]>
Commit | Line | Data |
---|---|---|
a416ff28 RB |
1 | <?xml version="1.0" encoding="utf-8"?> |
2 | <manpage program="ovn-nbctl" section="8" title="ovn-nbctl"> | |
3 | <h1>Name</h1> | |
4 | <p>ovn-nbctl -- Open Virtual Network northbound db management utility</p> | |
5 | ||
1fa33fc9 | 6 | <h1>Synopsis</h1> |
a416ff28 RB |
7 | <p><code>ovn-nbctl</code> [<var>options</var>] <var>command</var> [<var>arg</var>...]</p> |
8 | ||
9 | <h1>Description</h1> | |
10 | <p>This utility can be used to manage the OVN northbound database.</p> | |
11 | ||
907a0edf JP |
12 | <h1>General Commands</h1> |
13 | ||
14 | <dl> | |
fa183acc BP |
15 | <dt><code>init</code></dt> |
16 | <dd> | |
17 | Initializes the database, if it is empty. If the database has already | |
18 | been initialized, this command has no effect. | |
19 | </dd> | |
20 | ||
ea46a4e9 | 21 | <dt><code>show [<var>switch</var> | <var>router</var>]</code></dt> |
907a0edf JP |
22 | <dd> |
23 | Prints a brief overview of the database contents. If | |
ea46a4e9 | 24 | <var>switch</var> is provided, only records related to that |
7127583d | 25 | logical switch are shown. If |
fa2a27b2 | 26 | <var>router</var> is provided, only records related to that |
7127583d | 27 | logical router are shown. |
907a0edf JP |
28 | </dd> |
29 | </dl> | |
30 | ||
a416ff28 | 31 | <h1>Logical Switch Commands</h1> |
f74baecf JP |
32 | |
33 | <dl> | |
ea46a4e9 | 34 | <dt><code>ls-add</code></dt> |
4ff6642f BP |
35 | <dd> |
36 | <p> | |
37 | Creates a new, unnamed logical switch, which initially has no ports. | |
38 | The switch does not have a name, other commands must refer to this | |
39 | switch by its UUID. | |
40 | </p> | |
41 | </dd> | |
42 | ||
ea46a4e9 | 43 | <dt>[<code>--may-exist</code> | <code>--add-duplicate</code>] <code>ls-add</code> <var>switch</var></dt> |
4ff6642f BP |
44 | <dd> |
45 | <p> | |
ea46a4e9 | 46 | Creates a new logical switch named <var>switch</var>, which |
4ff6642f BP |
47 | initially has no ports. |
48 | </p> | |
49 | ||
50 | <p> | |
51 | The OVN northbound database schema does not require logical switch | |
52 | names to be unique, but the whole point to the names is to provide an | |
53 | easy way for humans to refer to the switches, making duplicate names | |
54 | unhelpful. Thus, without any options, this command regards it as an | |
ea46a4e9 | 55 | error if <var>switch</var> is a duplicate name. With |
4ff6642f BP |
56 | <code>--may-exist</code>, adding a duplicate name succeeds but does |
57 | not create a new logical switch. With <code>--add-duplicate</code>, | |
58 | the command really creates a new logical switch with a duplicate | |
7d31ba83 | 59 | name. It is an error to specify both options. If there are multiple |
60 | logical switches with a duplicate name, configure the logical switches | |
61 | using the UUID instead of the <var>switch</var> name. | |
4ff6642f | 62 | </p> |
f74baecf JP |
63 | </dd> |
64 | ||
ea46a4e9 | 65 | <dt>[<code>--if-exists</code>] <code>ls-del</code> <var>switch</var></dt> |
f74baecf | 66 | <dd> |
ea46a4e9 | 67 | Deletes <var>switch</var>. It is an error if <var>switch</var> does |
d24d3372 | 68 | not exist, unless <code>--if-exists</code> is specified. |
f74baecf JP |
69 | </dd> |
70 | ||
ea46a4e9 | 71 | <dt><code>ls-list</code></dt> |
f74baecf JP |
72 | <dd> |
73 | Lists all existing switches on standard output, one per line. | |
74 | </dd> | |
f74baecf | 75 | </dl> |
a416ff28 | 76 | |
ea46a4e9 | 77 | <h1>Logical Switch ACL Commands</h1> |
8f96455d | 78 | <dl> |
fa3cc9b9 | 79 | <dt>[<code>--log</code>] [<code>--may-exist</code>] <code>acl-add</code> <var>switch</var> <var>direction</var> <var>priority</var> <var>match</var> <var>action</var></dt> |
8f96455d | 80 | <dd> |
ea46a4e9 | 81 | Adds the specified ACL to <var>switch</var>. |
8f96455d JP |
82 | <var>direction</var> must be either <code>from-lport</code> or |
83 | <code>to-lport</code>. <var>priority</var> must be between | |
5861e918 | 84 | <code>0</code> and <code>32767</code>, inclusive. If |
70799ae8 | 85 | <code>--log</code> is specified, packet logging is enabled for the |
8f96455d | 86 | ACL. A full description of the fields are in <code>ovn-nb</code>(5). |
fa3cc9b9 HZ |
87 | If <code>--may-exist</code> is specified, adding a duplicated ACL |
88 | succeeds but the ACL is not really created. Without <code>--may-exist</code>, | |
89 | adding a duplicated ACL results in error. | |
8f96455d JP |
90 | </dd> |
91 | ||
ea46a4e9 | 92 | <dt><code>acl-del</code> <var>switch</var> [<var>direction</var> [<var>priority</var> <var>match</var>]]</dt> |
8f96455d | 93 | <dd> |
ea46a4e9 JP |
94 | Deletes ACLs from <var>switch</var>. If only |
95 | <var>switch</var> is supplied, all the ACLs from the logical | |
8f96455d JP |
96 | switch are deleted. If <var>direction</var> is also specified, |
97 | then all the flows in that direction will be deleted from the | |
98 | logical switch. If all the fields are given, then a single flow | |
99 | that matches all the fields will be deleted. | |
100 | </dd> | |
101 | ||
ea46a4e9 | 102 | <dt><code>acl-list</code> <var>switch</var></dt> |
8f96455d | 103 | <dd> |
ea46a4e9 | 104 | Lists the ACLs on <var>switch</var>. |
8f96455d JP |
105 | </dd> |
106 | </dl> | |
fa2a27b2 | 107 | |
31ed1192 | 108 | <h1>Logical Switch Port Commands</h1> |
f74baecf | 109 | <dl> |
ea46a4e9 | 110 | <dt>[<code>--may-exist</code>] <code>lsp-add</code> <var>switch</var> <var>port</var></dt> |
f74baecf | 111 | <dd> |
d24d3372 | 112 | <p> |
31ed1192 JP |
113 | Creates on <var>lswitch</var> a new logical switch port named |
114 | <var>port</var>. | |
d24d3372 BP |
115 | </p> |
116 | ||
117 | <p> | |
31ed1192 | 118 | It is an error if a logical port named <var>port</var> already |
d24d3372 BP |
119 | exists, unless <code>--may-exist</code> is specified. Regardless of |
120 | <code>--may-exist</code>, it is an error if the existing port is in | |
ea46a4e9 | 121 | some logical switch other than <var>switch</var> or if it has a |
d24d3372 BP |
122 | parent port. |
123 | </p> | |
f74baecf JP |
124 | </dd> |
125 | ||
b511690b | 126 | <dt>[<code>--may-exist</code>] <code>lsp-add</code> <var>switch</var> <var>port</var> <var>parent</var> <var>tag_request</var></dt> |
bf5fa52a | 127 | <dd> |
d24d3372 | 128 | <p> |
ea46a4e9 | 129 | Creates on <var>switch</var> a logical switch port named |
31ed1192 | 130 | <var>port</var> that is a child of <var>parent</var> that is |
2ffb8bd1 | 131 | identified with VLAN ID <var>tag_request</var>, |
132 | which must be between <code>0</code> and | |
133 | <code>4095</code>, inclusive. If | |
b511690b GS |
134 | <var>tag_request</var> is <code>0</code>, <code>ovn-northd</code> |
135 | generates a tag that is unique in the scope of <var>parent</var>. | |
136 | This is useful in cases such as virtualized container environments | |
137 | where Open vSwitch does not have a direct connection to the | |
138 | container's port and it must be shared with the virtual machine's | |
139 | port. | |
d24d3372 BP |
140 | </p> |
141 | ||
142 | <p> | |
31ed1192 | 143 | It is an error if a logical port named <var>port</var> already |
d24d3372 BP |
144 | exists, unless <code>--may-exist</code> is specified. Regardless of |
145 | <code>--may-exist</code>, it is an error if the existing port is not | |
ea46a4e9 | 146 | in <var>switch</var> or if it does not have the specified |
b511690b | 147 | <var>parent</var> and <var>tag_request</var>. |
d24d3372 | 148 | </p> |
bf5fa52a RB |
149 | </dd> |
150 | ||
31ed1192 | 151 | <dt>[<code>--if-exists</code>] <code>lsp-del</code> <var>port</var></dt> |
f74baecf | 152 | <dd> |
31ed1192 | 153 | Deletes <var>port</var>. It is an error if <var>port</var> does |
d24d3372 | 154 | not exist, unless <code>--if-exists</code> is specified. |
f74baecf JP |
155 | </dd> |
156 | ||
ea46a4e9 | 157 | <dt><code>lsp-list</code> <var>switch</var></dt> |
f74baecf | 158 | <dd> |
ea46a4e9 | 159 | Lists all the logical switch ports within <var>switch</var> on |
f74baecf JP |
160 | standard output, one per line. |
161 | </dd> | |
162 | ||
31ed1192 | 163 | <dt><code>lsp-get-parent</code> <var>port</var></dt> |
bf5fa52a | 164 | <dd> |
31ed1192 | 165 | If set, get the parent port of <var>port</var>. If not set, print |
bf5fa52a RB |
166 | nothing. |
167 | </dd> | |
168 | ||
31ed1192 | 169 | <dt><code>lsp-get-tag</code> <var>port</var></dt> |
bf5fa52a | 170 | <dd> |
31ed1192 | 171 | If set, get the tag for <var>port</var> traffic. If not set, print |
bf5fa52a RB |
172 | nothing. |
173 | </dd> | |
174 | ||
31ed1192 | 175 | <dt><code>lsp-set-addresses</code> <var>port</var> [<var>address</var>]...</dt> |
f74baecf | 176 | <dd> |
9797069a | 177 | <p> |
178 | Sets the addresses associated with <var>port</var> to | |
179 | <var>address</var>. Each <var>address</var> should be one of the | |
180 | following: | |
181 | </p> | |
182 | ||
183 | <dl> | |
184 | <dt>an Ethernet address, optionally followed by a space and one or more IP addresses</dt> | |
185 | <dd> | |
186 | OVN delivers packets for the Ethernet address to this port. | |
187 | </dd> | |
188 | ||
189 | <dt><code>unknown</code></dt> | |
190 | <dd> | |
191 | OVN delivers unicast Ethernet packets whose destination MAC address | |
192 | is not in any logical port's addresses column to ports with address | |
193 | <code>unknown</code>. | |
194 | </dd> | |
195 | ||
196 | <dt><code>dynamic</code></dt> | |
197 | <dd> | |
198 | Use this keyword to make <code>ovn-northd</code> generate a | |
199 | globally unique MAC address and choose an unused IPv4 address with | |
200 | the logical port's subnet and store them in the port's | |
201 | <code>dynamic_addresses</code> column. | |
202 | </dd> | |
20418099 MS |
203 | |
204 | <dt><code>router</code></dt> | |
205 | <dd> | |
206 | Accepted only when the <code>type</code> of the logical switch | |
207 | port is <code>router</code>. This indicates that the Ethernet, | |
208 | IPv4, and IPv6 addresses for this logical switch port should be | |
209 | obtained from the connected logical router port, as specified by | |
210 | <code>router-port</code> in <code>lsp-set-options</code>. | |
211 | </dd> | |
9797069a | 212 | </dl> |
213 | ||
214 | <p> | |
215 | Multiple addresses may be set. If no <var>address</var> argument is | |
216 | given, <var>port</var> will have no addresses associated with it. | |
217 | </p> | |
f74baecf JP |
218 | </dd> |
219 | ||
31ed1192 | 220 | <dt><code>lsp-get-addresses</code> <var>port</var></dt> |
f74baecf | 221 | <dd> |
31ed1192 | 222 | Lists all the addresses associated with <var>port</var> on standard |
f74baecf JP |
223 | output, one per line. |
224 | </dd> | |
225 | ||
31ed1192 | 226 | <dt><code>lsp-set-port-security</code> <var>port</var> [<var>addrs</var>]...</dt> |
92207865 | 227 | <dd> |
eee7a8ed | 228 | <p> |
31ed1192 | 229 | Sets the port security addresses associated with <var>port</var> to |
92207865 BP |
230 | <var>addrs</var>. Multiple sets of addresses may be set by using |
231 | multiple <var>addrs</var> arguments. If no <var>addrs</var> argument | |
31ed1192 | 232 | is given, <var>port</var> will not have port security enabled. |
eee7a8ed JP |
233 | </p> |
234 | ||
235 | <p> | |
236 | Port security limits the addresses from which a logical port may send | |
237 | packets and to which it may receive packets. See the | |
238 | <code>ovn-nb</code>(5) documentation for the <ref | |
80f408f4 JP |
239 | column="port_security" table="Logical_Switch_Port"/> column in |
240 | the <ref table="Logical_Switch_Port"/> table for details. | |
eee7a8ed | 241 | </p> |
92207865 BP |
242 | </dd> |
243 | ||
31ed1192 | 244 | <dt><code>lsp-get-port-security</code> <var>port</var></dt> |
92207865 | 245 | <dd> |
31ed1192 | 246 | Lists all the port security addresses associated with <var>port</var> |
92207865 BP |
247 | on standard output, one per line. |
248 | </dd> | |
249 | ||
31ed1192 | 250 | <dt><code>lsp-get-up</code> <var>port</var></dt> |
f74baecf | 251 | <dd> |
31ed1192 | 252 | Prints the state of <var>port</var>, either <code>up</code> or |
f74baecf JP |
253 | <code>down</code>. |
254 | </dd> | |
255 | ||
31ed1192 | 256 | <dt><code>lsp-set-enabled</code> <var>port</var> <var>state</var></dt> |
e9e8bcdf | 257 | <dd> |
31ed1192 | 258 | Set the administrative state of <var>port</var>, either <code>enabled</code> |
e9e8bcdf RB |
259 | or <code>disabled</code>. When a port is disabled, no traffic is allowed into |
260 | or out of the port. | |
261 | </dd> | |
262 | ||
31ed1192 | 263 | <dt><code>lsp-get-enabled</code> <var>port</var></dt> |
e9e8bcdf | 264 | <dd> |
31ed1192 | 265 | Prints the administrative state of <var>port</var>, either <code>enabled</code> |
e9e8bcdf RB |
266 | or <code>disabled</code>. |
267 | </dd> | |
268 | ||
31ed1192 | 269 | <dt><code>lsp-set-type</code> <var>port</var> <var>type</var></dt> |
f2903c22 RB |
270 | <dd> |
271 | Set the type for the logical port. No special types have been implemented yet. | |
272 | </dd> | |
273 | ||
31ed1192 | 274 | <dt><code>lsp-get-type</code> <var>port</var></dt> |
f2903c22 RB |
275 | <dd> |
276 | Get the type for the logical port. | |
277 | </dd> | |
278 | ||
31ed1192 | 279 | <dt><code>lsp-set-options</code> <var>port</var> [<var>key=value</var>]...</dt> |
f2903c22 RB |
280 | <dd> |
281 | Set type-specific key-value options for the logical port. | |
282 | </dd> | |
283 | ||
31ed1192 | 284 | <dt><code>lsp-get-options</code> <var>port</var></dt> |
f2903c22 RB |
285 | <dd> |
286 | Get the type-specific options for the logical port. | |
287 | </dd> | |
288 | ||
f74baecf | 289 | </dl> |
a416ff28 | 290 | |
fa2a27b2 JP |
291 | <h1>Logical Router Commands</h1> |
292 | ||
293 | <dl> | |
294 | <dt><code>lr-add</code></dt> | |
295 | <dd> | |
296 | <p> | |
297 | Creates a new, unnamed logical router, which initially has no ports. | |
298 | The router does not have a name, other commands must refer to this | |
299 | router by its UUID. | |
300 | </p> | |
301 | </dd> | |
302 | ||
303 | <dt>[<code>--may-exist</code> | <code>--add-duplicate</code>] <code>lr-add</code> <var>router</var></dt> | |
304 | <dd> | |
305 | <p> | |
306 | Creates a new logical router named <var>router</var>, which | |
307 | initially has no ports. | |
308 | </p> | |
309 | ||
310 | <p> | |
311 | The OVN northbound database schema does not require logical router | |
312 | names to be unique, but the whole point to the names is to provide an | |
313 | easy way for humans to refer to the routers, making duplicate names | |
314 | unhelpful. Thus, without any options, this command regards it as an | |
315 | error if <var>router</var> is a duplicate name. With | |
316 | <code>--may-exist</code>, adding a duplicate name succeeds but does | |
317 | not create a new logical router. With <code>--add-duplicate</code>, | |
318 | the command really creates a new logical router with a duplicate | |
7d31ba83 | 319 | name. It is an error to specify both options. If there are multiple |
320 | logical routers with a duplicate name, configure the logical routers | |
321 | using the UUID instead of the <var>router</var> name. | |
fa2a27b2 JP |
322 | </p> |
323 | </dd> | |
324 | ||
325 | <dt>[<code>--if-exists</code>] <code>lr-del</code> <var>router</var></dt> | |
326 | <dd> | |
327 | Deletes <var>router</var>. It is an error if <var>router</var> does | |
328 | not exist, unless <code>--if-exists</code> is specified. | |
329 | </dd> | |
330 | ||
331 | <dt><code>lr-list</code></dt> | |
332 | <dd> | |
333 | Lists all existing routers on standard output, one per line. | |
334 | </dd> | |
335 | </dl> | |
336 | ||
31114af7 JP |
337 | <h1>Logical Router Port Commands</h1> |
338 | ||
339 | <dl> | |
4685e523 | 340 | <dt>[<code>--may-exist</code>] <code>lrp-add</code> <var>router</var> <var>port</var> <var>mac</var> <var>network</var>... [<code>peer=</code><var>peer</var>]</dt> |
31114af7 JP |
341 | <dd> |
342 | <p> | |
343 | Creates on <var>router</var> a new logical router port named | |
4685e523 JP |
344 | <var>port</var> with Ethernet address <var>mac</var> and one |
345 | or more IP address/netmask for each <var>network</var>. | |
346 | </p> | |
347 | ||
348 | <p> | |
349 | The optional argument <code>peer</code> identifies a logical | |
350 | router port that connects to this one. The following example | |
351 | adds a router port with an IPv4 and IPv6 address with peer | |
352 | <code>lr1</code>: | |
353 | </p> | |
354 | ||
355 | <p> | |
356 | <code>lrp-add lr0 lrp0 00:11:22:33:44:55 192.168.0.1/24 2001:db8::1/64 peer=lr1</code> | |
31114af7 JP |
357 | </p> |
358 | ||
359 | <p> | |
360 | It is an error if a logical router port named <var>port</var> | |
361 | already exists, unless <code>--may-exist</code> is specified. | |
362 | Regardless of <code>--may-exist</code>, it is an error if the | |
363 | existing router port is in some logical router other than | |
364 | <var>router</var>. | |
365 | </p> | |
366 | </dd> | |
367 | ||
368 | <dt>[<code>--if-exists</code>] <code>lrp-del</code> <var>port</var></dt> | |
369 | <dd> | |
370 | Deletes <var>port</var>. It is an error if <var>port</var> does | |
371 | not exist, unless <code>--if-exists</code> is specified. | |
372 | </dd> | |
373 | ||
374 | <dt><code>lrp-list</code> <var>router</var></dt> | |
375 | <dd> | |
376 | Lists all the logical router ports within <var>router</var> on | |
377 | standard output, one per line. | |
378 | </dd> | |
379 | ||
380 | <dt><code>lrp-set-enabled</code> <var>port</var> <var>state</var></dt> | |
381 | <dd> | |
382 | Set the administrative state of <var>port</var>, either | |
383 | <code>enabled</code> or <code>disabled</code>. When a port is | |
384 | disabled, no traffic is allowed into or out of the port. | |
385 | </dd> | |
386 | ||
387 | <dt><code>lrp-get-enabled</code> <var>port</var></dt> | |
388 | <dd> | |
389 | Prints the administrative state of <var>port</var>, either | |
390 | <code>enabled</code> or <code>disabled</code>. | |
391 | </dd> | |
e48ccf3c JP |
392 | </dl> |
393 | ||
394 | <h1>Logical Router Static Route Commands</h1> | |
395 | ||
396 | <dl> | |
440a9f4b | 397 | <dt>[<code>--may-exist</code>] [<code>--policy</code>=<var>POLICY</var>] <code>lr-route-add</code> <var>router</var> <var>prefix</var> <var>nexthop</var> [<var>port</var>]</dt> |
e48ccf3c JP |
398 | <dd> |
399 | <p> | |
400 | Adds the specified route to <var>router</var>. | |
401 | <var>prefix</var> describes an IPv4 or IPv6 prefix for this | |
402 | route, such as <code>192.168.100.0/24</code>. | |
403 | <var>nexthop</var> specifies the gateway to use for this | |
404 | route, which should be the IP address of one of | |
405 | <var>router</var> logical router ports or the IP address of a | |
406 | logical port. If <var>port</var> is specified, packets that | |
407 | match this route will be sent out that port. When | |
408 | <var>port</var> is omitted, OVN infers the output port based | |
409 | on <var>nexthop</var>. | |
410 | </p> | |
411 | ||
440a9f4b GS |
412 | <p> |
413 | <code>--policy</code> describes the policy used to make routing | |
414 | decisions. This should be one of "dst-ip" or "src-ip". If not | |
415 | specified, the default is "dst-ip". | |
416 | </p> | |
417 | ||
e48ccf3c JP |
418 | <p> |
419 | It is an error if a route with <var>prefix</var> already exists, | |
420 | unless <code>--may-exist</code> is specified. | |
421 | </p> | |
422 | </dd> | |
31114af7 | 423 | |
e48ccf3c JP |
424 | <dt>[<code>--if-exists</code>] <code>lr-route-del</code> <var>router</var> [<var>prefix</var>]</dt> |
425 | <dd> | |
426 | <p> | |
427 | Deletes routes from <var>router</var>. If only <var>router</var> | |
428 | is supplied, all the routes from the logical router are | |
429 | deleted. If <var>prefix</var> is also specified, then all the | |
430 | routes that match the prefix will be deleted from the logical | |
431 | router. | |
432 | </p> | |
433 | ||
434 | <p> | |
847fdeca | 435 | It is an error if <var>prefix</var> is specified and there |
e48ccf3c JP |
436 | is no matching route entry, unless <code>--if-exists</code> is |
437 | specified. | |
438 | </p> | |
439 | </dd> | |
440 | ||
441 | <dt><code>lr-route-list</code> <var>router</var></dt> | |
442 | <dd> | |
443 | Lists the routes on <var>router</var>. | |
444 | </dd> | |
31114af7 JP |
445 | </dl> |
446 | ||
3722730e | 447 | <h1>NAT Commands</h1> |
448 | ||
449 | <dl> | |
6a725785 | 450 | <dt>[<code>--may-exist</code>] <code>lr-nat-add</code> <var>router</var> <var>type</var> <var>external_ip</var> <var>logical_ip</var> [<var>logical_port</var> <var>external_mac</var>]</dt> |
3722730e | 451 | <dd> |
452 | <p> | |
453 | Adds the specified NAT to <var>router</var>. | |
454 | The <var>type</var> must be one of <code>snat</code>, | |
455 | <code>dnat</code>, or <code>dnat_and_snat</code>. | |
456 | The <var>external_ip</var> is an IPv4 address. | |
457 | The <var>logical_ip</var> is an IPv4 network (e.g 192.168.1.0/24) | |
458 | or an IPv4 address. | |
6a725785 MS |
459 | The <var>logical_port</var> and <var>external_mac</var> are only |
460 | accepted when <var>router</var> is a distributed router (rather | |
461 | than a gateway router) and <var>type</var> is | |
462 | <code>dnat_and_snat</code>. | |
463 | The <var>logical_port</var> is the name of an existing logical | |
464 | switch port where the <var>logical_ip</var> resides. | |
465 | The <var>external_mac</var> is an Ethernet address. | |
3722730e | 466 | </p> |
467 | <p> | |
468 | When <var>type</var> is <code>dnat</code>, the externally | |
469 | visible IP address <var>external_ip</var> is DNATted to the | |
470 | IP address <var>logical_ip</var> in the logical space. | |
471 | </p> | |
472 | <p> | |
473 | When <var>type</var> is <code>snat</code>, IP packets with their | |
474 | source IP address that either matches the IP address in | |
475 | <var>logical_ip</var> or is in the network provided by | |
476 | <var>logical_ip</var> is SNATed into the IP address in | |
477 | <var>external_ip</var>. | |
478 | </p> | |
479 | <p> | |
480 | When <var>type</var> is <code>dnat_and_snat</code>, | |
481 | the externally visible IP address <var>external_ip</var> | |
482 | is DNATted to the IP address <var>logical_ip</var> in | |
483 | the logical space. In addition, IP packets with the source | |
484 | IP address that matches <var>logical_ip</var> is SNATed into | |
485 | the IP address in <var>external_ip</var>. | |
486 | </p> | |
487 | <p> | |
6a725785 MS |
488 | When the <var>logical_port</var> and <var>external_mac</var> |
489 | are specified, the NAT rule will be programmed on the chassis | |
490 | where the <var>logical_port</var> resides. This includes | |
491 | ARP replies for the <var>external_ip</var>, which return the | |
492 | value of <var>external_mac</var>. All packets transmitted | |
493 | with source IP address equal to <var>external_ip</var> will | |
494 | be sent using the <var>external_mac</var>. | |
495 | </p> | |
496 | <p> | |
497 | It is an error if a NAT already exists with the same values | |
498 | of <var>router</var>, <var>type</var>, <var>external_ip</var>, | |
499 | and <var>logical_ip</var>, unless <code>--may-exist</code> is | |
500 | specified. When <code>--may-exist</code>, | |
501 | <var>logical_port</var>, and <var>external_mac</var> are all | |
502 | specified, the existing values of <var>logical_port</var> and | |
503 | <var>external_mac</var> are overwritten. | |
3722730e | 504 | </p> |
505 | </dd> | |
506 | ||
507 | <dt>[<code>--if-exists</code>] <code>lr-nat-del</code> <var>router</var> [<var>type</var> [<var>ip</var>]]</dt> | |
508 | <dd> | |
509 | <p> | |
510 | Deletes NATs from <var>router</var>. If only <var>router</var> | |
511 | is supplied, all the NATs from the logical router are | |
512 | deleted. If <var>type</var> is also specified, then all the | |
513 | NATs that match the <var>type</var> will be deleted from the logical | |
514 | router. If all the fields are given, then a single NAT rule | |
515 | that matches all the fields will be deleted. When <var>type</var> | |
516 | is <code>snat</code>, the <var>ip</var> should be logical_ip. | |
517 | When <var>type</var> is <code>dnat</code> or | |
518 | <code>dnat_and_snat</code>, the <var>ip</var> shoud be external_ip. | |
519 | </p> | |
520 | ||
521 | <p> | |
522 | It is an error if <var>ip</var> is specified and there | |
523 | is no matching NAT entry, unless <code>--if-exists</code> is | |
524 | specified. | |
525 | </p> | |
526 | </dd> | |
527 | ||
528 | <dt><code>lr-nat-list</code> <var>router</var></dt> | |
529 | <dd> | |
530 | Lists the NATs on <var>router</var>. | |
531 | </dd> | |
532 | </dl> | |
533 | ||
e2bfcad6 | 534 | <h1>Load Balancer Commands</h1> |
535 | <dl> | |
536 | <dt>[<code>--may-exist</code> | <code>--add-duplicate</code>] <code>lb-add</code> <var>lb</var> <var>vip</var> <var>ips</var> [<var>protocol</var>]</dt> | |
537 | <dd> | |
538 | <p> | |
539 | Creates a new load balancer named <var>lb</var> with the provided | |
540 | <var>vip</var> and <var>ips</var> or adds the <var>vip</var> to | |
541 | an existing <var>lb</var>. <var>vip</var> should be a | |
542 | virtual IPv4 address (or an IPv4 address and a port number with | |
543 | <code>:</code> as a separator). Examples for <var>vip</var> are | |
544 | <code>192.168.1.4</code> and <code>192.168.1.5:8080</code>. | |
545 | <var>ips</var> should be comma separated IPv4 endpoints (or comma | |
546 | separated IPv4 addresses and port numbers with <code>:</code> as a | |
547 | separator). Examples for <var>ips</var> are <code>10.0.0.1,10.0.0.2 | |
548 | </code>or <code>20.0.0.10:8800,20.0.0.11:8800</code>. | |
549 | </p> | |
550 | ||
551 | <p> | |
552 | The optional argument <var>protocol</var> must be either | |
553 | <code>tcp</code> or <code>udp</code>. This argument is useful when | |
554 | a port number is provided as part of the <var>vip</var>. If the | |
555 | <var>protocol</var> is unspecified and a port number is provided as | |
556 | part of the <var>vip</var>, OVN assumes the <var>protocol</var> to | |
557 | be <code>tcp</code>. | |
558 | </p> | |
559 | ||
560 | <p> | |
561 | It is an error if the <var>vip</var> already exists in the load | |
562 | balancer named <var>lb</var>, unless <code>--may-exist</code> is | |
563 | specified. With <code>--add-duplicate</code>, the command really | |
564 | creates a new load balancer with a duplicate name. | |
565 | </p> | |
566 | ||
567 | <p> | |
568 | The following example adds a load balancer. | |
569 | </p> | |
570 | ||
571 | <p> | |
572 | <code>lb-add lb0 30.0.0.10:80 | |
573 | 192.168.10.10:80,192.168.10.20:80,192.168.10.30:80 udp</code> | |
574 | </p> | |
575 | </dd> | |
576 | ||
577 | <dt>[<code>--if-exists</code>] <code>lb-del</code> <var>lb</var> [<var>vip</var>]</dt> | |
578 | <dd> | |
579 | Deletes <var>lb</var> or the <var>vip</var> from <var>lb</var>. | |
580 | If <var>vip</var> is supplied, only the <var>vip</var> will be | |
581 | deleted from the <var>lb</var>. If only the <var>lb</var> is supplied, | |
582 | the <var>lb</var> will be deleted. It is an error if <var>vip</var> | |
583 | does not already exist in <var>lb</var>, unless | |
584 | <code>--if-exists</code> is specified. | |
585 | </dd> | |
586 | ||
587 | <dt><code>lb-list</code> [<var>lb</var>]</dt> | |
588 | <dd> | |
589 | Lists the LBs. If <var>lb</var> is also specified, then only the | |
590 | specified <var>lb</var> will be listed. | |
591 | </dd> | |
592 | ||
593 | <dt>[<code>--may-exist</code>] <code>ls-lb-add</code> <var>switch</var> <var>lb</var></dt> | |
594 | <dd> | |
595 | Adds the specified <var>lb</var> to <var>switch</var>. | |
596 | It is an error if a load balancer named <var>lb</var> already exists | |
597 | in the <var>switch</var>, unless <code>--may-exist</code> is specified. | |
598 | </dd> | |
599 | ||
600 | <dt>[<code>--if-exists</code>] <code>ls-lb-del</code> <var>switch</var> [<var>lb</var>]</dt> | |
601 | <dd> | |
602 | Removes <var>lb</var> from <var>switch</var>. If only | |
603 | <var>switch</var> is supplied, all the LBs from the logical switch are | |
604 | removed. If <var>lb</var> is also specified, then only the | |
605 | <var>lb</var> will be removed from the logical switch. | |
606 | It is an error if <var>lb</var> does not exist in the | |
607 | <var>switch</var>, unless <code>--if-exists</code> is specified. | |
608 | </dd> | |
609 | ||
610 | <dt><code>ls-lb-list</code> <var>switch</var></dt> | |
611 | <dd> | |
612 | Lists the LBs for the given <var>switch</var>. | |
613 | </dd> | |
614 | ||
615 | <dt>[<code>--may-exist</code>] <code>lr-lb-add</code> <var>router</var> <var>lb</var></dt> | |
616 | <dd> | |
617 | Adds the specified <var>lb</var> to <var>router</var>. | |
618 | It is an error if a load balancer named <var>lb</var> already exists | |
619 | in the <var>router</var>, unless <code>--may-exist</code> is specified. | |
620 | </dd> | |
621 | ||
622 | <dt>[<code>--if-exists</code>] <code>lr-lb-del</code> <var>router</var> [<var>lb</var>]</dt> | |
623 | <dd> | |
624 | Removes <var>lb</var> from <var>router</var>. If only | |
625 | <var>router</var> is supplied, all the LBs from the logical router are | |
626 | removed. If <var>lb</var> is also specified, then only the | |
627 | <var>lb</var> will be removed from the logical router. | |
628 | It is an error if <var>lb</var> does not exist in the | |
629 | <var>router</var>, unless <code>--if-exists</code> is specified. | |
630 | </dd> | |
631 | ||
632 | <dt><code>lr-lb-list</code> <var>router</var></dt> | |
633 | <dd> | |
634 | Lists the LBs for the given <var>router</var>. | |
635 | </dd> | |
636 | </dl> | |
637 | ||
638 | ||
281977f7 NS |
639 | <h1>DHCP Options commands</h1> |
640 | ||
641 | <dl> | |
642 | <dt><code>dhcp-options-create</code> <var>cidr</var> [<var>key=value</var>]</dt> | |
643 | <dd> | |
644 | Creates a new DHCP Options entry in the <code>DHCP_Options</code> table | |
645 | with the specified <code>cidr</code> and optional <code>external-ids</code>. | |
646 | </dd> | |
647 | ||
648 | <dt><code>dhcp-options-list</code></dt> | |
649 | <dd> | |
650 | Lists the DHCP Options entries. | |
651 | </dd> | |
652 | ||
653 | <dt><code>dhcp-options-del</code> <var>dhcp-option</var></dt> | |
654 | <dd> | |
655 | Deletes the DHCP Options entry referred by <var>dhcp-option</var> UUID. | |
656 | </dd> | |
657 | ||
658 | <dt><code>dhcp-options-set-options</code> <var>dhcp-option</var> [<var>key=value</var>]...</dt> | |
659 | <dd> | |
660 | Set the DHCP Options for the <var>dhcp-option</var> UUID. | |
661 | </dd> | |
662 | ||
663 | <dt><code>dhcp-options-get-options</code> <var>dhcp-option</var></dt> | |
664 | <dd> | |
665 | Lists the DHCP Options for the <var>dhcp-option</var> UUID. | |
666 | </dd> | |
667 | </dl> | |
668 | ||
7ba0c32f WL |
669 | <h1>Database Commands</h1> |
670 | <p>These commands query and modify the contents of <code>ovsdb</code> tables. | |
671 | They are a slight abstraction of the <code>ovsdb</code> interface and | |
4e3000a0 | 672 | as such they operate at a lower level than other <code>ovn-nbctl</code> commands.</p> |
7ba0c32f WL |
673 | <p><var>Identifying Tables, Records, and Columns</var></p> |
674 | <p>Each of these commands has a <var>table</var> parameter to identify a table | |
675 | within the database. Many of them also take a <var>record</var> parameter | |
676 | that identifies a particular record within a table. The <var>record</var> | |
4e3000a0 BP |
677 | parameter may be the UUID for a record, which may be abbreviated to its |
678 | first 4 (or more) hex digits, as long as that is unique. Many tables offer | |
7ba0c32f WL |
679 | additional ways to identify records. Some commands also take |
680 | <var>column</var> parameters that identify a particular field within the | |
681 | records in a table.</p> | |
682 | <p>The following tables are currently defined:</p> | |
683 | <dl> | |
684 | <dt><code>Logical_Switch</code></dt> | |
685 | <dd> | |
686 | An L2 logical switch. Records may be identified by name. | |
687 | </dd> | |
688 | ||
80f408f4 | 689 | <dt><code>Logical_Switch_Port</code></dt> |
7ba0c32f WL |
690 | <dd> |
691 | A port within an L2 logical switch. Records may be identified by name. | |
692 | </dd> | |
693 | ||
694 | <dt><code>ACL</code></dt> | |
695 | <dd> | |
696 | An ACL rule for a logical switch that points to it through its <var>acls</var> column. | |
697 | </dd> | |
698 | ||
699 | <dt><code>Logical_Router</code></dt> | |
700 | <dd> | |
701 | An L3 logical router. Records may be identified by name. | |
702 | </dd> | |
703 | ||
704 | <dt><code>Logical_Router_Port</code></dt> | |
705 | <dd> | |
706 | A port within an L3 logical router. Records may be identified by name. | |
707 | </dd> | |
708 | ||
e4c61c65 HZ |
709 | <dt><code>Logical_Router_Static_Route</code></dt> |
710 | <dd> | |
711 | A static route belonging to an L3 logical router. | |
712 | </dd> | |
713 | ||
714 | <dt><code>Address_Set</code></dt> | |
715 | <dd> | |
716 | An address set that can be used in ACLs. | |
717 | </dd> | |
718 | ||
719 | <dt><code>Load_Balancer</code></dt> | |
720 | <dd> | |
721 | A load balancer for a logical switch that points to it through its <var>load_balancer</var> column. | |
722 | </dd> | |
723 | ||
724 | <dt><code>NAT</code></dt> | |
725 | <dd> | |
726 | A NAT rule for a Gateway router. | |
727 | </dd> | |
728 | ||
729 | <dt><code>DHCP_Options</code></dt> | |
730 | <dd> | |
731 | DHCP options. | |
732 | </dd> | |
733 | ||
734 | <dt><code>NB_Global</code></dt> | |
735 | <dd> | |
736 | North bound global configurations. | |
737 | </dd> | |
28dc3fe9 | 738 | |
7ba0c32f WL |
739 | </dl> |
740 | ||
4e3000a0 BP |
741 | <p> |
742 | Record names must be specified in full and with correct capitalization, | |
743 | except that UUIDs may be abbreviated to their first 4 (or more) hex | |
744 | digits, as long as that is unique within the table. Names of tables and | |
745 | columns are not case-sensitive, and <code>-</code> and <code>_</code> are | |
746 | treated interchangeably. Unique abbreviations of table and column names | |
747 | are acceptable, e.g. <code>d</code> or <code>dhcp</code> is sufficient | |
748 | to identify the <code>DHCP_Options</code> table. | |
749 | </p> | |
750 | ||
7ba0c32f WL |
751 | <xi:include href="lib/db-ctl-base.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/> |
752 | ||
de32cec7 BP |
753 | <h1>Synchronization Commands</h1> |
754 | ||
755 | <dl> | |
756 | <dt>sync</dt> | |
757 | <dd> | |
758 | Ordinarily, <code>--wait=sb</code> or <code>--wait=hv</code> only waits | |
759 | for changes by the current <code>ovn-nbctl</code> invocation to take | |
760 | effect. This means that, if none of the commands supplied to | |
761 | <code>ovn-nbctl</code> change the database, then the command does not | |
762 | wait at all. With the <code>sync</code> command, however, | |
763 | <code>ovn-nbctl</code> waits even for earlier changes to the database | |
764 | to propagate down to the southbound database or all of the OVN chassis, | |
765 | according to the argument to <code>--wait</code>. | |
766 | </dd> | |
767 | </dl> | |
768 | ||
821302cf LR |
769 | <h1>Remote Connectivity Commands</h1> |
770 | <dl> | |
771 | <dt><code>get-connection</code></dt> | |
772 | <dd> | |
773 | Prints the configured connection(s). | |
774 | </dd> | |
775 | ||
776 | <dt><code>del-connection</code></dt> | |
777 | <dd> | |
778 | Deletes the configured connection(s). | |
779 | </dd> | |
780 | ||
781 | <dt><code>set-connection</code> <var>target</var>...</dt> | |
782 | <dd> | |
783 | Sets the configured manager target or targets. | |
784 | </dd> | |
785 | </dl> | |
786 | ||
787 | <h1>SSL Configuration Commands</h1> | |
788 | <dl> | |
789 | <dt><code>get-ssl</code></dt> | |
790 | <dd> | |
791 | Prints the SSL configuration. | |
792 | </dd> | |
793 | ||
794 | <dt><code>del-ssl</code></dt> | |
795 | <dd> | |
796 | Deletes the current SSL configuration. | |
797 | </dd> | |
798 | ||
51af591b LR |
799 | <dt>[<code>--bootstrap</code>] <code>set-ssl</code> |
800 | <var>private-key</var> <var>certificate</var> <var>ca-cert</var> | |
801 | [<var>ssl-protocol-list</var> [<var>ssl-cipher-list</var>]]</dt> | |
821302cf LR |
802 | <dd> |
803 | Sets the SSL configuration. | |
804 | </dd> | |
805 | </dl> | |
806 | ||
a416ff28 | 807 | <h1>Options</h1> |
d75ef07f BP |
808 | |
809 | <dl> | |
fa183acc BP |
810 | <dt><code>--no-wait</code> | <code>--wait=none</code></dt> |
811 | <dt><code>--wait=sb</code></dt> | |
812 | <dt><code>--wait=hv</code></dt> | |
813 | ||
814 | <dd> | |
815 | <p> | |
816 | These options control whether and how <code>ovn-nbctl</code> waits | |
817 | for the OVN system to become up-to-date with changes made in an | |
818 | <code>ovn-nbctl</code> invocation. | |
819 | </p> | |
820 | ||
821 | <p> | |
822 | By default, or if <code>--no-wait</code> or <code>--wait=none</code>, | |
823 | <code>ovn-nbctl</code> exits immediately after confirming that | |
824 | changes have been committed to the northbound database, without | |
825 | waiting. | |
826 | </p> | |
827 | ||
828 | <p> | |
829 | With <code>--wait=sb</code>, before <code>ovn-nbctl</code> exits, it | |
830 | waits for <code>ovn-northd</code> to bring the southbound database | |
831 | up-to-date with the northbound database updates. | |
832 | </p> | |
833 | ||
834 | <p> | |
835 | With <code>--wait=hv</code>, before <code>ovn-nbctl</code> exits, it | |
836 | additionally waits for all OVN chassis (hypervisors and gateways) to | |
837 | become up-to-date with the northbound database updates. (This can | |
838 | become an indefinite wait if any chassis is malfunctioning.) | |
839 | </p> | |
de32cec7 BP |
840 | |
841 | <p> | |
842 | Ordinarily, <code>--wait=sb</code> or <code>--wait=hv</code> only | |
843 | waits for changes by the current <code>ovn-nbctl</code> invocation to | |
844 | take effect. This means that, if none of the commands supplied to | |
845 | <code>ovn-nbctl</code> change the database, then the command does not | |
846 | wait at all. Use the <code>sync</code> command to override this | |
847 | behavior. | |
848 | </p> | |
fa183acc BP |
849 | </dd> |
850 | ||
d75ef07f BP |
851 | <dt><code>--db</code> <var>database</var></dt> |
852 | <dd> | |
853 | The OVSDB database remote to contact. If the <env>OVN_NB_DB</env> | |
854 | environment variable is set, its value is used as the default. | |
a576470f | 855 | Otherwise, the default is <code>unix:@RUNDIR@/ovnnb_db.sock</code>, but this |
d75ef07f BP |
856 | default is unlikely to be useful outside of single-machine OVN test |
857 | environments. | |
858 | </dd> | |
d75ef07f | 859 | </dl> |
a416ff28 RB |
860 | |
861 | <h1>Logging options</h1> | |
0fdc4312 | 862 | <xi:include href="lib/vlog.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/> |
5e8ab797 LR |
863 | |
864 | <h1>Table Formatting Options</h1> | |
865 | These options control the format of output from the <code>list</code> and | |
866 | <code>find</code> commands. | |
867 | <xi:include href="lib/table.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/> | |
868 | ||
0fdc4312 BP |
869 | <h2>PKI Options</h2> |
870 | <p> | |
871 | PKI configuration is required to use SSL for the connection to the | |
872 | database. | |
873 | </p> | |
874 | <xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/> | |
cfdaff25 | 875 | <xi:include href="lib/ssl-bootstrap.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/> |
a416ff28 | 876 | |
0fdc4312 BP |
877 | <h2>Other Options</h2> |
878 | ||
879 | <xi:include href="lib/common.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/> | |
a416ff28 RB |
880 | |
881 | </manpage> |