1ovn-nb(5) Open vSwitch Manual ovn-nb(5)
2
6 ovn-nb - OVN_Northbound database schema
7 This database is the interface between OVN and the cloud management
9 system (CMS), such as OpenStack, running above it. The CMS produces al‐
10 most all of the contents of the database. The ovn-northd program moni‐
11 tors the database contents, transforms it, and stores it into the
12 OVN_Southbound database.
13 We generally speak of ``the’’ CMS, but one can imagine scenarios in
15 which multiple CMSes manage different parts of an OVN deployment.
16 External IDs
18 Each of the tables in this database contains a special column, named
19 external_ids. This column has the same form and purpose each place it
20 appears.
21 external_ids: map of string-string pairs
23 Key-value pairs for use by the CMS. The CMS might use
24 certain pairs, for example, to identify entities in its
25 own configuration that correspond to those in this data‐
26 base.
27
29 The following list summarizes the purpose of each of the tables in the
30 OVN_Northbound database. Each table is described in more detail on a
31 later page.
32 Table Purpose
34 NB_Global Northbound configuration
35 Copp Control plane protection
36 Logical_Switch
37 L2 logical switch
38 Logical_Switch_Port
39 L2 logical switch port
40 Forwarding_Group
41 forwarding group
42 Address_Set
43 Address Sets
44 Port_Group
45 Port Groups
46 Load_Balancer
47 load balancer
48 Load_Balancer_Group
49 load balancer group
50 Load_Balancer_Health_Check
51 load balancer
52 ACL Access Control List (ACL) rule
53 Logical_Router
54 L3 logical router
55 QoS QoS rule
56 Mirror Mirror Entry
57 Meter Meter entry
58 Meter_Band
59 Band for meter entries
60 Logical_Router_Port
61 L3 logical router port
62 Logical_Router_Static_Route
63 Logical router static routes
64 Logical_Router_Policy
65 Logical router policies
66 NAT NAT rules
67 DHCP_Options
68 DHCP options
69 Connection
70 OVSDB client connections.
71 DNS Native DNS resolution
72 SSL SSL configuration.
73 Gateway_Chassis
74 Gateway_Chassis configuration.
75 HA_Chassis_Group
76 HA_Chassis_Group configuration.
77 HA_Chassis
78 HA_Chassis configuration.
79 BFD BFD configuration.
80 Static_MAC_Binding
81 Static_MAC_Binding configuration.
82 Chassis_Template_Var
83 Chassis_Template_Var configuration.
84
86 Northbound configuration for an OVN system. This table must have ex‐
87 actly one row.
88 Summary:
90 Identity:
91 name string
92 Status:
93 nb_cfg integer
94 nb_cfg_timestamp integer
95 sb_cfg integer
96 sb_cfg_timestamp integer
97 hv_cfg integer
98 hv_cfg_timestamp integer
99 Common Columns:
100 external_ids map of string-string pairs
101 Common options:
102 options map of string-string pairs
103 Options for configuring OVS BFD:
104 options : bfd-min-rx optional string
105 options : bfd-decay-min-rx
106 optional string
107 options : bfd-min-tx optional string
108 options : bfd-mult optional string
109 options : mac_prefix optional string
110 options : mac_binding_removal_limit
111 optional string, containing an integer,
112 in range 0 to 4,294,967,295
113 options : fdb_removal_limit
114 optional string, containing an integer,
115 in range 0 to 4,294,967,295
116 options : controller_event optional string, either true or false
117 options : northd_probe_interval
118 optional string
119 options : ic_probe_interval
120 optional string
121 options : nbctl_probe_interval
122 optional string
123 options : northd_trim_timeout
124 optional string
125 options : use_logical_dp_groups
126 optional string
127 options : use_parallel_build
128 optional string
129 options : ignore_lsp_down optional string
130 options : use_ct_inv_match optional string
131 options : default_acl_drop optional string
132 options : debug_drop_domain_id
133 optional string
134 options : debug_drop_collector_set
135 optional string
136 options : use_common_zone optional string, either true or false
137 options : northd-backoff-interval-ms
138 optional string
139 Options for configuring interconnection route advertisement:
140 options : ic-route-adv optional string
141 options : ic-route-learn optional string
142 options : ic-route-adv-default
143 optional string
144 options : ic-route-learn-default
145 optional string
146 options : ic-route-blacklist
147 optional string
148 Connection Options:
149 connections set of Connections
150 ssl optional SSL
151 Security Configurations:
152 ipsec boolean
153 Read-only Options:
154 options : max_tunid optional string
155 Details:
157 Identity:
158 name: string
160 The name of the OVN cluster, which uniquely identifies the OVN
161 cluster throughout all OVN clusters supposed to interconnect
162 with each other.
163 Status:
165 These columns allow a client to track the overall configuration state
167 of the system.
168 nb_cfg: integer
170 Sequence number for client to increment. When a client modifies
171 any part of the northbound database configuration and wishes to
172 wait for ovn-northd and possibly all of the hypervisors to fin‐
173 ish applying the changes, it may increment this sequence number.
174 nb_cfg_timestamp: integer
176 The timestamp, in milliseconds since the epoch, when ovn-northd
177 sees the latest nb_cfg and starts processing.
178 To print the timestamp as a human-readable date:
180 date -d "@$(ovn-nbctl get NB_Global . nb_cfg_timestamp | sed ’s/...$//’)"
182 sb_cfg: integer
185 Sequence number that ovn-northd sets to the value of nb_cfg af‐
186 ter it finishes applying the corresponding configuration changes
187 to the OVN_Southbound database.
188 sb_cfg_timestamp: integer
190 The timestamp, in milliseconds since the epoch, when ovn-northd
191 finishes applying the corresponding configuration changes to the
192 OVN_Southbound database successfully.
193 hv_cfg: integer
195 Sequence number that ovn-northd sets to the smallest sequence
196 number of all the chassis in the system, as reported in the
197 Chassis_Private table in the southbound database. Thus, hv_cfg
198 equals nb_cfg if all chassis are caught up with the northbound
199 configuration (which may never happen, if any chassis is down).
200 This value can regress, if a chassis was removed from the system
201 and rejoins before catching up.
202 If there are no chassis, then ovn-northd copies nb_cfg to
204 hv_cfg. Thus, in this case, the (nonexistent) hypervisors are
205 always considered to be caught up. This means that hypervisors
206 can be "caught up" even in cases where sb_cfg would show that
207 the southbound database is not. To detect when both the hypervi‐
208 sors and the southbound database are caught up, a client should
209 take the smaller of sb_cfg and hv_cfg.
210 hv_cfg_timestamp: integer
212 The largest timestamp, in milliseconds since the epoch, of the
213 smallest sequence number of all the chassis in the system, as
214 reported in the Chassis_Private table in the southbound data‐
215 base. In other words, this timestamp reflects the time when the
216 slowest chassis catches up with the northbound configuration,
217 which is useful for end-to-end control plane latency measure‐
218 ment.
219 Common Columns:
221 external_ids: map of string-string pairs
223 See External IDs at the beginning of this document.
224 Common options:
226 options: map of string-string pairs
228 This column provides general key/value settings. The supported
229 options are described individually below.
230 Options for configuring OVS BFD:
232 These options apply when ovn-controller configures OVS BFD on tunnels
234 interfaces. Please note these parameters refer to legacy OVS BFD imple‐
235 mentation and not to OVN BFD one.
236 options : bfd-min-rx: optional string
238 BFD option min-rx value to use when configuring BFD on tunnel
239 interfaces.
240 options : bfd-decay-min-rx: optional string
242 BFD option decay-min-rx value to use when configuring BFD on
243 tunnel interfaces.
244 options : bfd-min-tx: optional string
246 BFD option min-tx value to use when configuring BFD on tunnel
247 interfaces.
248 options : bfd-mult: optional string
250 BFD option mult value to use when configuring BFD on tunnel in‐
251 terfaces.
252 options : mac_prefix: optional string
254 Configure a given OUI to be used as prefix when L2 address is
255 dynamically assigned, e.g. 00:11:22
256 options : mac_binding_removal_limit: optional string, containing an in‐
258 teger, in range 0 to 4,294,967,295
259 MAC binding aging bulk removal limit. This limits how many rows
260 can expire in a single transaction. Default value is 0 which is
261 unlimited. When we hit the limit next batch removal is delayed
262 by 5 s.
263 options : fdb_removal_limit: optional string, containing an integer, in
265 range 0 to 4,294,967,295
266 FDB aging bulk removal limit. This limits how many rows can ex‐
267 pire in a single transaction. Default value is 0 which is unlim‐
268 ited. When we hit the limit next batch removal is delayed by 5
269 s.
270 options : controller_event: optional string, either true or false
272 Value set by the CMS to enable/disable ovn-controller event re‐
273 porting. Traffic into OVS can raise a ’controller’ event that
274 results in a Controller_Event being written to the Con‐
275 troller_Event table in SBDB. When the CMS has seen the event and
276 taken appropriate action, it can remove the corresponding row in
277 Controller_Event table. The intention is for a CMS to see the
278 events and take some sort of action. Please see the Con‐
279 troller_Event table in SBDB. It is possible to associate a meter
280 to each controller event type in order to not overload the pinc‐
281 trl thread under heavy load. Each event type relies on a meter
282 with a defined name:
283 • empty_lb_backends: event-elb
285 options : northd_probe_interval: optional string
287 The inactivity probe interval of the connection to the OVN
288 Northbound and Southbound databases from ovn-northd, in mil‐
289 liseconds. If the value is zero, it disables the connection
290 keepalive feature.
291 If the value is nonzero, then it will be forced to a value of at
293 least 1000 ms.
294 options : ic_probe_interval: optional string
296 The inactivity probe interval of the connection to the OVN
297 Northbound and Southbound databases from ovn-ic, in millisec‐
298 onds. If the value is zero, it disables the connection keepalive
299 feature.
300 If the value is nonzero, then it will be forced to a value of at
302 least 1000 ms.
303 options : nbctl_probe_interval: optional string
305 The inactivity probe interval of the connection to the OVN
306 Northbound database from ovn-nbctl utility, in milliseconds. If
307 the value is zero, it disables the connection keepalive feature.
308 If the value is nonzero, then it will be forced to a value of at
310 least 1000 ms.
311 If the value is less than zero, then the default inactivity
313 probe interval for ovn-nbctl would be left intact (120000 ms).
314 options : northd_trim_timeout: optional string
316 When used, this configuration value specifies the time, in mil‐
317 liseconds, since the last ovn-northd active operation after
318 which memory trimming is performed. By default this is set to
319 30000 (30 seconds).
320 options : use_logical_dp_groups: optional string
322 Note: This option is deprecated, the only behavior is to always
323 combine logical flows by datapath groups. Changing the value or
324 removing this option all toghether will have no effect.
325 ovn-northd combines logical flows that differs only by logical
327 datapath into a single logical flow with logical datapath group
328 attached.
329 options : use_parallel_build: optional string
331 If set to true, ovn-northd will attempt to compute logical flows
332 in parallel.
333 Parallel computation is enabled only if the system has 4 or more
335 cores/threads available to be used by ovn-northd.
336 The default value is false.
338 options : ignore_lsp_down: optional string
340 If set to false, ARP/ND reply flows for logical switch ports
341 will be installed only if the port is up, i.e. claimed by a
342 Chassis. If set to true, these flows are installed regardless of
343 the status of the port, which can result in a situation that ARP
344 request to an IP is resolved even before the relevant VM/con‐
345 tainer is running. For environments where this is not an issue,
346 setting it to true can reduce the load and latency of the con‐
347 trol plane. The default value is true.
348 options : use_ct_inv_match: optional string
350 If set to false, ovn-northd will not use the ct.inv field in any
351 of the logical flow matches. The default value is true. If the
352 NIC supports offloading OVS datapath flows but doesn’t support
353 offloading ct_state inv flag, then the datapath flows matching
354 on this flag (either +inv or -inv) will not be offloaded. CMS
355 should consider setting use_ct_inv_match to false in such cases.
356 This results in a side effect of the invalid packets getting de‐
357 livered to the destination VIF, which otherwise would have been
358 dropped by OVN.
359 options : default_acl_drop: optional string
361 If set to true., ovn-northd will generate a logical flow to drop
362 all traffic in the ACL stages. By default this option is set to
363 false.
364 options : debug_drop_domain_id: optional string
366 If set to a 8-bit number and if debug_drop_collector_set is also
367 configured, ovn-northd will add a sample action to every logical
368 flow that contains a ’drop’ action. The 8 most significant bits
369 of the observation_domain_id field will be those specified in
370 the debug_drop_domain_id. The 24 least significant bits of the
371 observation_domain_id field will be the datapath’s key.
372 The observation_point_id will be set to the first 32 bits of the
374 logical flow’s UUID.
375 options : debug_drop_collector_set: optional string
377 If set to a 32-bit number ovn-northd will add a sample action to
378 every logical flow that contains a ’drop’ action. The sample ac‐
379 tion will have the specified collector_set_id. The value must
380 match that of the local OVS configuration as described in
381 ovs-actions(7).
382 options : use_common_zone: optional string, either true or false
384 Default value is false. If set to true the SNAT and DNAT happens
385 in common zone, instead of happening in separate zones, depend‐
386 ing on the configuration. However, this option breaks traffic
387 when there is configuration of DGP + LB + SNAT on this LR. The
388 value true should be used only in case of HWOL compatibility
389 with GDP.
390 options : northd-backoff-interval-ms: optional string
392 Maximum interval that the northd incremental engine is delayed
393 by in milliseconds. Setting the value to nonzero delays the next
394 northd engine run by the previous run time, capped by the speci‐
395 fied value. If the value is zero the engine won’t be delayed at
396 all. The recommended period is smaller than 500 ms, beyond that
397 the latency of SB changes would be very noticeable.
398 Options for configuring interconnection route advertisement:
400 These options control how routes are advertised between OVN deployments
402 for interconnection. If enabled, ovn-ic from different OVN deployments
403 exchanges routes between each other through the global OVN_IC_South‐
404 bound database. Only routers with ports connected to interconnection
405 transit switches participate in route advertisement. For each of these
406 routers, there are two types of routes to be advertised:
407 Firstly, the static routes configured in the router are advertised.
409 Secondly, the networks configured in the logical router ports that are
411 not on the transit switches are advertised. These are considered as di‐
412 rectly connected subnets on the router.
413 Link local prefixes (IPv4 169.254.0.0/16 and IPv6 FE80::/10) are never
415 advertised.
416 The learned routes are added to the static_routes column of the Logi‐
418 cal_Router table, with external_ids:ic-learned-route set to the uuid of
419 the row in Route table of the OVN_IC_Southbound database.
420 options : ic-route-adv: optional string
422 A boolean value that enables route advertisement to the global
423 OVN_IC_Southbound database. Default is false.
424 options : ic-route-learn: optional string
426 A boolean value that enables route learning from the global
427 OVN_IC_Southbound database. Default is false.
428 options : ic-route-adv-default: optional string
430 A boolean value that enables advertising default route to the
431 global OVN_IC_Southbound database. Default is false. This option
432 takes effect only when option ic-route-adv is true.
433 options : ic-route-learn-default: optional string
435 A boolean value that enables learning default route from the
436 global OVN_IC_Southbound database. Default is false. This option
437 takes effect only when option ic-route-learn is true.
438 options : ic-route-blacklist: optional string
440 A string value contains a list of CIDRs delimited by ",". A
441 route will not be advertised or learned if the route’s prefix
442 belongs to any of the CIDRs listed.
443 Connection Options:
445 connections: set of Connections
447 Database clients to which the Open vSwitch database server
448 should connect or on which it should listen, along with options
449 for how these connections should be configured. See the Connec‐
450 tion table for more information.
451 ssl: optional SSL
453 Global SSL configuration.
454 Security Configurations:
456 ipsec: boolean
458 Tunnel encryption configuration. If this column is set to be
459 true, all OVN tunnels will be encrypted with IPsec.
460 Read-only Options:
462 options : max_tunid: optional string
464 The maximum supported tunnel ID. Depends on types of encapsula‐
465 tion enabled in the cluster.
466
468 This table is used to define control plane protection policies, i.e.,
469 associate entries from table Meter to control protocol names.
470 Summary:
472 name string (must be unique within table)
473 meters : arp optional string
474 meters : arp-resolve optional string
475 meters : dhcpv4-opts optional string
476 meters : dhcpv6-opts optional string
477 meters : dns optional string
478 meters : event-elb optional string
479 meters : icmp4-error optional string
480 meters : icmp6-error optional string
481 meters : igmp optional string
482 meters : nd-na optional string
483 meters : nd-ns optional string
484 meters : nd-ns-resolve optional string
485 meters : nd-ra-opts optional string
486 meters : tcp-reset optional string
487 meters : bfd optional string
488 meters : reject optional string
489 meters : svc-monitor optional string
490 external_ids map of string-string pairs
491 Details:
493 name: string (must be unique within table)
494 CoPP name.
495 meters : arp: optional string
497 Rate limiting meter for ARP packets (request/reply) used for
498 learning neighbors.
499 meters : arp-resolve: optional string
501 Rate limiting meter for packets that require resolving the next-
502 hop (through ARP).
503 meters : dhcpv4-opts: optional string
505 Rate limiting meter for packets that require adding DHCPv4 op‐
506 tions.
507 meters : dhcpv6-opts: optional string
509 Rate limiting meter for packets that require adding DHCPv6 op‐
510 tions.
511 meters : dns: optional string
513 Rate limiting meter for DNS query packets that need to be
514 replied to.
515 meters : event-elb: optional string
517 Rate limiting meter for empty load balancer events.
518 meters : icmp4-error: optional string
520 Rate limiting meter for packets that require replying with an
521 ICMP error.
522 meters : icmp6-error: optional string
524 Rate limiting meter for packets that require replying with an
525 ICMPv6 error.
526 meters : igmp: optional string
528 Rate limiting meter for IGMP packets.
529 meters : nd-na: optional string
531 Rate limiting meter for ND neighbor advertisement packets used
532 for learning neighbors.
533 meters : nd-ns: optional string
535 Rate limiting meter for ND neighbor solicitation packets used
536 for learning neighbors.
537 meters : nd-ns-resolve: optional string
539 Rate limiting meter for packets that require resolving the next-
540 hop (through ND).
541 meters : nd-ra-opts: optional string
543 Rate limiting meter for packets that require adding ND router
544 advertisement options.
545 meters : tcp-reset: optional string
547 Rate limiting meter for packets that require replying with TCP
548 RST packet.
549 meters : bfd: optional string
551 Rate limiting meter for BFD packets.
552 meters : reject: optional string
554 Rate limiting meter for packets that trigger a reject action
555 meters : svc-monitor: optional string
557 Rate limiting meter for packets that are arriving to service
558 monitor MAC address.
559 external_ids: map of string-string pairs
561 See External IDs at the beginning of this document.
562
564 Each row represents one L2 logical switch.
565 There are two kinds of logical switches, that is, ones that fully vir‐
567 tualize the network (overlay logical switches) and ones that provide
568 simple connectivity to physical networks (bridged logical switches).
569 They work in the same way when providing connectivity between logical
570 ports on same chassis, but differently when connecting remote logical
571 ports. Overlay logical switches connect remote logical ports by tun‐
572 nels, while bridged logical switches provide connectivity to remote
573 ports by bridging the packets to directly connected physical L2 seg‐
574 ments with the help of localnet ports. Each bridged logical switch has
575 one or more localnet ports, which have only one special address un‐
576 known.
577 Summary:
579 ports set of Logical_Switch_Ports
580 load_balancer set of weak reference to Load_Balancers
581 load_balancer_group set of Load_Balancer_Groups
582 acls set of ACLs
583 qos_rules set of QoSes
584 dns_records set of weak reference to DNSes
585 forwarding_groups set of Forwarding_Groups
586 Naming:
587 name string
588 external_ids : neutron:network_name
589 optional string
590 IP Address Assignment:
591 other_config : subnet optional string
592 other_config : exclude_ips optional string
593 other_config : ipv6_prefix optional string
594 other_config : mac_only optional string, either true or false
595 other_config : fdb_age_threshold
596 optional string, containing an integer,
597 in range 0 to 4,294,967,295
598 IP Multicast Snooping Options:
599 other_config : mcast_snoop optional string, either true or false
600 other_config : mcast_querier
601 optional string, either true or false
602 other_config : mcast_flood_unregistered
603 optional string, either true or false
604 other_config : mcast_table_size
605 optional string, containing an integer,
606 in range 1 to 32,766
607 other_config : mcast_idle_timeout
608 optional string, containing an integer,
609 in range 15 to 3,600
610 other_config : mcast_query_interval
611 optional string, containing an integer,
612 in range 1 to 3,600
613 other_config : mcast_query_max_response
614 optional string, containing an integer,
615 in range 1 to 10
616 other_config : mcast_eth_src
617 optional string
618 other_config : mcast_ip4_src
619 optional string
620 other_config : mcast_ip6_src
621 optional string
622 Interconnection:
623 other_config : interconn-ts
624 optional string
625 Tunnel Key:
626 other_config : requested-tnl-key
627 optional string, containing an integer,
628 in range 1 to 16,777,215
629 copp optional weak reference to Copp
630 Other options:
631 other_config : vlan-passthru
632 optional string, either true or false
633 other_config : broadcast-arps-to-all-routers
634 optional string, either true or false
635 Common Columns:
636 external_ids map of string-string pairs
637 Details:
639 ports: set of Logical_Switch_Ports
640 The logical ports connected to the logical switch.
641 It is an error for multiple logical switches to include the same
643 logical port.
644 load_balancer: set of weak reference to Load_Balancers
646 Set of load balancers associated to this logical switch.
647 load_balancer_group: set of Load_Balancer_Groups
649 Set of load balancers groups associated to this logical switch.
650 acls: set of ACLs
652 Access control rules that apply to packets within the logical
653 switch.
654 qos_rules: set of QoSes
656 QoS marking and metering rules that apply to packets within the
657 logical switch.
658 dns_records: set of weak reference to DNSes
660 This column defines the DNS records to be used for resolving in‐
661 ternal DNS queries within the logical switch by the native DNS
662 resolver. Please see the DNS table.
663 forwarding_groups: set of Forwarding_Groups
665 Groups a set of logical port endpoints for traffic going out of
666 the logical switch.
667 Naming:
669 These columns provide names for the logical switch. From OVN’s perspec‐
671 tive, these names have no special meaning or purpose other than to pro‐
672 vide convenience for human interaction with the database. There is no
673 requirement for the name to be unique. (For a unique identifier for a
674 logical switch, use its row UUID.)
675 (Originally, name was intended to serve the purpose of a human-friendly
677 name, but the Neutron integration used it to uniquely identify its own
678 switch object, in the format neutron-uuid. Later on, Neutron started
679 propagating the friendly name of a switch as external_ids:neutron:net‐
680 work_name. Perhaps this can be cleaned up someday.)
681 name: string
683 A name for the logical switch.
684 external_ids : neutron:network_name: optional string
686 Another name for the logical switch.
687 IP Address Assignment:
689 These options control automatic IP address management (IPAM) for ports
691 attached to the logical switch. To enable IPAM for IPv4, set other_con‐
692 fig:subnet and optionally other_config:exclude_ips. To enable IPAM for
693 IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be enabled to‐
694 gether or separately.
695 To request dynamic address assignment for a particular port, use the
697 dynamic keyword in the addresses column of the port’s Logi‐
698 cal_Switch_Port row. This requests both an IPv4 and an IPv6 address, if
699 IPAM for IPv4 and IPv6 are both enabled.
700 other_config : subnet: optional string
702 Set this to an IPv4 subnet, e.g. 192.168.0.0/24, to enable
703 ovn-northd to automatically assign IP addresses within that sub‐
704 net.
705 other_config : exclude_ips: optional string
707 To exclude some addresses from automatic IP address management,
708 set this to a list of the IPv4 addresses or ..-delimited ranges
709 to exclude. The addresses or ranges should be a subset of those
710 in other_config:subnet.
711 Whether listed or not, ovn-northd will never allocate the first
713 or last address in a subnet, such as 192.168.0.0 or
714 192.168.0.255 in 192.168.0.0/24.
715 Examples:
717 • 192.168.0.2 192.168.0.10
719 • 192.168.0.4 192.168.0.30..192.168.0.60
721 192.168.0.110..192.168.0.120
722 • 192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30
724 192.168.0.144
725 other_config : ipv6_prefix: optional string
727 Set this to an IPv6 prefix to enable ovn-northd to automatically
728 assign IPv6 addresses using this prefix. The assigned IPv6 ad‐
729 dress will be generated using the IPv6 prefix and the MAC ad‐
730 dress (converted to an IEEE EUI64 identifier) of the port. The
731 IPv6 prefix defined here should be a valid IPv6 address ending
732 with ::.
733 Examples:
735 • aef0::
737 • bef0:1234:a890:5678::
739 • 8230:5678::
741 other_config : mac_only: optional string, either true or false
743 Value used to request to assign L2 address only if neither sub‐
744 net nor ipv6_prefix are specified
745 other_config : fdb_age_threshold: optional string, containing an inte‐
747 ger, in range 0 to 4,294,967,295
748 FDB aging threshold value in seconds. FDB exceeding this timeout
749 will be automatically removed. The value defaults to 0, which
750 means disabled.
751 IP Multicast Snooping Options:
753 These options control IP Multicast Snooping configuration of the logi‐
755 cal switch. To enable IP Multicast Snooping set other_con‐
756 fig:mcast_snoop to true. To enable IP Multicast Querier set other_con‐
757 fig:mcast_querier to true. If IP Multicast Querier is enabled
758 other_config:mcast_eth_src and other_config:mcast_ip4_src must be set.
759 other_config : mcast_snoop: optional string, either true or false
761 Enables/disables IP Multicast Snooping on the logical switch.
762 Default: false.
763 other_config : mcast_querier: optional string, either true or false
765 Enables/disables IP Multicast Querier on the logical switch.
766 Only applicable if other_config:mcast_snoop is enabled. Default:
767 true.
768 other_config : mcast_flood_unregistered: optional string, either true
770 or false
771 Determines whether unregistered multicast traffic should be
772 flooded or not. Only applicable if other_config:mcast_snoop is
773 enabled. Default: false.
774 other_config : mcast_table_size: optional string, containing an inte‐
776 ger, in range 1 to 32,766
777 Number of multicast groups to be stored. Default: 2048.
778 other_config : mcast_idle_timeout: optional string, containing an inte‐
780 ger, in range 15 to 3,600
781 Configures the IP Multicast Snooping group idle timeout (in sec‐
782 onds). Default: 300 seconds.
783 other_config : mcast_query_interval: optional string, containing an in‐
785 teger, in range 1 to 3,600
786 Configures the IP Multicast Querier interval between queries (in
787 seconds). Default: other_config:mcast_idle_timeout / 2.
788 other_config : mcast_query_max_response: optional string, containing an
790 integer, in range 1 to 10
791 Configures the value of the "max-response" field in the multi‐
792 cast queries originated by the logical switch. Default: 1 sec‐
793 ond.
794 other_config : mcast_eth_src: optional string
796 Configures the source Ethernet address for queries originated by
797 the logical switch.
798 other_config : mcast_ip4_src: optional string
800 Configures the source IPv4 address for queries originated by the
801 logical switch.
802 other_config : mcast_ip6_src: optional string
804 Configures the source IPv6 address for queries originated by the
805 logical switch.
806 Interconnection:
808 other_config : interconn-ts: optional string
810 The name of corresponding transit switch in OVN_IC_Northbound
811 database. This kind of logical switch is created and controlled
812 by ovn-ic.
813 Tunnel Key:
815 other_config : requested-tnl-key: optional string, containing an inte‐
817 ger, in range 1 to 16,777,215
818 Configures the datapath tunnel key for the logical switch. Usu‐
819 ally this is not needed because ovn-northd will assign an unique
820 key for each datapath by itself. However, if it is configured,
821 ovn-northd honors the configured value. The typical use case is
822 for interconnection: the tunnel keys for transit switches need
823 to be unique globally, so they are maintained in the global
824 OVN_IC_Southbound database, and ovn-ic simply syncs the value
825 from OVN_IC_Southbound through this config.
826 copp: optional weak reference to Copp
828 The control plane protection policy from table Copp used for me‐
829 tering packets sent to ovn-controller from ports of this logical
830 switch.
831 Other options:
833 other_config : vlan-passthru: optional string, either true or false
835 Determines whether VLAN tagged incoming traffic should be al‐
836 lowed. Note that this may have security implications when en‐
837 abled for a logical switch with a tag=0 localnet port. If not
838 properly isolated from other localnet ports, fabric traffic that
839 belongs to other tagged networks may be passed through such a
840 port.
841 other_config : broadcast-arps-to-all-routers: optional string, either
843 true or false
844 Determines whether arp requests and ipv6 neighbor solicitations
845 should be sent to all routers and other switchports (default) or
846 if it should only be sent to switchports where the ip/mac ad‐
847 dress is unknown. Setting this to false can significantly reduce
848 the load if the logical switch can receive arp requests for ips
849 it does not know about. However setting this to false also means
850 that garps are no longer forwarded to all routers and therefor
851 the mac bindings of the routers are no longer updated.
852 Common Columns:
854 external_ids: map of string-string pairs
856 See External IDs at the beginning of this document.
857
859 A port within an L2 logical switch.
860 Summary:
862 Core Features:
863 name string (must be unique within table)
864 type string
865 Options:
866 options map of string-string pairs
867 Options for router ports:
868 options : router-port optional string
869 options : nat-addresses optional string
870 options : exclude-lb-vips-from-garp
871 optional string
872 options : arp_proxy optional string
873 Options for localnet ports:
874 options : network_name optional string
875 options : ethtype optional string
876 options : localnet_learn_fdb
877 optional string, either true or false
878 Options for l2gateway ports:
879 options : network_name optional string
880 options : l2gateway-chassis
881 optional string
882 Options for vtep ports:
883 options : vtep-physical-switch
884 optional string
885 options : vtep-logical-switch
886 optional string
887 VMI (or VIF) Options:
888 options : requested-chassis
889 optional string
890 options : activation-strategy
891 optional string
892 options : iface-id-ver optional string
893 options : qos_min_rate optional string
894 options : qos_max_rate optional string
895 options : qos_burst optional string
896 options : hostname optional string
897 VIF Plugging Options:
898 options : vif-plug-type
899 optional string
900 options : vif-plug-mtu-request
901 optional string
902 Virtual port Options:
903 options : virtual-ip optional string
904 options : virtual-parents
905 optional string
906 IP Multicast Snooping Options:
907 options : mcast_flood optional string, either true or false
908 options : mcast_flood_reports
909 optional string, either true or false
910 Containers:
911 parent_name optional string
912 tag_request optional integer, in range 0 to 4,095
913 tag optional integer, in range 1 to 4,095
914 Port State:
915 up optional boolean
916 enabled optional boolean
917 Addressing:
918 addresses set of strings
919 dynamic_addresses optional string
920 port_security set of strings
921 DHCP:
922 dhcpv4_options optional weak reference to DHCP_Options
923 dhcpv6_options optional weak reference to DHCP_Options
924 mirror_rules set of weak reference to Mirrors
925 ha_chassis_group optional HA_Chassis_Group
926 Naming:
927 external_ids : neutron:port_name
928 optional string
929 Tunnel Key:
930 options : requested-tnl-key
931 optional string, containing an integer,
932 in range 1 to 32,767
933 Common Columns:
934 external_ids map of string-string pairs
935 Details:
937 Core Features:
938 name: string (must be unique within table)
940 The logical port name.
941 For entities (VMs or containers) that are spawned in the hyper‐
943 visor, the name used here must match those used in the exter‐
944 nal_ids:iface-id in the Open_vSwitch database’s Interface table,
945 because hypervisors use external_ids:iface-id as a lookup key to
946 identify the network interface of that entity.
947 For containers that share a VIF within a VM, the name can be any
949 unique identifier. See Containers, below, for more information.
950 A logical switch port may not have the same name as a logical
952 router port, but the database schema cannot enforce this.
953 type: string
955 Specify a type for this logical port. Logical ports can be used
956 to model other types of connectivity into an OVN logical switch.
957 The following types are defined:
958 (empty string)
960 A VM (or VIF) interface.
961 router A connection to a logical router. The value of op‐
963 tions:router-port specifies the name of the Logi‐
964 cal_Router_Port to which this logical switch port is con‐
965 nected.
966 localnet
968 A connection to a locally accessible network from
969 ovn-controller instances that have a corresponding bridge
970 mapping. A logical switch can have multiple localnet
971 ports attached. This type is used to model direct connec‐
972 tivity to existing networks. In this case, each chassis
973 should have a mapping for one of the physical networks
974 only. Note: nothing said above implies that a chassis
975 cannot be plugged to multiple physical networks as long
976 as they belong to different switches.
977 localport
979 A connection to a local VIF. Traffic that arrives on a
980 localport is never forwarded over a tunnel to another
981 chassis. These ports are present on every chassis and
982 have the same address in all of them. This is used to
983 model connectivity to local services that run on every
984 hypervisor.
985 l2gateway
987 A connection to a physical network.
988 vtep A port to a logical switch on a VTEP gateway.
990 external
992 Represents a logical port which is external and not hav‐
993 ing an OVS port in the integration bridge. OVN will never
994 receive any traffic from this port or send any traffic to
995 this port. OVN can support native services like
996 DHCPv4/DHCPv6/DNS for this port. If ha_chassis_group is
997 defined, ovn-controller running in the master chassis of
998 the HA chassis group will bind this port to provide these
999 native services. It is expected that this port belong to
1000 a bridged logical switch (with a localnet port).
1001 It is recommended to use the same HA chassis group for
1003 all the external ports of a logical switch. Otherwise,
1004 the physical switch might see MAC flap issue when differ‐
1005 ent chassis provide the native services. For example when
1006 supporting native DHCPv4 service, DHCPv4 server mac (con‐
1007 figured in options:server_mac column in table DHCP_Op‐
1008 tions) originating from different ports can cause MAC
1009 flap issue. The MAC of the logical router IP(s) can also
1010 flap if the same HA chassis group is not set for all the
1011 external ports of a logical switch.
1012 Below are some of the use cases where external ports can
1014 be used.
1015 • VMs connected to SR-IOV nics - Traffic from these
1017 VMs by passes the kernel stack and local ovn-con‐
1018 troller do not bind these ports and cannot serve
1019 the native services.
1020 • When CMS supports provisioning baremetal servers.
1022 virtual
1024 Represents a logical port which does not have an OVS port
1025 in the integration bridge and has a virtual ip configured
1026 in the options:virtual-ip column. This virtual ip can
1027 move around between the logical ports configured in the
1028 options:virtual-parents column.
1029 One of the use case where virtual ports can be used is.
1031 • The virtual ip represents a load balancer vip and
1033 the virtual parents provide load balancer service
1034 in an active-standby setup with the active virtual
1035 parent owning the virtual ip.
1036 remote A remote port is to model a port that resides remotely on
1038 another OVN, which is on the other side of a transit log‐
1039 ical switch for OVN interconnection. This type of ports
1040 are created by ovn-ic instead of by CMS. Any change to
1041 the port will be automatically overwritten by ovn-ic.
1042 Options:
1044 options: map of string-string pairs
1046 This column provides key/value settings specific to the logical
1047 port type. The type-specific options are described individually
1048 below.
1049 Options for router ports:
1051 These options apply when type is router.
1053 options : router-port: optional string
1055 Required. The name of the Logical_Router_Port to which this log‐
1056 ical switch port is connected.
1057 options : nat-addresses: optional string
1059 This is used to send gratuitous ARPs for SNAT and DNAT IP ad‐
1060 dresses via the localnet port that is attached to the same logi‐
1061 cal switch as this type router port. This option is specified on
1062 a logical switch port that is connected to a gateway router, or
1063 a logical switch port that is connected to a distributed gateway
1064 port on a logical router.
1065 This must take one of the following forms:
1067 router Gratuitous ARPs will be sent for all SNAT and DNAT exter‐
1069 nal IP addresses and for all load balancer IP addresses
1070 defined on the options:router-port’s logical router, us‐
1071 ing the options:router-port’s MAC address.
1072 This form of options:nat-addresses is valid for logical
1074 switch ports where options:router-port is the name of a
1075 port on a gateway router, or the name of a distributed
1076 gateway port.
1077 Supported only in OVN 2.8 and later. Earlier versions re‐
1079 quired NAT addresses to be manually synchronized.
1080 Ethernet address followed by one or more IPv4 addresses
1082 Example: 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24.
1083 This would result in generation of gratuitous ARPs for IP
1084 addresses 158.36.44.22 and 158.36.44.24 with a MAC ad‐
1085 dress of 80:fa:5b:06:72:b7.
1086 This form of options:nat-addresses is only valid for log‐
1088 ical switch ports where options:router-port is the name
1089 of a port on a gateway router.
1090 options : exclude-lb-vips-from-garp: optional string
1092 If options:nat-addresses is set to router, Gratuitous ARPs will
1093 be sent for all SNAT and DNAT external IP addresses defined on
1094 the options:router-port’s logical router, using the op‐
1095 tions:router-port’s MAC address, not cosidering configured load
1096 balancers.
1097 options : arp_proxy: optional string
1099 Optional. A list of MAC and addresses/cidrs or just ad‐
1100 dresses/cidrs that this logical switch router port will reply to
1101 ARP/NDP requests. Examples: 169.254.239.254 169.254.239.2,
1102 0a:58:a9:fe:01:01 169.254.239.254 169.254.239.2
1103 169.254.238.0/24, fd7b:6b4d:7b25:d22f::1 fd7b:6b4d:7b25:d22f::2,
1104 0a:58:a9:fe:01:01 fd7b:6b4d:7b25:d22f::0/64. Theoptions:router-
1105 port’s logical router should have a route to forward packets
1106 sent to configured proxy ARP MAC/IPs to an appropriate destina‐
1107 tion.
1108 Options for localnet ports:
1110 These options apply when type is localnet.
1112 options : network_name: optional string
1114 Required. The name of the network to which the localnet port is
1115 connected. Each hypervisor, via ovn-controller, uses its local
1116 configuration to determine exactly how to connect to this lo‐
1117 cally accessible network, if at all.
1118 options : ethtype: optional string
1120 Optional. VLAN EtherType field value for encapsulating VLAN
1121 headers. Supported values: 802.11q (default), 802.11ad.
1122 options : localnet_learn_fdb: optional string, either true or false
1124 Optional. Allows localnet port to learn MACs and store them in
1125 FDB table if set to true. The default value is false.
1126 Options for l2gateway ports:
1128 These options apply when type is l2gateway.
1130 options : network_name: optional string
1132 Required. The name of the network to which the l2gateway port is
1133 connected. The L2 gateway, via ovn-controller, uses its local
1134 configuration to determine exactly how to connect to this net‐
1135 work.
1136 options : l2gateway-chassis: optional string
1138 Required. The chassis on which the l2gateway logical port should
1139 be bound to. ovn-controller running on the defined chassis will
1140 connect this logical port to the physical network.
1141 Options for vtep ports:
1143 These options apply when type is vtep.
1145 options : vtep-physical-switch: optional string
1147 Required. The name of the VTEP gateway.
1148 options : vtep-logical-switch: optional string
1150 Required. A logical switch name connected by the VTEP gateway.
1151 VMI (or VIF) Options:
1153 These options apply to logical ports with type having (empty string)
1155 options : requested-chassis: optional string
1157 If set, identifies a specific chassis (by name or hostname) that
1158 is allowed to bind this port. Using this option will prevent
1159 thrashing between two chassis trying to bind the same port dur‐
1160 ing a live migration. It can also prevent similar thrashing due
1161 to a mis-configuration, if a port is accidentally created on
1162 more than one chassis.
1163 If set to a comma separated list, the first entry identifies the
1165 main chassis and the rest are one or more additional chassis
1166 that are allowed to bind the same port.
1167 When multiple chassis are set for the port, and the logical
1169 switch is connected to an external network through a localnet
1170 port, tunneling is enforced for the port to guarantee delivery
1171 of packets directed to the port to all its locations. This has
1172 MTU implications because the network used for tunneling must
1173 have MTU larger than localnet for stable connectivity.
1174 If the same host co-hosts more than one controller instance (ei‐
1176 ther belonging to the same or separate clusters), special atten‐
1177 tion should be given to consistently using unique chassis names
1178 used in this option. It is advised that chassis names - and not
1179 host names - are used for this option.
1180 options : activation-strategy: optional string
1182 If used with multiple chassis set in requested-chassis, speci‐
1183 fies an activation strategy for all additional chassis. By de‐
1184 fault, no activation strategy is used, meaning additional port
1185 locations are immediately available for use. When set to "rarp",
1186 the port is blocked for ingress and egress communication until a
1187 RARP packet is sent from a new location. The "rarp" strategy is
1188 useful in live migration scenarios for virtual machines.
1189 options : iface-id-ver: optional string
1191 If set, this port will be bound by ovn-controller only if this
1192 same key and value is configured in the external_ids column in
1193 the Open_vSwitch database’s Interface table.
1194 options : qos_min_rate: optional string
1196 If set, indicates the minimum guaranteed rate available for data
1197 sent from this interface, in bit/s.
1198 options : qos_max_rate: optional string
1200 If set, indicates the maximum rate for data sent from this in‐
1201 terface, in bit/s. The traffic will be shaped according to this
1202 limit.
1203 options : qos_burst: optional string
1205 If set, indicates the maximum burst size for data sent from this
1206 interface, in bits.
1207 options : hostname: optional string
1209 If set, indicates the DHCPv4 option "Hostname" (option code 12)
1210 associated for this Logical Switch Port. If DHCPv4 is enabled
1211 for this Logical Switch Port, hostname dhcp option will be in‐
1212 cluded in DHCP reply.
1213 VIF Plugging Options:
1215 options : vif-plug-type: optional string
1217 If set, OVN will attempt to perform plugging of this VIF. In or‐
1218 der to get this port plugged by the OVN controller, OVN must be
1219 built with support for VIF plugging. The default behavior is for
1220 the CMS to do the VIF plugging. Each VIF plug provider have
1221 their own options namespaced by name, for example "vif-plug:rep‐
1222 resentor:key". Please refer to the VIF plug provider documenta‐
1223 tion located in Documentation/topics/vif-plug-providers/ for
1224 more information.
1225 options : vif-plug-mtu-request: optional string
1227 Requested MTU for plugged interfaces. When set the OVN con‐
1228 troller will fill the mtu_request column of the Open vSwitch
1229 database’s Interface table. This in turn will make OVS vswitchd
1230 update the MTU of the linked interface.
1231 Virtual port Options:
1233 These options apply when type is virtual.
1235 options : virtual-ip: optional string
1237 This option represents the virtual IPv4 address.
1238 options : virtual-parents: optional string
1240 This options represents a set of logical port names (with in the
1241 same logical switch) which can own the virtual ip configured in
1242 the options:virtual-ip. All these virtual parents should add the
1243 virtual ip in the port_security if port security addressed are
1244 enabled.
1245 IP Multicast Snooping Options:
1247 These options apply when the port is part of a logical switch which has
1249 other_config :mcast_snoop set to true.
1250 options : mcast_flood: optional string, either true or false
1252 If set to true, multicast packets (except reports) are uncondi‐
1253 tionally forwarded to the specific port. Default: false.
1254 options : mcast_flood_reports: optional string, either true or false
1256 If set to true, multicast reports are unconditionally forwarded
1257 to the specific port. Default: false.
1258 Containers:
1260 When a large number of containers are nested within a VM, it may be too
1262 expensive to dedicate a VIF to each container. OVN can use VLAN tags to
1263 support such cases. Each container is assigned a VLAN ID and each
1264 packet that passes between the hypervisor and the VM is tagged with the
1265 appropriate ID for the container. Such VLAN IDs never appear on a phys‐
1266 ical wire, even inside a tunnel, so they need not be unique except rel‐
1267 ative to a single VM on a hypervisor.
1268 These columns are used for VIFs that represent nested containers using
1270 shared VIFs. For VMs and for containers that have dedicated VIFs, they
1271 are empty.
1272 parent_name: optional string
1274 The VM interface through which the nested container sends its
1275 network traffic. This must match the name column for some other
1276 Logical_Switch_Port. Note: for performance of the OVN Southbound
1277 database conditional monitoring, unlike for regular VIFs,
1278 ovn-controller will register to get updates about all OVN South‐
1279 bound database Port_Binding table records that correspond to
1280 nested container ports even if external_ids:ovn-monitor-all is
1281 set to false. See ovn-controller(8) for more information.
1282 tag_request: optional integer, in range 0 to 4,095
1284 The VLAN tag in the network traffic associated with a con‐
1285 tainer’s network interface. The client can request ovn-northd to
1286 allocate a tag that is unique within the scope of a specific
1287 parent (specified in parent_name) by setting a value of 0 in
1288 this column. The allocated value is written by ovn-northd in the
1289 tag column. (Note that these tags are allocated and managed lo‐
1290 cally in ovn-northd, so they cannot be reconstructed in the
1291 event that the database is lost.) The client can also request a
1292 specific non-zero tag and ovn-northd will honor it and copy that
1293 value to the tag column.
1294 When type is set to localnet or l2gateway, this can be set to
1296 indicate that the port represents a connection to a specific
1297 VLAN on a locally accessible network. The VLAN ID is used to
1298 match incoming traffic and is also added to outgoing traffic.
1299 tag: optional integer, in range 1 to 4,095
1301 The VLAN tag allocated by ovn-northd based on the contents of
1302 the tag_request column.
1303 Port State:
1305 up: optional boolean
1307 This column is populated by ovn-northd, rather than by the CMS
1308 plugin as is most of this database. When a logical port is bound
1309 to a physical location in the OVN Southbound database Binding
1310 table, ovn-northd sets this column to true; otherwise, or if the
1311 port becomes unbound later, it sets it to false. If this column
1312 is empty, the port is not considered up. This allows the CMS to
1313 wait for a VM’s (or container’s) networking to become active be‐
1314 fore it allows the VM (or container) to start.
1315 Logical ports of router type are an exception to this rule. They
1317 are considered to be always up, that is this column is always
1318 set to true.
1319 enabled: optional boolean
1321 This column is used to administratively set port state. If this
1322 column is empty or is set to true, the port is enabled. If this
1323 column is set to false, the port is disabled. A disabled port
1324 has all ingress and egress traffic dropped.
1325 Addressing:
1327 addresses: set of strings
1329 Addresses owned by the logical port.
1330 Each element in the set must take one of the following forms:
1332 Ethernet address followed by zero or more IPv4 or IPv6 addresses
1334 (or both)
1335 An Ethernet address defined is owned by the logical port.
1336 Like a physical Ethernet NIC, a logical port ordinarily
1337 has a single fixed Ethernet address.
1338 When a OVN logical switch processes a unicast Ethernet
1340 frame whose destination MAC address is in a logical
1341 port’s addresses column, it delivers it only to that
1342 port, as if a MAC learning process had learned that MAC
1343 address on the port.
1344 If IPv4 or IPv6 address(es) (or both) are defined, it in‐
1346 dicates that the logical port owns the given IP ad‐
1347 dresses.
1348 If IPv4 address(es) are defined, the OVN logical switch
1350 uses this information to synthesize responses to ARP re‐
1351 quests without traversing the physical network. The OVN
1352 logical router connected to the logical switch, if any,
1353 uses this information to avoid issuing ARP requests for
1354 logical switch ports.
1355 Note that the order here is important. The Ethernet ad‐
1357 dress must be listed before the IP address(es) if de‐
1358 fined.
1359 Examples:
1361 80:fa:5b:06:72:b7
1363 This indicates that the logical port owns the
1364 above mac address.
1365 80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
1367 This indicates that the logical port owns the mac
1368 address and two IPv4 addresses.
1369 80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1371 This indicates that the logical port owns the mac
1372 address and 1 IPv6 address.
1373 80:fa:5b:06:72:b7 10.0.0.4
1375 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1376 This indicates that the logical port owns the mac
1377 address and 1 IPv4 address and 1 IPv6 address.
1378 unknown
1380 This indicates that the logical port has an unknown set
1381 of Ethernet addresses. When an OVN logical switch pro‐
1382 cesses a unicast Ethernet frame whose destination MAC ad‐
1383 dress is not in any logical port’s addresses column, it
1384 delivers it to the port (or ports) whose addresses col‐
1385 umns include unknown.
1386 dynamic
1388 Use dynamic to make ovn-northd generate a globally unique
1389 MAC address, choose an unused IPv4 address with the logi‐
1390 cal port’s subnet (if other_config:subnet is set in the
1391 port’s Logical_Switch), and generate an IPv6 address from
1392 the MAC address (if other_config:ipv6_prefix is set in
1393 the port’s Logical_Switch) and store them in the port’s
1394 dynamic_addresses column.
1395 Only one element containing dynamic may appear in ad‐
1397 dresses.
1398 dynamic ip
1400 dynamic ipv6
1401 dynamic ip ipv6
1402 These act like dynamic alone but specify particular IPv4 or
1403 IPv6 addresses to use. OVN IPAM will still automatically
1404 allocate the other address if configured appropriately. Ex‐
1405 ample: dynamic 192.168.0.1 2001::1.
1406 mac dynamic
1408 This acts like dynamic alone but specifies a particular MAC
1409 address to use. OVN IPAM will still automatically allocate
1410 IPv4 or IPv6 addresses, or both, if configured appropri‐
1411 ately. Example: 80:fa:5b:06:72:b7 dynamic
1412 router
1414 Accepted only when type is router. This indicates that the
1415 Ethernet, IPv4, and IPv6 addresses for this logical switch
1416 port should be obtained from the connected logical router
1417 port, as specified by router-port in options.
1418 The resulting addresses are used to populate the logical
1420 switch’s destination lookup, and also for the logical
1421 switch to generate ARP and ND replies.
1422 If the connected logical router port has a distributed
1424 gateway port specified and the logical router has rules
1425 specified in nat with external_mac, then those addresses
1426 are also used to populate the switch’s destination lookup.
1427 Supported only in OVN 2.7 and later. Earlier versions re‐
1429 quired router addresses to be manually synchronized.
1430 dynamic_addresses: optional string
1432 Addresses assigned to the logical port by ovn-northd, if dynamic
1433 is specified in addresses. Addresses will be of the same format
1434 as those that populate the addresses column. Note that dynami‐
1435 cally assigned addresses are constructed and managed locally in
1436 ovn-northd, so they cannot be reconstructed in the event that
1437 the database is lost.
1438 port_security: set of strings
1440 This column controls the addresses from which the host attached
1441 to the logical port (``the host’’) is allowed to send packets
1442 and to which it is allowed to receive packets. If this column is
1443 empty, all addresses are permitted.
1444 Each element in the set must begin with one Ethernet address.
1446 This would restrict the host to sending packets from and receiv‐
1447 ing packets to the ethernet addresses defined in the logical
1448 port’s port_security column. It also restricts the inner source
1449 MAC addresses that the host may send in ARP and IPv6 Neighbor
1450 Discovery packets. The host is always allowed to receive packets
1451 to multicast and broadcast Ethernet addresses.
1452 Each element in the set may additionally contain one or more
1454 IPv4 or IPv6 addresses (or both), with optional masks. If a mask
1455 is given, it must be a CIDR mask. In addition to the restric‐
1456 tions described for Ethernet addresses above, such an element
1457 restricts the IPv4 or IPv6 addresses from which the host may
1458 send and to which it may receive packets to the specified ad‐
1459 dresses. A masked address, if the host part is zero, indicates
1460 that the host is allowed to use any address in the subnet; if
1461 the host part is nonzero, the mask simply indicates the size of
1462 the subnet. In addition:
1463 • If any IPv4 address is given, the host is also allowed to
1465 receive packets to the IPv4 local broadcast address
1466 255.255.255.255 and to IPv4 multicast addresses
1467 (224.0.0.0/4). If an IPv4 address with a mask is given,
1468 the host is also allowed to receive packets to the broad‐
1469 cast address in that specified subnet.
1470 If any IPv4 address is given, the host is additionally
1472 restricted to sending ARP packets with the specified
1473 source IPv4 address. (RARP is not restricted.)
1474 • If any IPv6 address is given, the host is also allowed to
1476 receive packets to IPv6 multicast addresses (ff00::/8).
1477 If any IPv6 address is given, the host is additionally
1479 restricted to sending IPv6 Neighbor Discovery Solicita‐
1480 tion or Advertisement packets with the specified source
1481 address or, for solicitations, the unspecified address.
1482 If an element includes an IPv4 address, but no IPv6 addresses,
1484 then IPv6 traffic is not allowed. If an element includes an IPv6
1485 address, but no IPv4 address, then IPv4 and ARP traffic is not
1486 allowed.
1487 This column uses the same lexical syntax as the match column in
1489 the OVN Southbound database’s Pipeline table. Multiple addresses
1490 within an element may be space or comma separated.
1491 This column is provided as a convenience to cloud management
1493 systems, but all of the features that it implements can be im‐
1494 plemented as ACLs using the ACL table.
1495 Examples:
1497 80:fa:5b:06:72:b7
1499 The host may send traffic from and receive traffic to the
1500 specified MAC address, and to receive traffic to Ethernet
1501 multicast and broadcast addresses, but not otherwise. The
1502 host may not send ARP or IPv6 Neighbor Discovery packets
1503 with inner source Ethernet addresses other than the one
1504 specified.
1505 80:fa:5b:06:72:b7 192.168.1.10/24
1507 This adds further restrictions to the first example. The
1508 host may send IPv4 packets from or receive IPv4 packets
1509 to only 192.168.1.10, except that it may also receive
1510 IPv4 packets to 192.168.1.255 (based on the subnet mask),
1511 255.255.255.255, and any address in 224.0.0.0/4. The host
1512 may not send ARPs with a source Ethernet address other
1513 than 80:fa:5b:06:72:b7 or source IPv4 address other than
1514 192.168.1.10. The host may not send or receive any IPv6
1515 (including IPv6 Neighbor Discovery) traffic.
1516 "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
1518 The host may send traffic from and receive traffic to the
1519 specified MAC addresses, and to receive traffic to Ether‐
1520 net multicast and broadcast addresses, but not otherwise.
1521 With MAC 80:fa:5b:12:42:ba, the host may send traffic
1522 from and receive traffic to any L3 address. With MAC
1523 80:fa:5b:06:72:b7, the host may send IPv4 packets from or
1524 receive IPv4 packets to only 192.168.1.10, except that it
1525 may also receive IPv4 packets to 192.168.1.255 (based on
1526 the subnet mask), 255.255.255.255, and any address in
1527 224.0.0.0/4. The host may not send or receive any IPv6
1528 (including IPv6 Neighbor Discovery) traffic.
1529 DHCP:
1531 dhcpv4_options: optional weak reference to DHCP_Options
1533 This column defines the DHCPv4 Options to be included by the
1534 ovn-controller when it replies to the DHCPv4 requests. Please
1535 see the DHCP_Options table.
1536 dhcpv6_options: optional weak reference to DHCP_Options
1538 This column defines the DHCPv6 Options to be included by the
1539 ovn-controller when it replies to the DHCPv6 requests. Please
1540 see the DHCP_Options table.
1541 mirror_rules: set of weak reference to Mirrors
1543 Mirror rules that apply to logical switch port which is the
1544 source. Please see the Mirror table.
1545 ha_chassis_group: optional HA_Chassis_Group
1547 References a row in the OVN Northbound database’s HA_Chas‐
1548 sis_Group table. It indicates the HA chassis group to use if the
1549 type is set to external. If type is not external, this column is
1550 ignored.
1551 Naming:
1553 external_ids : neutron:port_name: optional string
1555 This column gives an optional human-friendly name for the port.
1556 This name has no special meaning or purpose other than to pro‐
1557 vide convenience for human interaction with the northbound data‐
1558 base.
1559 Neutron copies this from its own port object’s name. (Neutron
1561 ports do are not assigned human-friendly names by default, so it
1562 will often be empty.)
1563 Tunnel Key:
1565 options : requested-tnl-key: optional string, containing an integer, in
1567 range 1 to 32,767
1568 Configures the port binding tunnel key for the port. Usually
1569 this is not needed because ovn-northd will assign an unique key
1570 for each port by itself. However, if it is configured,
1571 ovn-northd honors the configured value. The typical use case is
1572 for interconnection: the tunnel keys for ports on transit
1573 switches need to be unique globally, so they are maintained in
1574 the global OVN_IC_Southbound database, and ovn-ic simply syncs
1575 the value from OVN_IC_Southbound through this config.
1576 Common Columns:
1578 external_ids: map of string-string pairs
1580 See External IDs at the beginning of this document.
1581 The ovn-northd program copies all these pairs into the exter‐
1583 nal_ids column of the Port_Binding table in OVN_Southbound data‐
1584 base.
1585
1587 Each row represents one forwarding group.
1588 Summary:
1590 name string
1591 vip string
1592 vmac string
1593 liveness boolean
1594 child_port set of 1 or more strings
1595 Common Columns:
1596 external_ids map of string-string pairs
1597 Details:
1599 name: string
1600 A name for the forwarding group. This name has no special mean‐
1601 ing or purpose other than to provide convenience for human in‐
1602 teraction with the ovn-nb database.
1603 vip: string
1605 The virtual IP address assigned to the forwarding group. It will
1606 respond with vmac when an ARP request is sent for vip.
1607 vmac: string
1609 The virtual MAC address assigned to the forwarding group.
1610 liveness: boolean
1612 If set to true, liveness is enabled for child ports otherwise it
1613 is disabled.
1614 child_port: set of 1 or more strings
1616 List of child ports in the forwarding group.
1617 Common Columns:
1619 external_ids: map of string-string pairs
1621 See External IDs at the beginning of this document.
1622
1624 Each row in this table represents a named set of addresses. An address
1625 set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
1626 or CIDR masks. Address set may ultimately be used in ACLs to compare
1627 against fields such as ip4.src or ip6.src. A single address set must
1628 contain addresses of the same type. As an example, the following would
1629 create an address set with three IP addresses:
1630 ovn-nbctl create Address_Set name=set1 addresses=’10.0.0.1 10.0.0.2 10.0.0.3’
1632 Address sets may be used in the match column of the ACL table. For syn‐
1635 tax information, see the details of the expression language used for
1636 the match column in the Logical_Flow table of the OVN_Southbound data‐
1637 base.
1638 Summary:
1640 name string (must be unique within table)
1641 addresses set of strings
1642 Common Columns:
1643 external_ids map of string-string pairs
1644 Details:
1646 name: string (must be unique within table)
1647 A name for the address set. Names are ASCII and must match
1648 [a-zA-Z_.][a-zA-Z_.0-9]*.
1649 addresses: set of strings
1651 The set of addresses in string form.
1652 Common Columns:
1654 external_ids: map of string-string pairs
1656 See External IDs at the beginning of this document.
1657
1659 Each row in this table represents a named group of logical switch
1660 ports.
1661 Port groups may be used in the match column of the ACL table. For syn‐
1663 tax information, see the details of the expression language used for
1664 the match column in the Logical_Flow table of the OVN_Southbound data‐
1665 base.
1666 For each port group, there are two address sets generated to the Ad‐
1668 dress_Set table of the OVN_Southbound database, containing the IP ad‐
1669 dresses of the group of ports, one for IPv4, and the other for IPv6,
1670 with name being the name of the Port_Group followed by a suffix _ip4
1671 for IPv4 and _ip6 for IPv6. The generated address sets can be used in
1672 the same way as regular address sets in the match column of the ACL ta‐
1673 ble. For syntax information, see the details of the expression language
1674 used for the match column in the Logical_Flow table of the OVN_South‐
1675 bound database.
1676 Summary:
1678 name string (must be unique within table)
1679 ports set of weak reference to Logi‐
1680 cal_Switch_Ports
1681 acls set of ACLs
1682 Common Columns:
1683 external_ids map of string-string pairs
1684 Details:
1686 name: string (must be unique within table)
1687 A name for the port group. Names are ASCII and must match
1688 [a-zA-Z_.][a-zA-Z_.0-9]*.
1689 ports: set of weak reference to Logical_Switch_Ports
1691 The logical switch ports belonging to the group in uuids.
1692 acls: set of ACLs
1694 Access control rules that apply to the port group. Applying an
1695 ACL to a port group has the same effect as applying the ACL to
1696 all logical lswitches that the ports of the port group belong
1697 to.
1698 Common Columns:
1700 external_ids: map of string-string pairs
1702 See External IDs at the beginning of this document.
1703
1705 Each row represents one load balancer.
1706 Summary:
1708 name string
1709 vips map of string-string pairs
1710 protocol optional string, one of sctp, tcp, or udp
1711 Health Checks:
1712 health_check set of Load_Balancer_Health_Checks
1713 ip_port_mappings map of string-string pairs
1714 selection_fields set of strings, one of eth_dst, eth_src,
1715 ip_dst, ip_src, tp_dst, or tp_src
1716 Common Columns:
1717 external_ids map of string-string pairs
1718 Load_Balancer options:
1719 options : reject optional string, either true or false
1720 options : hairpin_snat_ip optional string
1721 options : skip_snat optional string
1722 options : add_route optional string
1723 options : neighbor_responder
1724 optional string
1725 options : template optional string
1726 options : address-family optional string
1727 options : affinity_timeout optional string
1728 options : ct_flush optional string, either true or false
1729 Details:
1731 name: string
1732 A name for the load balancer. This name has no special meaning
1733 or purpose other than to provide convenience for human interac‐
1734 tion with the ovn-nb database.
1735 vips: map of string-string pairs
1737 A map of virtual IP addresses (and an optional port number with
1738 : as a separator) associated with this load balancer and their
1739 corresponding endpoint IP addresses (and optional port numbers
1740 with : as separators) separated by commas. If the destination IP
1741 address (and port number) of a packet leaving a container or a
1742 VM matches the virtual IP address (and port number) provided
1743 here as a key, then OVN will statefully replace the destination
1744 IP address by one of the provided IP address (and port number)
1745 in this map as a value. IPv4 and IPv6 addresses are supported
1746 for load balancing; however a VIP of one address family may not
1747 be mapped to a destination IP address of a different family. If
1748 specifying an IPv6 address with a port, the address portion must
1749 be enclosed in square brackets. Examples for keys are
1750 "192.168.1.4" and "[fd0f::1]:8800". Examples for value are
1751 "10.0.0.1, 10.0.0.2" and "20.0.0.10:8800, 20.0.0.11:8800".
1752 When the Load_Balancer is added to the logical_switch, the VIP
1754 has to be in a different subnet than the one used for the logi‐
1755 cal_switch. Since VIP is in a different subnet, you should con‐
1756 nect your logical switch to either a OVN logical router or a
1757 real router (this is because the client can now send a packet
1758 with VIP as the destination IP address and router’s mac address
1759 as the destination MAC address).
1760 protocol: optional string, one of sctp, tcp, or udp
1762 Valid protocols are tcp, udp, or sctp. This column is useful
1763 when a port number is provided as part of the vips column. If
1764 this column is empty and a port number is provided as part of
1765 vips column, OVN assumes the protocol to be tcp.
1766 Health Checks:
1768 OVN supports health checks for load balancer endpoints. When health
1770 checks are enabled, the load balancer uses only healthy endpoints.
1771 Suppose that vips contains a key-value pair
1773 10.0.0.10:80=10.0.0.4:8080,20.0.0.4:8080. To enable health checks for
1774 this virtual’s endpoints, add two key-value pairs to ip_port_mappings,
1775 with keys 10.0.0.4 and 20.0.0.4, and add to health_check a reference to
1776 a Load_Balancer_Health_Check row whose vip is set to 10.0.0.10. The
1777 same approach can be used for IPv6 as well.
1778 health_check: set of Load_Balancer_Health_Checks
1780 Load balancer health checks associated with this load balancer.
1781 ip_port_mappings: map of string-string pairs
1783 Maps from endpoint IP to a colon-separated pair of logical port
1784 name and source IP, e.g. port_name:sourc_ip for IPv4. Health
1785 checks are sent to this port with the specified source IP. For
1786 IPv6 square brackets must be used around IP address, e.g:
1787 port_name:[sourc_ip]
1788 For example, in the example above, IP to port mappings might be
1790 defined as 10.0.0.4=sw0-p1:10.0.0.2 and
1791 20.0.0.4=sw1-p1:20.0.0.2, if the values given were suitable
1792 ports and IP addresses.
1793 For IPv6 IP to port mappings might be defined as
1795 [2001::1]=sw0-p1:[2002::1].
1796 selection_fields: set of strings, one of eth_dst, eth_src, ip_dst,
1798 ip_src, tp_dst, or tp_src
1799 OVN native load balancers are supported using the OpenFlow
1800 groups of type select. OVS supports two selection methods:
1801 dp_hash and hash (with optional fields specified) in selecting
1802 the buckets of a group. Please see the OVS documentation (man
1803 ovs-ofctl) for more details on the selection methods. Each end‐
1804 point IP (and port if set) is mapped to a bucket in the group
1805 flow.
1806 CMS can choose the hash selection method by setting the selec‐
1808 tion fields in this column. ovs-vswitchd uses the specified
1809 fields in generating the hash.
1810 dp_hash selection method uses the assistance of datapath to cal‐
1812 culate the hash and it is expected to be faster than hash selec‐
1813 tion method. So CMS should take this into consideration before
1814 using the hash method. Please consult the OVS documentation and
1815 OVS sources for the implementation details.
1816 Common Columns:
1818 external_ids: map of string-string pairs
1820 See External IDs at the beginning of this document.
1821 Load_Balancer options:
1823 options : reject: optional string, either true or false
1825 If the load balancer is created with --reject option and it has
1826 no active backends, a TCP reset segment (for tcp) or an ICMP
1827 port unreachable packet (for all other kind of traffic) will be
1828 sent whenever an incoming packet is received for this load-bal‐
1829 ancer. Please note using --reject option will disable empty_lb
1830 SB controller event for this load balancer.
1831 options : hairpin_snat_ip: optional string
1833 IP to be used as source IP for packets that have been hair-
1834 pinned after load balancing. The default behavior when the op‐
1835 tion is not set is to use the load balancer VIP as source IP.
1836 This option may have exactly one IPv4 and/or one IPv6 address on
1837 it, separated by a space character.
1838 options : skip_snat: optional string
1840 If the load balancing rule is configured with skip_snat option,
1841 the option lb_force_snat_ip configured for the logical router
1842 that references this load balancer will not be applied for this
1843 load balancer.
1844 options : add_route: optional string
1846 If set to true, then neighbor routers will have logical flows
1847 added that will allow for routing to the VIP IP. It also will
1848 have ARP resolution logical flows added. By setting this option,
1849 it means there is no reason to create a Logi‐
1850 cal_Router_Static_Route from neighbor routers to this NAT ad‐
1851 dress. It also means that no ARP request is required for neigh‐
1852 bor routers to learn the IP-MAC mapping for this VIP IP. For
1853 more information about what flows are added for IP routes,
1854 please see the ovn-northd manpage section on IP Routing.
1855 options : neighbor_responder: optional string
1857 If set to all, then routers on which the load balancer is ap‐
1858 plied reply to ARP/neighbor discovery requests for all VIPs of
1859 the load balancer. If set to reachable, then routers on which
1860 the load balancer is applied reply to ARP/neighbor discovery re‐
1861 quests only for VIPs that are part of a router’s subnet. If set
1862 to none, then routers on which the load balancer is applied
1863 never reply to ARP/neighbor discovery requests for any of the
1864 load balancer VIPs. Load balancers with options:template=true do
1865 not support reachable as a valid mode. The default value of this
1866 option, if not specified, is reachable for regular load bal‐
1867 ancers and none for template load balancers.
1868 options : template: optional string
1870 Option to be set to true, if the load balancer is a template.
1871 The load balancer VIPs and backends must be using Chassis_Tem‐
1872 plate_Var in their definitions.
1873 Load balancer template VIP supported formats are:
1875 ^VIP_VAR[:^PORT_VAR|:port]
1877 where VIP_VAR and PORT_VAR are keys of the Chassis_Template_Var
1880 variables records.
1881 Note: The VIP and PORT cannot be combined into a single template
1883 variable. For example, a Chassis_Template_Var variable expanding
1884 to 10.0.0.1:8080 is not valid if used as VIP.
1885 Load balancer template backend supported formats are:
1887 ^BACKEND_VAR1[:^PORT_VAR1|:port],^BACKEND_VAR2[:^PORT_VAR2|:port]
1889 or
1890 ^BACKENDS_VAR1,^BACKENDS_VAR2
1891 where BACKEND_VAR1, PORT_VAR1, BACKEND_VAR2, PORT_VAR2, BACK‐
1894 ENDS_VAR1 and BACKENDS_VAR2 are keys of the Chassis_Template_Var
1895 variables records.
1896 options : address-family: optional string
1898 Address family used by the load balancer. Supported values are
1899 ipv4 and ipv6. The address-family is only used for load bal‐
1900 ancers with options:template=true. For explicit load balancers,
1901 setting the address-family has no effect.
1902 options : affinity_timeout: optional string
1904 If the CMS provides a positive value (in seconds) for affin‐
1905 ity_timeout, OVN will dnat connections received from the same
1906 client to this lb to the same backend if received in the affin‐
1907 ity timeslot. Max supported affinity_timeout is 65535 seconds.
1908 options : ct_flush: optional string, either true or false
1910 The value indicates whether ovn-controller should flush CT en‐
1911 tries that are related to this LB. The flush happens if the LB
1912 is removed, any of the backends is updated/removed or the LB is
1913 not considered local anymore by the ovn-controller. This option
1914 is set to false by default.
1915
1917 Each row represents a logical grouping of load balancers. It is up to
1918 the CMS to decide the criteria on which load balancers are grouped to‐
1919 gether. To simplify configuration and to optimize its processing load
1920 balancers that must be associated to the same set of logical switches
1921 and/or logical routers should be grouped together.
1922 Summary:
1924 name string (must be unique within table)
1925 load_balancer set of weak reference to Load_Balancers
1926 Details:
1928 name: string (must be unique within table)
1929 A name for the load balancer group. This name has no special
1930 meaning or purpose other than to provide convenience for human
1931 interaction with the ovn-nb database.
1932 load_balancer: set of weak reference to Load_Balancers
1934 A set of load balancers.
1935
1937 Each row represents one load balancer health check.
1938 Summary:
1940 vip string
1941 Health check options:
1942 options : interval optional string, containing an integer
1943 options : timeout optional string, containing an integer
1944 options : success_count optional string, containing an integer
1945 options : failure_count optional string, containing an integer
1946 Common Columns:
1947 external_ids map of string-string pairs
1948 Details:
1950 vip: string
1951 vip whose endpoints should be monitored for health check.
1952 Health check options:
1954 options : interval: optional string, containing an integer
1956 The interval, in seconds, between health checks.
1957 options : timeout: optional string, containing an integer
1959 The time, in seconds, after which a health check times out.
1960 options : success_count: optional string, containing an integer
1962 The number of successful checks after which the endpoint is con‐
1963 sidered online.
1964 options : failure_count: optional string, containing an integer
1966 The number of failure checks after which the endpoint is consid‐
1967 ered offline.
1968 Common Columns:
1970 external_ids: map of string-string pairs
1972 See External IDs at the beginning of this document.
1973
1975 Each row in this table represents one ACL rule for a logical switch or
1976 a port group that points to it through its acls column. The action col‐
1977 umn for the highest-priority matching row in this table determines a
1978 packet’s treatment. If no row matches, packets are allowed by default.
1979 (Default-deny treatment is possible: add a rule with priority 0, 1 as
1980 match, and deny as action.)
1981 Summary:
1983 label integer, in range 0 to 4,294,967,295
1984 priority integer, in range 0 to 32,767
1985 direction string, either from-lport or to-lport
1986 match string
1987 action string, one of allow-related, al‐
1988 low-stateless, allow, drop, pass, or re‐
1989 ject
1990 tier integer, in range 0 to 3
1991 options:
1992 options : apply-after-lb optional string
1993 Logging:
1994 log boolean
1995 name optional string, at most 63 characters
1996 long
1997 severity optional string, one of alert, debug,
1998 info, notice, or warning
1999 meter optional string
2000 Common Columns:
2001 options map of string-string pairs
2002 ACL configuration options:
2003 options : log-related optional string
2004 external_ids map of string-string pairs
2005 Details:
2007 label: integer, in range 0 to 4,294,967,295
2008 Associates an identifier with the ACL. The same value will be
2009 written to corresponding connection tracker entry. The value
2010 should be a valid 32-bit unsigned integer. This value can help
2011 in debugging from connection tracker side. For example, through
2012 this "label" we can backtrack to the ACL rule which is causing a
2013 "leaked" connection. Connection tracker entries are created only
2014 for allowed connections so the label is valid only for allow and
2015 allow-related actions.
2016 priority: integer, in range 0 to 32,767
2018 The ACL rule’s priority. Rules with numerically higher priority
2019 take precedence over those with lower. If two ACL rules with the
2020 same priority both match, then the one actually applied to a
2021 packet is undefined.
2022 Return traffic from an allow-related flow is always allowed and
2024 cannot be changed through an ACL.
2025 allow-stateless flows always take precedence before stateful
2027 ACLs, regardless of their priority. (Both allow and allow-re‐
2028 lated ACLs can be stateful.)
2029 direction: string, either from-lport or to-lport
2031 Direction of the traffic to which this rule should apply:
2032 • from-lport: Used to implement filters on traffic arriving
2034 from a logical port. These rules are applied to the logi‐
2035 cal switch’s ingress pipeline.
2036 • to-lport: Used to implement filters on traffic forwarded
2038 to a logical port. These rules are applied to the logical
2039 switch’s egress pipeline.
2040 match: string
2042 The packets that the ACL should match, in the same expression
2043 language used for the match column in the OVN Southbound data‐
2044 base’s Logical_Flow table. The outport logical port is only
2045 available in the to-lport direction (the inport is available in
2046 both directions).
2047 By default all traffic is allowed. When writing a more restric‐
2049 tive policy, it is important to remember to allow flows such as
2050 ARP and IPv6 neighbor discovery packets.
2051 Note that you can not create an ACL matching on a port with
2053 type=router or type=localnet.
2054 action: string, one of allow-related, allow-stateless, allow, drop,
2056 pass, or reject
2057 The action to take when the ACL rule matches:
2058 • allow-stateless: Always forward the packet in stateless
2060 manner, omitting connection tracking mechanism, regard‐
2061 less of other rules defined for the switch. May require
2062 defining additional rules for inbound replies. For exam‐
2063 ple, if you define a rule to allow outgoing TCP traffic
2064 directed to an IP address, then you probably also want to
2065 define another rule to allow incoming TCP traffic coming
2066 from this same IP address. In addition, traffic that
2067 matches stateless ACLs will bypass load-balancer DNAT/un-
2068 DNAT processing. Stateful ACLs should be used instead if
2069 the traffic is supposed to be load-balanced.
2070 • allow: Forward the packet. It will also send the packets
2072 through connection tracking when allow-related rules ex‐
2073 ist on the logical switch. Otherwise, it’s equivalent to
2074 allow-stateless.
2075 • allow-related: Forward the packet and related traffic
2077 (e.g. inbound replies to an outbound connection).
2078 • drop: Silently drop the packet.
2080 • reject: Drop the packet, replying with a RST for TCP or
2082 ICMPv4/ICMPv6 unreachable message for other
2083 IPv4/IPv6-based protocols.
2084 • pass: Pass to the next ACL tier. If using multiple ACL
2086 tiers, a match on this ACL will stop evaluating ACLs at
2087 the current tier and move to the next one. If not using
2088 ACL tiers or if a pass ACL is matched at the final tier,
2089 then the options:default_acl_drop option from the
2090 NB_Global table is used to determine how to proceed.
2091 tier: integer, in range 0 to 3
2093 The hierarchical tier that this ACL belongs to.
2094 ACLs can be assigned to numerical tiers. When evaluating ACLs,
2096 an internal counter is used to determine which tier of ACLs
2097 should be evaluated. Tier 0 ACLs are evaluated first. If no ver‐
2098 dict can be determined, then tier 1 ACLs are evaluated next.
2099 This continues until the maximum tier value is reached. If all
2100 tiers of ACLs are evaluated and no verdict is reached, then the
2101 options:default_acl_drop option from table NB_Global is used to
2102 determine how to proceed.
2103 In this version of OVN, the maximum tier value for ACLs is 3,
2105 meaning there are 4 tiers of ACLs allowed (0-3).
2106 options:
2108 ACLs options.
2110 options : apply-after-lb: optional string
2112 If set to true, the ACL will be applied after load balancing
2113 stage. Supported only for from-lport direction.
2114 The main use case of this option is to support ACLs matching on
2116 the destination IP address of the packet for the backend IPs of
2117 load balancers.
2118 OVN will apply the from-lport ACLs in two stages. ACLs without
2120 this option apply-after-lb set, will be applied before the load
2121 balancer stage and ACLs with this option set will be applied af‐
2122 ter the load balancer stage. The priorities are indepedent be‐
2123 tween these stages and may not be obvious to the CMS. Hence CMS
2124 should be extra careful when using this option and should care‐
2125 fully evaluate the priorities of all the ACLs and the default
2126 deny/allow ACLs if any.
2127 Logging:
2129 These columns control whether and how OVN logs packets that match an
2131 ACL.
2132 log: boolean
2134 If set to true, packets that match the ACL will trigger a log
2135 message on the transport node or nodes that perform ACL process‐
2136 ing. Logging may be combined with any action.
2137 If set to false, the remaining columns in this group have no
2139 significance.
2140 name: optional string, at most 63 characters long
2142 This name, if it is provided, is included in log records. It
2143 provides the administrator and the cloud management system a way
2144 to associate a log record with a particular ACL.
2145 severity: optional string, one of alert, debug, info, notice, or warn‐
2147 ing
2148 The severity of the ACL. The severity levels match those of sys‐
2149 log, in decreasing level of severity: alert, warning, notice,
2150 info, or debug. When the column is empty, the default is info.
2151 meter: optional string
2153 The name of a meter to rate-limit log messages for the ACL. The
2154 string must match the name column of a row in the Meter table.
2155 By default, log messages are not rate-limited. In order to en‐
2156 sure that the same Meter rate limits multiple ACL logs sepa‐
2157 rately, set the fair column.
2158 Common Columns:
2160 options: map of string-string pairs
2162 This column provides general key/value settings. The supported
2163 options are described individually below.
2164 ACL configuration options:
2166 options : log-related: optional string
2168 If set to true, then log when reply or related traffic is admit‐
2169 ted from a stateful ACL. In order for this option to function,
2170 the log option must be set to true and a label must be set, and
2171 it must be unique to the ACL. The label is necessary as it is
2172 the only means to associate the reply traffic with the ACL to
2173 which it belongs. It must be unique, because otherwise it is am‐
2174 biguous which ACL will be matched. Note: If this option is en‐
2175 abled, an extra flow is installed in order to log the related
2176 traffic. Therefore, if this is enabled on all ACLs, then the to‐
2177 tal number of flows necessary to log the ACL traffic is doubled,
2178 compared to if this option is not enabled.
2179 external_ids: map of string-string pairs
2181 See External IDs at the beginning of this document.
2182
2184 Each row represents one L3 logical router.
2185 Summary:
2187 ports set of Logical_Router_Ports
2188 static_routes set of Logical_Router_Static_Routes
2189 policies set of Logical_Router_Policys
2190 enabled optional boolean
2191 nat set of NATs
2192 load_balancer set of weak reference to Load_Balancers
2193 load_balancer_group set of Load_Balancer_Groups
2194 Naming:
2195 name string
2196 external_ids : neutron:router_name
2197 optional string
2198 copp optional weak reference to Copp
2199 Options:
2200 options : chassis optional string
2201 options : dnat_force_snat_ip
2202 optional string
2203 options : lb_force_snat_ip optional string
2204 options : mcast_relay optional string, either true or false
2205 options : dynamic_neigh_routers
2206 optional string, either true or false
2207 options : always_learn_from_arp_request
2208 optional string, either true or false
2209 options : requested-tnl-key
2210 optional string, containing an integer,
2211 in range 1 to 16,777,215
2212 options : snat-ct-zone optional string, containing an integer,
2213 in range 0 to 65,535
2214 options : mac_binding_age_threshold
2215 optional string, containing an integer,
2216 in range 0 to 4,294,967,295
2217 Common Columns:
2218 external_ids map of string-string pairs
2219 Details:
2221 ports: set of Logical_Router_Ports
2222 The router’s ports.
2223 static_routes: set of Logical_Router_Static_Routes
2225 Zero or more static routes for the router.
2226 policies: set of Logical_Router_Policys
2228 Zero or more routing policies for the router.
2229 enabled: optional boolean
2231 This column is used to administratively set router state. If
2232 this column is empty or is set to true, the router is enabled.
2233 If this column is set to false, the router is disabled. A dis‐
2234 abled router has all ingress and egress traffic dropped.
2235 nat: set of NATs
2237 One or more NAT rules for the router. NAT rules only work on
2238 Gateway routers, and on distributed routers with one and only
2239 one distributed gateway port.
2240 load_balancer: set of weak reference to Load_Balancers
2242 Set of load balancers associated to this logical router. Load
2243 balancer Load balancer rules only work on the Gateway routers or
2244 routers with one and only one distributed gateway port.
2245 load_balancer_group: set of Load_Balancer_Groups
2247 Set of load balancers groups associated to this logical router.
2248 Naming:
2250 These columns provide names for the logical router. From OVN’s perspec‐
2252 tive, these names have no special meaning or purpose other than to pro‐
2253 vide convenience for human interaction with the northbound database.
2254 There is no requirement for the name to be unique. (For a unique iden‐
2255 tifier for a logical router, use its row UUID.)
2256 (Originally, name was intended to serve the purpose of a human-friendly
2258 name, but the Neutron integration used it to uniquely identify its own
2259 router object, in the format neutron-uuid. Later on, Neutron started
2260 propagating the friendly name of a router as external_ids:neu‐
2261 tron:router_name. Perhaps this can be cleaned up someday.)
2262 name: string
2264 A name for the logical router.
2265 external_ids : neutron:router_name: optional string
2267 Another name for the logical router.
2268 copp: optional weak reference to Copp
2270 The control plane protection policy from table Copp used for me‐
2271 tering packets sent to ovn-controller from logical ports of this
2272 router.
2273 Options:
2275 Additional options for the logical router.
2277 options : chassis: optional string
2279 If set, indicates that the logical router in question is a Gate‐
2280 way router (which is centralized) and resides in the set chas‐
2281 sis. The same value is also used by ovn-controller to uniquely
2282 identify the chassis in the OVN deployment and comes from exter‐
2283 nal_ids:system-id in the Open_vSwitch table of Open_vSwitch
2284 database.
2285 The Gateway router can only be connected to a distributed router
2287 via a switch if SNAT and DNAT are to be configured in the Gate‐
2288 way router.
2289 options : dnat_force_snat_ip: optional string
2291 If set, indicates a set of IP addresses to use to force SNAT a
2292 packet that has already been DNATed in the gateway router. When
2293 multiple gateway routers are configured, a packet can poten‐
2294 tially enter any of the gateway router, get DNATted and eventu‐
2295 ally reach the logical switch port. For the return traffic to go
2296 back to the same gateway router (for unDNATing), the packet
2297 needs a SNAT in the first place. This can be achieved by setting
2298 the above option with a gateway specific set of IP addresses.
2299 This option may have exactly one IPv4 and/or one IPv6 address on
2300 it, separated by a a space.
2301 options : lb_force_snat_ip: optional string
2303 If set, this option can take two possible type of values. Either
2304 a set of IP addresses or the string value - router_ip.
2305 If a set of IP addresses are configured, it indicates to use to
2307 force SNAT a packet that has already been load-balanced in the
2308 gateway router. When multiple gateway routers are configured, a
2309 packet can potentially enter any of the gateway routers, get
2310 DNATted as part of the load-balancing and eventually reach the
2311 logical switch port. For the return traffic to go back to the
2312 same gateway router (for unDNATing), the packet needs a SNAT in
2313 the first place. This can be achieved by setting the above op‐
2314 tion with a gateway specific set of IP addresses. This option
2315 may have exactly one IPv4 and/or one IPv6 address on it, sepa‐
2316 rated by a space character.
2317 If it is configured with the value router_ip, then the load bal‐
2319 anced packet is SNATed with the IP of router port (attached to
2320 the gateway router) selected as the destination after taking the
2321 routing decision.
2322 options : mcast_relay: optional string, either true or false
2324 Enables/disables IP multicast relay between logical switches
2325 connected to the logical router. Default: False.
2326 options : dynamic_neigh_routers: optional string, either true or false
2328 If set to true, the router will resolve neighbor routers’ MAC
2329 addresses only by dynamic ARP/ND, instead of prepopulating
2330 static mappings for all neighbor routers in the ARP/ND Resolu‐
2331 tion stage. This reduces number of flows, but requires ARP/ND
2332 messages to resolve the IP-MAC bindings when needed. It is false
2333 by default. It is recommended to set to true when a large number
2334 of logical routers are connected to the same logical switch but
2335 most of them never need to send traffic between each other. By
2336 default, ovn-northd does not create mappings to NAT and load
2337 balancer addresess. However, for NAT and load balancer addresses
2338 that have the add_route option added, ovn-northd will create
2339 logical flows that map NAT and load balancer IP addresses to the
2340 appropriate MAC address. Setting dynamic_neigh_routers to true
2341 will prevent the automatic creation of these logical flows.
2342 options : always_learn_from_arp_request: optional string, either true
2344 or false
2345 This option controls the behavior when handling IPv4 ARP re‐
2346 quests or IPv6 ND-NS packets - whether a dynamic neighbor (MAC
2347 binding) entry is added/updated.
2348 true - Always learn the MAC-IP binding, and add/update the MAC
2350 binding entry.
2351 false - If there is a MAC binding for that IP and the MAC is
2353 different, or, if TPA of ARP request belongs to any router port
2354 on this router, then update/add that MAC-IP binding. Otherwise,
2355 don’t update/add entries.
2356 It is true by default. It is recommended to set to false when a
2358 large number of logical routers are connected to the same logi‐
2359 cal switch but most of them never need to send traffic between
2360 each other, to reduce the size of the MAC binding table.
2361 options : requested-tnl-key: optional string, containing an integer, in
2363 range 1 to 16,777,215
2364 Configures the datapath tunnel key for the logical router. This
2365 is not needed because ovn-northd will assign an unique key for
2366 each datapath by itself. However, if it is configured,
2367 ovn-northd honors the configured value.
2368 options : snat-ct-zone: optional string, containing an integer, in
2370 range 0 to 65,535
2371 Use the requested conntrack zone for SNAT with this router. This
2372 can be useful if egress traffic from the host running OVN comes
2373 from both OVN and other sources. This way, OVN and the other
2374 sources can make use of the same conntrack zone.
2375 options : mac_binding_age_threshold: optional string, containing an in‐
2377 teger, in range 0 to 4,294,967,295
2378 MAC binding aging threshold value in seconds. MAC binding ex‐
2379 ceeding this timeout will be automatically removed. The value
2380 defaults to 0, which means disabled.
2381 Common Columns:
2383 external_ids: map of string-string pairs
2385 See External IDs at the beginning of this document.
2386
2388 Each row in this table represents one QoS rule for a logical switch
2389 that points to it through its qos_rules column. Two types of QoS are
2390 supported: DSCP marking and metering. A match with the highest-priority
2391 will have QoS applied to it. If the action column is specified, then
2392 matching packets will have DSCP marking applied. If the bandwidth col‐
2393 umn is specified, then matching packets will have metering applied. ac‐
2394 tion and bandwidth are not exclusive, so both marking and metering by
2395 defined for the same QoS entry. If no row matches, packets will not
2396 have any QoS applied.
2397 Summary:
2399 priority integer, in range 0 to 32,767
2400 direction string, either from-lport or to-lport
2401 match string
2402 action map of string-integer pairs, key must be
2403 dscp, value in range 0 to 63
2404 bandwidth map of string-integer pairs, key either
2405 burst or rate, value in range 1 to
2406 4,294,967,295
2407 external_ids map of string-string pairs
2408 Details:
2410 priority: integer, in range 0 to 32,767
2411 The QoS rule’s priority. Rules with numerically higher priority
2412 take precedence over those with lower. If two QoS rules with the
2413 same priority both match, then the one actually applied to a
2414 packet is undefined.
2415 direction: string, either from-lport or to-lport
2417 The value of this field is similar to ACL column in the OVN
2418 Northbound database’s ACL table.
2419 match: string
2421 The packets that the QoS rules should match, in the same expres‐
2422 sion language used for the match column in the OVN Southbound
2423 database’s Logical_Flow table. The outport logical port is only
2424 available in the to-lport direction (the inport is available in
2425 both directions).
2426 action: map of string-integer pairs, key must be dscp, value in range 0
2428 to 63
2429 When specified, matching flows will have DSCP marking applied.
2430 • dscp: The value of this action should be in the range of
2432 0 to 63 (inclusive).
2433 bandwidth: map of string-integer pairs, key either burst or rate, value
2435 in range 1 to 4,294,967,295
2436 When specified, matching packets will have bandwidth metering
2437 applied. Traffic over the limit will be dropped.
2438 • rate: The value of rate limit in kbps.
2440 • burst: The value of burst rate limit in kilobits. This is
2442 optional and needs to specify the rate.
2443 external_ids: map of string-string pairs
2445 See External IDs at the beginning of this document.
2446
2448 Each row in this table represents a mirror that can be used for port
2449 mirroring. These mirrors are referenced by the mirror_rules column in
2450 the Logical_Switch_Port table.
2451 Summary:
2453 name string (must be unique within table)
2454 filter string, one of both, from-lport, or
2455 to-lport
2456 sink string
2457 type string, one of erspan, gre, or local
2458 index integer
2459 external_ids map of string-string pairs
2460 Details:
2462 name: string (must be unique within table)
2463 Represents the name of the mirror.
2464 filter: string, one of both, from-lport, or to-lport
2466 The value of this field represents selection criteria of the
2467 mirror. to-lport mirrors the packets coming into logical port.
2468 from-lport mirrors the packets going out of logical port. both
2469 mirrors for both directions.
2470 sink: string
2472 The value of this field represents the destination/sink of the
2473 mirror. If the type is gre or erspan, the value indicates the
2474 tunnel remote IP (either IPv4 or IPv6). For a type of local,
2475 this field defines a local interface on the OVS integration
2476 bridge to be used as the mirror destination. The interface must
2477 possess external-ids:mirror-id that matches this string.
2478 type: string, one of erspan, gre, or local
2480 The value of this field specifies the mirror type - gre, erspan
2481 or local.
2482 index: integer
2484 The value of this field represents the tunnel ID. If the config‐
2485 ured tunnel type is gre, this field represents the GRE key value
2486 and if the configured tunnel type is erspan it represents the
2487 erspan_idx value. It is ignored if the type is local.
2488 external_ids: map of string-string pairs
2490 See External IDs at the beginning of this document.
2491
2493 Each row in this table represents a meter that can be used for QoS or
2494 rate-limiting.
2495 Summary:
2497 name string (must be unique within table)
2498 unit string, either kbps or pktps
2499 bands set of 1 or more Meter_Bands
2500 fair optional boolean
2501 external_ids map of string-string pairs
2502 Details:
2504 name: string (must be unique within table)
2505 A name for this meter.
2506 Names that begin with "__" (two underscores) are reserved for
2508 OVN internal use and should not be added manually.
2509 unit: string, either kbps or pktps
2511 The unit for rate and burst_rate parameters in the bands entry.
2512 kbps specifies kilobits per second, and pktps specifies packets
2513 per second.
2514 bands: set of 1 or more Meter_Bands
2516 The bands associated with this meter. Each band specifies a rate
2517 above which the band is to take the action action. If multiple
2518 bands’ rates are exceeded, then the band with the highest rate
2519 among the exceeded bands is selected.
2520 fair: optional boolean
2522 This column is used to further describe the desired behavior of
2523 the meter when there are multiple references to it. If this col‐
2524 umn is empty or is set to false, the rate will be shared across
2525 all rows that refer to the same Meter name. Conversely, when
2526 this column is set to true, each user of the same Meter will be
2527 rate-limited on its own.
2528 external_ids: map of string-string pairs
2530 See External IDs at the beginning of this document.
2531
2533 Each row in this table represents a meter band which specifies the rate
2534 above which the configured action should be applied. These bands are
2535 referenced by the bands column in the Meter table.
2536 Summary:
2538 action string, must be drop
2539 rate integer, in range 1 to 4,294,967,295
2540 burst_size integer, in range 0 to 4,294,967,295
2541 external_ids map of string-string pairs
2542 Details:
2544 action: string, must be drop
2545 The action to execute when this band matches. The only supported
2546 action is drop.
2547 rate: integer, in range 1 to 4,294,967,295
2549 The rate limit for this band, in kilobits per second or bits per
2550 second, depending on whether the parent Meter entry’s unit col‐
2551 umn specified kbps or pktps.
2552 burst_size: integer, in range 0 to 4,294,967,295
2554 The maximum burst allowed for the band in kilobits or packets,
2555 depending on whether kbps or pktps was selected in the parent
2556 Meter entry’s unit column. If the size is zero, the switch is
2557 free to select some reasonable value depending on its configura‐
2558 tion.
2559 external_ids: map of string-string pairs
2561 See External IDs at the beginning of this document.
2562
2564 A port within an L3 logical router.
2565 Exactly one Logical_Router row must reference a given logical router
2567 port.
2568 Summary:
2570 name string (must be unique within table)
2571 networks set of 1 or more strings
2572 mac string
2573 enabled optional boolean
2574 Distributed Gateway Ports:
2575 ha_chassis_group optional HA_Chassis_Group
2576 gateway_chassis set of Gateway_Chassises
2577 Options for Physical VLAN MTU Issues:
2578 options : reside-on-redirect-chassis
2579 optional string, either true or false
2580 options : redirect-type optional string, either bridged or over‐
2581 lay
2582 ipv6_prefix set of strings
2583 ipv6_ra_configs:
2584 ipv6_ra_configs : address_mode
2585 optional string
2586 ipv6_ra_configs : router_preference
2587 optional string
2588 ipv6_ra_configs : route_info
2589 optional string
2590 ipv6_ra_configs : mtu optional string
2591 ipv6_ra_configs : send_periodic
2592 optional string
2593 ipv6_ra_configs : max_interval
2594 optional string
2595 ipv6_ra_configs : min_interval
2596 optional string
2597 ipv6_ra_configs : rdnss optional string
2598 ipv6_ra_configs : dnssl optional string
2599 Options:
2600 options : mcast_flood optional string, either true or false
2601 options : requested-tnl-key
2602 optional string, containing an integer,
2603 in range 1 to 32,767
2604 options : prefix_delegation
2605 optional string, either true or false
2606 options : prefix optional string, either true or false
2607 options : route_table optional string
2608 options : gateway_mtu optional string, containing an integer,
2609 in range 68 to 65,535
2610 options : gateway_mtu_bypass
2611 optional string
2612 Attachment:
2613 peer optional string
2614 Common Columns:
2615 external_ids map of string-string pairs
2616 Status:
2617 status : hosting-chassis optional string
2618 Details:
2620 name: string (must be unique within table)
2621 A name for the logical router port.
2622 In addition to provide convenience for human interaction with
2624 the northbound database, this column is used as reference by its
2625 patch port in Logical_Switch_Port or another logical router port
2626 in Logical_Router_Port.
2627 A logical router port may not have the same name as a logical
2629 switch port, but the database schema cannot enforce this.
2630 networks: set of 1 or more strings
2632 The IP addresses and netmasks of the router. For example,
2633 192.168.0.1/24 indicates that the router’s IP address is
2634 192.168.0.1 and that packets destined to 192.168.0.x should be
2635 routed to this port.
2636 A logical router port always adds a link-local IPv6 address
2638 (fe80::/64) automatically generated from the interface’s MAC ad‐
2639 dress using the modified EUI-64 format.
2640 mac: string
2642 The Ethernet address that belongs to this router port.
2643 enabled: optional boolean
2645 This column is used to administratively set port state. If this
2646 column is empty or is set to true, the port is enabled. If this
2647 column is set to false, the port is disabled. A disabled port
2648 has all ingress and egress traffic dropped.
2649 Distributed Gateway Ports:
2651 Gateways, as documented under Gateways in the OVN architecture guide,
2653 provide limited connectivity between logical networks and physical
2654 ones. OVN support multiple kinds of gateways. The Logical_Router_Port
2655 table can be used two different ways to configure distributed gateway
2656 ports, which are one kind of gateway. These two forms of configuration
2657 exist for historical reasons. Both of them produce the same kind of OVN
2658 southbound records and the same behavior in practice.
2659 If either of these are set, this logical router port represents a dis‐
2661 tributed gateway port that connects this router to a logical switch
2662 with a localnet port or a connection to another OVN deployment.
2663 Also mentioned in the OVN architecture guide, distributed gateway ports
2665 can also be used for scalability reasons in deployments where logical
2666 switches are dedicated to chassises rather than distributed.
2667 The preferred way to configure a gateway is ha_chassis_group, but gate‐
2669 way_chassis is also supported for backward compatibility. Only one of
2670 these should be set at a time on a given LRP, since they configure the
2671 same features.
2672 Even when a gateway is configured, the logical router port still effec‐
2674 tively resides on each chassis. However, due to the implications of the
2675 use of L2 learning in the physical network, as well as the need to sup‐
2676 port advanced features such as one-to-many NAT (aka IP masquerading), a
2677 subset of the logical router processing is handled in a centralized
2678 manner on the gateway chassis.
2679 There can be more than one distributed gateway ports configured on each
2681 logical router, each connecting to different L2 segments. Load-balanc‐
2682 ing is not yet supported on logical routers with more than one distrib‐
2683 uted gateway ports.
2684 For each distributed gateway port, it may have more than one gateway
2686 chassises. When more than one gateway chassis is specified, OVN only
2687 uses one at a time. OVN can rely on OVS BFD implementation to monitor
2688 gateway connectivity, preferring the highest-priority gateway that is
2689 online. Priorities are specified in the priority column of Gate‐
2690 way_Chassis or HA_Chassis.
2691 ovn-northd programs the external_mac rules specified in the LRP’s LR
2693 into the peer logical switch’s destination lookup on the chassis where
2694 the logical_port resides. In addition, the logical router’s MAC address
2695 is automatically programmed in the peer logical switch’s destination
2696 lookup flow on the gateway chasssis. If it is desired to generate gra‐
2697 tuitous ARPs for NAT addresses, then set the peer LSP’s options:nat-ad‐
2698 dresses to router.
2699 OVN 20.03 and earlier supported a third way to configure distributed
2701 gateway ports using options:redirect-chassis to specify the gateway
2702 chassis. This method is no longer supported. Any remaining users should
2703 switch to one of the newer methods instead. A gateway_chassis may be
2704 easily configured from the command line, e.g. ovn-nbctl lrp-set-gate‐
2705 way-chassis lrp chassis.
2706 ha_chassis_group: optional HA_Chassis_Group
2708 Designates an HA_Chassis_Group to provide gateway high avail‐
2709 ability.
2710 gateway_chassis: set of Gateway_Chassises
2712 Designates one or more Gateway_Chassis for the logical router
2713 port.
2714 Options for Physical VLAN MTU Issues:
2716 MTU issues arise in mixing tunnels with logical networks that are
2718 bridged to a physical VLAN. For an explanation of the MTU issues, see
2719 Physical VLAN MTU Issues in the OVN architecture document. The follow‐
2720 ing options, which are alternatives, provide solutions. Both of them
2721 cause packets to be sent over localnet instead of tunnels, but they
2722 differ in whether some or all packets are sent this way. The most prom‐
2723 inent tradeoff between these options is that reside-on-redirect-chassis
2724 is easier to configure and that redirect-type performs better for east-
2725 west traffic.
2726 options : reside-on-redirect-chassis: optional string, either true or
2728 false
2729 If set to true, this option forces all traffic across the logi‐
2730 cal router port to pass through the gateway chassis using a hop
2731 across a localnet port. This changes behavior in two ways:
2732 • Without this option, east-west traffic passes directly
2734 between source and destination chassis (or even within a
2735 single chassis, for co-located VMs). With this option,
2736 all east-west traffic passes through the gateway chassis.
2737 • Without this option, traffic between the gateway chassis
2739 and other chassis is encapsulated in tunnels. With this
2740 option, traffic passes over a localnet interface.
2741 This option may usefully be set only on logical router ports
2743 that connect a distributed logical router to a logical switch
2744 with VIFs. It should not be set on a distributed gateway port.
2745 OVN honors this option only if the logical router has one and
2747 only one distributed gateway port and if the LRP’s peer switch
2748 has a localnet port.
2749 options : redirect-type: optional string, either bridged or overlay
2751 If set to bridged on a distributed gateway port, this option
2752 causes OVN to redirect packets to the gateway chassis over a lo‐
2753 calnet port instead of a tunnel. The relevant chassis must share
2754 a localnet port.
2755 This feature requires the administrator or the CMS to configure
2757 each participating chassis with a unique Ethernet address for
2758 the logical router by setting ovn-chassis-mac-mappings in the
2759 Open vSwitch database, for use by ovn-controller.
2760 Setting this option to overlay or leaving it unset has no ef‐
2762 fect. This option may usefully be set only on a distributed
2763 gateway port when there is one and only one distributed gateway
2764 port on the logical router. It is otherwise ignored.
2765 ipv6_prefix: set of strings
2767 This column contains IPv6 prefix obtained by prefix delegation
2768 router according to RFC 3633
2769 ipv6_ra_configs:
2771 This column defines the IPv6 ND RA address mode and ND MTU Option to be
2773 included by ovn-controller when it replies to the IPv6 Router solicita‐
2774 tion requests.
2775 ipv6_ra_configs : address_mode: optional string
2777 The address mode to be used for IPv6 address configuration. The
2778 supported values are:
2779 • slaac: Address configuration using Router Advertisement
2781 (RA) packet. The IPv6 prefixes defined in the Logi‐
2782 cal_Router_Port table’s networks column will be included
2783 in the RA’s ICMPv6 option - Prefix information.
2784 • dhcpv6_stateful: Address configuration using DHCPv6.
2786 • dhcpv6_stateless: Address configuration using Router Ad‐
2788 vertisement (RA) packet. Other IPv6 options are provided
2789 by DHCPv6.
2790 ipv6_ra_configs : router_preference: optional string
2792 Default Router Preference (PRF) indicates whether to prefer this
2793 router over other default routers (RFC 4191). Possible values
2794 are:
2795 • HIGH: mapped to 0x01 in RA PRF field
2797 • MEDIUM: mapped to 0x00 in RA PRF field
2799 • LOW: mapped to 0x11 in RA PRF field
2801 ipv6_ra_configs : route_info: optional string
2803 Route Info is used to configure Route Info Option sent in Router
2804 Advertisement according to RFC 4191. Route Info is a comma sepa‐
2805 rated string where each field provides PRF and prefix for a
2806 given route (e.g: HIGH-aef1::11/48,LOW-aef2::11/96) Possible PRF
2807 values are:
2808 • HIGH: mapped to 0x01 in RA PRF field
2810 • MEDIUM: mapped to 0x00 in RA PRF field
2812 • LOW: mapped to 0x11 in RA PRF field
2814 ipv6_ra_configs : mtu: optional string
2816 The recommended MTU for the link. Default is 0, which means no
2817 MTU Option will be included in RA packet replied by ovn-con‐
2818 troller. Per RFC 2460, the mtu value is recommended no less than
2819 1280, so any mtu value less than 1280 will be considered as no
2820 MTU Option.
2821 ipv6_ra_configs : send_periodic: optional string
2823 If set to true, then this router interface will send router ad‐
2824 vertisements periodically. The default is false.
2825 ipv6_ra_configs : max_interval: optional string
2827 The maximum number of seconds to wait between sending periodic
2828 router advertisements. This option has no effect if ipv6_ra_con‐
2829 figs:send_periodic is false. The default is 600.
2830 ipv6_ra_configs : min_interval: optional string
2832 The minimum number of seconds to wait between sending periodic
2833 router advertisements. This option has no effect if ipv6_ra_con‐
2834 figs:send_periodic is false. The default is one-third of
2835 ipv6_ra_configs:max_interval, i.e. 200 seconds if that key is
2836 unset.
2837 ipv6_ra_configs : rdnss: optional string
2839 IPv6 address of RDNSS server announced in RA packets. At the mo‐
2840 ment OVN supports just one RDNSS server.
2841 ipv6_ra_configs : dnssl: optional string
2843 DNS Search List announced in RA packets. Multiple DNS Search
2844 List must be ’comma’ separated (e.g. "a.b.c, d.e.f")
2845 Options:
2847 Additional options for the logical router port.
2849 options : mcast_flood: optional string, either true or false
2851 If set to true, multicast traffic (including reports) are uncon‐
2852 ditionally forwarded to the specific port.
2853 This option applies when the port is part of a logical router
2855 which has options:mcast_relay set to true.
2856 Default: false.
2858 options : requested-tnl-key: optional string, containing an integer, in
2860 range 1 to 32,767
2861 Configures the port binding tunnel key for the port. Usually
2862 this is not needed because ovn-northd will assign an unique key
2863 for each port by itself. However, if it is configured,
2864 ovn-northd honors the configured value.
2865 options : prefix_delegation: optional string, either true or false
2867 If set to true, enable IPv6 prefix delegation state machine on
2868 this logical router port (RFC3633). IPv6 prefix delegation is
2869 available just on a gateway router or on a gateway router port.
2870 options : prefix: optional string, either true or false
2872 If set to true, this interface will receive an IPv6 prefix ac‐
2873 cording to RFC3663
2874 options : route_table: optional string
2876 Designates lookup Logical_Router_Static_Routes with specified
2877 route_table value. Routes to directly connected networks from
2878 same Logical Router and routes without route_table option set
2879 have higher priority than routes with route_table option set.
2880 options : gateway_mtu: optional string, containing an integer, in range
2882 68 to 65,535
2883 If set, logical flows will be added to router pipeline to check
2884 packet length. If packet length is greater than the value set,
2885 ICMPv4 type 3 (Destination Unreachable) code 4 (Fragmentation
2886 Needed and Don’t Fragment was Set) or ICMPv6 type 2 (Packet Too
2887 Big) code 0 (no route to destination) packets will be generated.
2888 This allows for Path MTU Discovery.
2889 options : gateway_mtu_bypass: optional string
2891 When configured, represents a match expression, in the same ex‐
2892 pression language used for the match column in the OVN South‐
2893 bound database’s Logical_Flow table. Packets matching this ex‐
2894 pression will bypass the length check configured through the op‐
2895 tions:gateway_mtu option.
2896 Attachment:
2898 A given router port serves one of two purposes:
2900 • To attach a logical switch to a logical router. A logical
2902 router port of this type is referenced by exactly one
2903 Logical_Switch_Port of type router. The value of name is
2904 set as router-port in column options of Logi‐
2905 cal_Switch_Port. In this case peer column is empty.
2906 • To connect one logical router to another. This requires a
2908 pair of logical router ports, each connected to a differ‐
2909 ent router. Each router port in the pair specifies the
2910 other in its peer column. No Logical_Switch refers to the
2911 router port.
2912 peer: optional string
2914 For a router port used to connect two logical routers, this
2915 identifies the other router port in the pair by name.
2916 For a router port attached to a logical switch, this column is
2918 empty.
2919 Common Columns:
2921 external_ids: map of string-string pairs
2923 See External IDs at the beginning of this document.
2924 The ovn-northd program copies all these pairs into the exter‐
2926 nal_ids column of the Port_Binding table in OVN_Southbound data‐
2927 base.
2928 Status:
2930 Additional status about the logical router port.
2932 status : hosting-chassis: optional string
2934 This option is populated by ovn-northd.
2935 When a distributed gateway port is bound to a location in the
2937 OVN Southbound database Port_Binding ovn-northd will populate
2938 this key with the name of the Chassis that is currently hosting
2939 this port.
2941 Each record represents a static route.
2942 When multiple routes match a packet, the longest-prefix match is cho‐
2944 sen. For a given prefix length, a dst-ip route is preferred over a
2945 src-ip route.
2946 When there are ECMP routes, i.e. multiple routes with same prefix and
2948 policy, one of them will be selected based on the 5-tuple hashing of
2949 the packet header.
2950 Summary:
2952 ip_prefix string
2953 policy optional string, either dst-ip or src-ip
2954 nexthop string
2955 output_port optional string
2956 bfd optional weak reference to BFD
2957 route_table string
2958 external_ids : ic-learned-route
2959 optional string
2960 Common Columns:
2961 external_ids map of string-string pairs
2962 Common options:
2963 options map of string-string pairs
2964 options : ecmp_symmetric_reply
2965 optional string
2966 options : origin optional string
2967 Details:
2969 ip_prefix: string
2970 IP prefix of this route (e.g. 192.168.100.0/24).
2971 policy: optional string, either dst-ip or src-ip
2973 If it is specified, this setting describes the policy used to
2974 make routing decisions. This setting must be one of the follow‐
2975 ing strings:
2976 • src-ip: This policy sends the packet to the nexthop when
2978 the packet’s source IP address matches ip_prefix.
2979 • dst-ip: This policy sends the packet to the nexthop when
2981 the packet’s destination IP address matches ip_prefix.
2982 If not specified, the default is dst-ip.
2984 nexthop: string
2986 Nexthop IP address for this route. Nexthop IP address should be
2987 the IP address of a connected router port or the IP address of a
2988 logical port or can be set to discard for dropping packets which
2989 match the given route.
2990 output_port: optional string
2992 The name of the Logical_Router_Port via which the packet needs
2993 to be sent out. This is optional and when not specified, OVN
2994 will automatically figure this out based on the nexthop. When
2995 this is specified and there are multiple IP addresses on the
2996 router port and none of them are in the same subnet of nexthop,
2997 OVN chooses the first IP address as the one via which the nex‐
2998 thop is reachable.
2999 bfd: optional weak reference to BFD
3001 Reference to BFD row if the route has associated a BFD session
3002 route_table: string
3004 Any string to place route to separate routing table. If Logical
3005 Router Port has configured value in options:route_table other
3006 than empty string, OVN performs route lookup for all packets en‐
3007 tering Logical Router ingress pipeline from this port in the
3008 following manner:
3009 • 1. First lookup among "global" routes: routes without
3011 route_table value set and routes to directly connected
3012 networks.
3013 • 2. Next lookup among routes with same route_table value
3015 as specified in LRP’s options:route_table field.
3016 external_ids : ic-learned-route: optional string
3018 ovn-ic populates this key if the route is learned from the
3019 global OVN_IC_Southbound database. In this case the value will
3020 be set to the uuid of the row in Route table of the
3021 OVN_IC_Southbound database.
3022 Common Columns:
3024 external_ids: map of string-string pairs
3026 See External IDs at the beginning of this document.
3027 Common options:
3029 options: map of string-string pairs
3031 This column provides general key/value settings. The supported
3032 options are described individually below.
3033 options : ecmp_symmetric_reply: optional string
3035 If true, then new traffic that arrives over this route will have
3036 its reply traffic bypass ECMP route selection and will be sent
3037 out this route instead. Note that this option overrides any
3038 rules set in the Logical_Router_policy table. This option only
3039 works on gateway routers (routers that have options:chassis
3040 set).
3041 options : origin: optional string
3043 In case ovn-interconnection has been learned this route, it will
3044 have its origin set: either "connected" or "static". This key is
3045 supposed to be written only by ovn-ic daemon. ovn-northd then
3046 checks this value when generating Logical Flows. Logi‐
3047 cal_Router_Static_Route records with same ip_prefix within same
3048 Logical Router will have next lookup order based on origin key
3049 value:
3050 1. connected
3052 2. static
3054
3056 Each row in this table represents one routing policy for a logical
3057 router that points to it through its policies column. The action column
3058 for the highest-priority matching row in this table determines a
3059 packet’s treatment. If no row matches, packets are allowed by default.
3060 (Default-deny treatment is possible: add a rule with priority 0, 1 as
3061 match, and drop as action.)
3062 Summary:
3064 priority integer, in range 0 to 32,767
3065 match string
3066 action string, one of allow, drop, or reroute
3067 nexthop optional string
3068 nexthops set of strings
3069 options : pkt_mark optional string
3070 Common Columns:
3071 external_ids map of string-string pairs
3072 Details:
3074 priority: integer, in range 0 to 32,767
3075 The routing policy’s priority. Rules with numerically higher
3076 priority take precedence over those with lower. A rule is
3077 uniquely identified by the priority and match string.
3078 match: string
3080 The packets that the routing policy should match, in the same
3081 expression language used for the match column in the OVN South‐
3082 bound database’s Logical_Flow table.
3083 By default all traffic is allowed. When writing a more restric‐
3085 tive policy, it is important to remember to allow flows such as
3086 ARP and IPv6 neighbor discovery packets.
3087 action: string, one of allow, drop, or reroute
3089 The action to take when the routing policy matches:
3090 • allow: Forward the packet.
3092 • drop: Silently drop the packet.
3094 • reroute: Reroute packet to nexthop or nexthops.
3096 nexthop: optional string
3098 Note: This column is deprecated in favor of nexthops.
3099 Next-hop IP address for this route, which should be the IP ad‐
3101 dress of a connected router port or the IP address of a logical
3102 port.
3103 nexthops: set of strings
3105 Next-hop ECMP IP addresses for this route. Each IP in the list
3106 should be the IP address of a connected router port or the IP
3107 address of a logical port.
3108 One IP from the list is selected as next hop.
3110 options : pkt_mark: optional string
3112 Marks the packet with the value specified when the router policy
3113 is applied. CMS can inspect this packet marker and take some de‐
3114 cisions if desired. This value is not preserved when the packet
3115 goes out on the wire.
3116 Common Columns:
3118 external_ids: map of string-string pairs
3120 See External IDs at the beginning of this document.
3121
3123 Each record represents a NAT rule.
3124 Summary:
3126 type string, one of dnat, dnat_and_snat, or
3127 snat
3128 external_ip string
3129 external_mac optional string
3130 external_port_range string
3131 logical_ip string
3132 logical_port optional string
3133 allowed_ext_ips optional Address_Set
3134 exempted_ext_ips optional Address_Set
3135 gateway_port optional weak reference to Logi‐
3136 cal_Router_Port
3137 options : stateless optional string
3138 options : add_route optional string
3139 Common Columns:
3140 external_ids map of string-string pairs
3141 Details:
3143 type: string, one of dnat, dnat_and_snat, or snat
3144 Type of the NAT rule.
3145 • When type is dnat, the externally visible IP address ex‐
3147 ternal_ip is DNATted to the IP address logical_ip in the
3148 logical space.
3149 • When type is snat, IP packets with their source IP ad‐
3151 dress that either matches the IP address in logical_ip or
3152 is in the network provided by logical_ip is SNATed into
3153 the IP address in external_ip.
3154 • When type is dnat_and_snat, the externally visible IP ad‐
3156 dress external_ip is DNATted to the IP address logical_ip
3157 in the logical space. In addition, IP packets with the
3158 source IP address that matches logical_ip is SNATed into
3159 the IP address in external_ip.
3160 external_ip: string
3162 An IPv4 address.
3163 external_mac: optional string
3165 A MAC address.
3166 This is only used on the gateway port on distributed routers.
3168 This must be specified in order for the NAT rule to be processed
3169 in a distributed manner on all chassis. If this is not specified
3170 for a NAT rule on a distributed router, then this NAT rule will
3171 be processed in a centralized manner on the gateway port in‐
3172 stance on the gateway chassis.
3173 This MAC address must be unique on the logical switch that the
3175 gateway port is attached to. If the MAC address used on the log‐
3176 ical_port is globally unique, then that MAC address can be spec‐
3177 ified as this external_mac.
3178 external_port_range: string
3180 L4 source port range
3181 Range of ports, from which a port number will be picked that
3183 will replace the source port of to be NATed packet. This is ba‐
3184 sically PAT (port address translation).
3185 Value of the column is in the format, port_lo-port_hi. For exam‐
3187 ple: external_port_range : "1-30000"
3188 Valid range of ports is 1-65535.
3190 logical_ip: string
3192 An IPv4 network (e.g 192.168.1.0/24) or an IPv4 address.
3193 logical_port: optional string
3195 The name of the logical port where the logical_ip resides.
3196 This is only used on distributed routers. This must be specified
3198 in order for the NAT rule to be processed in a distributed man‐
3199 ner on all chassis. If this is not specified for a NAT rule on a
3200 distributed router, then this NAT rule will be processed in a
3201 centralized manner on the gateway port instance on the gateway
3202 chassis.
3203 allowed_ext_ips: optional Address_Set
3205 It represents Address Set of external ips that NAT rule is ap‐
3206 plicable to. For SNAT type NAT rules, this refers to destination
3207 addresses. For DNAT type NAT rules, this refers to source ad‐
3208 dresses.
3209 This configuration overrides the default NAT behavior of apply‐
3211 ing a rule solely based on internal IP. Without this configura‐
3212 tion, NAT happens without considering the external IP (i.e
3213 dest/source for snat/dnat type rule). With this configuration
3214 NAT rule is applied ONLY if external ip is in the input Address
3215 Set.
3216 exempted_ext_ips: optional Address_Set
3218 It represents Address Set of external ips that NAT rule is NOT
3219 applicable to. For SNAT type NAT rules, this refers to destina‐
3220 tion addresses. For DNAT type NAT rules, this refers to source
3221 addresses.
3222 This configuration overrides the default NAT behavior of apply‐
3224 ing a rule solely based on internal IP. Without this configura‐
3225 tion, NAT happens without considering the external IP (i.e
3226 dest/source for snat/dnat type rule). With this configuration
3227 NAT rule is NOT applied if external ip is in the input Address
3228 Set.
3229 If there are NAT rules in a logical router with overlapping IP
3231 prefixes (including /32), then usage of exempted_ext_ips should
3232 be avoided in following scenario. a. SNAT rule (let us say
3233 RULE1) with logical_ip PREFIX/MASK (let us say 50.0.0.0/24). b.
3234 SNAT rule (let us say RULE2) with logical_ip PREFIX/MASK+1 (let
3235 us say 50.0.0.0/25). c. Now, if exempted_ext_ips is associated
3236 with RULE2, then a logical ip which matches both 50.0.0.0/24 and
3237 50.0.0.0/25 may get the RULE2 applied to it instead of RULE1.
3238 allowed_ext_ips and exempted_ext_ips are mutually exclusive to
3240 each other. If both Address Sets are set for a rule, then the
3241 NAT rule is not considered.
3242 gateway_port: optional weak reference to Logical_Router_Port
3244 A distributed gateway port in the Logical_Router_Port table
3245 where the NAT rule needs to be applied.
3246 When multiple distributed gateway ports are configured on a Log‐
3248 ical_Router, applying a NAT rule at each of the distributed
3249 gateway ports might not be desired. Consider the case where a
3250 logical router has 2 distributed gateway port, one with networks
3251 50.0.0.10/24 and the other with networks 60.0.0.10/24. If the
3252 logical router has a NAT rule of type snat, logical_ip
3253 10.1.1.0/24 and external_ip 50.1.1.20/24, the rule needs to be
3254 selectively applied on matching packets entering/leaving through
3255 the distributed gateway port with networks 50.0.0.10/24.
3256 When a logical router has multiple distributed gateway ports and
3258 this column is not set for a NAT rule, then the rule will be ap‐
3259 plied at the distributed gateway port which is in the same net‐
3260 work as the external_ip of the NAT rule, if such a router port
3261 exists. If logical router has a single distributed gateway port
3262 and this column is not set for a NAT rule, the rule will be ap‐
3263 plied at the distributed gateway port even if the router port is
3264 not in the same network as the external_ip of the NAT rule.
3265 options : stateless: optional string
3267 Indicates if a dnat_and_snat rule should lead to connection
3268 tracking state or not.
3269 options : add_route: optional string
3271 If set to true, then neighbor routers will have logical flows
3272 added that will allow for routing to the NAT address. It also
3273 will have ARP resolution logical flows added. By setting this
3274 option, it means there is no reason to create a Logi‐
3275 cal_Router_Static_Route from neighbor routers to this NAT ad‐
3276 dress. It also means that no ARP request is required for neigh‐
3277 bor routers to learn the IP-MAC mapping for this NAT address.
3278 This option only applies to NATs of type dnat and dnat_and_snat.
3279 For more information about what flows are added for IP routes,
3280 please see the ovn-northd manpage section on IP Routing.
3281 Common Columns:
3283 external_ids: map of string-string pairs
3285 See External IDs at the beginning of this document.
3286
3288 OVN implements native DHCPv4 support which caters to the common use
3289 case of providing an IPv4 address to a booting instance by providing
3290 stateless replies to DHCPv4 requests based on statically configured ad‐
3291 dress mappings. To do this it allows a short list of DHCPv4 options to
3292 be configured and applied at each compute host running ovn-controller.
3293 OVN also implements native DHCPv6 support which provides stateless
3295 replies to DHCPv6 requests.
3296 Summary:
3298 cidr string
3299 DHCPv4 options:
3300 Mandatory DHCPv4 options:
3301 options : server_id optional string
3302 options : server_mac optional string
3303 options : lease_time optional string, containing an integer,
3304 in range 0 to 4,294,967,295
3305 IPv4 DHCP Options:
3306 options : router optional string
3307 options : netmask optional string
3308 options : dns_server optional string
3309 options : log_server optional string
3310 options : lpr_server optional string
3311 options : swap_server optional string
3312 options : policy_filter optional string
3313 options : router_solicitation
3314 optional string
3315 options : nis_server optional string
3316 options : ntp_server optional string
3317 options : netbios_name_server
3318 optional string
3319 options : classless_static_route
3320 optional string
3321 options : ms_classless_static_route
3322 optional string
3323 options : next_server optional string
3324 Boolean DHCP Options:
3325 options : ip_forward_enable
3326 optional string, either 0 or 1
3327 options : router_discovery
3328 optional string, either 0 or 1
3329 options : ethernet_encap optional string, either 0 or 1
3330 Integer DHCP Options:
3331 options : default_ttl optional string, containing an integer,
3332 in range 0 to 255
3333 options : tcp_ttl optional string, containing an integer,
3334 in range 0 to 255
3335 options : mtu optional string, containing an integer,
3336 in range 68 to 65,535
3337 options : T1 optional string, containing an integer,
3338 in range 68 to 4,294,967,295
3339 options : T2 optional string, containing an integer,
3340 in range 68 to 4,294,967,295
3341 options : arp_cache_timeout
3342 optional string, containing an integer,
3343 in range 0 to 255
3344 options : tcp_keepalive_interval
3345 optional string, containing an integer,
3346 in range 0 to 255
3347 options : netbios_node_type
3348 optional string, containing an integer,
3349 in range 0 to 255
3350 String DHCP Options:
3351 options : wpad optional string
3352 options : bootfile_name optional string
3353 options : path_prefix optional string
3354 options : tftp_server_address
3355 optional string
3356 options : hostname optional string
3357 options : domain_name optional string
3358 options : bootfile_name_alt
3359 optional string
3360 options : broadcast_address
3361 optional string
3362 DHCP Options of type host_id:
3363 options : tftp_server optional string
3364 DHCP Options of type domains:
3365 options : domain_search_list
3366 optional string
3367 DHCPv6 options:
3368 Mandatory DHCPv6 options:
3369 options : server_id optional string
3370 IPv6 DHCPv6 options:
3371 options : dns_server optional string
3372 String DHCPv6 options:
3373 options : domain_search optional string
3374 options : dhcpv6_stateless
3375 optional string
3376 options : fqdn optional string
3377 Common Columns:
3378 external_ids map of string-string pairs
3379 Details:
3381 cidr: string
3382 The DHCPv4/DHCPv6 options will be included if the logical port
3383 has its IP address in this cidr.
3384 DHCPv4 options:
3386 The CMS should define the set of DHCPv4 options as key/value pairs in
3388 the options column of this table. For ovn-controller to include these
3389 DHCPv4 options, the dhcpv4_options of Logical_Switch_Port should refer
3390 to an entry in this table.
3391 Mandatory DHCPv4 options:
3393 The following options must be defined.
3395 options : server_id: optional string
3397 The IP address for the DHCP server to use. This should be in the
3398 subnet of the offered IP. This is also included in the DHCP of‐
3399 fer as option 54, ``server identifier.’’
3400 options : server_mac: optional string
3402 The Ethernet address for the DHCP server to use.
3403 options : lease_time: optional string, containing an integer, in range
3405 0 to 4,294,967,295
3406 The offered lease time in seconds,
3407 The DHCPv4 option code for this option is 51.
3409 IPv4 DHCP Options:
3411 Below are the supported DHCPv4 options whose values are an IPv4 ad‐
3413 dress, e.g. 192.168.1.1. Some options accept multiple IPv4 addresses
3414 enclosed within curly braces, e.g. {192.168.1.2, 192.168.1.3}. Please
3415 refer to RFC 2132 for more details on DHCPv4 options and their codes.
3416 options : router: optional string
3418 The IP address of a gateway for the client to use. This should
3419 be in the subnet of the offered IP. The DHCPv4 option code for
3420 this option is 3.
3421 options : netmask: optional string
3423 The DHCPv4 option code for this option is 1.
3424 options : dns_server: optional string
3426 The DHCPv4 option code for this option is 6.
3427 options : log_server: optional string
3429 The DHCPv4 option code for this option is 7.
3430 options : lpr_server: optional string
3432 The DHCPv4 option code for this option is 9.
3433 options : swap_server: optional string
3435 The DHCPv4 option code for this option is 16.
3436 options : policy_filter: optional string
3438 The DHCPv4 option code for this option is 21.
3439 options : router_solicitation: optional string
3441 The DHCPv4 option code for this option is 32.
3442 options : nis_server: optional string
3444 The DHCPv4 option code for this option is 41.
3445 options : ntp_server: optional string
3447 The DHCPv4 option code for this option is 42.
3448 options : netbios_name_server: optional string
3450 The DHCPv4 option code for this option is 44.
3451 options : classless_static_route: optional string
3453 The DHCPv4 option code for this option is 121.
3454 This option can contain one or more static routes, each of which
3456 consists of a destination descriptor and the IP address of the
3457 router that should be used to reach that destination. Please see
3458 RFC 3442 for more details.
3459 Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
3461 options : ms_classless_static_route: optional string
3463 The DHCPv4 option code for this option is 249. This option is
3464 similar to classless_static_route supported by Microsoft Windows
3465 DHCPv4 clients.
3466 options : next_server: optional string
3468 The DHCPv4 option code for setting the "Next server IP address"
3469 field in the DHCP header.
3470 Boolean DHCP Options:
3472 These options accept a Boolean value, expressed as 0 for false or 1 for
3474 true.
3475 options : ip_forward_enable: optional string, either 0 or 1
3477 The DHCPv4 option code for this option is 19.
3478 options : router_discovery: optional string, either 0 or 1
3480 The DHCPv4 option code for this option is 31.
3481 options : ethernet_encap: optional string, either 0 or 1
3483 The DHCPv4 option code for this option is 36.
3484 Integer DHCP Options:
3486 These options accept a nonnegative integer value.
3488 options : default_ttl: optional string, containing an integer, in range
3490 0 to 255
3491 The DHCPv4 option code for this option is 23.
3492 options : tcp_ttl: optional string, containing an integer, in range 0
3494 to 255
3495 The DHCPv4 option code for this option is 37.
3496 options : mtu: optional string, containing an integer, in range 68 to
3498 65,535
3499 The DHCPv4 option code for this option is 26.
3500 options : T1: optional string, containing an integer, in range 68 to
3502 4,294,967,295
3503 This specifies the time interval from address assignment until
3504 the client begins trying to renew its address. The DHCPv4 option
3505 code for this option is 58.
3506 options : T2: optional string, containing an integer, in range 68 to
3508 4,294,967,295
3509 This specifies the time interval from address assignment until
3510 the client begins trying to rebind its address. The DHCPv4 op‐
3511 tion code for this option is 59.
3512 options : arp_cache_timeout: optional string, containing an integer, in
3514 range 0 to 255
3515 The DHCPv4 option code for this option is 35. This option speci‐
3516 fies the timeout in seconds for ARP cache entries.
3517 options : tcp_keepalive_interval: optional string, containing an inte‐
3519 ger, in range 0 to 255
3520 The DHCPv4 option code for this option is 38. This option speci‐
3521 fies the interval that the client TCP should wait before sending
3522 a keepalive message on a TCP connection.
3523 options : netbios_node_type: optional string, containing an integer, in
3525 range 0 to 255
3526 The DHCPv4 option code for this option is 46.
3527 String DHCP Options:
3529 These options accept a string value.
3531 options : wpad: optional string
3533 The DHCPv4 option code for this option is 252. This option is
3534 used as part of web proxy auto discovery to provide a URL for a
3535 web proxy.
3536 options : bootfile_name: optional string
3538 The DHCPv4 option code for this option is 67. This option is
3539 used to identify a bootfile.
3540 options : path_prefix: optional string
3542 The DHCPv4 option code for this option is 210. In PXELINUX’ case
3543 this option is used to set a common path prefix, instead of de‐
3544 riving it from the bootfile name.
3545 options : tftp_server_address: optional string
3547 The DHCPv4 option code for this option is 150. The option con‐
3548 tains one or more IPv4 addresses that the client MAY use. This
3549 option is Cisco proprietary, the IEEE standard that matches with
3550 this requirement is option 66 (tftp_server).
3551 options : hostname: optional string
3553 The DHCPv4 option code for this option is 12. If set, indicates
3554 the DHCPv4 option "Hostname". Alternatively, this option can be
3555 configured in options:hostname column in table Logi‐
3556 cal_Switch_Port. If Hostname option value is set in both con‐
3557 flicting Logical_Switch_Port and DHCP_Options tables, Logi‐
3558 cal_Switch_Port takes precedence.
3559 options : domain_name: optional string
3561 The DHCPv4 option code for this option is 15. This option speci‐
3562 fies the domain name that client should use when resolving host‐
3563 names via the Domain Name System.
3564 options : bootfile_name_alt: optional string
3566 "bootfile_name_alt" option is used to support iPXE. When both
3567 "bootfile_name" and "bootfile_name_alt" are provided by the CMS,
3568 "bootfile_name" will be used for option 67 if the dhcp request
3569 contains etherboot option (175), otherwise "bootfile_name_alt"
3570 will be used.
3571 options : broadcast_address: optional string
3573 The DHCPv4 option code for this option is 28. This option speci‐
3574 fies the IP address used as a broadcast address.
3575 DHCP Options of type host_id:
3577 These options accept either an IPv4 address or a string value.
3579 options : tftp_server: optional string
3581 The DHCPv4 option code for this option is 66.
3582 DHCP Options of type domains:
3584 These options accept string value which is a comma separated list of
3586 domain names. The domain names are encoded based on RFC 1035.
3587 options : domain_search_list: optional string
3589 The DHCPv4 option code for this option is 119.
3590 DHCPv6 options:
3592 OVN also implements native DHCPv6 support. The CMS should define the
3594 set of DHCPv6 options as key/value pairs. The define DHCPv6 options
3595 will be included in the DHCPv6 response to the DHCPv6 Solicit/Re‐
3596 quest/Confirm packet from the logical ports having the IPv6 addresses
3597 in the cidr.
3598 Mandatory DHCPv6 options:
3600 The following options must be defined.
3602 options : server_id: optional string
3604 The Ethernet address for the DHCP server to use. This is also
3605 included in the DHCPv6 reply as option 2, ``Server Identifier’’
3606 to carry a DUID identifying a server between a client and a
3607 server. ovn-controller defines DUID based on Link-layer Address
3608 [DUID-LL].
3609 IPv6 DHCPv6 options:
3611 Below are the supported DHCPv6 options whose values are an IPv6 ad‐
3613 dress, e.g. aef0::4. Some options accept multiple IPv6 addresses en‐
3614 closed within curly braces, e.g. {aef0::4, aef0::5}. Please refer to
3615 RFC 3315 for more details on DHCPv6 options and their codes.
3616 options : dns_server: optional string
3618 The DHCPv6 option code for this option is 23. This option speci‐
3619 fies the DNS servers that the VM should use.
3620 String DHCPv6 options:
3622 These options accept string values.
3624 options : domain_search: optional string
3626 The DHCPv6 option code for this option is 24. This option speci‐
3627 fies the domain search list the client should use to resolve
3628 hostnames with DNS.
3629 Example: "ovn.org".
3631 options : dhcpv6_stateless: optional string
3633 This option specifies the OVN native DHCPv6 will work in state‐
3634 less mode, which means OVN native DHCPv6 will not offer IPv6 ad‐
3635 dresses for VM/VIF ports, but only reply other configurations,
3636 such as DNS and domain search list. When setting this option
3637 with string value "true", VM/VIF will configure IPv6 addresses
3638 by stateless way. Default value for this option is false.
3639 options : fqdn: optional string
3641 The DHCPv6 option code for this option is 39. If set, indicates
3642 the DHCPv6 option "FQDN".
3643 Common Columns:
3645 external_ids: map of string-string pairs
3647 See External IDs at the beginning of this document.
3648
3650 Configuration for a database connection to an Open vSwitch database
3651 (OVSDB) client.
3652 This table primarily configures the Open vSwitch database server
3654 (ovsdb-server).
3655 The Open vSwitch database server can initiate and maintain active con‐
3657 nections to remote clients. It can also listen for database connec‐
3658 tions.
3659 Summary:
3661 Core Features:
3662 target string (must be unique within table)
3663 Client Failure Detection and Handling:
3664 max_backoff optional integer, at least 1,000
3665 inactivity_probe optional integer
3666 Status:
3667 is_connected boolean
3668 status : last_error optional string
3669 status : state optional string, one of ACTIVE, BACKOFF,
3670 CONNECTING, IDLE, or VOID
3671 status : sec_since_connect optional string, containing an integer,
3672 at least 0
3673 status : sec_since_disconnect
3674 optional string, containing an integer,
3675 at least 0
3676 status : locks_held optional string
3677 status : locks_waiting optional string
3678 status : locks_lost optional string
3679 status : n_connections optional string, containing an integer,
3680 at least 2
3681 status : bound_port optional string, containing an integer
3682 Common Columns:
3683 external_ids map of string-string pairs
3684 other_config map of string-string pairs
3685 Details:
3687 Core Features:
3688 target: string (must be unique within table)
3690 Connection methods for clients.
3691 The following connection methods are currently supported:
3693 ssl:host[:port]
3695 The specified SSL port on the host at the given host,
3696 which can either be a DNS name (if built with unbound li‐
3697 brary) or an IP address. A valid SSL configuration must
3698 be provided when this form is used, this configuration
3699 can be specified via command-line options or the SSL ta‐
3700 ble.
3701 If port is not specified, it defaults to 6640.
3703 SSL support is an optional feature that is not always
3705 built as part of Open vSwitch.
3706 tcp:host[:port]
3708 The specified TCP port on the host at the given host,
3709 which can either be a DNS name (if built with unbound li‐
3710 brary) or an IP address. If host is an IPv6 address, wrap
3711 it in square brackets, e.g. tcp:[::1]:6640.
3712 If port is not specified, it defaults to 6640.
3714 pssl:[port][:host]
3716 Listens for SSL connections on the specified TCP port.
3717 Specify 0 for port to have the kernel automatically
3718 choose an available port. If host, which can either be a
3719 DNS name (if built with unbound library) or an IP ad‐
3720 dress, is specified, then connections are restricted to
3721 the resolved or specified local IPaddress (either IPv4 or
3722 IPv6 address). If host is an IPv6 address, wrap in square
3723 brackets, e.g. pssl:6640:[::1]. If host is not specified
3724 then it listens only on IPv4 (but not IPv6) addresses. A
3725 valid SSL configuration must be provided when this form
3726 is used, this can be specified either via command-line
3727 options or the SSL table.
3728 If port is not specified, it defaults to 6640.
3730 SSL support is an optional feature that is not always
3732 built as part of Open vSwitch.
3733 ptcp:[port][:host]
3735 Listens for connections on the specified TCP port. Spec‐
3736 ify 0 for port to have the kernel automatically choose an
3737 available port. If host, which can either be a DNS name
3738 (if built with unbound library) or an IP address, is
3739 specified, then connections are restricted to the re‐
3740 solved or specified local IP address (either IPv4 or IPv6
3741 address). If host is an IPv6 address, wrap it in square
3742 brackets, e.g. ptcp:6640:[::1]. If host is not specified
3743 then it listens only on IPv4 addresses.
3744 If port is not specified, it defaults to 6640.
3746 When multiple clients are configured, the target values must be
3748 unique. Duplicate target values yield unspecified results.
3749 Client Failure Detection and Handling:
3751 max_backoff: optional integer, at least 1,000
3753 Maximum number of milliseconds to wait between connection at‐
3754 tempts. Default is implementation-specific.
3755 inactivity_probe: optional integer
3757 Maximum number of milliseconds of idle time on connection to the
3758 client before sending an inactivity probe message. If Open
3759 vSwitch does not communicate with the client for the specified
3760 number of seconds, it will send a probe. If a response is not
3761 received for the same additional amount of time, Open vSwitch
3762 assumes the connection has been broken and attempts to recon‐
3763 nect. Default is implementation-specific. A value of 0 disables
3764 inactivity probes.
3765 Status:
3767 Key-value pair of is_connected is always updated. Other key-value pairs
3769 in the status columns may be updated depends on the target type.
3770 When target specifies a connection method that listens for inbound con‐
3772 nections (e.g. ptcp: or punix:), both n_connections and is_connected
3773 may also be updated while the remaining key-value pairs are omitted.
3774 On the other hand, when target specifies an outbound connection, all
3776 key-value pairs may be updated, except the above-mentioned two key-
3777 value pairs associated with inbound connection targets. They are omit‐
3778 ted.
3779 is_connected: boolean
3781 true if currently connected to this client, false otherwise.
3782 status : last_error: optional string
3784 A human-readable description of the last error on the connection
3785 to the manager; i.e. strerror(errno). This key will exist only
3786 if an error has occurred.
3787 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
3789 IDLE, or VOID
3790 The state of the connection to the manager:
3791 VOID Connection is disabled.
3793 BACKOFF
3795 Attempting to reconnect at an increasing period.
3796 CONNECTING
3798 Attempting to connect.
3799 ACTIVE Connected, remote host responsive.
3801 IDLE Connection is idle. Waiting for response to keep-alive.
3803 These values may change in the future. They are provided only
3805 for human consumption.
3806 status : sec_since_connect: optional string, containing an integer, at
3808 least 0
3809 The amount of time since this client last successfully connected
3810 to the database (in seconds). Value is empty if client has never
3811 successfully been connected.
3812 status : sec_since_disconnect: optional string, containing an integer,
3814 at least 0
3815 The amount of time since this client last disconnected from the
3816 database (in seconds). Value is empty if client has never dis‐
3817 connected.
3818 status : locks_held: optional string
3820 Space-separated list of the names of OVSDB locks that the con‐
3821 nection holds. Omitted if the connection does not hold any
3822 locks.
3823 status : locks_waiting: optional string
3825 Space-separated list of the names of OVSDB locks that the con‐
3826 nection is currently waiting to acquire. Omitted if the connec‐
3827 tion is not waiting for any locks.
3828 status : locks_lost: optional string
3830 Space-separated list of the names of OVSDB locks that the con‐
3831 nection has had stolen by another OVSDB client. Omitted if no
3832 locks have been stolen from this connection.
3833 status : n_connections: optional string, containing an integer, at
3835 least 2
3836 When target specifies a connection method that listens for in‐
3837 bound connections (e.g. ptcp: or pssl:) and more than one con‐
3838 nection is actually active, the value is the number of active
3839 connections. Otherwise, this key-value pair is omitted.
3840 status : bound_port: optional string, containing an integer
3842 When target is ptcp: or pssl:, this is the TCP port on which the
3843 OVSDB server is listening. (This is particularly useful when
3844 target specifies a port of 0, allowing the kernel to choose any
3845 available port.)
3846 Common Columns:
3848 The overall purpose of these columns is described under Common Columns
3850 at the beginning of this document.
3851 external_ids: map of string-string pairs
3853 other_config: map of string-string pairs
3855
3857 Each row in this table stores the DNS records. The Logical_Switch ta‐
3858 ble’s dns_records references these records.
3859 Summary:
3861 records map of string-string pairs
3862 external_ids map of string-string pairs
3863 Details:
3865 records: map of string-string pairs
3866 Key-value pair of DNS records with DNS query name as the key and
3867 value as a string of IP address(es) separated by comma or space.
3868 For PTR requests, the key-value pair can be Reverse IPv4 ad‐
3869 dress.in-addr.arpa and the value DNS domain name. For IPv6 ad‐
3870 dresses, the key has to be Reverse IPv6 address.ip6.arpa.
3871 Example: "vm1.ovn.org" = "10.0.0.4 aef0::4"
3873 Example: "4.0.0.10.in-addr.arpa" = "vm1.ovn.org"
3875 external_ids: map of string-string pairs
3877 See External IDs at the beginning of this document.
3878
3880 SSL configuration for ovn-nb database access.
3881 Summary:
3883 private_key string
3884 certificate string
3885 ca_cert string
3886 bootstrap_ca_cert boolean
3887 ssl_protocols string
3888 ssl_ciphers string
3889 Common Columns:
3890 external_ids map of string-string pairs
3891 Details:
3893 private_key: string
3894 Name of a PEM file containing the private key used as the
3895 switch’s identity for SSL connections to the controller.
3896 certificate: string
3898 Name of a PEM file containing a certificate, signed by the cer‐
3899 tificate authority (CA) used by the controller and manager, that
3900 certifies the switch’s private key, identifying a trustworthy
3901 switch.
3902 ca_cert: string
3904 Name of a PEM file containing the CA certificate used to verify
3905 that the switch is connected to a trustworthy controller.
3906 bootstrap_ca_cert: boolean
3908 If set to true, then Open vSwitch will attempt to obtain the CA
3909 certificate from the controller on its first SSL connection and
3910 save it to the named PEM file. If it is successful, it will im‐
3911 mediately drop the connection and reconnect, and from then on
3912 all SSL connections must be authenticated by a certificate
3913 signed by the CA certificate thus obtained. This option exposes
3914 the SSL connection to a man-in-the-middle attack obtaining the
3915 initial CA certificate. It may still be useful for bootstrap‐
3916 ping.
3917 ssl_protocols: string
3919 List of SSL protocols to be enabled for SSL connections. The de‐
3920 fault when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.
3921 ssl_ciphers: string
3923 List of ciphers (in OpenSSL cipher string format) to be sup‐
3924 ported for SSL connections. The default when this option is
3925 omitted is HIGH:!aNULL:!MD5.
3926 Common Columns:
3928 The overall purpose of these columns is described under Common Columns
3930 at the beginning of this document.
3931 external_ids: map of string-string pairs
3933
3935 Association of a chassis to a logical router port. The traffic going
3936 out through an specific router port will be redirected to a chassis, or
3937 a set of them in high availability configurations.
3938 Summary:
3940 name string (must be unique within table)
3941 chassis_name string
3942 priority integer, in range 0 to 32,767
3943 options map of string-string pairs
3944 Common Columns:
3945 external_ids map of string-string pairs
3946 Details:
3948 name: string (must be unique within table)
3949 Name of the Gateway_Chassis.
3950 A suggested, but not required naming convention is
3952 ${port_name}_${chassis_name}.
3953 chassis_name: string
3955 Name of the chassis that we want to redirect traffic through for
3956 the associated logical router port. The value must match the
3957 name column of the Chassis table in the OVN_Southbound database.
3958 priority: integer, in range 0 to 32,767
3960 This is the priority of a chassis among all Gateway_Chassis be‐
3961 longing to the same logical router port.
3962 options: map of string-string pairs
3964 Reserved for future use.
3965 Common Columns:
3967 external_ids: map of string-string pairs
3969 See External IDs at the beginning of this document.
3970
3972 Table representing a group of chassis which can provide high availabil‐
3973 ity services. Each chassis in the group is represented by the table
3974 HA_Chassis. The HA chassis with highest priority will be the master of
3975 this group. If the master chassis failover is detected, the HA chassis
3976 with the next higher priority takes over the responsibility of provid‐
3977 ing the HA. If a distributed gateway router port references a row in
3978 this table, then the master HA chassis in this group provides the gate‐
3979 way functionality.
3980 Summary:
3982 name string (must be unique within table)
3983 ha_chassis set of HA_Chassises
3984 Common Columns:
3985 external_ids map of string-string pairs
3986 Details:
3988 name: string (must be unique within table)
3989 Name of the HA_Chassis_Group. Name should be unique.
3990 ha_chassis: set of HA_Chassises
3992 A list of HA chassis which belongs to this group.
3993 Common Columns:
3995 external_ids: map of string-string pairs
3997 See External IDs at the beginning of this document.
3998
4000 Summary:
4001 chassis_name string
4002 priority integer, in range 0 to 32,767
4003 Common Columns:
4004 external_ids map of string-string pairs
4005 Details:
4007 chassis_name: string
4008 Name of the chassis which is part of the HA chassis group. The
4009 value must match the name column of the Chassis table in the
4010 OVN_Southbound database.
4011 priority: integer, in range 0 to 32,767
4013 Priority of the chassis. Chassis with highest priority will be
4014 the master.
4015 Common Columns:
4017 external_ids: map of string-string pairs
4019 See External IDs at the beginning of this document.
4020
4022 Contains BFD parameter for ovn-controller BFD configuration. OVN BFD
4023 implementation is used to provide detection of failures in the path be‐
4024 tween adjacent forwarding engines, including the OVN interfaces. OVN
4025 BFD provides link status info to OVN northd in order to update logical
4026 flows according to the status of BFD endpoints. In the current imple‐
4027 mentation OVN BFD is used to check next-hop status for ECMP routes.
4028 Please note BFD table refers to OVN BFD implementation and not to OVS
4029 legacy one.
4030 Summary:
4032 Configuration:
4033 logical_port string
4034 dst_ip string
4035 min_tx optional integer, at least 1
4036 min_rx optional integer
4037 detect_mult optional integer, at least 1
4038 options map of string-string pairs
4039 external_ids map of string-string pairs
4040 Status Reporting:
4041 status optional string, one of admin_down, down,
4042 init, or up
4043 Details:
4045 Configuration:
4046 ovn-northd reads configuration from these columns.
4048 logical_port: string
4050 OVN logical port when BFD engine is running.
4051 dst_ip: string
4053 BFD peer IP address.
4054 min_tx: optional integer, at least 1
4056 This is the minimum interval, in milliseconds, that the local
4057 system would like to use when transmitting BFD Control packets,
4058 less any jitter applied. The value zero is reserved. Default
4059 value is 1000 ms.
4060 min_rx: optional integer
4062 This is the minimum interval, in milliseconds, between received
4063 BFD Control packets that this system is capable of supporting,
4064 less any jitter applied by the sender. If this value is zero,
4065 the transmitting system does not want the remote system to send
4066 any periodic BFD Control packets.
4067 detect_mult: optional integer, at least 1
4069 Detection time multiplier. The negotiated transmit interval,
4070 multiplied by this value, provides the Detection Time for the
4071 receiving system in Asynchronous mode. Default value is 5.
4072 options: map of string-string pairs
4074 Reserved for future use.
4075 external_ids: map of string-string pairs
4077 See External IDs at the beginning of this document.
4078 Status Reporting:
4080 ovn-northd writes BFD status into these columns.
4082 status: optional string, one of admin_down, down, init, or up
4084 BFD port logical states. Possible values are:
4085 • admin_down
4087 • down
4089 • init
4091 • up
4093
4095 Each record represents a Static_MAC_Binding entry for a logical router.
4096 Summary:
4098 Configuration:
4099 logical_port string
4100 ip string
4101 mac string
4102 override_dynamic_mac boolean
4103 Details:
4105 Configuration:
4106 ovn-northd reads configuration from these columns and propagates the
4108 value to SBDB.
4109 logical_port: string
4111 The logical router port for the binding.
4112 ip: string
4114 The bound IP address.
4115 mac: string
4117 The Ethernet address to which the IP is bound.
4118 override_dynamic_mac: boolean
4120 Override dynamically learnt MACs.
4121
4123 One record per chassis, each containing a map, variables, between tem‐
4124 plate variable names and their value for that specific chassis. A tem‐
4125 plate variable has a name and potentially different values on different
4126 hypervisors in the OVN cluster. For example, two rows, R1 = (.chas‐
4127 sis=C1, variables={(N: V1)} and R2 = (.chassis=C2, variables={(N: V2)}
4128 will make ovn-controller running on chassis C1 and C2 interpret the to‐
4129 ken N either as V1 (on C1) or as V2 (on C2). Users can refer to tem‐
4130 plate variables from within other logical components, e.g., within ACL,
4131 QoS or Logical_Router_Policy matches or from Load_Balancer VIP and
4132 backend definitions.
4133 If a template variable is referenced on a chassis for which that vari‐
4135 able is not defined then ovn-controller running on that chassis will
4136 just interpret it as a raw string literal.
4137 Summary:
4139 chassis string (must be unique within table)
4140 variables map of string-string pairs
4141 Common Columns:
4142 external_ids map of string-string pairs
4143 Details:
4145 chassis: string (must be unique within table)
4146 The chassis this set of variable values applies to.
4147 variables: map of string-string pairs
4149 The set of variable values for a given chassis.
4150 Common Columns:
4152 external_ids: map of string-string pairs
4154 See External IDs at the beginning of this document.
4155Open vSwitch 23.09.2 DB Schema 7.1.0 ovn-nb(5)