details:
4145       chassis: string (must be unique within table)
4146              The chassis this set of variable values applies to.
4147
4148       variables: map of string-string pairs
4149              The set of variable values for a given chassis.
4150
4151     Common Columns:
4152
4153       external_ids: map of string-string pairs
4154              See External IDs at the beginning of this document.
4155
4156
4157
4158Open vSwitch 23.09.2            DB Schema 7.1.0                      ovn-nb(5)