<?xml version="1.0" encoding="utf-8"?>
<database name="ovn-nb" title="OVN Northbound Database">
  This database is the interface between OVN and the cloud management system
  (CMS), such as OpenStack, running above it. The CMS produces almost all of
  the contents of the database. The <code>ovn-northd</code> program
  monitors the database contents, transforms it, and stores it into the
  <ref db="OVN_Southbound"/> database.

  We generally speak of ``the'' CMS, but one can imagine scenarios in
  which multiple CMSes manage different parts of an OVN deployment.

  Each of the tables in this database contains a special column, named
  <code>external_ids</code>. This column has the same form and purpose each

  <dt><code>external_ids</code>: map of string-string pairs</dt>
  Key-value pairs for use by the CMS. The CMS might use certain pairs, for
  example, to identify entities in its own configuration that correspond to
  those in this database.

  <table name="NB_Global" title="Northbound configuration">
    Northbound configuration for an OVN system. This table must have exactly

    <group title="Status">
      These columns allow a client to track the overall configuration state of

      <column name="nb_cfg">
        Sequence number for client to increment. When a client modifies any
        part of the northbound database configuration and wishes to wait for
        <code>ovn-northd</code> and possibly all of the hypervisors to finish
        applying the changes, it may increment this sequence number.

      <column name="sb_cfg">
        Sequence number that <code>ovn-northd</code> sets to the value of
        <ref column="nb_cfg"/> after it finishes applying the corresponding
        configuration changes to the <ref db="OVN_Southbound"/> database.

      <column name="hv_cfg">
        Sequence number that <code>ovn-northd</code> sets to the smallest
        sequence number of all the chassis in the system, as reported in the
        <code>Chassis</code> table in the southbound database. Thus,
        <ref column="hv_cfg"/> equals <ref column="nb_cfg"/> if all chassis are
        caught up with the northbound configuration (which may never happen, if
        any chassis is down). This value can regress, if a chassis was removed
        from the system and rejoins before catching up.
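How a CMS client would consume these three counters, as an added Python example (not code from OVN or from any CMS): after bumping nb_cfg it polls the row until hv_cfg catches up, and hv_cfg is recomputed the way the column description states, as the minimum over the Chassis rows, which is what makes it regress when a stale chassis rejoins. The poller, its injectable clock and the dict standing in for the Chassis table are assumptions for illustration; a real client reads NB_Global through whatever OVSDB client it already uses.

```python
import time
from dataclasses import dataclass


@dataclass
class NbGlobalView:
    """The three Status counters of the single NB_Global row (constructed view)."""
    nb_cfg: int
    sb_cfg: int
    hv_cfg: int


def hv_cfg_from_chassis(chassis_nb_cfg: dict) -> int:
    """hv_cfg as the column description defines it: the smallest sequence
    number reported across all Chassis rows (0 when there are none). A chassis
    that rejoins with an old number pulls the minimum back down."""
    return min(chassis_nb_cfg.values(), default=0)


def config_state(view: NbGlobalView, target: int) -> str:
    """Classify how far the configuration sequence `target` has propagated."""
    if view.hv_cfg >= target:
        return "applied-everywhere"      # ovn-northd and every chassis are caught up
    if view.sb_cfg >= target:
        return "applied-southbound"      # ovn-northd is done, some chassis is not
    return "pending"


def wait_for_config(read_view, target: int, timeout_s: float, sleep_s: float = 0.0,
                    clock=time.monotonic, sleep=time.sleep) -> str:
    """Poll read_view() until hv_cfg reaches target or the deadline passes and
    return the final state. 'applied-southbound' on timeout tells the caller
    that at least one chassis (possibly a down one) never reported the new
    sequence number, which the column description warns may never happen."""
    deadline = clock() + timeout_s
    while True:
        state = config_state(read_view(), target)
        if state == "applied-everywhere" or clock() >= deadline:
            return state
        sleep(sleep_s)
```

A client that only needs ovn-northd to have translated its change (not every hypervisor to have installed it) can stop at "applied-southbound"; waiting for "applied-everywhere" without a timeout blocks forever while any chassis is down.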
    <group title="Common Columns">
      <column name="external_ids">
        See <em>External IDs</em> at the beginning of this document.

    <group title="Common options">
      <column name="options">
        This column provides general key/value settings. The supported
        options are described individually below.

    <group title="Options for configuring BFD">
      These options apply when <code>ovn-controller</code> configures
      BFD on tunnel interfaces.

      <column name="options" key="bfd-min-rx">
        BFD option <code>min-rx</code> value to use when configuring BFD on
        tunnel interfaces.

      <column name="options" key="bfd-decay-min-rx">
        BFD option <code>decay-min-rx</code> value to use when configuring
        BFD on tunnel interfaces.

      <column name="options" key="bfd-min-tx">
        BFD option <code>min-tx</code> value to use when configuring BFD on
        tunnel interfaces.

      <column name="options" key="bfd-mult">
        BFD option <code>mult</code> value to use when configuring BFD on
        tunnel interfaces.

      <column name="options" key="mac_prefix">
        Configure a given OUI to be used as prefix when an L2 address is
        dynamically assigned, e.g. <code>00:11:22</code>

      <column name="options" key="controller_event" type='{"type": "boolean"}'>
        Value set by the CMS to enable/disable ovn-controller event reporting.
        Traffic into OVS can raise a 'controller' event that results in a
        Controller_Event being written to the <ref table="Controller_Event"/>
        table in SBDB. When the CMS has seen the event and taken appropriate
        action, it can remove the corresponding row in the
        <ref table="Controller_Event"/> table.
        The intention is for a CMS to see the events and take some sort of
        action. Please see the <ref table="Controller_Event"/> table in SBDB.

    <group title="Connection Options">
      <column name="connections">
        Database clients to which the Open vSwitch database server should
        connect or on which it should listen, along with options for how these
        connections should be configured. See the <ref table="Connection"/>
        table for more information.

      Global SSL configuration.

    <group title="Security Configurations">
      <column name="ipsec">
        Tunnel encryption configuration. If this column is set to true, all
        OVN tunnels will be encrypted with IPsec.
  <table name="Logical_Switch" title="L2 logical switch">
    Each row represents one L2 logical switch.

    There are two kinds of logical switches, that is, ones that fully
    virtualize the network (overlay logical switches) and ones that provide
    simple connectivity to a physical network (bridged logical switches).
    They work in the same way when providing connectivity between logical
    ports on the same chassis, but differently when connecting remote logical
    ports. Overlay logical switches connect remote logical ports by tunnels,
    while bridged logical switches provide connectivity to remote ports by
    bridging the packets to a directly connected physical L2 segment with the
    help of <code>localnet</code> ports. Each bridged logical switch has
    one and only one <code>localnet</code> port, which has only one special
    address, <code>unknown</code>.

    <column name="ports">
      The logical ports connected to the logical switch.

      It is an error for multiple logical switches to include the same

    <column name="load_balancer">
      Load balance a virtual IP address to a set of logical port endpoint

    Access control rules that apply to packets within the logical switch.

    <column name="qos_rules">
      QoS marking and metering rules that apply to packets within the

    <column name="dns_records">
      This column defines the DNS records to be used for resolving internal
      DNS queries within the logical switch by the native DNS resolver.
      Please see the <ref table="DNS"/> table.

    <group title="Naming">
      These columns provide names for the logical switch. From OVN's
      perspective, these names have no special meaning or purpose other than
      to provide convenience for human interaction with the database.
      There is no requirement for the name to be unique. (For a unique
      identifier for a logical switch, use its row UUID.)

      (Originally, <ref column="name"/> was intended to serve the purpose of
      a human-friendly name, but the Neutron integration used it to uniquely
      identify its own switch object, in the format
      <code>neutron-<var>uuid</var></code>. Later on, Neutron started
      propagating the friendly name of a switch as <ref column="external_ids"
      key="neutron:network_name"/>. Perhaps this can be cleaned up someday.)

      A name for the logical switch.

      <column name="external_ids" key="neutron:network_name">
        Another name for the logical switch.

    <group title="IP Address Assignment">
      These options control automatic IP address management (IPAM) for ports
      attached to the logical switch. To enable IPAM for IPv4, set <ref
      column="other_config" key="subnet"/> and optionally <ref
      column="other_config:exclude_ips"/>. To enable IPAM for IPv6, set
      <ref column="other_config" key="ipv6_prefix"/>. IPv4 and IPv6 may
      be enabled together or separately.

      To request dynamic address assignment for a particular port, use the
      <code>dynamic</code> keyword in the <ref table="Logical_Switch_Port"
      column="addresses"/> column of the port's <ref
      table="Logical_Switch_Port"/> row. This requests both an IPv4 and an
      IPv6 address, if IPAM for IPv4 and IPv6 are both enabled.

      <column name="other_config" key="subnet">
        Set this to an IPv4 subnet, e.g. <code>192.168.0.0/24</code>, to enable
        <code>ovn-northd</code> to automatically assign IP addresses within

      <column name="other_config" key="exclude_ips">
        To exclude some addresses from automatic IP address management, set
        this to a list of the IPv4 addresses or <code>..</code>-delimited
        ranges to exclude. The addresses or ranges should be a subset of
        those in <ref column="other_config" key="subnet"/>.

        Whether listed or not, <code>ovn-northd</code> will never allocate
        the first or last address in a subnet, such as 192.168.0.0 or
        192.168.0.255 in 192.168.0.0/24.

        <li><code>192.168.0.2 192.168.0.10</code></li>
        <li><code>192.168.0.4 192.168.0.30..192.168.0.60 192.168.0.110..192.168.0.120</code></li>
        <li><code>192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30 192.168.0.144</code></li>

      <column name="other_config" key="ipv6_prefix">
        Set this to an IPv6 prefix to enable <code>ovn-northd</code> to
        automatically assign IPv6 addresses using this prefix. The assigned
        IPv6 address will be generated using the IPv6 prefix and the MAC
        address (converted to an IEEE EUI64 identifier) of the port. The IPv6
        prefix defined here should be a valid IPv6 address ending with

        <li><code>aef0::</code></li>
        <li><code>bef0:1234:a890:5678::</code></li>
        <li><code>8230:5678::</code></li>

      <column name="other_config" key="mac_only" type='{"type": "boolean"}'>
        Value used to request to assign an L2 address only, if neither subnet
        nor ipv6_prefix is specified
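The IPAM rules of this group worked through as an added Python example (not ovn-northd's code): expand exclude_ips including its <code>..</code> ranges and reject items outside subnet, allocate the lowest free address while never handing out the first or last address of the subnet, build a MAC under the NB_Global options:mac_prefix OUI described above, and derive the IPv6 address from ipv6_prefix and the MAC by modified EUI-64, which reproduces the page's own fdaa:15f2:72cf:0:f816:3eff:fe20:3f41 from fa:16:3e:20:3f:41. The allocator's bookkeeping (an in_use set supplied by the caller, random low MAC octets from a caller-supplied RNG) is an assumption for illustration; ovn-northd keeps its own state and guarantees uniqueness its own way.

```python
import ipaddress
import random


def parse_exclude_ips(subnet: str, exclude_ips: str) -> set:
    """Expand other_config:exclude_ips (space-separated addresses and
    "a.b.c.d..w.x.y.z" ranges) into a set of IPv4Address. Every item must lie
    inside `subnet`, as the column description requires."""
    net = ipaddress.ip_network(subnet, strict=True)
    excluded = set()
    for item in exclude_ips.split():
        if ".." in item:
            lo, hi = (ipaddress.IPv4Address(x) for x in item.split("..", 1))
        else:
            lo = hi = ipaddress.IPv4Address(item)
        if lo > hi:
            raise ValueError(f"reversed range: {item}")
        if lo not in net or hi not in net:
            raise ValueError(f"{item} is not inside {subnet}")
        excluded.update(ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1))
    return excluded


def allocate_ipv4(subnet: str, exclude_ips: str, in_use) -> str:
    """Lowest free host address. The first (network) and last (broadcast)
    addresses are never handed out, nor are excluded or already-used ones.
    Assumption: the caller tracks in_use; this walk is illustrative, not
    ovn-northd's allocator."""
    net = ipaddress.ip_network(subnet, strict=True)
    blocked = parse_exclude_ips(subnet, exclude_ips) | {ipaddress.IPv4Address(a) for a in in_use}
    for n in range(int(net.network_address) + 1, int(net.broadcast_address)):
        addr = ipaddress.IPv4Address(n)
        if addr not in blocked:
            return str(addr)
    raise RuntimeError(f"no free address in {subnet}")


def dynamic_mac(mac_prefix: str, rng: random.Random) -> str:
    """A MAC whose first three octets are options:mac_prefix (an OUI such as
    "00:11:22") and whose last three are drawn from rng (assumed scheme)."""
    oui = [int(b, 16) for b in mac_prefix.split(":")]
    if len(oui) != 3 or not all(0 <= b <= 255 for b in oui):
        raise ValueError("mac_prefix must be three hex octets, e.g. 00:11:22")
    return ":".join(f"{b:02x}" for b in oui + [rng.randrange(256) for _ in range(3)])


def ipv6_from_prefix(ipv6_prefix: str, mac: str) -> str:
    """Modified EUI-64: flip the universal/local bit of the first MAC octet,
    insert ff:fe in the middle, and OR the result into a prefix written as an
    address ending in "::" whose lower 64 bits are zero."""
    prefix = ipaddress.IPv6Address(ipv6_prefix)
    if int(prefix) & ((1 << 64) - 1):
        raise ValueError("ipv6_prefix must end with :: (zero interface identifier)")
    o = bytes.fromhex(mac.replace(":", ""))
    if len(o) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    eui64 = bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:6]
    return str(ipaddress.IPv6Address(int(prefix) | int.from_bytes(eui64, "big")))


def assign_dynamic(subnet, exclude_ips, ipv6_prefix, mac_prefix, in_use, rng) -> str:
    """What a port whose addresses column says "dynamic" ends up holding in
    dynamic_addresses: "<mac> [<ipv4>] [<ipv6>]", depending on which of subnet
    and ipv6_prefix the switch has configured."""
    mac = dynamic_mac(mac_prefix, rng)
    parts = [mac]
    if subnet:
        parts.append(allocate_ipv4(subnet, exclude_ips, in_use))
    if ipv6_prefix:
        parts.append(ipv6_from_prefix(ipv6_prefix, mac))
    return " ".join(parts)
```

Because the IPv6 interface identifier is a function of the MAC, a port's IPv6 address is predictable from its MAC (and vice versa); that is inherent to EUI-64 addressing and worth remembering when port_security or ACLs are written against one but not the other.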
    <group title="Common Columns">
      <column name="external_ids">
        See <em>External IDs</em> at the beginning of this document.

  <table name="Logical_Switch_Port" title="L2 logical switch port">
    A port within an L2 logical switch.

    <group title="Core Features">
      The logical port name.

      For entities (VMs or containers) that are spawned in the hypervisor,
      the name used here must match those used in the <ref key="iface-id"
      table="Interface" column="external_ids" db="Open_vSwitch"/> in the
      <ref db="Open_vSwitch"/> database's <ref table="Interface"
      db="Open_vSwitch"/> table, because hypervisors use <ref key="iface-id"
      table="Interface" column="external_ids" db="Open_vSwitch"/> as a lookup
      key to identify the network interface of that entity.

      For containers that share a VIF within a VM, the name can be any
      unique identifier. See <code>Containers</code>, below, for more

      Specify a type for this logical port. Logical ports can be used to
      model other types of connectivity into an OVN logical switch. The
      following types are defined:

      <dt>(empty string)</dt>
      A VM (or VIF) interface.

      <dt><code>router</code></dt>
      A connection to a logical router.

      <dt><code>localnet</code></dt>
      A connection to a locally accessible network from each
      <code>ovn-controller</code> instance. A logical switch can only
      have a single <code>localnet</code> port attached. This is used
      to model direct connectivity to an existing network.

      <dt><code>localport</code></dt>
      A connection to a local VIF. Traffic that arrives on a
      <code>localport</code> is never forwarded over a tunnel to another
      chassis. These ports are present on every chassis and have the same
      address in all of them. This is used to model connectivity to local
      services that run on every hypervisor.

      <dt><code>l2gateway</code></dt>
      A connection to a physical network.

      <dt><code>vtep</code></dt>
      A port to a logical switch on a VTEP gateway.

      <dt><code>external</code></dt>
      Represents a logical port which is external and does not have
      an OVS port in the integration bridge.
      <code>OVN</code> will never receive any traffic from this port or
      send any traffic to this port. <code>OVN</code> can support
      native services like DHCPv4/DHCPv6/DNS for this port.
      If <ref column="ha_chassis_group"/> is defined,
      <code>ovn-controller</code> running in the master chassis of
      the HA chassis group will bind this port to provide these native
      services. It is expected that this port belongs to a bridged
      logical switch (with a <code>localnet</code> port).

      It is recommended to use the same HA chassis group for all the
      external ports of a logical switch. Otherwise, the physical
      switch might see MAC flapping when different chassis provide
      the native services. For example, when supporting native DHCPv4
      service, the DHCPv4 server MAC (configured in the
      <ref column="options:server_mac" table="DHCP_Options"
      db="OVN_NB"/> column in table <ref table="DHCP_Options"/>)
      originating from different ports can cause MAC flapping.
      The MAC of the logical router IP(s) can also flap if the
      same HA chassis group is not set for all the external ports

      Below are some of the use cases where <code>external</code>

      VMs connected to SR-IOV NICs: traffic from these VMs bypasses
      the kernel stack, so the local <code>ovn-controller</code> does not
      bind these ports and cannot serve the native services.

      When the CMS supports provisioning baremetal servers.
    <group title="Options">
      <column name="options">
        This column provides key/value settings specific to the logical port
        <ref column="type"/>. The type-specific options are described

    <group title="Options for router ports">
      These options apply when <ref column="type"/> is <code>router</code>.

      <column name="options" key="router-port">
        Required. The <ref column="name"/> of the <ref
        table="Logical_Router_Port"/> to which this logical switch port is

      <column name="options" key="nat-addresses">
        This is used to send gratuitous ARPs for SNAT and DNAT IP
        addresses via the <code>localnet</code> port that is attached
        to the same logical switch as this type <code>router</code>
        port. This option is specified on a logical switch port that is
        connected to a gateway router, or a logical switch port that is
        connected to a distributed gateway port on a logical router.

        This must take one of the following forms:

        <dt><code>router</code></dt>
        Gratuitous ARPs will be sent for all SNAT and DNAT external IP
        addresses and for all load balancer IP addresses defined on the
        <ref column="options" key="router-port"/>'s logical router,
        using the <ref column="options" key="router-port"/>'s MAC

        This form of <ref column="options" key="nat-addresses"/> is
        valid for logical switch ports where <ref column="options"
        key="router-port"/> is the name of a port on a gateway router,
        or the name of a distributed gateway port.

        Supported only in OVN 2.8 and later. Earlier versions required
        NAT addresses to be manually synchronized.

        <dt><code>Ethernet address followed by one or more IPv4 addresses</code></dt>
        Example: <code>80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24</code>.
        This would result in generation of gratuitous ARPs for IP addresses
        158.36.44.22 and 158.36.44.24 with a MAC address of 80:fa:5b:06:72:b7.

        This form of <ref column="options" key="nat-addresses"/> is
        only valid for logical switch ports where <ref column="options"
        key="router-port"/> is the name of a port on a gateway router.

    <group title="Options for localnet ports">
      These options apply when <ref column="type"/> is
      <code>localnet</code>.

      <column name="options" key="network_name">
        Required. The name of the network to which the <code>localnet</code>
        port is connected. Each hypervisor, via <code>ovn-controller</code>,
        uses its local configuration to determine exactly how to connect to
        this locally accessible network.

    <group title="Options for l2gateway ports">
      These options apply when <ref column="type"/> is
      <code>l2gateway</code>.

      <column name="options" key="network_name">
        Required. The name of the network to which the <code>l2gateway</code>
        port is connected. The L2 gateway, via <code>ovn-controller</code>,
        uses its local configuration to determine exactly how to connect to

      <column name="options" key="l2gateway-chassis">
        Required. The chassis on which the <code>l2gateway</code> logical
        port should be bound. <code>ovn-controller</code> running on the
        defined chassis will connect this logical port to the physical network.

    <group title="Options for vtep ports">
      These options apply when <ref column="type"/> is <code>vtep</code>.

      <column name="options" key="vtep-physical-switch">
        Required. The name of the VTEP gateway.

      <column name="options" key="vtep-logical-switch">
        Required. A logical switch name connected by the VTEP gateway.

    <group title="VMI (or VIF) Options">
      These options apply to logical ports with <ref column="type"/> having

      <column name="options" key="requested-chassis">
        If set, identifies a specific chassis (by name or hostname) that
        is allowed to bind this port. Using this option will prevent
        thrashing between two chassis trying to bind the same port during
        a live migration. It can also prevent similar thrashing due to a
        misconfiguration, if a port is accidentally created on more than

      <column name="options" key="qos_max_rate">
        If set, indicates the maximum rate for data sent from this interface,
        in bit/s. The traffic will be shaped according to this limit.

      <column name="options" key="qos_burst">
        If set, indicates the maximum burst size for data sent from this

    <group title="Containers">
      When a large number of containers are nested within a VM, it may be too
      expensive to dedicate a VIF to each container. OVN can use VLAN tags
      to support such cases. Each container is assigned a VLAN ID and each
      packet that passes between the hypervisor and the VM is tagged with the
      appropriate ID for the container. Such VLAN IDs never appear on a
      physical wire, even inside a tunnel, so they need not be unique except
      relative to a single VM on a hypervisor.

      These columns are used for VIFs that represent nested containers using
      shared VIFs. For VMs and for containers that have dedicated VIFs, they

      <column name="parent_name">
        The VM interface through which the nested container sends its network
        traffic. This must match the <ref column="name"/> column for some
        other <ref table="Logical_Switch_Port"/>.

      <column name="tag_request">
        The VLAN tag in the network traffic associated with a container's
        network interface. The client can request <code>ovn-northd</code>
        to allocate a tag that is unique within the scope of a specific
        parent (specified in <ref column="parent_name"/>) by setting a value
        of <code>0</code> in this column. The allocated value is written
        by <code>ovn-northd</code> in the <ref column="tag"/> column.
        (Note that these tags are allocated and managed locally in
        <code>ovn-northd</code>, so they cannot be reconstructed in the event
        that the database is lost.) The client can also request a specific
        non-zero tag and <code>ovn-northd</code> will honor it and copy that
        value to the <ref column="tag"/> column.

        When <ref column="type"/> is set to <code>localnet</code> or
        <code>l2gateway</code>, this can be set to indicate that the port
        represents a connection to a specific VLAN on a locally accessible
        network. The VLAN ID is used to match incoming traffic and is also
        added to outgoing traffic.

      The VLAN tag allocated by <code>ovn-northd</code> based on the
      contents of the <ref column="tag_request"/> column.

    <group title="Port State">
      This column is populated by <code>ovn-northd</code>, rather
      than by the CMS plugin as is most of this database. When a
      logical port is bound to a physical location in the OVN
      Southbound database <ref db="OVN_Southbound"
      table="Port_Binding"/> table, <code>ovn-northd</code> sets this
      column to <code>true</code>; otherwise, or if the port
      becomes unbound later, it sets it to <code>false</code>.
      This allows the CMS to wait for a VM's (or container's)
      networking to become active before it allows the VM (or

      Logical ports of router type are an exception to this rule.
      They are considered to be always up, that is, this column is
      always set to <code>true</code>.

      <column name="enabled">
        This column is used to administratively set port state. If this column
        is empty or is set to <code>true</code>, the port is enabled. If this
        column is set to <code>false</code>, the port is disabled. A disabled
        port has all ingress and egress traffic dropped.
    <group title="Addressing">
      <column name="addresses">
        Addresses owned by the logical port.

        Each element in the set must take one of the following forms:

        <dt><code>Ethernet address followed by zero or more IPv4 or IPv6 addresses (or both)</code></dt>
        An Ethernet address defined is owned by the logical port.
        Like a physical Ethernet NIC, a logical port ordinarily has
        a single fixed Ethernet address.

        When an OVN logical switch processes a unicast Ethernet frame
        whose destination MAC address is in a logical port's <ref
        column="addresses"/> column, it delivers it only to that port, as
        if a MAC learning process had learned that MAC address on the

        If IPv4 or IPv6 address(es) (or both) are defined, it indicates
        that the logical port owns the given IP addresses.

        If IPv4 address(es) are defined, the OVN logical switch uses this
        information to synthesize responses to ARP requests without
        traversing the physical network. The OVN logical router connected
        to the logical switch, if any, uses this information to avoid
        issuing ARP requests for logical switch ports.

        Note that the order here is important. The Ethernet address must
        be listed before the IP address(es) if defined.

        <dt><code>80:fa:5b:06:72:b7</code></dt>
        This indicates that the logical port owns the above MAC address.

        <dt><code>80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4</code></dt>
        This indicates that the logical port owns the MAC address and two

        <dt><code>80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41</code></dt>
        This indicates that the logical port owns the MAC address and

        <dt><code>80:fa:5b:06:72:b7 10.0.0.4 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41</code></dt>
        This indicates that the logical port owns the MAC address and
        1 IPv4 address and 1 IPv6 address.

        <dt><code>unknown</code></dt>
        This indicates that the logical port has an unknown set of Ethernet
        addresses. When an OVN logical switch processes a unicast Ethernet
        frame whose destination MAC address is not in any logical port's
        <ref column="addresses"/> column, it delivers it to the port (or
        ports) whose <ref column="addresses"/> columns include
        <code>unknown</code>.

        <dt><code>dynamic</code></dt>
        Use this keyword to make <code>ovn-northd</code> generate a
        globally unique MAC address and choose an unused IPv4 address within
        the logical port's subnet and store them in the port's <ref
        column="dynamic_addresses"/> column. <code>ovn-northd</code> will
        use the subnet specified in <ref table="Logical_Switch"
        column="other_config" key="subnet"/> in the port's <ref
        table="Logical_Switch"/>.

        <dt><code>Ethernet address followed by keyword "dynamic"</code></dt>
        The keyword <code>dynamic</code> after the MAC address indicates
        that <code>ovn-northd</code> should choose an unused IPv4 address
        from the logical port's subnet and store it with the specified
        MAC in the port's <ref column="dynamic_addresses"/> column.
        <code>ovn-northd</code> will use the subnet specified in <ref
        table="Logical_Switch" column="other_config" key="subnet"/> in
        the port's <ref table="Logical_Switch"/> table.

        <dt><code>80:fa:5b:06:72:b7 dynamic</code></dt>
        This indicates that the logical port owns the specified
        MAC address and <code>ovn-northd</code> should allocate an
        unused IPv4 address for the logical port from the corresponding
        logical switch subnet.

        <dt><code>Keyword "dynamic" followed by an IPv4/IPv6 address</code></dt>
        The keyword <code>dynamic</code> followed by an IPv4/IPv6
        address indicates that <code>ovn-northd</code> should choose
        a dynamic Ethernet address and use the provided IPv4/IPv6 address

        <dt><code>dynamic 192.168.0.1 2001::1</code></dt>
        This indicates that <code>ovn-northd</code> should allocate
        a unique MAC address and use the provided IPv4/IPv6 address

        <dt><code>router</code></dt>
        Accepted only when <ref column="type"/> is <code>router</code>.
        This indicates that the Ethernet, IPv4, and IPv6 addresses for
        this logical switch port should be obtained from the connected
        logical router port, as specified by <code>router-port</code> in
        <ref column="options"/>.

        The resulting addresses are used to populate the logical
        switch's destination lookup, and also for the logical switch
        to generate ARP and ND replies.

        If the connected logical router port has a
        <code>redirect-chassis</code> specified and the logical router
        has rules specified in <ref column="nat" table="Logical_Router"/>
        with <ref column="external_mac" table="NAT"/>, then those
        addresses are also used to populate the switch's destination

        Supported only in OVN 2.7 and later. Earlier versions required
        router addresses to be manually synchronized.
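A parser for the element forms listed above, as an added Python example (not OVN's own parser): it classifies each element as static, unknown, dynamic or router, enforces that the Ethernet address precedes the IP addresses and that <code>router</code> is accepted only on ports of type router, and then builds the two tables the column description says the switch derives from these addresses, the MAC-to-port destination lookup and the IP-to-MAC map used to answer ARP/ND, plus the list of ports that receive unicast frames for unknown MACs. The record type, the helper names and the dict-of-ports input shape are assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")
KEYWORDS = ("dynamic", "unknown", "router")


@dataclass
class PortAddresses:
    kind: str                      # "static", "unknown", "dynamic" or "router"
    mac: Optional[str] = None      # fixed MAC, or None when ovn-northd must pick one
    dynamic_ip: bool = False       # True when an IPv4 address must come from IPAM
    ipv4: list = field(default_factory=list)
    ipv6: list = field(default_factory=list)


def _add_ips(rec: PortAddresses, tokens) -> None:
    """Everything after the MAC / keyword must be IP addresses, IPv4 or IPv6."""
    for tok in tokens:
        if tok in KEYWORDS or MAC_RE.match(tok):
            raise ValueError(f"unexpected {tok!r} after the address list begins")
        addr = ipaddress.ip_address(tok)          # ValueError on anything else
        (rec.ipv4 if addr.version == 4 else rec.ipv6).append(str(addr))


def parse_addresses_element(element: str, port_type: str = "") -> PortAddresses:
    tokens = element.split()
    if not tokens:
        raise ValueError("empty addresses element")
    if tokens == ["unknown"]:
        return PortAddresses("unknown")
    if tokens == ["router"]:
        if port_type != "router":
            raise ValueError('"router" is accepted only when type is router')
        return PortAddresses("router")
    if tokens == ["dynamic"]:                     # MAC and IPv4 both from ovn-northd
        return PortAddresses("dynamic", dynamic_ip=True)
    if tokens[0] == "dynamic":                    # "dynamic <ip>...": MAC chosen, IPs fixed
        rec = PortAddresses("dynamic")
        _add_ips(rec, tokens[1:])
        return rec
    if not MAC_RE.match(tokens[0]):
        raise ValueError(f"element must start with a MAC address or keyword: {element!r}")
    rec = PortAddresses("static", mac=tokens[0].lower())
    if tokens[1:] == ["dynamic"]:                 # "<mac> dynamic": IPv4 from IPAM
        rec.kind, rec.dynamic_ip = "dynamic", True
        return rec
    _add_ips(rec, tokens[1:])
    return rec


def is_valid_element(element: str, port_type: str = "") -> bool:
    try:
        parse_addresses_element(element, port_type)
        return True
    except ValueError:
        return False


def build_switch_tables(ports: dict, port_types: Optional[dict] = None):
    """Given {port_name: [addresses elements]} return (mac_to_port, ip_to_mac,
    unknown_ports): unicast delivery by destination MAC, the data behind the
    synthesized ARP/ND replies, and the ports that receive unicast frames whose
    destination MAC no port owns."""
    mac_to_port, ip_to_mac, unknown_ports = {}, {}, []
    for name, elements in ports.items():
        ptype = (port_types or {}).get(name, "")
        for el in elements:
            rec = parse_addresses_element(el, ptype)
            if rec.kind == "unknown":
                unknown_ports.append(name)
            elif rec.mac is not None:             # router / not-yet-allocated dynamic MACs
                mac_to_port[rec.mac] = name       # are filled in by ovn-northd later
                for ip in rec.ipv4 + rec.ipv6:
                    ip_to_mac[ip] = rec.mac
    return mac_to_port, ip_to_mac, unknown_ports
```

Note what the tables imply for a bridged switch: every unicast frame for a MAC that no port claims lands on the <code>unknown</code> ports, normally the single localnet port, so a VM that sends to an unclaimed MAC reaches the physical segment unless an ACL or port_security says otherwise.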
      <column name="dynamic_addresses">
        Addresses assigned to the logical port by <code>ovn-northd</code>, if
        <code>dynamic</code> is specified in <ref column="addresses"/>.
        Addresses will be of the same format as those that populate the <ref
        column="addresses"/> column. Note that dynamically assigned
        addresses are constructed and managed locally in ovn-northd, so they
        cannot be reconstructed in the event that the database is lost.
      <column name="port_security">
        This column controls the addresses from which the host attached to the
        logical port (``the host'') is allowed to send packets and to which it
        is allowed to receive packets. If this column is empty, all addresses

        Each element in the set must begin with one Ethernet address.
        This would restrict the host to sending packets from and receiving
        packets to the Ethernet addresses defined in the logical port's
        <ref column="port_security"/> column. It also restricts the inner
        source MAC addresses that the host may send in ARP and IPv6
        Neighbor Discovery packets. The host is always allowed to receive
        packets to multicast and broadcast Ethernet addresses.

        Each element in the set may additionally contain one or more IPv4 or
        IPv6 addresses (or both), with optional masks. If a mask is given, it
        must be a CIDR mask. In addition to the restrictions described for
        Ethernet addresses above, such an element restricts the IPv4 or IPv6
        addresses from which the host may send and to which it may receive
        packets to the specified addresses. A masked address, if the host part
        is zero, indicates that the host is allowed to use any address in the
        subnet; if the host part is nonzero, the mask simply indicates the size
        of the subnet. In addition:

        If any IPv4 address is given, the host is also allowed to receive
        packets to the IPv4 local broadcast address 255.255.255.255 and to
        IPv4 multicast addresses (224.0.0.0/4). If an IPv4 address with a
        mask is given, the host is also allowed to receive packets to the
        broadcast address in that specified subnet.

        If any IPv4 address is given, the host is additionally restricted
        to sending ARP packets with the specified source IPv4 address.
        (RARP is not restricted.)

        If any IPv6 address is given, the host is also allowed to receive
        packets to IPv6 multicast addresses (ff00::/8).

        If any IPv6 address is given, the host is additionally restricted
        to sending IPv6 Neighbor Discovery Solicitation or Advertisement
        packets with the specified source address or, for solicitations,
        the unspecified address.

        If an element includes an IPv4 address, but no IPv6 addresses, then
        IPv6 traffic is not allowed. If an element includes an IPv6 address,
        but no IPv4 address, then IPv4 and ARP traffic is not allowed.

        This column uses the same lexical syntax as the <ref column="match"
        table="Logical_Flow" db="OVN_Southbound"/> column in the OVN Southbound
        database's <ref table="Logical_Flow" db="OVN_Southbound"/> table. Multiple
        addresses within an element may be space or comma separated.

        This column is provided as a convenience to cloud management systems,
        but all of the features that it implements can be implemented as ACLs
        using the <ref table="ACL"/> table.

        <dt><code>80:fa:5b:06:72:b7</code></dt>
        The host may send traffic from and receive traffic to the specified
        MAC address, and receive traffic to Ethernet multicast and
        broadcast addresses, but not otherwise. The host may not send ARP or
        IPv6 Neighbor Discovery packets with inner source Ethernet addresses
        other than the one specified.

        <dt><code>80:fa:5b:06:72:b7 192.168.1.10/24</code></dt>
        This adds further restrictions to the first example. The host may
        send IPv4 packets from or receive IPv4 packets to only 192.168.1.10,
        except that it may also receive IPv4 packets to 192.168.1.255 (based
        on the subnet mask), 255.255.255.255, and any address in 224.0.0.0/4.
        The host may not send ARPs with a source Ethernet address other than
        80:fa:5b:06:72:b7 or a source IPv4 address other than 192.168.1.10.
        The host may not send or receive any IPv6 (including IPv6 Neighbor

        <dt><code>"80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"</code></dt>
        The host may send traffic from and receive traffic to the
        specified MAC addresses, and receive traffic to Ethernet multicast
        and broadcast addresses, but not otherwise. With MAC
        80:fa:5b:12:42:ba, the host may send traffic from and receive
        traffic to any L3 address. With MAC 80:fa:5b:06:72:b7, the host may
        send IPv4 packets from or receive IPv4 packets to only 192.168.1.10,
        except that it may also receive IPv4 packets to 192.168.1.255 (based
        on the subnet mask), 255.255.255.255, and any address in 224.0.0.0/4.
        The host may not send or receive any IPv6 (including IPv6 Neighbor
        Discovery) traffic.
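The port_security rules above as executable policy, an added Python example (not OVN's logical-flow implementation, which compiles the same rules into match expressions): parse the elements, then decide for a summarized frame whether the host may send it and whether it may receive it, reproducing the cases worked in the three examples: MAC-only elements admit any L3 address, a masked address with a nonzero host part still pins the host to that one address but admits its subnet broadcast on receive, 255.255.255.255, 224.0.0.0/4 and ff00::/8 are always receivable once the family is listed, ARP/ND inner source MACs and source IPs are checked, DAD-style solicitations from :: pass, and a family with no listed address is blocked when the other family is. The Frame summary, its kind labels (ip4, arp, ip6, nd_sol, nd_adv) and the assumption that multicast is detected from the group bit of the destination MAC are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

V4_BCAST = ipaddress.IPv4Address("255.255.255.255")
V4_MCAST = ipaddress.ip_network("224.0.0.0/4")
V6_MCAST = ipaddress.ip_network("ff00::/8")
V6_UNSPEC = ipaddress.IPv6Address("::")


@dataclass
class Entry:
    mac: str
    v4: list = field(default_factory=list)   # IPv4Interface: address plus its CIDR mask
    v6: list = field(default_factory=list)   # IPv6Interface


@dataclass
class Frame:
    """Constructed summary of one frame; kind is ip4, arp, ip6, nd_sol or nd_adv."""
    src_mac: str
    dst_mac: str
    kind: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    inner_mac: Optional[str] = None          # ARP sender / ND source link-layer address


def parse_port_security(elements):
    entries = []
    for el in elements:
        toks = el.replace(",", " ").split()  # addresses may be space or comma separated
        if not toks or toks[0].count(":") != 5:
            raise ValueError(f"element must begin with an Ethernet address: {el!r}")
        e = Entry(toks[0].lower())
        for tok in toks[1:]:
            iface = ipaddress.ip_interface(tok)   # "/n" is a CIDR mask; none means /32 or /128
            (e.v4 if iface.version == 4 else e.v6).append(iface)
        entries.append(e)
    return entries


def _matches(ifaces, ip) -> bool:
    """Zero host part: any address in the subnet. Otherwise only that address."""
    for i in ifaces:
        whole_subnet = i.ip == i.network.network_address and i.network.prefixlen < i.network.max_prefixlen
        if (ip in i.network) if whole_subnet else (ip == i.ip):
            return True
    return False


def allows_send(entries, f: Frame) -> bool:
    """Host -> logical switch direction."""
    is_v4 = f.kind in ("ip4", "arp")
    for e in entries:
        if e.mac != f.src_mac.lower():
            continue
        if f.kind in ("arp", "nd_sol", "nd_adv") and f.inner_mac and f.inner_mac.lower() != e.mac:
            continue                              # inner source MAC must be the element's MAC
        if not e.v4 and not e.v6:
            return True                           # MAC-only element: any L3 address
        nets = e.v4 if is_v4 else e.v6
        if not nets:
            continue                              # other family listed, this one is not
        src = ipaddress.ip_address(f.src_ip)
        if f.kind == "nd_sol" and src == V6_UNSPEC:
            return True                           # solicitation from the unspecified address
        if _matches(nets, src):
            return True
    return False


def allows_receive(entries, f: Frame) -> bool:
    """Logical switch -> host direction."""
    dst_mac = f.dst_mac.lower()
    if int(dst_mac[:2], 16) & 1:
        return True                               # group bit set: multicast or broadcast MAC
    for e in entries:
        if e.mac != dst_mac:
            continue
        if not e.v4 and not e.v6:
            return True
        if f.kind in ("ip4", "arp"):
            if not e.v4:
                continue                          # IPv6-only element: no IPv4, no ARP
            if f.kind == "arp":
                return True
            dst = ipaddress.ip_address(f.dst_ip)
            if dst == V4_BCAST or dst in V4_MCAST or _matches(e.v4, dst):
                return True
            if any(dst == i.network.broadcast_address for i in e.v4 if i.network.prefixlen < 32):
                return True                       # broadcast of the masked subnet
        elif e.v6:
            dst = ipaddress.ip_address(f.dst_ip)
            if dst in V6_MCAST or _matches(e.v6, dst):
                return True
    return False
```

The practical consequence of the family rule is easy to miss: an element that lists only an IPv4 address silently disables IPv6 for that MAC, including Neighbor Discovery, so a dual-stack guest behind such a port loses IPv6 connectivity rather than failing open.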
973 <column name=
"dhcpv4_options">
974 This column defines the DHCPv4 Options to be included by the
975 <code>ovn-controller
</code> when it replies to the DHCPv4 requests.
976 Please see the
<ref table=
"DHCP_Options"/> table.
979 <column name=
"dhcpv6_options">
980 This column defines the DHCPv6 Options to be included by the
981 <code>ovn-controller
</code> when it replies to the DHCPv6 requests.
982 Please see the
<ref table=
"DHCP_Options"/> table.
986 <column name=
"ha_chassis_group">
987 References a row in the OVN Northbound database's
988 <ref table=
"HA_Chassis_Group" db=
"OVN_Northbound"/> table.
989 It indicates the HA chassis group to use if the
990 <ref column=
"type"/> is set to
<code>external
</code>.
991 If
<ref column=
"type"/> is not
<code>external
</code>, this
995 <group title=
"Naming">
996 <column name=
"external_ids" key=
"neutron:port_name">
998 This column gives an optional human-friendly name for the port. This
999 name has no special meaning or purpose other than to provide
1000 convenience for human interaction with the northbound database.
1004 Neutron copies this from its own port object's name. (Neutron ports
1005 do are not assigned human-friendly names by default, so it will often
<group title="Common Columns">
  <column name="external_ids">
    See <em>External IDs</em> at the beginning of this document.

    The <code>ovn-northd</code> program copies all these pairs into the
    <ref column="external_ids"/> column of the
    <ref table="Port_Binding"/> table in <ref db="OVN_Southbound"/>
<table name="Address_Set" title="Address Sets">
  Each row in this table represents a named set of addresses.
  An address set may contain Ethernet, IPv4, or IPv6 addresses
  with optional bitwise or CIDR masks.
  Address sets may ultimately be used in ACLs to compare against
  fields such as <code>ip4.src</code> or <code>ip6.src</code>.
  A single address set must contain addresses of the
  same type. As an example, the following would create an address set
  with three IP addresses:

    ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'

  Address sets may be used in the <ref column="match" table="ACL"/> column
  of the <ref table="ACL"/> table. For syntax information, see the details
  of the expression language used for the <ref column="match"
  table="Logical_Flow" db="OVN_Southbound"/> column in the <ref
  table="Logical_Flow" db="OVN_Southbound"/> table of the <ref
  db="OVN_Southbound"/> database.

  <column name="name">
    A name for the address set. Names are ASCII and must match
    <code>[a-zA-Z_.][a-zA-Z_.0-9]*</code>.

  <column name="addresses">
    The set of addresses in string form.
  <group title="Common Columns">
    <column name="external_ids">
      See <em>External IDs</em> at the beginning of this document.
<table name="Port_Group" title="Port Groups">
  Each row in this table represents a named group of logical switch ports.

  Port groups may be used in the <ref column="match" table="ACL"/> column
  of the <ref table="ACL"/> table. For syntax information, see the details
  of the expression language used for the <ref column="match"
  table="Logical_Flow" db="OVN_Southbound"/> column in the <ref
  table="Logical_Flow" db="OVN_Southbound"/> table of the <ref
  db="OVN_Southbound"/> database.

  For each port group, two address sets are generated in the
  <ref table="Address_Set" db="OVN_Southbound"/> table of the
  <ref db="OVN_Southbound"/> database, containing the IP addresses
  of the group of ports, one for IPv4 and the other for IPv6, with
  <ref column="name" table="Address_Set" db="OVN_Southbound"/> being
  the <ref column="name" table="Port_Group" db="OVN_Northbound"/>
  of the <ref table="Port_Group" db="OVN_Northbound"/> followed by
  a suffix <code>_ip4</code> for IPv4 and <code>_ip6</code> for IPv6.
  The generated address sets can be used in the same way as regular
  address sets in the <ref column="match" table="ACL"/> column
  of the <ref table="ACL"/> table. For syntax information, see the details
  of the expression language used for the <ref column="match"
  table="Logical_Flow" db="OVN_Southbound"/> column in the <ref
  table="Logical_Flow" db="OVN_Southbound"/> table of the <ref
  db="OVN_Southbound"/> database.
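An added example (not OVN project code) that serves both the Address_Set rules above (name pattern, one address type per set, optional CIDR or bitwise mask) and the `_ip4`/`_ip6` address sets derived from a Port_Group. It assumes Logical_Switch_Port addresses written as `MAC [IP ...]`, with entries such as `unknown` or `router` carrying no IPs.

```python
"""Added example: validate an Address_Set row and derive the two address
sets generated for a Port_Group. Assumes port addresses of the form
"MAC [IP ...]"; entries without a leading MAC are skipped."""
import ipaddress
import re

# Name pattern from the name column of both tables.
NAME_RE = re.compile(r"[a-zA-Z_.][a-zA-Z_.0-9]*")
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")


def address_type(text):
    """Classify one entry as "eth", "ip4" or "ip6". The optional mask may be
    a CIDR prefix length or a bitwise mask of the same kind as the address."""
    addr, _, mask = text.partition("/")
    if MAC_RE.match(addr):
        if mask and not MAC_RE.match(mask):
            raise ValueError("bad Ethernet mask in %r" % text)
        return "eth"
    ip = ipaddress.ip_address(addr)        # raises ValueError if malformed
    if mask and mask.isdigit():
        if int(mask) > ip.max_prefixlen:
            raise ValueError("prefix too long in %r" % text)
    elif mask and ipaddress.ip_address(mask).version != ip.version:
        raise ValueError("mask family mismatch in %r" % text)
    return "ip%d" % ip.version


def validate_address_set(name, addresses):
    """Check the name and that every address has the same type; returns that
    type, or None for an empty set."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid address set name %r" % name)
    types = {address_type(a) for a in addresses}
    if len(types) > 1:
        raise ValueError("mixed address types in %s: %s" % (name, sorted(types)))
    return types.pop() if types else None


def port_group_address_sets(pg_name, port_addresses):
    """Return {pg_name_ip4: [...], pg_name_ip6: [...]} built from the IPs in
    the addresses of each member port (MAC first, then zero or more IPs)."""
    if not NAME_RE.fullmatch(pg_name):
        raise ValueError("invalid port group name %r" % pg_name)
    sets = {pg_name + "_ip4": [], pg_name + "_ip6": []}
    for addresses in port_addresses.values():
        tokens = addresses.split()
        if not tokens or not MAC_RE.match(tokens[0]):
            continue                      # "unknown", "router", "dynamic", ...
        for token in tokens[1:]:
            ip = ipaddress.ip_address(token)
            sets["%s_ip%d" % (pg_name, ip.version)].append(str(ip))
    return sets
```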
  <column name="name">
    A name for the port group. Names are ASCII and must match
    <code>[a-zA-Z_.][a-zA-Z_.0-9]*</code>.

  <column name="ports">
    The logical switch ports belonging to the group, as UUIDs.

  <column name="acls">
    Access control rules that apply to the port group. Applying an ACL
    to a port group has the same effect as applying the ACL to all logical
    switches that the ports of the port group belong to.

  <group title="Common Columns">
    <column name="external_ids">
      See <em>External IDs</em> at the beginning of this document.
<table name="Load_Balancer" title="load balancer">
  Each row represents one load balancer.

  <column name="name">
    A name for the load balancer. This name has no special meaning or
    purpose other than to provide convenience for human interaction with
    the ovn-nb database.

  <column name="vips">
    A map of virtual IP addresses (and an optional port number with
    <code>:</code> as a separator) associated with this load balancer and
    their corresponding endpoint IP addresses (and optional port numbers
    with <code>:</code> as separators) separated by commas. If
    the destination IP address (and port number) of a packet leaving a
    container or a VM matches the virtual IP address (and port number)
    provided here as a key, then OVN will statefully replace the
    destination IP address by one of the provided IP addresses (and port
    numbers) in this map as a value. IPv4 and IPv6 addresses are supported
    for load balancing; however, a VIP of one address family may not be
    mapped to a destination IP address of a different family. If
    specifying an IPv6 address with a port, the address portion must be
    enclosed in square brackets. Examples for keys are "192.168.1.4" and
    "[fd0f::1]:8800". Examples for values are "10.0.0.1, 10.0.0.2" and
    "20.0.0.10:8800, 20.0.0.11:8800".

    When the <code>Load_Balancer</code> is added to the
    <code>logical_switch</code>, the VIP has to be in a different subnet
    than the one used for the <code>logical_switch</code>. Since the VIP is
    in a different subnet, you should connect your logical switch to
    either an OVN logical router or a real router (this is because the
    client can now send a packet with the VIP as the destination IP address
    and the router's MAC address as the destination MAC address).

  <column name="protocol">
    Valid protocols are <code>tcp</code> or <code>udp</code>. This column
    is useful when a port number is provided as part of the
    <code>vips</code> column. If this column is empty and a port number
    is provided as part of the <code>vips</code> column, OVN assumes the
    protocol to be <code>tcp</code>.
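Parsing and checking a Load_Balancer row's vips map and protocol as described above, as an added example that is not OVN's own code. It applies the family rule and the tcp default from the text; the assumption that a port on the VIP side implies ports on the backends, and the hash-based backend choice in `pick_backend` (which only stands in for OVN's stateful selection), are this example's own.

```python
"""Added example: parse a Load_Balancer vips map with the rules stated in
the text (IPv6 VIPs in brackets, one address family per entry, tcp assumed
when a port is given and protocol is empty)."""
import hashlib
import ipaddress
import re

BRACKETED = re.compile(r"^\[([0-9a-fA-F:.]+)\](?::(\d+))?$")


def parse_endpoint(text):
    """"192.168.1.4" -> (ip, None); "20.0.0.10:8800" -> (ip, 8800);
    "[fd0f::1]:8800" -> (ip, 8800). A bare IPv6 address carries no port."""
    text = text.strip()
    m = BRACKETED.match(text)
    if m:
        return (ipaddress.ip_address(m.group(1)),
                int(m.group(2)) if m.group(2) else None)
    host, sep, port = text.rpartition(":")
    if sep and host.count(":") == 0:     # exactly one colon: IPv4 with port
        return ipaddress.ip_address(host), int(port)
    return ipaddress.ip_address(text), None   # bare IPv4 or bare IPv6


def parse_load_balancer(vips, protocol=""):
    """vips: the column's map {vip_key: "backend, backend, ..."}. Returns a
    list of (vip, port, backends, protocol) with the rules enforced."""
    if protocol not in ("", "tcp", "udp"):
        raise ValueError("protocol must be tcp or udp, got %r" % protocol)
    entries = []
    for key, value in vips.items():
        vip, vport = parse_endpoint(key)
        backends = [parse_endpoint(b) for b in value.split(",") if b.strip()]
        for bip, bport in backends:
            if bip.version != vip.version:
                raise ValueError("VIP %s and backend %s differ in family"
                                 % (vip, bip))
            # Assumed here: ports are given on both sides or on neither.
            if (bport is None) != (vport is None):
                raise ValueError("port given on only one side of %r" % key)
        # If a port is present and no protocol is set, OVN assumes tcp.
        proto = protocol or ("tcp" if vport is not None else None)
        entries.append((vip, vport, backends, proto))
    return entries


def pick_backend(entry, src_ip, src_port):
    """Deterministic per-flow choice (this example's stand-in for OVN's
    stateful selection): the same flow always maps to the same backend."""
    vip, vport, backends, proto = entry
    key = "%s|%s|%s|%s|%s" % (src_ip, src_port, vip, vport, proto)
    digest = hashlib.sha256(key.encode()).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]
```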
  <group title="Common Columns">
    <column name="external_ids">
      See <em>External IDs</em> at the beginning of this document.
<table name="ACL" title="Access Control List (ACL) rule">
  Each row in this table represents one ACL rule for a logical switch
  or a port group that points to it through its <ref column="acls"/>
  column. The <ref column="action"/> column for the
  highest-<ref column="priority"/> matching row in this table determines a
  packet's treatment. If no row matches, packets are allowed by default.
  (Default-deny treatment is possible: add a rule with
  <ref column="priority"/> 0, <code>1</code> as <ref column="match"/>,
  and <code>deny</code> as <ref column="action"/>.)

  <column name="priority">
    The ACL rule's priority. Rules with numerically higher priority
    take precedence over those with lower. If two ACL rules with
    the same priority both match, then the one actually applied to a
    packet is undefined.

    Return traffic from an <code>allow-related</code> flow is always
    allowed and cannot be changed through an ACL.

  <column name="direction">
    <p>Direction of the traffic to which this rule should apply:</p>

    <code>from-lport</code>: Used to implement filters on traffic
    arriving from a logical port. These rules are applied to the
    logical switch's ingress pipeline.

    <code>to-lport</code>: Used to implement filters on traffic
    forwarded to a logical port. These rules are applied to the
    logical switch's egress pipeline.

  <column name="match">
    The packets that the ACL should match, in the same expression
    language used for the <ref column="match" table="Logical_Flow"
    db="OVN_Southbound"/> column in the OVN Southbound database's
    <ref table="Logical_Flow" db="OVN_Southbound"/> table. The
    <code>outport</code> logical port is only available in the
    <code>to-lport</code> direction (the <code>inport</code> is
    available in both directions).

    By default all traffic is allowed. When writing a more
    restrictive policy, it is important to remember to allow flows
    such as ARP and IPv6 neighbor discovery packets.

    Note that you cannot create an ACL matching on a port with
    type=router or type=localnet.

  <column name="action">
    <p>The action to take when the ACL rule matches:</p>

    <code>allow</code>: Forward the packet.

    <code>allow-related</code>: Forward the packet and related traffic
    (e.g. inbound replies to an outbound connection).

    <code>drop</code>: Silently drop the packet.

    <code>reject</code>: Drop the packet, replying with a RST for TCP or
    ICMPv4/ICMPv6 unreachable message for other IPv4/IPv6-based
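The ACL selection rules above (highest priority wins, allow when nothing matches, a priority-0 `1` rule for default-deny, `outport` only in the to-lport direction) as an added example; this is illustration code, not ovn-northd's. Its match parser covers only a small subset of the OVN expression language (`1`, and `field == value` terms joined with `&&`), which is this example's simplification, and the port names and addresses in `SAMPLE_ACLS` are constructed.

```python
"""Added example: evaluate ACL rows as the ACL table columns describe.
The match grammar here is a deliberately small subset of OVN's."""
import ipaddress

ACTIONS = ("allow", "allow-related", "drop", "reject")


def _value_matches(actual, wanted):
    """Compare a packet field with a match literal: quoted strings, numbers,
    IP addresses and CIDR prefixes are handled."""
    wanted = wanted.strip().strip('"')
    if actual is None:
        return False
    actual = str(actual)
    try:
        return (ipaddress.ip_address(actual)
                in ipaddress.ip_network(wanted, strict=False))
    except ValueError:                   # not an IP on one side: plain compare
        return actual == wanted


def match_packet(match, direction, packet):
    """Evaluate one match string against a packet (a dict field -> value)."""
    if match.strip() == "1":
        return True
    for term in match.split("&&"):
        field, sep, literal = term.partition("==")
        if not sep:
            raise ValueError("unsupported match term: %r" % term)
        field = field.strip()
        if field == "outport" and direction != "to-lport":
            raise ValueError("outport is only available in to-lport ACLs")
        if not _value_matches(packet.get(field), literal):
            return False
    return True


def evaluate_acls(acls, direction, packet):
    """Return the action of the highest-priority matching ACL in `direction`,
    or "allow" when no row matches. OVN leaves equal-priority ties undefined;
    here the first such row in the list wins, a choice of this example."""
    best = None
    for acl in acls:
        if acl["direction"] != direction:
            continue
        if acl["action"] not in ACTIONS:
            raise ValueError("bad action %r" % acl["action"])
        if match_packet(acl["match"], direction, packet):
            if best is None or acl["priority"] > best["priority"]:
                best = acl
    return best["action"] if best else "allow"


# Constructed policy: default-deny at priority 0, then allow the 10.0.0.0/24
# subnet to reach vm1 with replies permitted, except one blocked host.
SAMPLE_ACLS = [
    {"priority": 0, "direction": "to-lport", "match": "1", "action": "drop"},
    {"priority": 1000, "direction": "to-lport",
     "match": 'outport == "vm1" && ip4.src == 10.0.0.0/24',
     "action": "allow-related"},
    {"priority": 1001, "direction": "to-lport",
     "match": 'outport == "vm1" && ip4.src == 10.0.0.13', "action": "drop"},
]
```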
  <group title="Logging">
    These columns control whether and how OVN logs packets that match an

    If set to <code>true</code>, packets that match the ACL will trigger
    a log message on the transport node or nodes that perform ACL
    processing. Logging may be combined with any <ref column="action"/>.

    If set to <code>false</code>, the remaining columns in this group
    have no significance.

    <column name="name">
      This name, if it is provided, is included in log records. It
      provides the administrator and the cloud management system a way to
      associate a log record with a particular ACL.

    <column name="severity">
      The severity of the ACL. The severity levels match those of syslog,
      in decreasing level of severity: <code>alert</code>,
      <code>warning</code>, <code>notice</code>, <code>info</code>, or
      <code>debug</code>. When the column is empty, the default is

    <column name="meter">
      The name of a meter to rate-limit log messages for the ACL.
      The string must match the <ref column="name" table="Meter"/>
      column of a row in the <ref table="Meter"/> table. By
      default, log messages are not rate-limited.

  <group title="Common Columns">
    <column name="external_ids">
      See <em>External IDs</em> at the beginning of this document.
<table name="Logical_Router" title="L3 logical router">
  Each row represents one L3 logical router.

  <column name="ports">

  <column name="static_routes">
    Zero or more static routes for the router.

  <column name="policies">
    Zero or more routing policies for the router.

  <column name="enabled">
    This column is used to administratively set router state. If this column
    is empty or is set to <code>true</code>, the router is enabled. If this
    column is set to <code>false</code>, the router is disabled. A disabled
    router has all ingress and egress traffic dropped.

    One or more NAT rules for the router. NAT rules only work on
    Gateway routers, and on distributed routers with one logical router
    port with a <code>redirect-chassis</code> specified.

  <column name="load_balancer">
    Load balance a virtual IP address to a set of logical port IP
    addresses. Load balancer rules only work on the Gateway routers.

  <group title="Naming">
    These columns provide names for the logical router. From OVN's
    perspective, these names have no special meaning or purpose other than
    to provide convenience for human interaction with the northbound
    database. There is no requirement for the name to be unique. (For a
    unique identifier for a logical router, use its row UUID.)

    (Originally, <ref column="name"/> was intended to serve the purpose of
    a human-friendly name, but the Neutron integration used it to uniquely
    identify its own router object, in the format
    <code>neutron-<var>uuid</var></code>. Later on, Neutron started
    propagating the friendly name of a router as <ref column="external_ids"
    key="neutron:router_name"/>. Perhaps this can be cleaned up someday.)

    <column name="name">
      A name for the logical router.

    <column name="external_ids" key="neutron:router_name">
      Another name for the logical router.

  <group title="Options">
    Additional options for the logical router.

    <column name="options" key="chassis">
      If set, indicates that the logical router in question is a Gateway
      router (which is centralized) and resides in the set chassis. The
      same value is also used by <code>ovn-controller</code> to
      uniquely identify the chassis in the OVN deployment and
      comes from <code>external_ids:system-id</code> in the
      <code>Open_vSwitch</code> table of the Open_vSwitch database.

      The Gateway router can only be connected to a distributed router
      via a switch if SNAT and DNAT are to be configured in the Gateway

    <column name="options" key="dnat_force_snat_ip">
      If set, indicates the IP address to use to force SNAT a packet
      that has already been DNATed in the gateway router. When multiple
      gateway routers are configured, a packet can potentially enter any
      of the gateway routers, get DNATted and eventually reach the logical
      switch port. For the return traffic to go back to the same gateway
      router (for unDNATing), the packet needs a SNAT in the first place.
      This can be achieved by setting the above option with a gateway
      specific IP address.

    <column name="options" key="lb_force_snat_ip">
      If set, indicates the IP address to use to force SNAT a packet
      that has already been load-balanced in the gateway router. When
      multiple gateway routers are configured, a packet can potentially
      enter any of the gateway routers, get DNATted as part of the
      load-balancing and eventually reach the logical switch port.
      For the return traffic to go back to the same gateway router (for
      unDNATing), the packet needs a SNAT in the first place. This can be
      achieved by setting the above option with a gateway specific IP

  <group title="Common Columns">
    <column name="external_ids">
      See <em>External IDs</em> at the beginning of this document.
<table name="QoS" title="QoS rule">
  Each row in this table represents one QoS rule for a logical switch
  that points to it through its <ref column="qos_rules"/> column.
  Two types of QoS are supported: DSCP marking and metering. A
  <ref column="match"/> with the highest <ref column="priority"/>
  will have QoS applied to it. If the <ref column="action"/> column is
  specified, then matching packets will have DSCP marking applied.
  If the <ref column="bandwidth"/> column is specified, then matching
  packets will have metering applied. <ref column="action"/> and
  <ref column="bandwidth"/> are not exclusive, so both marking and
  metering may be defined for the same QoS entry. If no row matches,
  packets will not have any QoS applied.

  <column name="priority">
    The QoS rule's priority. Rules with numerically higher priority
    take precedence over those with lower. If two QoS rules with
    the same priority both match, then the one actually applied to a
    packet is undefined.

  <column name="direction">
    The value of this field is similar to the <ref column="direction"
    table="ACL" db="OVN_Northbound"/> column in the OVN Northbound
    database's <ref table="ACL" db="OVN_Northbound"/> table.

  <column name="match">
    The packets that the QoS rule should match, in the same expression
    language used for the <ref column="match" table="Logical_Flow"
    db="OVN_Southbound"/> column in the OVN Southbound database's
    <ref table="Logical_Flow" db="OVN_Southbound"/> table. The
    <code>outport</code> logical port is only available in the
    <code>to-lport</code> direction (the <code>inport</code> is
    available in both directions).

  <column name="action">
    <p>When specified, matching flows will have DSCP marking applied.</p>

    <code>dscp</code>: The value of this action should be in the
    range of 0 to 63 (inclusive).

  <column name="bandwidth">
    When specified, matching packets will have bandwidth metering
    applied. Traffic over the limit will be dropped.

    <code>rate</code>: The value of the rate limit in kbps.

    <code>burst</code>: The value of the burst rate limit in kilobits.
    This is optional and requires <code>rate</code> to be specified.

  <column name="external_ids">
    See <em>External IDs</em> at the beginning of this document.
<table name="Meter" title="Meter entry">
  Each row in this table represents a meter that can be used for QoS or

  <column name="name">
    A name for this meter.

    Names that begin with "__" (two underscores) are reserved for
    OVN internal use and should not be added manually.

  <column name="unit">
    The unit for the <ref column="rate" table="Meter_Band"/> and
    <ref column="burst_size" table="Meter_Band"/> parameters in
    the <ref column="bands"/> entry. <code>kbps</code> specifies
    kilobits per second, and <code>pktps</code> specifies packets

  <column name="bands">
    The bands associated with this meter. Each band specifies a
    rate above which the band is to take the action
    <code>action</code>. If multiple bands' rates are exceeded,
    then the band with the highest rate among the exceeded bands is

  <column name="external_ids">
    See <em>External IDs</em> at the beginning of this document.
<table name="Meter_Band" title="Band for meter entries">
  Each row in this table represents a meter band which specifies the
  rate above which the configured action should be applied. These bands
  are referenced by the <ref column="bands" table="Meter"/> column in
  the <ref table="Meter"/> table.

  <column name="action">
    The action to execute when this band matches. The only supported
    action is <code>drop</code>.

  <column name="rate">
    The rate limit for this band, in kilobits per second or bits per
    second, depending on whether the parent <ref table="Meter"/>
    entry's <ref column="unit" table="Meter"/> column specified
    <code>kbps</code> or <code>pktps</code>.

  <column name="burst_size">
    The maximum burst allowed for the band in kilobits or packets,
    depending on whether <code>kbps</code> or <code>pktps</code> was
    selected in the parent <ref table="Meter"/> entry's
    <ref column="unit" table="Meter"/> column. If the size is zero,
    the switch is free to select some reasonable value depending on

  <column name="external_ids">
    See <em>External IDs</em> at the beginning of this document.
<table name="Logical_Router_Port" title="L3 logical router port">
  A port within an L3 logical router.

  Exactly one <ref table="Logical_Router"/> row must reference a given
  logical router port.

  <column name="name">
    A name for the logical router port.

    In addition to providing convenience for human interaction with the
    northbound database, this column is used as a reference by its patch port
    in <ref table="Logical_Switch_Port"/> or another logical router port in
    <ref table="Logical_Router_Port"/>.

  <column name="gateway_chassis">
    This column is ignored if the column
    <ref column="ha_chassis_group" table="Logical_Router_Port"/>.

    If set, this indicates that this logical router port represents
    a distributed gateway port that connects this router to a logical
    switch with a localnet port. There may be at most one such
    logical router port on each logical router.

    Several <ref table="Gateway_Chassis"/> can be referenced for a given
    logical router port. A single <ref table="Gateway_Chassis"/> is
    functionally equivalent to setting
    <ref column="options" key="redirect-chassis"/>. Refer to the
    description of <ref column="options" key="redirect-chassis"/>
    for additional details on gateway handling.

    Defining more than one <ref table="Gateway_Chassis"/> will enable
    gateway high availability. Only one gateway will be active at a
    time. OVN chassis will use BFD to monitor connectivity to a
    gateway. If connectivity to the active gateway is interrupted,
    another gateway will become active.
    The <ref column="priority" table="Gateway_Chassis"/> column
    specifies the order in which gateways will be chosen by OVN.

  <column name="ha_chassis_group">
    If set, this indicates that this logical router port represents
    a distributed gateway port that connects this router to a logical
    switch with a localnet port. There may be at most one such
    logical router port on each logical router. The HA chassis which
    are part of the HA chassis group will provide the gateway high
    availability. Please see the <ref table="HA_Chassis_Group"/> for

    When this column is set, the column
    <ref column="gateway_chassis" table="Logical_Router_Port"/> will

  <column name="networks">
    The IP addresses and netmasks of the router. For example,
    <code>192.168.0.1/24</code> indicates that the router's IP
    address is 192.168.0.1 and that packets destined to
    192.168.0.<var>x</var> should be routed to this port.

    A logical router port always adds a link-local IPv6 address
    (fe80::/64) automatically generated from the interface's MAC
    address using the modified EUI-64 format.
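The two statements above, the routing implied by a networks entry and the automatic fe80::/64 link-local address derived with modified EUI-64, worked through as an added example (not OVN's code); the MACs and networks in the test are constructed.

```python
"""Added example: derive a Logical_Router_Port's addresses from its networks
and mac columns, including the modified-EUI-64 link-local address."""
import ipaddress


def link_local_from_mac(mac):
    """Modified EUI-64: flip the U/L bit of the first octet, insert ff:fe in
    the middle, and place the 64-bit result in fe80::/64."""
    octets = [int(x, 16) for x in mac.split(":")]
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    eui64 = [octets[0] ^ 0x02] + octets[1:3] + [0xff, 0xfe] + octets[3:]
    iid = int.from_bytes(bytes(eui64), "big")
    address = ipaddress.IPv6Address((0xfe80 << 112) | iid)
    return ipaddress.IPv6Interface("%s/64" % address)


def router_port_interfaces(mac, networks):
    """All IP interfaces of the port: the configured networks plus the
    derived link-local one."""
    ifaces = [ipaddress.ip_interface(n) for n in networks]
    ifaces.append(link_local_from_mac(mac))
    return ifaces


def port_owns(mac, networks, dst):
    """True if a packet to dst should be routed to this port, i.e. dst lies in
    one of the port's networks (the 192.168.0.x case described above)."""
    dst = ipaddress.ip_address(dst)
    return any(dst in i.network
               for i in router_port_interfaces(mac, networks)
               if i.version == dst.version)
```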
    The Ethernet address that belongs to this router port.

  <column name="enabled">
    This column is used to administratively set port state. If this column
    is empty or is set to <code>true</code>, the port is enabled. If this
    column is set to <code>false</code>, the port is disabled. A disabled
    port has all ingress and egress traffic dropped.
  <group title="ipv6_ra_configs">
    This column defines the IPv6 ND RA address mode and ND MTU Option to be
    included by <code>ovn-controller</code> when it replies to IPv6
    Router Solicitation requests.

    <column name="ipv6_ra_configs" key="address_mode">
      The address mode to be used for IPv6 address configuration.
      The supported values are:

      <code>slaac</code>: Address configuration using Router
      Advertisement (RA) packet. The IPv6 prefixes defined in the
      <ref table="Logical_Router_Port"/> table's
      <ref table="Logical_Router_Port" column="networks"/> column will
      be included in the RA's ICMPv6 option - Prefix information.

      <code>dhcpv6_stateful</code>: Address configuration using DHCPv6.

      <code>dhcpv6_stateless</code>: Address configuration using Router
      Advertisement (RA) packet. Other IPv6 options are provided by

    <column name="ipv6_ra_configs" key="mtu">
      The recommended MTU for the link. Default is 0, which means no MTU
      Option will be included in the RA packet sent in reply by ovn-controller.
      Per RFC 2460, the mtu value is recommended to be no less than 1280, so
      any mtu value less than 1280 will be treated as no MTU Option.

    <column name="ipv6_ra_configs" key="send_periodic">
      If set to true, then this router interface will send router
      advertisements periodically. The default is false.

    <column name="ipv6_ra_configs" key="max_interval">
      The maximum number of seconds to wait between sending periodic router
      advertisements. This option has no effect if <ref
      column="ipv6_ra_configs" key="send_periodic"/> is false. The default

    <column name="ipv6_ra_configs" key="min_interval">
      The minimum number of seconds to wait between sending periodic router
      advertisements. This option has no effect if <ref
      column="ipv6_ra_configs" key="send_periodic"/> is false. The default
      is one-third of <ref column="ipv6_ra_configs" key="max_interval"/>,
      i.e. 200 seconds if that key is unset.
  <group title="Options">
    Additional options for the logical router port.

    <column name="options" key="redirect-chassis">
      If set, this indicates that this logical router port represents
      a distributed gateway port that connects this router to a logical
      switch with a localnet port. There may be at most one such
      logical router port on each logical router.

      Even when a <code>redirect-chassis</code> is specified, the
      logical router port still effectively resides on each chassis.
      However, due to the implications of the use of L2 learning in the
      physical network, as well as the need to support advanced features
      such as one-to-many NAT (aka IP masquerading), a subset of the
      logical router processing is handled in a centralized manner on
      the specified <code>redirect-chassis</code>.

      When this option is specified, the peer logical switch port's
      <ref column="addresses" table="Logical_Switch_Port"/> must be
      set to <code>router</code>. With this setting, the <ref
      column="external_mac" table="NAT"/>s specified in NAT rules are
      automatically programmed in the peer logical switch's
      destination lookup on the chassis where the <ref
      column="logical_port" table="NAT"/> resides. In addition, the
      logical router's MAC address is automatically programmed in the
      peer logical switch's destination lookup flow on the
      <code>redirect-chassis</code>.

      When this option is specified and it is desired to generate
      gratuitous ARPs for NAT addresses, then the peer logical switch
      port's <ref column="options" key="nat-addresses"
      table="Logical_Switch_Port"/> should be set to
      <code>router</code>.

      While <ref column="options" key="redirect-chassis"/> is still
      supported for backwards compatibility, it is now preferred to
      specify one or more <ref column="gateway_chassis"/> instead.
      It is functionally equivalent, but allows you to specify multiple
      chassis to enable high availability.

    <column name="options" key="reside-on-redirect-chassis">
      Generally routing is distributed in <code>OVN</code>. The packet
      from a logical port which needs to be routed hits the router pipeline
      in the source chassis. For East-West traffic, the packet is
      sent directly to the destination chassis. For outside traffic
      the packet is sent to the gateway chassis.

      When this option is set, <code>OVN</code> considers this only if

      The logical router to which this logical router port belongs
      has a distributed gateway port.

      The peer's logical switch has a localnet port (representing
      a VLAN tagged network)

      When this option is set to <code>true</code>, then the packet
      which needs to be routed hits the router pipeline in the chassis
      hosting the distributed gateway router port. The source chassis
      pushes out this traffic via the localnet port. With this the
      East-West traffic is no longer distributed and will always go through
      the gateway chassis.

      Without this option set, for any traffic destined to outside from a
      logical port which belongs to a logical switch with a localnet port,
      the source chassis will send the traffic to the gateway chassis via
      the tunnel port instead of the localnet port and this could cause MTU
  <group title="Attachment">
    A given router port serves one of two purposes:

    To attach a logical switch to a logical router. A logical router
    port of this type is referenced by exactly one <ref
    table="Logical_Switch_Port"/> of type <code>router</code>.
    The value of <ref column="name"/> is set as
    <code>router-port</code> in column <ref column="options"/> of
    <ref table="Logical_Switch_Port"/>. In this case the <ref
    column="peer"/> column is empty.

    To connect one logical router to another. This requires a pair of
    logical router ports, each connected to a different router. Each
    router port in the pair specifies the other in its <ref
    column="peer"/> column. No <ref table="Logical_Switch"/> refers to

    <column name="peer">
      For a router port used to connect two logical routers, this
      identifies the other router port in the pair by <ref column="name"/>.

      For a router port attached to a logical switch, this column is empty.

  <group title="Common Columns">
    <column name="external_ids">
      See <em>External IDs</em> at the beginning of this document.
<table name="Logical_Router_Static_Route" title="Logical router static routes">
  Each record represents a static route.

  When multiple routes match a packet, the longest-prefix match is chosen.
  For a given prefix length, a <code>dst-ip</code> route is preferred over
  a <code>src-ip</code> route.

  <column name="ip_prefix">
    IP prefix of this route (e.g. 192.168.100.0/24).

  <column name="policy">
    If it is specified, this setting describes the policy used to make
    routing decisions. This setting must be one of the following strings:

    <code>src-ip</code>: This policy sends the packet to the
    <ref column="nexthop"/> when the packet's source IP address matches
    <ref column="ip_prefix"/>.

    <code>dst-ip</code>: This policy sends the packet to the
    <ref column="nexthop"/> when the packet's destination IP address
    matches <ref column="ip_prefix"/>.

    If not specified, the default is <code>dst-ip</code>.

  <column name="nexthop">
    Nexthop IP address for this route. The nexthop IP address should be the
    IP address of a connected router port or the IP address of a logical port.

  <column name="output_port">
    The name of the <ref table="Logical_Router_Port"/> via which the packet
    needs to be sent out. This is optional and when not specified,
    OVN will automatically figure this out based on the
    <ref column="nexthop"/>. When this is specified and there are
    multiple IP addresses on the router port and none of them are in the
    same subnet as <ref column="nexthop"/>, OVN chooses the first IP
    address as the one via which the <ref column="nexthop"/> is reachable.
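Route selection over rows of this table, as an added example rather than OVN's own code: longest prefix wins, a `dst-ip` route beats a `src-ip` route of the same length, and `policy` defaults to `dst-ip`. The routing table in `SAMPLE_ROUTES` is constructed; `output_port` is left out since it does not affect which row is chosen.

```python
"""Added example: static route selection as described above."""
import ipaddress


def validate_route(route):
    """Return (prefix, nexthop, policy) with the default policy applied and
    the address families checked; the nexthop must be in the prefix's family."""
    prefix = ipaddress.ip_network(route["ip_prefix"], strict=False)
    nexthop = ipaddress.ip_address(route["nexthop"])
    policy = route.get("policy") or "dst-ip"
    if policy not in ("src-ip", "dst-ip"):
        raise ValueError("policy must be src-ip or dst-ip: %r" % policy)
    if nexthop.version != prefix.version:
        raise ValueError("nexthop %s not in family of %s" % (nexthop, prefix))
    return prefix, nexthop, policy


def select_route(routes, src, dst):
    """Pick the route for a packet; returns the winning row dict or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best, best_key = None, None
    for route in routes:
        prefix, _, policy = validate_route(route)
        addr = src if policy == "src-ip" else dst
        if addr.version != prefix.version or addr not in prefix:
            continue
        # Rank by prefix length first, then dst-ip (1) over src-ip (0).
        key = (prefix.prefixlen, 1 if policy == "dst-ip" else 0)
        if best_key is None or key > best_key:
            best, best_key = route, key
    return best


# Constructed routing table: a default route, an aggregate, and two /16
# routes for the same prefix that differ only in policy.
SAMPLE_ROUTES = [
    {"ip_prefix": "0.0.0.0/0", "nexthop": "192.168.0.254"},
    {"ip_prefix": "10.0.0.0/8", "nexthop": "192.168.0.1"},
    {"ip_prefix": "10.1.0.0/16", "nexthop": "192.168.0.2", "policy": "src-ip"},
    {"ip_prefix": "10.1.0.0/16", "nexthop": "192.168.0.3"},
]
```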
  <group title="Common Columns">
    <column name="external_ids">
      See <em>External IDs</em> at the beginning of this document.
<table name="Logical_Router_Policy" title="Logical router policies">
  Each row in this table represents one routing policy for a logical router
  that points to it through its <ref column="policies"/> column. The <ref
  column="action"/> column for the highest-<ref column="priority"/>
  matching row in this table determines a packet's treatment. If no row
  matches, packets are allowed by default. (Default-deny treatment is
  possible: add a rule with <ref column="priority"/> 0, <code>1</code> as
  <ref column="match"/>, and <code>drop</code> as <ref column="action"/>.)

  <column name="priority">
    The routing policy's priority. Rules with numerically higher priority
    take precedence over those with lower. A rule is uniquely identified
    by the priority and match string.

  <column name="match">
    The packets that the routing policy should match,
    in the same expression language used for the
    <ref column="match" table="Logical_Flow" db="OVN_Southbound"/>
    column in the OVN Southbound database's
    <ref table="Logical_Flow" db="OVN_Southbound"/> table.

    By default all traffic is allowed. When writing a more
    restrictive policy, it is important to remember to allow flows
    such as ARP and IPv6 neighbor discovery packets.

  <column name="action">
    <p>The action to take when the routing policy matches:</p>

    <code>allow</code>: Forward the packet.

    <code>drop</code>: Silently drop the packet.

    <code>reroute</code>: Reroute packet to <ref column="nexthop"/>.

  <column name="nexthop">
    Next-hop IP address for this route, which should be the IP
    address of a connected router port or the IP address of a logical port.
<table name="NAT" title="NAT rules">
  Each record represents a NAT rule.

  <column name="type">
    <p>Type of the NAT rule.</p>

    When <ref column="type"/> is <code>dnat</code>, the externally
    visible IP address <ref column="external_ip"/> is DNATted to the IP
    address <ref column="logical_ip"/> in the logical space.

    When <ref column="type"/> is <code>snat</code>, IP packets
    whose source IP address either matches the IP address
    in <ref column="logical_ip"/> or is in the network provided by
    <ref column="logical_ip"/> are SNATed to the IP address in
    <ref column="external_ip"/>.

    When <ref column="type"/> is <code>dnat_and_snat</code>, the
    externally visible IP address <ref column="external_ip"/> is
    DNATted to the IP address <ref column="logical_ip"/> in the
    logical space. In addition, IP packets with a source IP
    address that matches <ref column="logical_ip"/> are SNATed to
    the IP address in <ref column="external_ip"/>.
2054 <column name=
"external_ip">
2058 <column name=
"external_mac">
2064 This is only used on the gateway port on distributed routers.
2065 This must be specified in order for the NAT rule to be
2066 processed in a distributed manner on all chassis. If this is
2067 not specified for a NAT rule on a distributed router, then
2068 this NAT rule will be processed in a centralized manner on
2069 the gateway port instance on the
<code>redirect-chassis
</code>.
2073 This MAC address must be unique on the logical switch that the
2074 gateway port is attached to. If the MAC address used on the
2075 <ref column=
"logical_port"/> is globally unique, then that MAC
2076 address can be specified as this
<ref column=
"external_mac"/>.
2080 <column name=
"logical_ip">
2081 An IPv4 network (e.g
192.168.1.0/
24) or an IPv4 address.
2084 <column name=
"logical_port">
2086 The name of the logical port where the
<ref column=
"logical_ip"/>
2091 This is only used on distributed routers. This must be
2092 specified in order for the NAT rule to be processed in a
2093 distributed manner on all chassis. If this is not specified
2094 for a NAT rule on a distributed router, then this NAT rule
2095 will be processed in a centralized manner on the gateway
2096 port instance on the
<code>redirect-chassis
</code>.
2100 <group title=
"Common Columns">
2101 <column name=
"external_ids">
2102 See
<em>External IDs
</em> at the beginning of this document.
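The three rule types of the <ref column="type"/> column, as an added Python example that is not ovn-northd's translation logic. The rules and packets are constructed; evaluating rules in list order and splitting the two translation directions are this model's own assumptions, as is the check that a DNAT target must be a single address (derived from the descriptions above).

```python
"""Which translation a NAT row applies, following the descriptions of the
dnat, snat and dnat_and_snat types.  Added illustration, not ovn-northd's
logic; rule order and direction handling are this model's assumptions."""
import ipaddress


def validate_rule(rule):
    """logical_ip may be a network only for snat: a DNAT target must be a
    single address (derived from the type descriptions).  Returns the
    logical_ip as a network (a single address becomes a /32)."""
    net = ipaddress.ip_network(rule["logical_ip"], strict=False)
    if rule["type"] != "snat" and net.num_addresses != 1:
        raise ValueError("%s rule needs a single logical_ip, got %s"
                         % (rule["type"], rule["logical_ip"]))
    ipaddress.ip_address(rule["external_ip"])   # must be a plain address
    return net


def apply_nat(rules, pkt):
    """pkt: {'src': ..., 'dst': ...}.  Returns (translated packet, list of
    translations applied).  The first rule that applies wins, so put
    per-address rules before network-wide snat rules."""
    pkt = dict(pkt)
    for rule in rules:
        net = validate_rule(rule)
        kind = rule["type"]
        # dnat / dnat_and_snat: traffic to the external IP goes to logical_ip.
        if kind in ("dnat", "dnat_and_snat") and pkt["dst"] == rule["external_ip"]:
            pkt["dst"] = rule["logical_ip"]
            return pkt, ["dnat"]
        # snat / dnat_and_snat: traffic whose source is logical_ip (an address
        # or any address of the network) leaves with external_ip as source.
        if kind in ("snat", "dnat_and_snat") and ipaddress.ip_address(pkt["src"]) in net:
            pkt["src"] = rule["external_ip"]
            return pkt, ["snat"]
    return pkt, []


# Constructed rules: a 1:1 floating IP for one VM, then a shared SNAT for
# the rest of the subnet.  Addresses are private and documentation ranges.
RULES = [
    {"type": "dnat_and_snat", "external_ip": "192.0.2.10", "logical_ip": "10.0.0.10"},
    {"type": "snat", "external_ip": "192.0.2.1", "logical_ip": "10.0.0.0/24"},
]

if __name__ == "__main__":
    print(apply_nat(RULES, {"src": "203.0.113.7", "dst": "192.0.2.10"}))
    print(apply_nat(RULES, {"src": "10.0.0.10", "dst": "203.0.113.7"}))
    print(apply_nat(RULES, {"src": "10.0.0.5", "dst": "203.0.113.7"}))
```

Because the <code>dnat_and_snat</code> row for 10.0.0.10 precedes the subnet-wide <code>snat</code> row, the VM with the floating IP keeps its own external address on egress while the rest of the subnet shares 192.0.2.1.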
<table name="DHCP_Options" title="DHCP options">
OVN implements native DHCPv4 support which caters to the common use case of providing an IPv4 address to a booting instance by providing stateless replies to DHCPv4 requests based on statically configured address mappings. To do this it allows a short list of DHCPv4 options to be configured and applied at each compute host running <code>ovn-controller</code>.
OVN also implements native DHCPv6 support which provides stateless replies to DHCPv6 requests.
<column name="cidr">
The DHCPv4/DHCPv6 options will be included if the logical port has its IP address in this <ref column="cidr"/>.
<group title="DHCPv4 options">
The CMS should define the set of DHCPv4 options as key/value pairs in the <ref column="options"/> column of this table. For <code>ovn-controller</code> to include these DHCPv4 options, the <ref column="dhcpv4_options"/> of <ref table="Logical_Switch_Port"/> should refer to an entry in this table.
<group title="Mandatory DHCPv4 options">
The following options must be defined.
<column name="options" key="server_id">
The IP address for the DHCP server to use. This should be in the subnet of the offered IP. This is also included in the DHCP offer as option 54, ``server identifier.''
<column name="options" key="server_mac">
The Ethernet address for the DHCP server to use.
<column name="options" key="lease_time" type='{"type": "integer", "minInteger": 0, "maxInteger": 4294967295}'>
The offered lease time in seconds,
The DHCPv4 option code for this option is 51.
<group title="IPv4 DHCP Options">
Below are the supported DHCPv4 options whose values are an IPv4 address, e.g. <code>192.168.1.1</code>. Some options accept multiple IPv4 addresses enclosed within curly braces, e.g. <code>{192.168.1.2, 192.168.1.3}</code>. Please refer to RFC 2132 for more details on DHCPv4 options and their codes.
<column name="options" key="router">
The IP address of a gateway for the client to use. This should be in the subnet of the offered IP. The DHCPv4 option code for this
<column name="options" key="netmask">
The DHCPv4 option code for this option is 1.
<column name="options" key="dns_server">
The DHCPv4 option code for this option is 6.
<column name="options" key="log_server">
The DHCPv4 option code for this option is 7.
<column name="options" key="lpr_server">
The DHCPv4 option code for this option is 9.
<column name="options" key="swap_server">
The DHCPv4 option code for this option is 16.
<column name="options" key="policy_filter">
The DHCPv4 option code for this option is 21.
<column name="options" key="router_solicitation">
The DHCPv4 option code for this option is 32.
<column name="options" key="nis_server">
The DHCPv4 option code for this option is 41.
<column name="options" key="ntp_server">
The DHCPv4 option code for this option is 42.
<column name="options" key="tftp_server">
The DHCPv4 option code for this option is 66.
<column name="options" key="classless_static_route">
The DHCPv4 option code for this option is 121.
This option can contain one or more static routes, each of which consists of a destination descriptor and the IP address of the router that should be used to reach that destination. Please see RFC 3442 for more details.
Example: <code>{30.0.0.0/24, 10.0.0.10, 0.0.0.0/0, 10.0.0.1}</code>
<column name="options" key="ms_classless_static_route">
The DHCPv4 option code for this option is 249. This option is similar to <code>classless_static_route</code> and is supported by Microsoft Windows DHCPv4 clients.
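The curly-brace value format of <code>classless_static_route</code> shown above, parsed and encoded into the DHCPv4 option 121 wire format of RFC 3442, as an added Python example that is not ovn-controller's encoder. Passing <code>code=249</code> yields the <code>ms_classless_static_route</code> variant; the 255-byte limit check is this example's own handling of over-long lists, and the example route list is the one from the text.

```python
"""Encode an OVN classless_static_route value into DHCPv4 option 121
(RFC 3442).  Added illustration, not ovn-controller's encoder."""
import ipaddress


def parse_route_list(value):
    """'{30.0.0.0/24, 10.0.0.10, 0.0.0.0/0, 10.0.0.1}' ->
    [(IPv4Network, IPv4Address), ...]; items alternate destination, router."""
    body = value.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a {...} list")
    items = [s.strip() for s in body[1:-1].split(",") if s.strip()]
    if not items or len(items) % 2:
        raise ValueError("routes must be destination/router pairs")
    routes = []
    for dest, router in zip(items[::2], items[1::2]):
        # strict=True rejects a destination with host bits set, e.g. 30.0.0.1/24
        routes.append((ipaddress.IPv4Network(dest, strict=True),
                       ipaddress.IPv4Address(router)))
    return routes


def encode_classless_static_route(value, code=121):
    """Return the option bytes: code, length, then for each route the prefix
    length, the significant destination octets (ceil(prefix/8) of them) and
    the 4-byte router address.  code=249 gives the Microsoft variant."""
    data = bytearray()
    for dest, router in parse_route_list(value):
        plen = dest.prefixlen
        nsig = (plen + 7) // 8                      # 0 octets for /0, 3 for /24
        data.append(plen)
        data += dest.network_address.packed[:nsig]
        data += router.packed
    if len(data) > 255:
        # A single DHCPv4 option carries at most 255 bytes of data; longer
        # lists would need RFC 3396 splitting, which this example does not do.
        raise ValueError("option data exceeds 255 bytes")
    return bytes([code, len(data)]) + bytes(data)


EXAMPLE = "{30.0.0.0/24, 10.0.0.10, 0.0.0.0/0, 10.0.0.1}"   # from the text

if __name__ == "__main__":
    print(encode_classless_static_route(EXAMPLE).hex())
```

For the example value the encoder emits 15 bytes: <code>79 0d</code> (code 121, 13 data bytes), then <code>18 1e 00 00 0a 00 00 0a</code> for 30.0.0.0/24 via 10.0.0.10, then <code>00 0a 00 00 01</code> for the default route via 10.0.0.1; the /0 destination contributes no address octets at all.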
<group title="Boolean DHCP Options">
These options accept a Boolean value, expressed as <code>0</code> for false or <code>1</code> for true.
<column name="options" key="ip_forward_enable" type='{"type": "string", "enum": ["set", ["0", "1"]]}'>
The DHCPv4 option code for this option is 19.
<column name="options" key="router_discovery" type='{"type": "string", "enum": ["set", ["0", "1"]]}'>
The DHCPv4 option code for this option is 31.
<column name="options" key="ethernet_encap" type='{"type": "string", "enum": ["set", ["0", "1"]]}'>
The DHCPv4 option code for this option is 36.
<group title="Integer DHCP Options">
These options accept a nonnegative integer value.
<column name="options" key="default_ttl" type='{"type": "integer", "minInteger": 0, "maxInteger": 255}'>
The DHCPv4 option code for this option is 23.
<column name="options" key="tcp_ttl" type='{"type": "integer", "minInteger": 0, "maxInteger": 255}'>
The DHCPv4 option code for this option is 37.
<column name="options" key="mtu" type='{"type": "integer", "minInteger": 68, "maxInteger": 65535}'>
The DHCPv4 option code for this option is 26.
<column name="options" key="T1" type='{"type": "integer", "minInteger": 68, "maxInteger": 4294967295}'>
This specifies the time interval from address assignment until the client begins trying to renew its address. The DHCPv4 option code for this option is 58.
<column name="options" key="T2" type='{"type": "integer", "minInteger": 68, "maxInteger": 4294967295}'>
This specifies the time interval from address assignment until the client begins trying to rebind its address. The DHCPv4 option code for this option is 59.
<group title="String DHCP Options">
These options accept a string value.
<column name="options" key="wpad">
The DHCPv4 option code for this option is 252. This option is used as part of web proxy auto discovery to provide a URL for a web
<column name="options" key="bootfile_name">
The DHCPv4 option code for this option is 67. This option is used to identify a bootfile.
<column name="options" key="path_prefix">
The DHCPv4 option code for this option is 210. In PXELINUX's case this option is used to set a common path prefix, instead of deriving it from the bootfile name.
<column name="options" key="tftp_server_address">
The DHCPv4 option code for this option is 150. The option contains one or more IPv4 addresses that the client MAY use. This option is Cisco proprietary; the IEEE standard that matches this requirement is option 66 (tftp_server).
<column name="options" key="domain_name">
The DHCPv4 option code for this option is 15. This option specifies the domain name that the client should use when resolving hostnames via the Domain Name System.
<group title="DHCPv6 options">
OVN also implements native DHCPv6 support. The CMS should define the set of DHCPv6 options as key/value pairs. The defined DHCPv6 options will be included in the DHCPv6 response to the DHCPv6 Solicit/Request/Confirm packet from the logical ports having the IPv6 addresses in the <ref column="cidr"/>.
<group title="Mandatory DHCPv6 options">
The following options must be defined.
<column name="options" key="server_id">
The Ethernet address for the DHCP server to use. This is also included in the DHCPv6 reply as option 2, ``Server Identifier'' to carry a DUID identifying a server between a client and a server. <code>ovn-controller</code> defines the DUID based on the Link-layer Address [DUID-LL].
<group title="IPv6 DHCPv6 options">
Below are the supported DHCPv6 options whose values are an IPv6 address, e.g. <code>aef0::4</code>. Some options accept multiple IPv6 addresses enclosed within curly braces, e.g. <code>{aef0::4, aef0::5}</code>. Please refer to RFC 3315 for more details on DHCPv6 options and their codes.
<column name="options" key="dns_server">
The DHCPv6 option code for this option is 23. This option specifies the DNS servers that the VM should use.
<group title="String DHCPv6 options">
These options accept string values.
<column name="options" key="domain_search">
The DHCPv6 option code for this option is 24. This option specifies the domain search list the client should use to resolve hostnames
Example: <code>"ovn.org"</code>.
<column name="options" key="dhcpv6_stateless">
This option specifies that OVN native DHCPv6 will work in stateless mode, which means OVN native DHCPv6 will not offer IPv6 addresses for VM/VIF ports, but only reply with other configuration, such as DNS servers and the domain search list. When this option is set to the string value "true", the VM/VIF will configure IPv6 addresses in a stateless way. The default value for this option is false.
<group title="Common Columns">
<column name="external_ids">
See <em>External IDs</em> at the beginning of this document.
<table name="Connection" title="OVSDB client connections.">
Configuration for a database connection to an Open vSwitch database
This table primarily configures the Open vSwitch database server (<code>ovsdb-server</code>).
The Open vSwitch database server can initiate and maintain active connections to remote clients. It can also listen for database
<group title="Core Features">
<column name="target">
<p>Connection methods for clients.</p>
The following connection methods are currently supported:
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
The specified SSL <var>port</var> on the host at the given <var>host</var>, which can either be a DNS name (if built with unbound library) or an IP address. A valid SSL configuration must be provided when this form is used; this configuration can be specified via command-line options or the <ref table="SSL"/> table.
If <var>port</var> is not specified, it defaults to 6640.
SSL support is an optional feature that is not always built as part of Open vSwitch.
<dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
The specified TCP <var>port</var> on the host at the given <var>host</var>, which can either be a DNS name (if built with unbound library) or an IP address. If <var>host</var> is an IPv6 address, wrap it in square brackets, e.g. <code>tcp:[::1]:6640</code>.
If <var>port</var> is not specified, it defaults to 6640.
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
Listens for SSL connections on the specified TCP <var>port</var>. Specify 0 for <var>port</var> to have the kernel automatically choose an available port. If <var>host</var>, which can either be a DNS name (if built with unbound library) or an IP address, is specified, then connections are restricted to the resolved or specified local IP address (either IPv4 or IPv6 address). If <var>host</var> is an IPv6 address, wrap it in square brackets, e.g. <code>pssl:6640:[::1]</code>. If <var>host</var> is not specified then it listens only on IPv4 (but not IPv6) addresses. A valid SSL configuration must be provided when this form is used; this can be specified either via command-line options or the <ref table="SSL"/> table.
If <var>port</var> is not specified, it defaults to 6640.
SSL support is an optional feature that is not always built as part of Open vSwitch.
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
Listens for connections on the specified TCP <var>port</var>. Specify 0 for <var>port</var> to have the kernel automatically choose an available port. If <var>host</var>, which can either be a DNS name (if built with unbound library) or an IP address, is specified, then connections are restricted to the resolved or specified local IP address (either IPv4 or IPv6 address). If <var>host</var> is an IPv6 address, wrap it in square brackets, e.g. <code>ptcp:6640:[::1]</code>. If <var>host</var> is not specified then it listens only on IPv4 addresses.
If <var>port</var> is not specified, it defaults to 6640.
<p>When multiple clients are configured, the <ref column="target"/> values must be unique. Duplicate <ref column="target"/> values yield unspecified results.</p>
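A parser for the four target forms documented above, as an added Python example rather than ovsdb-server's own parser. It applies the documented rules (default port 6640, IPv6 literals in square brackets, passive forms with no host listening on IPv4 only); the keys of the returned dict are this example's own naming.

```python
"""Parse Connection.target strings: ssl:host[:port], tcp:host[:port],
pssl:[port][:host], ptcp:[port][:host].  Added illustration, not the
ovsdb-server implementation."""
import ipaddress

DEFAULT_PORT = 6640          # documented default for all four forms
METHODS = ("ssl", "tcp", "pssl", "ptcp")


def _parse_host(text):
    """A DNS name or IPv4 address as-is, or an IPv6 literal in brackets."""
    if text.startswith("[") and text.endswith("]"):
        host = text[1:-1]
        ipaddress.IPv6Address(host)          # raises on a malformed literal
        return host
    if ":" in text:
        raise ValueError("IPv6 addresses must be wrapped in square brackets")
    return text


def parse_target(target):
    """Return method, passive, ssl, host, port and ipv4_only for a target."""
    method, sep, rest = target.partition(":")
    if not sep or method not in METHODS:
        raise ValueError("unsupported connection method: %r" % target)
    passive = method.startswith("p")
    if passive:
        # pssl:/ptcp: take [port][:host]; both parts are optional.
        port_s, sep2, host_s = rest.partition(":")
        port = int(port_s) if port_s else None
        host = _parse_host(host_s) if sep2 and host_s else None
    else:
        # ssl:/tcp: take host[:port]; the host is mandatory.
        if rest.startswith("["):
            end = rest.find("]")
            if end < 0:
                raise ValueError("unterminated IPv6 literal")
            host = _parse_host(rest[:end + 1])
            tail = rest[end + 1:]
            if tail and not tail.startswith(":"):
                raise ValueError("unexpected text after IPv6 literal")
            port = int(tail[1:]) if tail else None
        else:
            host_s, sep2, port_s = rest.partition(":")
            host = _parse_host(host_s)
            port = int(port_s) if sep2 else None
        if not host:
            raise ValueError("active target needs a host")
    if port is None:
        port = DEFAULT_PORT
    if not 0 <= port <= 65535:            # 0 lets the kernel pick (passive)
        raise ValueError("port out of range: %d" % port)
    return {"method": method, "passive": passive, "ssl": method.endswith("ssl"),
            "host": host, "port": port,
            # Documented behaviour: a passive target with no host is IPv4 only.
            "ipv4_only": passive and host is None}


if __name__ == "__main__":
    for t in ("tcp:[::1]:6640", "ssl:nb.example.test", "pssl:6640:[::1]", "ptcp:", "ptcp:0"):
        print(t, "->", parse_target(t))
```

Used as a pre-commit check on CMS-generated <ref column="target"/> values, the parser catches the two common mistakes the description calls out: an unbracketed IPv6 literal, and a passive target that silently binds only to IPv4 because no host was given.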
<group title="Client Failure Detection and Handling">
<column name="max_backoff">
Maximum number of milliseconds to wait between connection attempts. Default is implementation-specific.
<column name="inactivity_probe">
Maximum number of milliseconds of idle time on the connection to the client before sending an inactivity probe message. If Open vSwitch does not communicate with the client for that interval, it will send a probe. If a response is not received within the same additional amount of time, Open vSwitch assumes the connection has been broken and attempts to reconnect. Default is implementation-specific. A value of 0 disables inactivity probes.
<group title="Status">
The key-value pair <ref column="is_connected"/> is always updated. Other key-value pairs in the status columns may be updated depending on the <ref column="target"/> type.
When <ref column="target"/> specifies a connection method that listens for inbound connections (e.g. <code>ptcp:</code> or <code>punix:</code>), both <ref column="n_connections"/> and <ref column="is_connected"/> may also be updated while the remaining key-value pairs are omitted.
On the other hand, when <ref column="target"/> specifies an outbound connection, all key-value pairs may be updated, except the above-mentioned two key-value pairs associated with inbound connection targets. They are omitted.
<column name="is_connected">
<code>true</code> if currently connected to this client, <code>false</code> otherwise.
<column name="status" key="last_error">
A human-readable description of the last error on the connection to the manager; i.e. <code>strerror(errno)</code>. This key will exist only if an error has occurred.
<column name="status" key="state" type='{"type": "string", "enum": ["set", ["VOID", "BACKOFF", "CONNECTING", "ACTIVE", "IDLE"]]}'>
The state of the connection to the manager:
<dt><code>VOID</code></dt>
<dd>Connection is disabled.</dd>
<dt><code>BACKOFF</code></dt>
<dd>Attempting to reconnect at an increasing period.</dd>
<dt><code>CONNECTING</code></dt>
<dd>Attempting to connect.</dd>
<dt><code>ACTIVE</code></dt>
<dd>Connected, remote host responsive.</dd>
<dt><code>IDLE</code></dt>
<dd>Connection is idle. Waiting for response to keep-alive.</dd>
These values may change in the future. They are provided only for
<column name="status" key="sec_since_connect" type='{"type": "integer", "minInteger": 0}'>
The amount of time since this client last successfully connected to the database (in seconds). Value is empty if the client has never successfully been connected.
<column name="status" key="sec_since_disconnect" type='{"type": "integer", "minInteger": 0}'>
The amount of time since this client last disconnected from the database (in seconds). Value is empty if client has never
<column name="status" key="locks_held">
Space-separated list of the names of OVSDB locks that the connection holds. Omitted if the connection does not hold any locks.
<column name="status" key="locks_waiting">
Space-separated list of the names of OVSDB locks that the connection is currently waiting to acquire. Omitted if the connection is not waiting
<column name="status" key="locks_lost">
Space-separated list of the names of OVSDB locks that the connection has had stolen by another OVSDB client. Omitted if no locks have been stolen from this connection.
<column name="status" key="n_connections" type='{"type": "integer", "minInteger": 2}'>
When <ref column="target"/> specifies a connection method that listens for inbound connections (e.g. <code>ptcp:</code> or <code>pssl:</code>) and more than one connection is actually active, the value is the number of active connections. Otherwise, this key-value pair is omitted.
<column name="status" key="bound_port" type='{"type": "integer"}'>
When <ref column="target"/> is <code>ptcp:</code> or <code>pssl:</code>, this is the TCP port on which the OVSDB server is listening. (This is particularly useful when <ref column="target"/> specifies a port of 0, allowing the kernel to choose any available port.)
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common Columns</code> at the beginning of this document.
<column name="external_ids"/>
<column name="other_config"/>
<table name="DNS" title="Native DNS resolution">
Each row in this table stores DNS records. The <ref table="Logical_Switch"/> table's <ref table="Logical_Switch" column="dns_records"/> column references these records.
<column name="records">
Key-value pairs of DNS records, with the <code>DNS query name</code> as the key and a string of IP address(es) separated by comma or space as the value.
<p><b>Example:</b> "vm1.ovn.org" = "10.0.0.4 aef0::4"</p>
<column name="external_ids">
See <em>External IDs</em> at the beginning of this document.
SSL configuration for ovn-nb database access.
<column name="private_key">
Name of a PEM file containing the private key used as the switch's identity for SSL connections to the controller.
<column name="certificate">
Name of a PEM file containing a certificate, signed by the certificate authority (CA) used by the controller and manager, that certifies the switch's private key, identifying a trustworthy
<column name="ca_cert">
Name of a PEM file containing the CA certificate used to verify that the switch is connected to a trustworthy controller.
<column name="bootstrap_ca_cert">
If set to <code>true</code>, then Open vSwitch will attempt to obtain the CA certificate from the controller on its first SSL connection and save it to the named PEM file. If it is successful, it will immediately drop the connection and reconnect, and from then on all SSL connections must be authenticated by a certificate signed by the CA certificate thus obtained. <em>This option exposes the SSL connection to a man-in-the-middle attack obtaining the initial CA certificate.</em> It may still be useful for bootstrapping.
<column name="ssl_protocols">
List of SSL protocols to be enabled for SSL connections. The default when this option is omitted is <code>TLSv1,TLSv1.1,TLSv1.2</code>.
<column name="ssl_ciphers">
List of ciphers (in OpenSSL cipher string format) to be supported for SSL connections. The default when this option is omitted is <code>HIGH:!aNULL:!MD5</code>.
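Turning the <ref column="ssl_protocols"/> and <ref column="ssl_ciphers"/> values into a configuration that can be checked before deployment, as an added Python example using the standard library's ssl module (not Open vSwitch's OpenSSL setup). The documented defaults are the function defaults; that TLSv1 and TLSv1.1 are deprecated by RFC 8996 is a fact added here, not something the column descriptions state.

```python
"""ssl_protocols / ssl_ciphers as a checkable configuration.  Added
illustration with Python's ssl module, not Open vSwitch's OpenSSL setup.
The defaults are the documented column defaults."""
import ssl

DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"

# Column spelling of each protocol -> ssl.TLSVersion.
_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# Deprecated by RFC 8996: an added fact, not from the column description.
DEPRECATED = frozenset({"TLSv1", "TLSv1.1"})


def parse_protocols(value=DEFAULT_PROTOCOLS):
    """Comma-separated column value -> list of protocol names."""
    names = [n.strip() for n in value.split(",") if n.strip()]
    unknown = [n for n in names if n not in _VERSIONS]
    if unknown:
        raise ValueError("unknown protocol(s): " + ", ".join(unknown))
    if not names:
        raise ValueError("no protocols enabled")
    return names


def legacy_protocols(value=DEFAULT_PROTOCOLS):
    """Deprecated versions the value would enable; an empty list is the goal.
    With the documented default this is ['TLSv1', 'TLSv1.1']."""
    return sorted(DEPRECATED.intersection(parse_protocols(value)))


def build_context(protocols=DEFAULT_PROTOCOLS, ciphers=DEFAULT_CIPHERS):
    """SSLContext bounded to the listed versions.  An unusable cipher
    string raises ssl.SSLError here rather than at connection time."""
    names = parse_protocols(protocols)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min(_VERSIONS[n] for n in names)
    ctx.maximum_version = max(_VERSIONS[n] for n in names)
    ctx.set_ciphers(ciphers)
    return ctx


def anonymous_ciphers(ciphers=DEFAULT_CIPHERS):
    """Cipher suites without peer authentication that a cipher string leaves
    enabled.  '!aNULL' in the documented default is what keeps this empty;
    get_ciphers() reports such suites with auth == 'auth-null'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(ciphers)
    return [c["name"] for c in ctx.get_ciphers() if c["auth"] == "auth-null"]


if __name__ == "__main__":
    print("deprecated with defaults:", legacy_protocols())
    print("anonymous suites with defaults:", anonymous_ciphers())
    ctx = build_context("TLSv1.2,TLSv1.3")
    print("hardened range:", ctx.minimum_version, "..", ctx.maximum_version)
```

A deployment that sets <ref column="ssl_protocols"/> to <code>TLSv1.2</code> (or newer, where the Open vSwitch build supports it) gets an empty <code>legacy_protocols()</code> result while keeping the documented cipher default unchanged.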
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common Columns</code> at the beginning of this document.
<column name="external_ids"/>
<table name="Gateway_Chassis">
Association of one or more chassis to a logical router port. The traffic going out through a specific router port will be redirected to a chassis, or a set of them in high availability configurations. A single <ref table="Gateway_Chassis"/> is equivalent to setting <ref column="options" key="redirect-chassis"/>. Using <ref table="Gateway_Chassis"/> allows associating multiple prioritized chassis with a single logical router port.
<column name="name">
Name of the <ref table="Gateway_Chassis"/>.
A suggested, but not required, naming convention is <code>${port_name}_${chassis_name}</code>.
<column name="chassis_name">
Name of the chassis that we want to redirect traffic through for the associated logical router port. The value must match the <ref db="OVN_Southbound" table="Chassis" column="name"/> column of the <ref db="OVN_Southbound" table="Chassis"/> table in the <ref db="OVN_Southbound"/> database.
<column name="priority">
This is the priority of a chassis among all <ref table="Gateway_Chassis"/> belonging to the same logical router
<column name="options">
Reserved for future use.
<group title="Common Columns">
<column name="external_ids">
See <em>External IDs</em> at the beginning of this document.
<table name="HA_Chassis_Group">
Table representing a group of chassis which can provide high availability services. Each chassis in the group is represented by the table <ref table="HA_Chassis"/>. The HA chassis with the highest priority will be the master of this group. If a failover of the master chassis is detected, the HA chassis with the next highest priority takes over the responsibility of providing the HA. If a distributed gateway router port references a row in this table, then the master HA chassis in this group provides the gateway functionality.
<column name="name">
Name of the <ref table="HA_Chassis_Group"/>. The name should be unique.
<column name="ha_chassis">
A list of HA chassis which belong to this group.
<group title="Common Columns">
<column name="external_ids">
See <em>External IDs</em> at the beginning of this document.
<table name="HA_Chassis">
<column name="chassis_name">
Name of the chassis which is part of the HA chassis group. The value must match the <ref db="OVN_Southbound" table="Chassis" column="name"/> column of the <ref db="OVN_Southbound" table="Chassis"/> table in the <ref db="OVN_Southbound"/> database.
<column name="priority">
Priority of the chassis. The chassis with the highest priority will be
<group title="Common Columns">
<column name="external_ids">
See <em>External IDs</em> at the beginning of this document.